Q: When you have an organization that has a vague awareness of their risk [A.C. – around data, presumably], but are not demanding a solution, what’s the best strategy for IT to engage them and kick off the program?
A: I suspect that if the information owners don’t feel the urgent need for data protection, none would be forthcoming. Apart from clarifying and explaining the risks to data (loss, theft, abuse, accidental disclosure, whatever other scenarios), I can’t think of anything drastic that can be done. It may well be that they “vaguely” realize that risks to their particular data [and I don’t know what that is] are just not that high. On the other hand, in cases where the business side expects the infosec team to just “handle it”, there is a need for additional motivation.
Q: How about [DLP] legal reviews for different countries? Is there some study that highlights the key difficulties for specific countries? Data privacy/ employee guidelines/ workers councils/ etc? Looking for an overview, not specific legal opinion
A: A good question. Does anybody know? We have specific research on China, but I am not aware of a good resource that covers many countries; I would love to see it.
Q: Do you see the DLP Team sitting in an operational area or separate from this in an Information Security focused area?
A: Ah, a very good one! We have seen cases where DLP was deemed “too sensitive” for the security team to handle (yes, really!). Specifically, “some participants also considered DLP different from other security monitoring they were performing, where ‘security monitoring’ was mainly used to refer to infrastructure monitoring and DLP dealing with higher layers.” So far, my research has not revealed one right way to do it: we have seen cases where the DLP project was “owned” by the business side, the security team or a separate cross-functional team. Overall, unlike with other tools, it is NOT a certainty that DLP ownership will sit inside the security operations team.
Q: What are good metrics to measure DLP success? What are example metrics related to reduced data risk?
A: Please read the document for this: “Enterprise Content-Aware DLP Architecture and Operational Practices”, the section titled “DLP Reporting for Operational Efficiency and Risk Reduction”
Q: How does this all work (or not!) in the cloud?
A: There are three scenarios where DLP and [public] clouds overlap: DLP for the cloud (protect data stored in the cloud from leaking out), DLP in the cloud (deploy DLP as SaaS) and DLP against the cloud (prevent the data from leaving the premises and going to the cloud). I suspect that the question is about the first of the three – and this one is still a very tough one. CSPs (whether IaaS or SaaS) are in different stages of “working on it.” As of today, the only easy case to handle is the external cloud scenario (like Amazon VPC). See this document for details: “DLP Reporting for Operational Efficiency and Risk Reduction”
Q: If the data is not classified, wouldn’t it put more burden on the DLP admin to write/create business rules that will be used to monitor/control content?
A: Yes, but what are the alternatives? If you cannot finish the burdensome classification project and you make DLP dependent on it, the situation will be even worse: an unfinished classification and no DLP. See this for details, the section called “The Data Classification Question”
Q: What is the role of classification with DLP? Wouldn’t these be complementary to keyword or context based rules? Would this help drive an identifier into key content that can be leveraged by policies?
A: Very much so – data classification makes DLP much easier, as we say in our research. However, as we discovered in “Information Classification: An Essential Security Thing You’re (Still) Not Doing”, “security [data] classification has existed for well over 40 years, but its successful implementation is a continuing struggle.”
Q: Why is USB port control / USB blocking not DLP?
A: Non-content-aware port blocking is not the same as content-aware DLP. Endpoint DLP tools can perform content-aware USB port monitoring, blocking, control, etc., so such port control can be part of your DLP effort.
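To make the two preceding answers concrete (classification labels as an identifier that policies can key on, and the difference between blanket USB port blocking and content-aware endpoint DLP), here is a small added example that is not part of the original post or of any DLP product. It compares a non-content-aware rule (block every write to removable media) with a content-aware rule that blocks only when the content carries a sensitivity label or a Luhn-valid card number. The `CLASSIFICATION:` header convention, the destination names (`removable`, `network_share`) and the sample files are all assumptions constructed for the example.

```python
import re

# Constructed sample files (not from the original post): what an endpoint
# agent might see when a user copies files to a USB stick.
SAMPLES = {
    "public_brochure.txt": "CLASSIFICATION: PUBLIC\nLaunch next quarter. Sales desk: 555-0100.",
    "roadmap.txt": "CLASSIFICATION: CONFIDENTIAL\nQ3 roadmap and pricing strategy.",
    "customer_export.csv": "name,card\nAlice,4111 1111 1111 1111\n",
    "tickets.txt": "Ref 4111111111111112 raised by support.",
}

# Assumed label convention: an in-content classification marker that a
# policy can match cheaply, without deeper content inspection.
LABEL_RE = re.compile(r"\bCLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\b")
# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
BLOCKED_LABELS = {"CONFIDENTIAL", "RESTRICTED"}
REMOVABLE = {"removable", "usb"}  # assumed destination names


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates from the text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def classification(text: str):
    """Classification label embedded in the content, or None if untagged."""
    m = LABEL_RE.search(text)
    return m.group(1) if m else None


def port_block_decision(destination: str) -> str:
    """Non-content-aware port control: every write to removable media is blocked."""
    return "block" if destination in REMOVABLE else "allow"


def content_aware_decision(text: str, destination: str):
    """Endpoint DLP rule: block removable-media writes only when the content is sensitive.
    The label check runs first (cheap, relies on classification); the PAN check
    catches untagged content that classification alone would miss."""
    if destination not in REMOVABLE:
        return ("allow", "not a removable destination")
    label = classification(text)
    if label in BLOCKED_LABELS:
        return ("block", "classification label %s" % label)
    pans = find_pans(text)
    if pans:
        return ("block", "%d Luhn-valid card number(s)" % len(pans))
    return ("allow", "no sensitive content found")


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "| port-block:", port_block_decision("removable"),
              "| content-aware:", content_aware_decision(text, "removable"))
```

Run it and the contrast is visible: port blocking stops all four copies, including the public brochure, while the content-aware rule allows the brochure and the ticket note (whose 16-digit reference fails Luhn), blocks the roadmap on its label, and blocks the untagged CSV on the card number alone. Real endpoint DLP does the same kind of inspection with far richer detectors, but the policy shape is the point.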
Q: If on-going policy tuning is critical to the success of DLP, then isn’t the business the better owner of the DLP project to ensure that there is no breakdown in tracking business changes?
A: Yes, very much so. We even say that “the best role for the IT and security organizations to play is that of custodian of the technology, ensuring that policies are implemented according to business requirements, with most analysis, review and remediation assigned to business stakeholders.”
Posts related to DLP:
- Upcoming Gartner Webinar: DLP Architecture and Operational Processes
- My Second DLP Paper Publishes
- My First DLP Paper Publishes
- DLP: Education and/or Automation?
- More On Internal Data Loss Incidents
- On “Internally Lost Data” and DLP Discovery
- On Risks of DLP
- DLP and Data Classification
- DLP: Discover First or Monitor First?
- On DLP and PCI DSS
- On DLP and IP Theft
- DLP and/or/for/vs Data Security
- On DLP Processes or “No DLP For Dummies”
- On DLP Research