How to Drive Successful DLP Projects
DLP initiatives are on the horns of a dilemma: IT can’t enforce the rules unless the business backs them up, and without the business on board, data protection is very difficult. Successful DLP programs have bridged this gap through effective business and IT engagement.
News of repeated security breaches across multiple industries has raised awareness of the adverse impact security shortfalls can have on an organization’s reputation, liability position and financial well-being.
We often encounter organizations that have received negative audit findings flagging the lack of DLP, or inadequacies in DLP. Sometimes executives have read about breaches, or imbibed a bit too much cybersecurity Kool-Aid from an enterprise DLP vendor’s marketing literature. We hope that you – the security pros or executives reading this – haven’t been deluded into thinking that a purely tool-based DLP program stands any chance of success.
The first step to DLP enlightenment is understanding the sardonic meaning of the dilemma figure above, which was inspired by a recent consulting project. Repeat after me – “DLP can’t succeed without broad IT and business engagement.” Understanding this, your second step to DLP enlightenment is learning which domains of IT and business to engage and how to bridge the gaps between them.
DLP programs and solutions are designed to help organizations monitor and protect sensitive data while it is in motion, at rest or in use. DLP solutions – which may consist of a combination of enterprise DLP products (such as those from Symantec, Websense, McAfee, RSA, Code Green and CA) and “channel DLP” or “DLP-lite” products – are quite sophisticated. Deployed correctly and with the right policies and processes, they can protect the enterprise while not impeding beneficial data uses, data flows and user experiences. They can integrate with the IT resources storing and handling sensitive data. Harder but still possible, they can foil some of the creative efforts of cyber-attackers and policy-violators to subvert control.
DLP often fails to deliver full value — not necessarily due to broken tools, but due to broken processes and practices in the organization that owns and operates the tools. Reaching DLP’s full potential is a difficult task. DLP solutions will inevitably discover multiple issues with the ways that even well-meaning business units, users and tools store, use and exchange data. Broad buy-in to the DLP program must therefore exist at the business level to resolve these issues.
DLP projects have the goal of containing security risks and ensuring regulatory compliance. They must discover and rein in unauthorized copies of, access to and methods of exchanging sensitive information. But they have to operate in the context of customer expectations for service delivery, easy access to systems and data, mobile device support, cloud computing, and data exchange with authorized third parties.
Data flows are the lifeblood of the business. It takes business engagement to restrict and channel them without killing the business. Unless you strike that balance, the business simply won’t be able to enforce its own DLP policies.
Any DLP enforcement or monitoring technologies and practices must – in a phased approach – be integrated with network, endpoint, server, application and repository resources as well as all approved business processes or systems for (internal/external) data storage, transfer or exchange. They must align with other security monitoring and enforcement tools, access provisioning and incident management workflows within traditional, mobile, private cloud and public cloud environments.
IT is an intricate machine. Don’t let DLP be the sand in the gears. It requires IT engagement at the operations and service management level to architect and build DLP in.
DLP Requires a Phased Approach
Only through a phased approach can DLP be smoothly integrated into IT resources and business processes. Tools, business users and security response staff must work together to strike the balance between convenience and security. Gradually, the DLP program’s coverage, capabilities and monitoring or enforcement roles must be integrated into a changing and changeable IT network, endpoint, data management and operations fabric.
Over time, expand the DLP program purview, enabling discovery and elimination of unnecessary copies or uses of data while still allowing productive uses of the data. Take the friction of false-positive alerts, and disputes over valid alerts, out of the system.
Security Architects Partners fully comprehends the aforementioned challenges and their impact on the staff supporting security, privacy, business continuity, and compliance functions. The overall goal of our DLP projects is to help organizations develop a full DLP strategy in close collaboration with their business and IT stakeholders. This strategy will include architecture patterns, solution evaluation and selection, process recommendations, a multiple phase roadmap and more.
The benefits of a strong DLP program include the ability to:
- Better position the organization for the next audit and assure regulatory compliance
- Protect the overall organizational brand, image and reputation by mitigating the risk of future negative headlines and publicity due to a breach
- Enable safe, confident use of valuable or sensitive data as an operational asset across approved traditional, mobile and cloud environments as well as authorized networks, repositories and devices
- Discover where and how valuable or sensitive information assets are stored or transferred, then analyze and eliminate or manage the risk
- Reduce the cost and friction of sensitive data discovery and improve its coverage by automating and broadening searches and scans, using up-to-date policy templates and customizable data fingerprinting patterns as new risk or regulatory requirements are addressed
- Align with data protection and data governance technologies and processes to:
  - Reduce the risk of accidental data loss
  - Reduce the risk of insider abuse of valuable or sensitive information
  - Reduce the risk of cyber-attacker exfiltration of valuable or sensitive information
  - Provide the appropriate level of institution-wide monitoring of student or staff misconduct
  - Maintain forensic data of security events as evidence
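The benefit of “policy templates and customizable data fingerprinting patterns” above, and the false-positive friction mentioned under the phased approach, are easier to see in a concrete detection policy. The following is an added illustration written for this page, not code from Security Architects Partners or from any of the DLP vendors named above. It is a deliberately minimal content-detection policy: a card-number rule that only fires when the Luhn check passes, an SSN rule that rejects number ranges never issued, and a document fingerprint built from hashed word shingles so that an excerpt of a registered confidential memo is caught even when it is paraphrased around the edges. Every sample string (the memo, the card numbers, the messages) is constructed for the example, and the class and function names are hypothetical.

```python
"""Minimal DLP content-detection policy (illustrative, constructed data).

Shows two false-positive controls real DLP products use: validators on
pattern rules (Luhn for card numbers, issued-range checks for SSNs) and
document fingerprinting by hashed word shingles instead of raw keywords.
"""
import hashlib
import re
from dataclasses import dataclass, field


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues: area 000, 666 or
    900-999, group 00, serial 0000. Cuts alerts on placeholders/templates."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def shingles(text: str, k: int = 5) -> set:
    """Hash every run of k normalized words; the set is the fingerprint."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


@dataclass
class Policy:
    """A policy template: pattern rules plus a registry of fingerprints."""
    fingerprints: set = field(default_factory=set)
    fp_threshold: float = 0.3   # fraction of a message's shingles that must match

    def register_document(self, text: str) -> None:
        self.fingerprints |= shingles(text)

    def scan(self, text: str) -> list:
        """Return the names of rules that fire on an outbound message."""
        findings = []
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append("PAN")
        for m in SSN_RE.finditer(text):
            if ssn_plausible(*m.groups()):
                findings.append("SSN")
        if self.fingerprints:
            sh = shingles(text)
            if sh and len(sh & self.fingerprints) / len(sh) >= self.fp_threshold:
                findings.append("FINGERPRINT")
        return findings


# Constructed sample memo registered as a fingerprint (not real data).
CONFIDENTIAL_MEMO = (
    "The Q3 acquisition target is Acme Corp and the offer price is "
    "forty dollars per share subject to board approval"
)

if __name__ == "__main__":
    policy = Policy()
    policy.register_document(CONFIDENTIAL_MEMO)
    for msg in [
        "card on file: 4111 1111 1111 1111",           # Luhn-valid test PAN
        "order ref 4111 1111 1111 1112 shipped",       # fails Luhn: no alert
        "employee 123-45-6789 onboarded",
        "placeholder 000-12-3456 in template",         # never-issued area
        "FYI: the offer price is forty dollars per share subject to board approval",
        "Lunch at noon tomorrow, bring the slides",
    ]:
        print(f"{policy.scan(msg)!s:16} {msg}")
```

The order-reference line is the point of the exercise: it looks exactly like a card number to a bare regex, and a template without the Luhn validator would page the response team for it. Likewise the fingerprint fires on an excerpt of the memo without a keyword list that has to be maintained as the memo changes. A production policy would add the channel context (recipient domain, device, repository) that the phased integration above provides; without it, even these validated rules are a monitor, not an enforcer.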
If your DLP program is in the doldrums, contact Security Architects Partners. Our consultants would be happy to provide feedback on your DLP project, or help you build one.