Guide to Data Leak Protection

Compliance needs drive data leak protection best practices

By Cara Garretson

So you've chosen a data-leak protection tool and you now have an answer when the boardroom asks what the company is doing to protect data breaches. Or do you? In order for these tools to have a high success rate for preventing sensitive data from leaving the corporate network, they require quite a bit of upfront work. Following are some best practices to help you get your DLP up and running.

  • Your DLP policies should be based on your compliance needs. These tools will only enforce the policies you have set. For example, many regulations call for the encryption of any personal-identifiable data. If the tool offers encryption, it should therefore be set to encrypt figures that obviously fit the profile to identify them as Social Security and credit card numbers
  • Policy creation is not a one-time deal. DLP is one part technology, one part understanding the business. For the tool to be effective, IT and business units must collaborate on developing policies that protect the company, but are also flexible enough to allow employees to get their jobs done. Once created, IT should expect to engage the business to help update and hone policies on a regular basis using feedback from users. One way to do this is to let users offer an explanation for why a policy-breaking action should be allowed to occur – many tools offer users a dialog box to enter such reasons. But even if the tool doesn't automate that process, offering users a channel to submit feedback is still useful. This input leads to policies that better reflect how a company operates.
  • These tools will catch mistakes, but may not catch intentional breaches. The good news is that most data leakage incidents stem from mistakes, rather than malfeasance. According to Nick Selby, senior analyst and director of The 451 Group's enterprise security practice, 98% of leaked data is the result of "stupidity or accident" on the part of the user. If a disgruntled employee is determined to send product road maps to the competition he'll be hard to defeat, Selby says. But accountants who send corporate financial data to themselves over Web e-mail so they can work on spreadsheets at home will quickly learn from these tools that such actions compromise security.
  • When using a tool's blocking feature, consider the risk of false positives. This issue isn't necessarily related to the quality of the tool, but more to the lack of a hard-and-fast definition of sensitive data. Many companies opt to operate these tools in monitor-only mode initially, so they can see what's being sent out of the company, and then work on policies and enforcement from there.
  • Classify your data in the first place. If, upon creation, data can be classified as sensitive or not, you'll save yourself a lot of work trying to decide after the fact. A classification tag that can follow the data wherever it may go in and out of the network would act as the flag needed to ensure DLP tools catch security breaches.

Five questions to ask data-leak protection vendors before buying

By Cara Garretson

Setting up a data-leak protection product on your network can be quite a lot of work. You must create all the necessary policies, establish where sensitive data resides and decide which communication channels should be monitored for violations. But before you can begin, you've got to find yourself an appropriate vendor. Here are some guidelines:

1. What types of data can the product identify? If you are simply trying to ensure that the basics are covered – employees' Social Security numbers, customers' credit card numbers – you may be happy with a lower-end product. These can watch for numbers based on their format and block them from leaving the network. But if you want to make sure all of the company's intellectual property is protected (R&D project names, sales and projection numbers), you would benefit from a higher-end product. These use more complex algorithms to identify all such data and block it from leaving the organization without proper authorization.

2.Where does the tool protect data? Does the tool protect data stored on the endpoints (usually PCs and laptops)? Does it protect data stored on the network (servers, storage-area networks, nearline storage)?  Hand-and-hand with the way a product identifies sensitive data is the places in which it scans for that data. If you choose a product that blocks sensitive information from outbound communication channels such as e-mail and instant messaging but has no clue when an employee copies the company's financials to a thumb drive, you may be leaving your organization's back door wide open. Additionally, this product category sprang to life by watching data in motion, such as e-mail and IM. However, increasingly the tools can scan data at rest. If you opt for this feature, which endpoints will the product scan? One that only protects data stored on the endpoint but can't find it in e-mail archives won't help you get an enterprise-wide view of all the sensitive information floating around.

3. How hard is it to establish policies? Find out what this procedure entails before you buy. Can non-IT business managers use the tools to help them label which data qualifies as "sensitive"? Will setting up policies require buying consulting time from the vendor? How easy is it to modify established policies? What is the recommended process for testing policies before the product goes live?

4. When a violation is encountered, what choices of action does the products offer? Does the tool simply alert administrators of violations, or can it block the transaction from happening? Does it alert the user as well, and give him an opportunity to enter a reason? Does the tool create an audit trail for forensic purposes?

5. What other products does this tool work with? Can it share policies or exchange data with other products such as e-mail security, identity management or access management offerings?

Top trends in the data-leak protection market

DLP tools gain advanced features, integration with security products

By Cara Garretson

Data-leak protection is a young segment of the security market that is growing up fast. With the rapid consolidation of the security market that has occurred over the last year, as large security vendors snapped up start-ups, and with many DLP products maturing, what was once a collection of scrappy point products is becoming a set of enterprise-grade tools. 

Called by many names, including outbound content management and data-loss or data-leakage protection, these tools help companies identify and protect sensitive information. Gartner Research estimates the total content filtering and DLP market hit about $50 million in 2006 and tripled to $150 million in 2007. Meanwhile, IDC predicts the 2007 market to be even higher. It says the market reached $194 million in 2007 and will rise to $434.6 million in 2009, representing a nearly 50% compound annual growth rate. The bottom line is that investing in DLP is becoming a corporate necessity.

The following are some key trends in this market:

  • The buying spree is winding down. From late 2006 through all of 2007, larger security companies spent at least $1.6 billion acquiring DLP start-ups. And that figure only includes the deals with values that were made public. Giants including Cisco, Symantec, Trend Micro, McAfee and EMC/RSA picked through the couple dozen start-ups in this market and ponied up the necessary cash, culminating with Symantec's $350 million bid for Vontu in November.
  • Integration has begun. Now that so many security vendors can boast about the addition of data-loss protection features to their product portfolios, they are creating road maps detailing how these acquired products will better integrate with their existing platforms. That's how it should be, says Nick Selby, senior analyst and director of The 451 Group's enterprise security practice, who believes this function is best suited to be part of a larger security plan instead of remaining as stand-alone point products.
  • DLP products are becoming more useful. One reason bigger security vendors have been so interested in DLP start-ups is that the tools have matured. They no longer simply watch sensitive data fly out the door; they help companies pinpoint where it's stored. "The story has been moving from just information-in-motion protection to information at rest and discovery; that may be a reason why acquisitions lit up so quickly," says Trent Henry, vice president and research director with Burton Group. "Many solutions were inline devices on the network that said 'something sensitive has left the network.' Now with e-discovery requirements and [the payment card industry's specifications for protecting data], you don't want to just know where the information is going, but also where it is stored."
  • User participation is becoming more important and easier to do. DLP products only work as well as the policies that guide these products. To discover what information should and should not be shared, IT must rely on input and participation from business-unit managers and other non-technical employees. These tools are becoming more savvy to that fact. Many now include set-up components that don't require a technical background to understand. At the same time, the tools are also becoming more flexible with the user. For example, when a user attempts to send out data without authorization, some tools will send up an alert but also give the user an opportunity to explain his actions. This feature helps create policies that more effectively describe how work is accomplished in an organization.

Data-leak protection tools work to contain sensitive information

By Cara Garretson

Data-leak protection tools aim to monitor, and often block, sensitive information from leaving the corporate network without proper authorization. In doing so, they also give administrators a detailed view into what type of data is leaving the network and how.

The components include server software that matches the data contained in a user-initiated transfer – such as sending an e-mail or instant message, copying a file to removable media, or even printing – with a list of predefined terms that dictate what is considered sensitive. Most tools not only monitor such policy breaches but can also block them or quarantine them.

In addition to the server-side software, which sometimes comes preconfigured on a gateway appliance, many companies also supply client agent software. These agents ensure that at the PC or notebook level the policies regarding sensitive data are enforced. Users don't have to be connected to the network to have these agents be effective, since they operate on their own and update their rule sets once the user reconnects.

DLP tools catch sensitive data in a number of ways. The simpler methods employ a dictionary of preset terms – including Social Security and credit card number formats, as well as regulatory terms related to sensitive data – and then scan user activity for these terms. More complicated systems offer language analytics for determining whether data should be considered sensitive or not. This is often achieved by capturing all the data moving around a company, indexing it and recommending what should be protected. These approaches can be helpful for classifying information that isn't easily identified as sensitive, such as intellectual property that could be contained in an e-mail text or as part of a PowerPoint slide.

Tools generally offer policy-creation capabilities to help establish rules regarding what data can and cannot leave the corporate network. Many offer some sort of log or audit capability, allowing administrators to review user behavior and better understand the conditions surrounding policy violations.

More DLP vendors are integrating their tools with other technologies, such as encryption engines, to automatically trigger the encryption of sensitive information as it leaves the network. They're also partnering with enterprise-rights management vendors, e-mail and Web security providers, and others to integrate knowledge about sensitive information with these products.


Subscribe to the Best of PCWorld Newsletter