Five questions to ask data-leak protection vendors before buying
By Cara Garretson
Setting up a data-leak protection product on your network can be quite a lot of work. You must create all the necessary policies, establish where sensitive data resides and decide which communication channels should be monitored for violations. But before you can begin, you've got to find yourself an appropriate vendor. Here are some guidelines:
1. What types of data can the product identify? If you are simply trying to ensure that the basics are covered – employees' Social Security numbers, customers' credit card numbers – you may be happy with a lower-end product. These can watch for numbers based on their format and block them from leaving the network. But if you want to make sure all of the company's intellectual property is protected (R&D project names, sales and projection numbers), you would benefit from a higher-end product. These use more complex algorithms to identify all such data and block it from leaving the organization without proper authorization.
2. Where does the tool protect data? Does the tool protect data stored on the endpoints (usually PCs and laptops)? Does it protect data stored on the network (servers, storage-area networks, nearline storage)? Hand in hand with the way a product identifies sensitive data are the places in which it scans for that data. If you choose a product that blocks sensitive information from outbound communication channels such as e-mail and instant messaging but has no clue when an employee copies the company's financials to a thumb drive, you may be leaving your organization's back door wide open. Additionally, this product category sprang to life by watching data in motion, such as e-mail and IM. However, increasingly the tools can scan data at rest. If you opt for this feature, which endpoints will the product scan? One that only protects data stored on the endpoint but can't find it in e-mail archives won't help you get an enterprise-wide view of all the sensitive information floating around.
3. How hard is it to establish policies? Find out what this procedure entails before you buy. Can non-IT business managers use the tools to help them label which data qualifies as "sensitive"? Will setting up policies require buying consulting time from the vendor? How easy is it to modify established policies? What is the recommended process for testing policies before the product goes live?
4. When a violation is encountered, what choices of action does the product offer? Does the tool simply alert administrators to violations, or can it block the transaction from happening? Does it alert the user as well, and give him an opportunity to enter a reason? Does the tool create an audit trail for forensic purposes?
5. What other products does this tool work with? Can it share policies or exchange data with other products such as e-mail security, identity management or access management offerings?
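To make question 1 concrete, here is a sketch of the format-based matching a lower-end product performs, written for this page as an added example and not taken from the article or from any vendor's product. The function names, sample messages and project name are constructed; the second message shows the kind of intellectual-property content that format matching alone lets through.

```python
import re

# Format-only patterns of the kind a lower-end product relies on.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan(text: str) -> list:
    """Return (kind, masked value) findings for one outbound message."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def verdict(text: str) -> str:
    """Block the message if any format-based finding is present."""
    return "block" if scan(text) else "allow"


# Constructed sample messages (test card number, made-up SSN and project name).
PII_MAIL = "Card 4111 1111 1111 1111, SSN 123-45-6789, order ref 1234567890123456"
IP_MAIL = "Attached: Project Bluebird Q3 sales projections, do not forward."

if __name__ == "__main__":
    for mail in (PII_MAIL, IP_MAIL):
        print(verdict(mail), scan(mail))
```

The 16-digit order reference is ignored because it fails the checksum, while the projections e-mail is allowed because nothing in it has a recognizable number format.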