DLP (Data leakage prevention or as I sometimes call it, “disastrously ludicrous project”) is fantastic in theory. However, without the right approach to a DLP project, it can be a recipe for losing your sanity or your job.
Most DLP projects start with the notion that a business can locate, identify and classify all of its data. Once they have done that, the IT person responsible is somehow supposed to write a policy which dictates who can access what data, for which purpose and what they can do with it. Assuming this project even makes it through the planning and consideration phase (most DLP projects are killed here), deployment will result in something like the following inevitable scenario:
The CFO will be trying to upload his end of year accounts and be blocked by DLP (the policy is so complex, it will go wrong sooner or later). The IT team will be put in the firing line and the DLP project cut back to a point of being useless or perhaps discarded altogether. The net result is spending a lot of time and money to ultimately do very little, leaving the business vulnerable.
Whilst this ‘big’ approach to DLP is valid for some organisations, 99% of businesses I talk to do not have the required business maturity for this approach. Their infrastructure and information have grown too organically and while IT may desire more control, the rest of the business is not ready to make that commitment. In reality, most businesses are still dealing with basic operational management such as patch and deployment to roaming users so it’s unrealistic to expect such an advanced and sizeable project to succeed.
The alternative is to approach DLP rather more pragmatically. Instead of trying to make data decisions for the user, involve them in the decision-making process and focus your efforts on the top priority data. This can be accomplished without massive discovery exercises, expensive software and user disruption. Imagine, a user moves a file which contains a large amount of personally identifiable information into the web browser to upload it to biggiles.com. If you challenge that user as to whether they are doing the right thing, in most scenarios you win: if the user is malicious they realise they are being monitored, if it is an accident, most users will avoid it. In any case, the incident is logged so that IT can take action quickly. Such an approach embraces simplicity, can be deployed in a day and delivers 90% of the advantage of a big DLP deployment for less than 1% of the cost. Why not start here and then build yourself up to something more significant?
There is an increasing gap between available technology, mandatory technology and what is actually deployed. This gap needs to be addressed to keep up with cyber criminals, risk of data loss and regulatory pressure. Complex, unrealistic, un-adoptable marketing hype is the problem. Keep it simple and you too can do DLP!