Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Patrick Foley

How Deep in DLP Are You?

However, even a large, deep-pocketed, high-profile, heavily-regulated organization is unlikely to put all its data-protection eggs in one (vendor-supplied) basket, no matter how costly or time-consuming to implement. And DLP products are a fine additional control when the environment demands it. As for the rest of us, the better DLP products might identify places where our sensitive data are currently leaking, maybe building the case that better controls are necessary. But we can start with the premise that we generally have more sensitive data, more widely available, than is prudent.

Therefore, there are plenty of good, basic Security 101 steps we can take to ensure our data are as protected as current conditions allow. If, after we have done all of the following, we can still quantify an unacceptable level of risk, maybe, just maybe, our CFO will write us that check to buy a shiny, new DLP solution.

1. User identity – we really cannot determine whether sensitive information is being used appropriately if we cannot ascertain who is accessing it. Protecting the perimeter of our organization means that once the sensitive data are past those controls, they are gone. But once you can consistently and simply identify your users’ access to all systems and data, other controls become possible.

2 Comments

  1. Maven Dec 1, 2008 at 7:03 pm | Permalink

    Yes, there is a plethora of “customer data, legal agreements, financial reporting” and so on that needs protection. And trying to block content such as this from leaking out through any number of doors and windows is next to impossible. And not necessarily desirable – sensitive content does need to move in order to meet business requirements. Rather than barring the egress points, it makes much better sense to continuously protect the data, wherever it goes. This approach also offers a simpler, more direct path for “strong data owners” to take control of data they know is sensitive. There is no way that an expensive and complex DLP solution provides the necessary flexibility. Solutions such as those [that create a secure virtual project workspace] don’t require a company-wide deployment; they’re highly efficient for individual workgroups and departments.

  2. Pat Foley Dec 4, 2008 at 4:04 pm | Permalink

    Thanks for the feedback. Most companies I’ve spoken with have never completed an enterprise-wide deployment of a DLP tool, but with the new Massachusetts data leakage law, I imagine organizations will be looking for manageable solutions.
