2. User authorization – all users should have access only to the minimum necessary to conduct their job responsibilities (least privilege access) and should not hold risky combinations of data or system access (segregation of duties). These are basic conceptual controls, but effectively deployed they go a long way toward reducing the number of people in your organization who have access to the sensitive data you are concerned about losing. If they do not have it, they cannot lose it.
3. Data classification and data ownership – there is nothing like ownership and its inherent risks and rewards to ensure that sensitive data are only used with adequate oversight and controls. Strong data owners will demand protection and accountability for their most sensitive assets. Data owners also assume the risk for lack of adequate controls and can serve as champions of more robust security infrastructure.
4. Sensitive system and data inventories – if you do not know what data you need to protect, where it resides, and how it is currently accessed, you will either miss all the data leaking out around you or you will grind the business to a halt trying to protect everything.
2 Comments
Yes, there is a plethora of “customer data, legal agreements, financial reporting” and so on that needs protection. And trying to block content such as this from leaking out through any number of doors and windows is next to impossible. And not necessarily desirable – sensitive content does need to move in order to meet business requirements. Rather than barring the egress points, it makes much better sense to continuously protect the data, wherever it goes. This approach also offers a simpler, more direct path for “strong data owners” to take control of data they know is sensitive. There is no way that an expensive and complex DLP solution provides the necessary flexibility. Solutions such as those [that create a secure virtual project workspace] don’t require a company-wide deployment; they’re highly efficient for individual workgroups and departments.
Thanks for the feedback. Most companies I’ve spoken with have never completed an enterprise-wide deployment of a DLP tool, but with the new Massachusetts data leakage law, I imagine organizations will be looking for manageable solutions.