Patrick Foley

How Deep in DLP Are You?

While every security tool a vendor advertises to or demonstrates for you is purportedly the silver bullet that saves your organization from drowning in a virtual sea of hackers, rogues and spies, data-leakage protection, or prevention (DLP), is one for which many electrons have been slain to sell you the “next great [security] thing”. I am sure there are organizations that have had the intestinal fortitude to fully implement a DLP solution, though in the conversations I have had with security team members in a handful of large companies that have purchased such systems, none has completed, or is currently planning to complete, a full deployment.

The concept seems simple enough: post guards at the doors and make sure no one walks out with the good silver. For certain industries that are highly regulated, or that depend for their survival and success on vast amounts of intellectual property, the breathtaking cost of DLP may be justifiable. But what about the rest of us, who are protecting garden-variety customer data, legal agreements, financial reporting or associate information? We need to protect our data too, but making the ROI case for DLP work with our CFO likely means we are SOL.

There are just too many egress points for an organization with a large global customer base; hundreds, if not thousands, of outlets; distributed systems; significant third-party interaction; low margins; and relatively casual regulation. Ask the TSA to comment on the diminishing returns of trying to stop every bad thing from happening at every airport: they have high staff turnover, they are looking for hard-to-detect risks with limited resources, and a significant number of travelers originate outside the US, where they have no control over the vetting process. DLP might work for those companies where the enterprise cost of a data breach is staggering to consider and the likelihood high enough that even the bean counters will not skimp on adding significant security infrastructure.

2 Comments

  1. Maven Dec 1, 2008 at 7:03 pm

    Yes, there is a plethora of “customer data, legal agreements, financial reporting” and so on that needs protection. And trying to block content such as this from leaking out through any number of doors and windows is next to impossible. And not necessarily desirable – sensitive content does need to move in order to meet business requirements. Rather than barring the egress points, it makes much better sense to continuously protect the data, wherever it goes. This approach also offers a simpler, more direct path for “strong data owners” to take control of data they know is sensitive. There is no way that an expensive and complex DLP solution provides the necessary flexibility. Solutions such as those [that create a secure virtual project workspace] don’t require a company-wide deployment; they’re highly efficient for individual workgroups and departments.

  2. Pat Foley Dec 4, 2008 at 4:04 pm

    Thanks for the feedback. Most companies I’ve spoken with have never completed an enterprise-wide deployment of a DLP tool, but with the new Massachusetts data leakage law, I imagine organizations will be looking for manageable solutions.
