In our last post, ‘Three Pillars of Internal Data Security’, I defined, in simple terms, the basic understanding of DLP technologies and their primary objectives. Now that we understand the basics of these three technologies, I would like to highlight some examples why organisations fail to implement them well. Here are the top three reason’s Data Security Solutions fail and how to avoid them.
REASON 1: DLP has to be implemented in full at once (or so it’s sold!)
Most vendors want to sell everything their product can do at once. Device control, Content aware, Encryption solutions are all pushed to IT Security folks at once as it provides more value or the solutions are bundled together as one. This leads to failure as policies end up being misconfigure due to lack of understanding of data or certain data loss surface areas are ignored or too tight to be effective.
REASON 2: Data Classification doesn’t work
Many times companies who buy integrated all in one DLP plus data classification solutions always get stuck in this spider web of never ending mis-classification or troublesome classification work. Data classification always fails if it is forced down without understanding the data flow/maps and the different value (opinion) on data. Data classification is as much a consultative and evaluative process as it is a technology process. Most users are non-IT experts and most IT people don’t understand the user’s data. What would an IT Security Professional know about molecular biology and fatal medicine to be able to decide the classification levels of such research?
REASON 3: IRM should be applied to all files and documents
Let’s put this into perspective. Most people have a door at the entrance to their homes, yet they still have bedroom doors and then they have safe deposit boxes at home. IRM is your safe deposit box. You only secure the most valuable things in the house there. You do not put your plates, clothes, and other daily regular stuff inside a safe deposit box. It will take a lot of money and many safe deposit boxes to do so and then it will lose its relevance as a secure tool. This is the same with IRM. Traditionally the maximum data, IRM should be applied to is 10-20% of our overall data. This varied according to industry but in general this should be ideal. Coupled with the additional effort users have to make to decide permissions, applying IRM to all data defeats its purpose and relevance.
So the question I always ask myself and customers is this:
Should all the 3 technologies be used together and deployed?
The answer is: Yes but not at the same time.
It goes against tradition as a distributor or vendor to say that it is best not to sell all 3 or implement all 3 at the same time but it is in the best interest of the end users to not deploy at the same time to benefit from such technologies.
Let me lay out my suggested process and logic.
Step 1: Device Control
The first technology that should be deployed is Device Control of DLP. I think its necessary to reduce the “loss” surface area and implement some form of immediate control by only allowing authorise data storage devices to be used. This allows IT security to have a basic level of security in place and reduce the risk to a small number of approved device.
Step 2: Data Classification (If Necessary)
Ideally everyone should have data classification in place. But for data classification to be effective, data maps and data flows have to exist. Discussions and planning committees with various data owners and stakeholders must occur to ensure appropriate and common language and understanding ID used to classify data. Having completed with this exercise of classification language, the next phase would include user training and awareness, and classification of pre-existing files and documents. Easily, this process could take months if not a year. Therefore why pay for DLP features when the organisation’s data is only fully understood a while later?
Step 3: Content aware DLP
Now that the organisation has proceeded to classify pre-existing documents and implementation in new ones, content aware policies which apply to classification levels and contraband content can be finally implemented effectively with full understanding of objectives and the data itself. Clarity is now the essence for effective use of the powerful Content Aware features of DLP.
Step 4: IRM
Once classification and Content Aware DLP are in place, the recognition and protection of Crown Jewels is ascertained. Therefore, the next step is to decide the access and permissions to these crown jewels of data, bring to the forefront the power and value of IRM.