While many businesses, health care providers and government agencies have purchased data leakage prevention products, the complexity of DLP products, coupled with the time and effort required to deploy and maintain them, has prevented their widespread adoption. However, DLP vendors have been adopting a wide variety of approaches to reduce deployment time and effort, while offering different levels and types of protection.
Resellers and integrators can fill a critical role in helping customers select the product that best fits their requirements, and in this tip, we'll discuss DLP strategy, including deployment and maintenance, for security solution providers.
DLP products offer a variety of features. Some products scan network traffic to prevent confidential data from being sent to unauthorized destinations, while others scan servers to identify and tag confidential data. There are also products that reside on laptops to prevent data exposure while disconnected from the corporate network.
Large vendors offering data leakage prevention products include CA Technologies Inc., McAfee Inc. and Symantec Corp. Smaller DLP-focused vendors include Code Green Networks Inc., Fidelis Security Systems Inc. and Websense Inc.
Data leakage: A multifaceted problem
The data leakage problem is inherently complex because data can leave through many paths. In addition to the highly publicized hacker attacks, data leakage occurs when employees, deliberately or inadvertently, email confidential data, upload it via FTP or the Web, send it by text message, or copy it to a CD or USB key.
Putting a data leakage prevention product in place can help prevent such leakage, but deciding which data to block is not a simple problem. For example, all U.S. Social Security numbers have nine digits, but not all nine-digit numbers are Social Security numbers, so a rule that matches on format alone blocks order numbers and phone numbers along with real SSNs. Identifying intellectual property is harder still. Social Security numbers and credit card numbers at least have a known format and structural rules that weed out obvious non-matches; policies to identify unique or proprietary data, such as product plans or design specifications, must be created by each DLP customer based on the type of information that needs to be protected.
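To show how much a structural check cuts the false positives of a pure format match, here is an added example (not code from any vendor or from the original article) that scans text for SSN and credit card candidates and keeps only those that survive the rules the formats actually carry: the Social Security Administration never issues area numbers 000, 666 or 900 to 999, group 00 or serial 0000, and payment card numbers carry a Luhn check digit. The sample text is constructed; the one number it keeps as an SSN is a made-up value, and 4111 1111 1111 1111 is a well-known test card number.

```python
import re

# Nine-digit candidates, plain or 3-2-4 grouped, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# 13 to 19 digits with optional space or dash separators, as card candidates.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message mixing real-looking and impossible values.
SAMPLE = ("SSN 123-45-6789 on file; order 987654321; "
          "invalid 000-12-3456 and 123-00-4567; "
          "card 4111 1111 1111 1111, tracking 4111111111111112")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor is group 00 or serial 0000. Passing means 'could be an SSN',
    not 'is an issued SSN'; that is as far as format alone can take you."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return the candidates that pass validation, grouped by data type."""
    hits = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits["card"].append(m.group(0))
    return hits


if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
```

On the sample, the order number 987654321 is rejected because its first three digits fall in the never-issued 900 to 999 range, the two obviously malformed SSNs are dropped, and the tracking number that differs from the test card by one digit fails Luhn; only 123-45-6789 and the test card survive. A nine-digit order number starting with, say, 400 would still get through, which is why the structural check reduces false positives rather than eliminating them.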
Time-consuming deployment and maintenance procedures
Many vendors' early DLP strategy was simply to combine existing point products. Some vendors with existing email monitoring products combined them with Web monitoring and antivirus products, added DLP-specific features, and released the combination as a "DLP solution."
The problem was that each component -- email, Web and antivirus -- needed to be individually installed, configured and monitored. Policies defining the data types to be blocked needed to be entered for each component, often in different formats. Multiple appliances were required. Some products required that a database product, such as Oracle, be installed to support the DLP solution.
Current products reduce deployment time and maintenance effort
Vendors have taken a variety of approaches to create products that deliver results quickly and reduce demand for staff effort, such as:
- Focusing on a single function or the single most likely path through which data can be lost.
- Delivering the product in an appliance with all necessary components (operating system, database and DLP applications) preinstalled.
- Providing a wide assortment of prebuilt policies, including policies for common requirements, such as PCI DSS or HIPAA compliance, and tools to help create customer-specific policies for data such as intellectual property.
- Providing a process to configure and deploy leak protection for one path at a time.
Limiting complexity by limiting functions
A product with limited functions may suit the needs of some customers. For example, a company without an interactive website need not be concerned about protection from Web hackers, but its employees may still leak data by email, whether deliberately or after falling for a phishing message. In this case, a product targeted solely at email may be sufficient, such as cloud-based email protection from Proofpoint Inc. that scans outgoing mail for confidential data and can encrypt mail sent to trusted partners.
Dataguise Inc. offers products that don't block communication channels but instead reduce the chance of exposure by shrinking the amount of confidential data in circulation. This is accomplished by scanning the network for files containing sensitive data and masking critical items, such as names and parts of credit card numbers, in the copies that leave production. The full content of files must be retained for production processing, but it is not needed for application development, quality assurance or for generating reports such as product sales patterns.
Delivering DLP in an appliance eliminates the time needed to install and configure individual components. Some vendors of appliance-based products ship customers a hardware appliance with all software components preinstalled. Other vendors deliver their product as a single bootable image that can be quickly installed in a customer-owned appliance.
In each case, preinstalled or downloaded, the operating system and other necessary components are preconfigured with the parameters required for optimal DLP application performance. Customer configuration is typically reduced to network settings such as an IP address, plus the policy selection described below.
Prebuilt policies and tools achieve quick results
Fidelis Security Systems and Websense products are delivered with prebuilt policies to address common customer requirements. For example, a retailer accepting credit cards selects a policy designed to meet PCI DSS requirements while a medical provider chooses a policy for HIPAA compliance. Customers can begin operating with the prebuilt policy, which over time, they can customize to meet specific requirements.
Code Green Networks provides tools to identify database-resident sensitive data by comparing cryptographic hashes of database elements with hashes computed on elements in the outgoing data stream. A server-based tool periodically scans each database and computes a hash of each element, so the network sensor holds only hashes rather than a copy of the customer data. The network scanning component then hashes candidate fields in outgoing traffic and looks them up against that set. For this to work, both sides must hash the same normalized form of a value (for example, with spaces and dashes removed), or trivial reformatting of a card number will evade the match. If the lookup detects an event such as a customer name followed closely by a credit card number, the outgoing data can be blocked.
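The following is an added example of that hash-matching approach, written for this article and not Code Green's own code. Two hypothetical customer records stand in for the database, the index key is a made-up value, and the outgoing messages are constructed. It uses HMAC-SHA256 rather than a bare hash so that someone who obtains the index cannot enumerate card numbers against it, and it applies the article's correlation rule: block when a known customer name is followed within a few tokens by a known card number.

```python
import hashlib
import hmac
import re

# Constructed sample "database" rows (not real people or real card accounts).
CUSTOMER_DB = [
    {"name": "Ada Lovelace", "card": "4111111111111111"},
    {"name": "Grace Hopper", "card": "5500000000000004"},
]
# Hypothetical secret for the fingerprint index; generate per deployment in practice.
INDEX_KEY = b"rotate-me-per-deployment"
WINDOW = 10  # maximum token distance between a name hit and a following card hit


def normalize(value: str) -> str:
    """Same canonical form on both sides: case-fold and drop spaces and dashes,
    so 'Ada  Lovelace' and '4111 1111 1111 1111' hash like their database cells."""
    return re.sub(r"[\s-]+", "", value).lower()


def fingerprint(value: str) -> str:
    """Keyed hash of the normalized value; the key keeps the index from being
    brute-forced if it is stolen from the network sensor."""
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(rows) -> dict:
    """Server-side step: hash every cell and keep only hash -> column name."""
    index = {}
    for row in rows:
        for column, value in row.items():
            index[fingerprint(value)] = column
    return index


# Words, or digit runs that may contain internal spaces and dashes.
TOKEN_RE = re.compile(r"[A-Za-z']+|\d(?:[\d -]*\d)?")


def scan(text: str, index: dict, max_words: int = 3) -> list:
    """Network-side step: hash every 1..max_words token phrase of the outgoing
    text and look it up. Returns (token_position, column, matched_text) hits."""
    tokens = TOKEN_RE.findall(text)
    hits = []
    for i in range(len(tokens)):
        for n in range(1, max_words + 1):
            if i + n > len(tokens):
                break
            phrase = " ".join(tokens[i:i + n])
            column = index.get(fingerprint(phrase))
            if column:
                hits.append((i, column, phrase))
    return hits


def decide(text: str, index: dict) -> dict:
    """Block only when a known name is followed within WINDOW tokens by a known card."""
    hits = scan(text, index)
    names = [pos for pos, col, _ in hits if col == "name"]
    cards = [pos for pos, col, _ in hits if col == "card"]
    for n in names:
        for c in cards:
            if 0 < c - n <= WINDOW:
                return {"action": "block", "hits": hits}
    return {"action": "allow", "hits": hits}


if __name__ == "__main__":
    index = build_index(CUSTOMER_DB)
    print(decide("Hi Ada Lovelace, your card 4111 1111 1111 1111 was charged", index))
    print(decide("Grace Hopper chaired the meeting on 12 May", index))
```

The first message is blocked because the name hashes to a known cell and the card number, despite its spacing, normalizes to the same value as the database cell four tokens later; the second is allowed because "12" is not in the index and a name on its own does not trip the rule. A stricter policy would block any card hit regardless of context; the trade-off is more false positives on internal traffic that legitimately carries account data.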
Address one path at a time
Typically, DLP customers are primarily concerned with data that may leak out via the Internet. The best first step is to install a DLP appliance behind the firewall with all outgoing traffic passing through it. Traffic the client encrypts end to end is opaque to such an appliance unless it is routed through a decrypting proxy, so the first policy review should confirm which channels are actually being inspected. After observing the results, customers can refine their policies to address additional requirements or reduce false positives.
For some customers, this initial step of blocking leakage to the Internet will be sufficient. Others will need to then address other sources of leakage with a "full" DLP implementation, which of course presents additional opportunities for solution providers.
The next step may be to help customers isolate employees from data not required for their jobs. Some appliances offer additional network ports that can be connected to switches, separating portions of the internal network. An appliance monitoring internal network traffic could prevent customer data from moving to the portion of the network supporting the HR department.
The final step will be to help customers install software on workstations and laptops to protect against data leaks when off the corporate network or via removable media such as CDs or USB keys.
A broad variety of data loss prevention products are available to reduce the possibility of data leaks. The challenge for solution providers is to understand their customers' specific requirements and match products to their exact needs. For channel partners and resellers, addressing customer needs with DLP products is a tremendous opportunity.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.