In the wake of several recent regulatory changes and the rise in popularity of social networking sites, the use of data leakage or data loss prevention (DLP) solutions has become crucial for organizations. However, the selection of the right DLP tool is not that easy, so we will identify critical aspects which need to be kept in mind while evaluating DLP solutions.
If an organization handles customer data (especially personally identifiable data) and IPR, then a DLP solution becomes a must. A DLP solution can also be useful as a part of the company policy or to maintain a sound and safe enterprise culture.
Find out what needs to be protected: Before actually starting the evaluation of DLP solutions, an enterprise must carry out a business impact analysis (BIA) to assess the risk to its information assets. In order to do this, an organization will need to prepare an asset inventory including details about its assets, the people who are authorized to access them, and the legal obligations attached to these assets. Based on this, an organization can determine the risk to each asset as well as its exposure value. This exercise helps to identify what needs to be protected, against whom, and also the data loss expectancy. It will help the organization to come up with a specific DLP policy defining a set of rules, controls and procedures.
Prepare a checklist of desirables: Based on the BIA, prepare an exhaustive checklist of desirables from the DLP solution. You must know what you want to buy. The following are some of the key criteria that can be kept in mind while evaluating DLP solutions.
• Ease of installation and use.
• Richness of report: Most of the DLP solutions available in the market provide a basic framework for all compliance requirements. However, if you are required to meet specific compliance requirements such as HIPAA or SOX, then ensure that the DLP solution in consideration offers compliance-mapping capabilities.
• Flexibility for setting rules/policies: All DLP solutions come laden with a set of rules. However, depending on your business and clients, you may need to set more rules for data security. Thus, the DLP tool needs to be flexible enough to accept such rule setting and changes.
• Number of devices required: The fewer the devices required for log collection and correlation, the fewer the false alarms and manageability issues. The DLP solution's cost of ownership will also reduce.
• Integration capability: Some organizations may have already made an investment in point DLP solutions, so during the evaluation process you must check whether the new DLP solution offers seamless integration with the existing solutions. Integration with Microsoft Active Directory can also be an important criterion, because it allows centralized control for policy enforcement.
• Offline use of mobile devices and log synchronization: Make sure that the DLP solution is able to provide protection to mobile devices and laptops especially when they are outside the enterprise network.
Content validation over different ports (HTTP, FTP, MSN, USB, serial, parallel, infrared, etc.), and blocking end users from disabling the tool's agent are some of the other criteria to be kept in mind during evaluation of DLP solutions.
Understand the types of DLP solutions: DLP solutions are mainly available in two forms: network and endpoint. Several factors and parameters can affect your choice of network or endpoint DLP solutions. For example, productivity loss can be one of the parameters. If several employees in the organization watch videos or surf the Internet during working hours, this not only consumes a lot of bandwidth, but also reduces their productive time. In such cases, the organization can go in for a network-based DLP solution to restrict the misuse of its network resources.
Another scenario could be that people may try to copy corporate IPR (such as software code) onto their private USB drives while leaving the company. In such cases, the organization will require an endpoint DLP solution; banning USB usage may not solve the problem. So select a DLP tool which offers you the appropriate surveillance capability.
Vendors nowadays are providing both network and endpoint capabilities in one solution. Going for all the capabilities from one vendor can be more cost-effective, plus monitoring becomes very easy. Besides, there will be no need to integrate DLP solutions from different vendors and carry out correlation between two events. There has been significant evolution in DLP solutions in the past few years, and content-aware DLP solutions have emerged as an important technology. Content awareness basically refers to the ability to look deep into content and understand it.
Do a proof of concept: It's always advisable to undertake a proof of concept (POC) of the DLP tool you have decided to adopt. While doing the POC, keep track of the resources (IT as well as people), processes and time being utilized, because they can impact the organization's productivity. Finally, be a part of the DLP implementation: do not leave it to the vendors.
About the author: Kaushal Chaudhary is the CISO of NIIT Technologies, and has recently carried out a detailed evaluation of DLP solutions.
(As told to Dhwani Pandya)