Despite the cost and complexity of writing and tuning rules, data loss prevention (DLP) tools can make sense for many midmarket IT organizations. DLP is a solid security technology that not only catches sensitive data leaving the organization via various routes, but also reveals insecure data management practices.
This is key for smaller companies that store and handle personally identifiable customer and employee information, especially those subject to the 40-plus state data breach notification laws and regulations such as HIPAA and PCI DSS.
DLP can be a pretty straightforward implementation for the midmarket, and ultimately requires relatively little care and feeding if your requirements are straightforward. More so than enterprises, midmarket companies can fairly easily locate and define what sensitive data needs protection. Enterprises have to deal with multiple departments, business units and locations, sprawling partner and outsourcing relationships, hundreds of applications and no clear picture of where all their sensitive data -- and every instance of that data -- resides.
"SMBs that have easily defined sensitive data requirements and an obvious need to protect it should look at single-channel DLP," said Gartner analyst Paul Proctor. "You can have a very narrow implementation around that easily defined data."
For example, credit unions can focus on account names and numbers, with simple rules prohibiting them from being sent via email or other Internet channels. DLP can automate detection of those violations.
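The kind of single-channel rule described above, as an added example written for this article (not code from Code Green, Palisade or any vendor named here): it scans constructed outbound email for 16-digit card-style numbers leaving an assumed internal domain, and applies a Luhn checksum so that invoice references and similar digit strings do not become the false positives that drive the "fine tuning" discussed later. The domain name and the sample messages are assumptions.

```python
import re

INTERNAL_DOMAIN = "example-cu.test"  # assumed internal mail domain (constructed value)

# 16 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_valid(digits: str) -> bool:
    # Luhn checksum: rejects most random 16-digit strings (invoice refs, IDs) the regex alone would flag.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_account_numbers(body: str) -> list[str]:
    # Candidate numbers that match the pattern and pass the checksum.
    hits = []
    for m in CARD_PATTERN.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def scan_outbound(messages: list[dict]) -> list[tuple[str, str, str]]:
    # The single-channel rule: no valid card numbers in mail leaving the internal domain.
    # Each finding is (sender, recipient, masked number); only the last four digits are
    # kept so the alert record itself does not leak the number.
    findings = []
    for msg in messages:
        if msg["to"].rsplit("@", 1)[-1] == INTERNAL_DOMAIN:
            continue  # internal mail is out of scope for this rule
        for digits in find_account_numbers(msg["body"]):
            findings.append((msg["from"], msg["to"], "*" * 12 + digits[-4:]))
    return findings

# Constructed sample traffic; the card-like number is a well-known test value, not real data.
SAMPLE_OUTBOUND = [
    {"from": "teller@example-cu.test", "to": "friend@mail.test",
     "body": "Card on file is 4111 1111 1111 1111, can you check it?"},
    {"from": "ops@example-cu.test", "to": "vendor@partner.test",
     "body": "Invoice ref 1234567890123456 attached."},  # 16 digits but fails Luhn
    {"from": "hr@example-cu.test", "to": "staff@example-cu.test",
     "body": "Internal: member card 4111 1111 1111 1111 updated."},  # internal, not flagged
]
```

Running `scan_outbound(SAMPLE_OUTBOUND)` yields a single finding for the teller-to-external message; the other two are filtered by the checksum and the domain rule respectively.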
"You need to do due diligence; it was an obvious weak point," said Rob McGee, director of information security at First Technology Credit Union in Oregon. He uses Code Green Networks TrueDLP. "We had no control for data leakage; we would be none the wiser if there was a breach."
If you have policies, for example, that say employees will not send sensitive data over unsecured channels, ask yourself if you have any controls to enforce those policies. If the answer is no, the next step is to research vendors and bring them in for demos.
"Having policy without control is like having a paper champion," said McGee.
Credit unions are prime candidates for DLP -- they've been a big part of Code Green's business. Part of the reason is the National Credit Union Administration's security guidelines for compliance with Gramm-Leach-Bliley. The guidelines call for a comprehensive information security program which, among other things, must apply appropriate controls to ensure the confidentiality and integrity of member information and transactions, and must test key procedures and controls (something DLP can be used to test and report on).
But another strong criterion in the decision to implement DLP is the ratio of assets to staff. Credit unions have a small staff, a large number of members and thousands if not millions of records to protect. If this sounds like your organization, it's a good candidate for DLP.
"SMBs can hold the problem in their hand," said Rod Murchison, VP of marketing and strategic alliances at Code Green Networks. "Even though they have limited staff, they can see where all databases are, where file servers are."
On the other hand, Gartner's Proctor cautions, if a smaller business can't define its requirements clearly and simply, it may want to shy away from DLP and leave it to the bigger enterprises that have the money and resources to invest in large, lengthy projects.
"If you have simple requirements, yes," he said. "If complicated sensitive data requirements, then, no."
EVALUATING DLP AND SELLING MANAGEMENT ON THE BENEFITS
Automation and price point are both key when evaluating data loss prevention tools. Assuming you have straightforward requirements that make DLP feasible for your organization, you should:
- Determine if there are templates for the type of data you want to monitor.
- Look for automation features, such as self-remediation, to take the burden off your small staff.
- Find a product that has an intuitive interface and is easy to use. You don't have time and neither does your staff. Further, in a small organization, your help may be inexperienced, which puts even more pressure on you.
- Pick a reasonably priced product that meets your requirements in one package. Even lower-priced DLP isn't cheap; $25,000 is pretty typical. But higher-end products are clearly geared to complex enterprises and will likely be beyond your price range.
Expect some fine-tuning, but DLP shouldn't be a significant burden to your small staff.
"As data and traffic changes, there's always going to be some fine tuning," said McGee. "Too many zeros and ones pass through your network not to expect to tweak it, but it doesn't eat up life."
Once your evaluation is complete, one of the best ways to convince management that DLP is worth the money is to bring one of these products in house for a test drive.
Steve Rousch, director of information services at Gibson General Hospital in southern Indiana, uses Palisade Systems' PacketSure, primarily for HIPAA enforcement.
"Protecting health information has been one of our biggest goals," Rousch said. "HIPAA is one of our biggest things; we live and breathe that."
Rousch said his CEO and CFO are pretty tech and security savvy, but he had to convince them they had broken processes that were letting sensitive data outside the hospital. A product demo and concurrent security assessment changed their perspective.
"Their eyes were opened," Rousch said.
First Technology Credit Union's McGee added: "Find a vendor that will send in an engineer, hook it up and use it to justify that the data you want to protect is worth the purchase."
In the end, DLP is about addressing the problems that allow sensitive data to move outbound. Are your policies straightforward? Check. Is your data easy to define? Check. Can you locate all your data sources? Check.
The job doesn't end with monitoring, detecting and reporting.
"You have to develop simple processes for dealing with detected incidents, because DLP will find them," said Gartner's Proctor. "You have to be willing to change the broken business processes, changing practices that are causing incidents."