Jun 09 2011

Understanding Endpoint DLP

Follow these six tips to protect your network from unwanted data loss.

Endpoint data loss prevention (DLP) essentially works by examining all the data that flows to a user's computer (the endpoint) and deciding what will be allowed based on the organization's policies. It is a powerful tool for protecting sensitive data such as personal, financial and proprietary information.

Although endpoint DLP is conceptually simple, a successful deployment takes time, forethought and effort. Here are six tips that will help you sort out how to proceed.

Tip 1: DLP touches nearly everything, so be prepared. The two biggest potential problem areas for DLP, especially endpoint DLP, are resource use and policy setting. DLP categorizes nearly every piece of information that flows through the system and applies policies to that data, which means it uses a great deal of computing horsepower. In fact, with poorly chosen policies or an inappropriate application, DLP can easily bring a system to its knees. This is especially true in the case of endpoint DLP because of the workload it puts on desktops and notebooks.

Policy setting can be equally frustrating. If DLP policies are not carefully chosen, the network can experience side effects -- for instance, users may be inadvertently blocked from accessing data they need to do their work.

Issues with resource use or policy setting can produce a storm of user complaints. The solution to both of these problems is forethought and careful testing. Policies must be chosen wisely and tested carefully before they are implemented.

Tip 2: Decide what to protect, and how. The first instinct many IT managers have when considering DLP is to protect everything on the network. This is often not feasible, cost-effective or prudent. Instead, decide what kinds of data the organization needs to protect and how tightly that data needs to be covered. Remember that endpoint DLP makes heavy use of computing resources. If the IT department tries to protect too many kinds of data with too many policies, the load can reduce performance to an unacceptable level.

As part of the classification process, it's also necessary to decide what method to use to protect data. Most DLP tools offer several methods of protecting different classes of data. For example, some data might be downloaded only to specific desktops using a role-based scheme. In other cases, the best approach is to prohibit downloading the data to a USB device.

Tip 3: Contact all stakeholders in the organization. When categorizing data and deciding how to protect it, be sure to consult the organization's departments. Setting the categories also requires input from the legal department to determine which laws and regulations apply to the data.

Ideally, the result of this effort will be a list of data categories in order of importance. Because DLP usually is rolled out in stages, the most important data classes should be considered for protection first.

Tip 4: Start small, with targeted data sets. It is best to start with a small, highly focused set of DLP policies applied to a few categories of data. Follow up by rolling out other categories sequentially. Ideally, the first policies should focus on protecting the most critical data, such as personal information.

Tip 5: Test new policies before deployment. Policies are the heart of DLP. Policies classify the kinds of data and determine how they will be handled. In most organizations, policies will change over time as new kinds of data are added and access needs change.

Whether before or after the installation of a DLP system, it is important to test new policies before deployment. Be especially vigilant for unwanted side effects, and make sure the policy actually does in practice what it is intended to do.

One useful feature in most DLP products is the ability to set the system to merely alert the user and the administrator when a policy is breached. This is invaluable in the testing stage because it lets everyone see how a new policy will actually work when implemented.

However, it is unwise to depend solely on this feature. The IT staff needs to check a new policy every step of the way. The alert feature should serve merely as a final check before the new policy goes live.

Tip 6: Don't become overconfident. Finally, remember that DLP is not magic. It doesn't substitute for other security tools, such as a good password policy. IT departments can't slack off on other measures just because they have a successful DLP installation in place.