Five Tips to Ensure Data Loss Prevention Success

A DLP Experts White Paper
January, 2013

Author's Note: The content of this white paper was developed independently of any vendor sponsors and is the sole work of DLP Experts.

Copyright Notice: The content of this publication is copyrighted 2013 DLP Experts, LLC.

DLP Experts | 760.927.5000 | www.dlpexperts.com | info@dlpexperts.com

1. Understand the Differences Between DLP Technologies

Data Loss Prevention means different things to different people. For the purposes of this white paper, the terms "data loss prevention" and "DLP" refer to systems that detect and protect sensitive data in motion, at rest and in use through advanced content analysis techniques and from within a single management console.

It's not uncommon to find the term "Data Loss Prevention" or "DLP" attached to products found in a neighborhood office supply store, such as power strips, privacy filters, remote data destruction, backup and recovery technologies and USB storage devices. In fact, at the 2011 RSA Conference, 37 vendors used the term "data loss prevention" to describe their products or services in some way. Of those vendors, only 15 provided some form of DLP as we have defined it in this paper. Many vendors want to take advantage of the high visibility of recent data breaches and the resulting product acquisitions made in an effort to lessen those breaches. The unfortunate result of all this is that many organizations select a DLP technology without fully understanding the range of products available, only to discover that the selected technology does not cover all the points through which data may leak.

Generally speaking, there are two levels of DLP technologies: Full Suite and Channel Data Loss Prevention. Full Suite DLP technologies are focused exclusively on the task of preventing sensitive data loss, while Channel DLP solutions make DLP a single feature among a long list of non-DLP functions.

Full Suite DLP Coverage

Most Full Suite DLP solutions were developed with the idea of data loss prevention in mind and include comprehensive coverage for the greatest effectiveness. These solutions provide coverage across the complete spectrum of leakage vectors: data moving through the network gateway (data in motion), stored data on servers and workstations (data at rest), and data at the workstation/endpoint level (data in use). Equally important, Full Suite DLP solutions address the full range of network protocols, including email, HTTP, HTTPS, FTP and other non-specific TCP traffic.

Detection Methodologies

Another critical distinction of most Full Suite DLP solutions is the depth and breadth of their sensitive data detection methodologies. The earliest DLP technologies relied exclusively on pattern matching on text strings, looking for patterns that matched account numbers or a dictionary of words. These early detection methodologies can detect very specific patterns, but often result in a high number of false positives as well. Over time, a number of new detection methodologies have been introduced that have drastically improved the effectiveness of DLP solutions. One critical detection methodology, data fingerprinting, is now common across leading Full Suite DLP vendors. The fingerprinting process can be used on databases (structured data) and files or documents (unstructured data) by initially creating and storing a one-way hash on the DLP system. The DLP solution then analyzes content, compares it with the stored hashes and returns an incident if there is a match. This methodology can be used to accurately identify sensitive database content, such as a last name and account number, as well as exact or partial matches of documents.

Central Management Console

Another unique feature of Full Suite DLP solutions is a central management console for configuring coverage across data in motion, at rest and in use, creating and managing policies, reporting and incident workflow. This sidesteps the need for different management interfaces for each component of DLP, significantly reducing the management overhead of a comprehensive DLP initiative.

Five Tips to Ensure Data Loss Prevention Success Page 2 of 8 2013 DLP Experts, LLC

Channel DLP

Most Channel DLP solutions were designed for some other function besides DLP and were modified to take advantage of DLP's visibility by providing some limited DLP functionality. Some common Channel DLP solutions include email security solutions, device control software and secure web gateways. In each case, Channel DLP solutions are limited both in their coverage and in their detection methodologies. For example, a number of email security vendors, both on-premise and cloud-based, have the capability to scan email content for sensitive data. In most cases, detection methodologies are limited to pattern matching across email. Among other widely-used protocols, such as HTTP, HTTPS and FTP, content is not inspected in any way.

Recommendations

Before researching DLP solutions, first consider where you are vulnerable and add those areas to your requirements list. Frankly, there are very few instances where an organization would decide it is vulnerable to data loss via email, but not via web or endpoint. Our recommendation is to consider only those solutions that meet all technical requirements.

2. An Ounce of Prevention

Key to all of DLP is preventing the transfer of sensitive data outside the network. Prevention sounds like a standard requirement, since the acronym DLP includes the very word. But this is not necessarily the case. To this day, some vendors and DLP-using organizations remain fearful that blocking might inhibit business processes, which could ultimately cost more than the organization might save by protecting its data. Detection alone was acceptable in the early days of DLP, since no one really knew how much sensitive data was actually leaving the secure confines of the network. But as word of data breaches became more frequent in the press, and as organizations implemented first generation DLP products, it became painfully clear that sensitive data was, in fact, leaving the network, and in a big way.

In today's data loss environment, prevention must be part of the solution. Because of the way most DLP solutions are architected, prevention is much easier within some protocols than others. Many organizations have acquired DLP technologies only to find that, in order to derive full benefit from their DLP technology investment, they must also acquire and implement other products. In some cases, vendors overlook disclosure of all that may be required for full integration of a DLP solution in prevention mode.

Blocking Email

For email, many DLP systems can act as an MTA (mail transfer agent), which in itself provides the technological means for selectively blocking or allowing individual email messages. The process is very simple: the email is first routed to the DLP system, where it is inspected for sensitive content. If sensitive content is found, the email is held until released by an administrator (quarantine) or held indefinitely (blocked), depending upon the remediation steps called for by the violated policy.

Blocking HTTP/S and FTP

With other network protocols, however, prevention is not as simple. Most DLP solutions inspect network flow via a SPAN port or network tap. This passive inspection method gives the DLP system a copy of the network traffic, while the original network flow is sent on its way to some web server or other Internet destination. If the DLP system identifies the presence of sensitive data in the copy of the traffic, the original is long gone to its destination and can't be called back.

In order to facilitate a reliable blocking mechanism in this scenario, most DLP solutions make use of a network proxy server via the Internet Content Adaptation Protocol, or ICAP for short. The ICAP proxy is positioned in the network such that all HTTP, HTTPS and FTP traffic is routed through it. The proxy is then configured to communicate all requests via ICAP to the DLP system, which in turn inspects the traffic for policy violations. If no violation is found, the request is allowed to proceed. If a policy violation is found, the proxy can block the request and deliver an explanation to the user. Leading DLP vendors have found this ICAP proxy integration to be the most effective method of blocking web and FTP traffic.

All this assumes that the DLP-buying organization already has an ICAP-compatible proxy server. Organizations that want to block incidents of sensitive data via HTTP, HTTPS and FTP, but do not have a compatible proxy, should be sure to consider the budget requirements for such a purchase along with DLP.

Figure: DLP with ICAP Proxy Integration

3. Understand Available DLP Architectures

DLP solution architecture has not been a common consideration for DLP-buying organizations. Perhaps this is due to the fact that DLP is generally considered to be a complex technology, not to mention the widely accepted assumption that DLP solutions are very similar architecturally.
It is true that DLP solutions are complex technologies, since they approach the problem from three very different angles: at the gateway, stored data and the endpoint. Each approach necessitates a distinctive technological tack, so it is not an insignificant task to pull them all together into a single solution with common policy engines, detection engines and management interface. The assumption that all DLP solutions share a similar architectural approach, however, is simply incorrect. What differentiates one DLP solution from another architecturally can be very significant. The majority of DLP solutions, especially among first generation vendors, have adopted complex architectures that have not changed much since 2005. In fact, these architectural models were deliberately chosen as the only effective means to support the largest and most data-driven enterprises in the world.
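The ICAP exchange described under "Blocking HTTP/S and FTP" above, as an added example that is not part of the DLP Experts paper or any vendor's product: a proxy wraps an outbound HTTP POST in an ICAP REQMOD request (RFC 3507), the DLP side inspects the encapsulated body and answers either "204, forward it unchanged" or a replacement HTTP 403 response that the proxy shows the user instead of sending the upload. The ICAP service URL, host names, ISTag value and the sample upload are constructed, and the content check is a placeholder regular expression standing in for a real detection engine.

```python
import re

# Constructed values for this example. ICAP requires an ISTag on every
# response; it identifies the policy version under which the decision was made.
ISTAG = b'"dlp-demo-policy-1"'
# Placeholder content check standing in for the DLP engine: an SSN-shaped number.
SENSITIVE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def chunk(body: bytes) -> bytes:
    """Encapsulated bodies in ICAP use HTTP chunked encoding."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def parse_chunked(data: bytes) -> bytes:
    """Decode a chunked body: <hex size>CRLF<data>CRLF ... 0 CRLF CRLF."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data


def parse_reqmod(raw: bytes):
    """Split a REQMOD request into its ICAP headers, the encapsulated HTTP
    request header block and the decoded request body."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the ICAP request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # "Encapsulated: req-hdr=0, req-body=N" gives byte offsets into the section
    offsets = {}
    for item in headers[b"encapsulated"].split(b","):
        name, _, value = item.partition(b"=")
        offsets[name.strip()] = int(value)
    hdr_start = offsets[b"req-hdr"]
    if b"req-body" in offsets:
        http_hdr = encapsulated[hdr_start:offsets[b"req-body"]]
        body = parse_chunked(encapsulated[offsets[b"req-body"]:])
    else:  # "null-body": the request carried no body (e.g. a GET)
        http_hdr = encapsulated[hdr_start:offsets.get(b"null-body", len(encapsulated))]
        body = b""
    return headers, http_hdr, body


def icap_response(allow_204: bool, http_hdr: bytes, body: bytes, violation: bool) -> bytes:
    """Build the DLP side's answer to the proxy."""
    if not violation:
        if allow_204:
            # The proxy offered "Allow: 204": tell it to forward the request untouched.
            return (b"ICAP/1.0 204 No modifications needed\r\nISTag: " + ISTAG +
                    b"\r\nEncapsulated: null-body=0\r\n\r\n")
        # Otherwise the unmodified request has to be echoed back in full.
        return (b"ICAP/1.0 200 OK\r\nISTag: " + ISTAG +
                b"\r\nEncapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr) +
                http_hdr + chunk(body))
    # Policy violation: hand the proxy an HTTP 403 response in place of the
    # request, so the upload never leaves and the user sees an explanation.
    page = b"Blocked by DLP policy: this upload contains sensitive data.\n"
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               b"Content-Length: %d\r\n\r\n" % len(page))
    return (b"ICAP/1.0 200 OK\r\nISTag: " + ISTAG +
            b"\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr) +
            res_hdr + chunk(page))


def handle_reqmod(raw: bytes) -> bytes:
    """DLP server side: parse, inspect, decide."""
    headers, http_hdr, body = parse_reqmod(raw)
    allow_204 = b"204" in headers.get(b"allow", b"")
    return icap_response(allow_204, http_hdr, body, bool(SENSITIVE.search(body)))


def build_reqmod(http_hdr: bytes, body: bytes, allow_204: bool = True) -> bytes:
    """Proxy side: what an ICAP-capable proxy sends for an outbound POST.
    The service URL and host name are placeholders."""
    allow = b"Allow: 204\r\n" if allow_204 else b""
    return (b"REQMOD icap://dlp.example.internal/reqmod ICAP/1.0\r\n"
            b"Host: dlp.example.internal\r\n" + allow +
            b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr) +
            http_hdr + chunk(body))


# Constructed outbound upload as the proxy would see it (no real destination).
UPLOAD_HDR = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
              b"Content-Type: text/plain\r\n\r\n")
CLEAN_BODY = b"quarterly roadmap draft, nothing regulated"
LEAKY_BODY = b"applicant Marsh, SSN 457-55-5462"

if __name__ == "__main__":
    for body in (CLEAN_BODY, LEAKY_BODY):
        print(handle_reqmod(build_reqmod(UPLOAD_HDR, body)).decode(errors="replace"))
```

The point the paper makes is visible in the two code paths: only because the proxy holds the request until the ICAP answer arrives can the 403 take the upload's place; a SPAN or tap feed could at best log the same match after the fact. Note also the `Allow: 204` handling: a proxy that does not offer 204 must receive the whole request back, which is one of the reasons a non-ICAP proxy cannot simply be pointed at a DLP system.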

Modular, Multi-Server DLP Architecture

In order to meet the needs of these large enterprises, early DLP vendors adopted a modular approach to creating their software. This modular approach allowed vendors to create new and separate software components as the marketplace demanded, offer buyers just one or all components, and maintain critical revenue streams from existing modules. For example, initial DLP technologies provided for only monitoring, not blocking, of outbound traffic. Once organizational users of these products determined that sensitive data was indeed leaving their network, they required some way to stop the flow of this information. Vendors responded by creating a new component for blocking email, another new component for blocking HTTP and FTP, and so on. The result is the modular, multi-server architecture favored by many of the leading DLP vendors today, as shown in Sample Architecture 1, below.

Sample Architecture 1: Modular, Multi-Server Approach

The modular, multi-server approach was useful in supporting the world's largest enterprises (the initial buyers of DLP technologies); however, such an architecture can prove very daunting for smaller organizations. While some components support virtual deployment, many do not, resulting in multiple servers and a distinct database installation to support. This often means added costs for hardware, support and maintenance, not to mention license costs for each separate DLP component.

Unified DLP Architecture

Today, the largest and most data-driven enterprises in the world are not the only buyers of DLP technologies. As such, some DLP vendors have set out to simplify the traditional DLP architecture. The result is a single appliance solution that maintains core DLP features and integrates in the same way with an organization's existing network infrastructure, but does so with a fraction of the complexity of first generation DLP solutions.

Sample Architecture 2: Unified DLP Approach

The single appliance houses the same core DLP components as its more complex cousins, including a comprehensive management platform, data in motion, data in use and data at rest functionality, full blocking capability and a self-contained incident database. The Unified DLP Architecture approach is proven to support data protection across thousands of users with a single appliance. Multiple appliances can be deployed at other network egress points for increased coverage across many gateways, all managed through a single web-based console.

From a cost standpoint, savings are derived from reduced management overhead and the need for fewer servers. In addition, these solutions typically require fewer licensed components, further reducing cost when compared to solutions adhering to the modular, multi-server architectural approach to DLP. When researching DLP requirements, carefully consider not only DLP features and functionality, but also which architectural approach best meets the needs of the target organization.

4. Beware of Professional Services

As if the architectural complexity of most DLP technologies wasn't bad enough, there is another level of complexity to face in the deployment of the DLP solution. DLP vendors or their solution integrators provide professional services in order to ensure complete and effective implementations of their solutions. However, these implementation costs can run up the total solution cost by as much as 50%, so it's important to know what you are paying for. Below are a few tips to ensure your organization gets the service it expects.

Know what's included in the cost. Ask for a detailed quote showing what implementation services will be provided and the number of hours for each line item.

Know what policies will be created. Clarify which policies will be included in the implementation and consider every type of violation you can think of across all components of data in motion, in use and at rest. Take advantage of onsite expertise; it may be more difficult to find help after the solution provider leaves your site.

Confirm the provider's capabilities. Before committing to your solution provider for implementation, be sure they have the technical skills to meet all deployment requirements. Situations where solution providers could not complete the agreed-upon deployment are more common than they should be, and many organizations have been burned as a consequence.

Confirm detection methods. As explained previously, there are many different detection methods available, and they are not created equal. The more effective the detection method, the more difficult it is to deploy, and the more hesitant the solution provider may be to take the time to implement it. For example, in working with personally-identifiable information (PII), there are two main detection methods that can be used to detect a US Social Security Number (SSN). The first involves a simple regular expression (regex) looking for a 9-digit number. All DLP solutions include this simple regex right out of the box, and configuration is very minimal. However, this simple regex pattern is not the most effective method for accurately identifying an SSN, and the false positive rate is very high, especially across HTTP. The much more effective method is to fingerprint actual SSNs and last names from an organization's database. In some cases, an SSN by itself may not even constitute a data breach, while the same SSN combined with the corresponding person's last name would. While not overly complex, setting up this detection method often requires involvement from an organization's database administrator and may require read-only access to the database in question. As a result, it can cause some internal wrangling and delays. Consequently, solution providers sometimes overlook especially cumbersome deployment options, or do not include them in their quotes, in order to keep costs down and the sale alive.

Know what integrations will be made with existing infrastructure. In order to facilitate email encryption or blocking of email and HTTP/HTTPS/FTP, integration with an organization's existing infrastructure is required. Confirm with your solution provider that these integrations will be completed as part of the deployment. Understand, however, that it's unlikely the solution provider will be willing to make direct changes to an organization's encryption, email or web security systems unless this is explicitly covered in the statement of work. Additionally, the organization's experts in these fields should be ready and available to support the integrations.
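The two SSN detection methods contrasted above, and the database fingerprinting process introduced under "Detection Methodologies" in tip 1, side by side as an added example (written for this page, not code from DLP Experts or any DLP vendor). The sample "HR database" rows and the messages scanned are constructed and belong to no real person; the fingerprint key is a placeholder. The paper only says the fingerprint is a one-way hash; keying that hash with a per-deployment secret (HMAC-SHA256) is this example's design choice, so that a copied fingerprint store cannot be reversed by hashing every possible 9-digit SSN against a surname list.

```python
import hashlib
import hmac
import re

# Constructed sample rows from a hypothetical HR database: (last name, SSN).
SAMPLE_DB = [
    ("Okafor", "078-05-1120"),
    ("Lindqvist", "219-09-9999"),
    ("Marsh", "457-55-5462"),
]

# Assumed per-deployment secret (placeholder). Keying the hash is this
# example's choice; the paper only specifies a one-way hash.
FINGERPRINT_KEY = b"constructed-demo-key-change-me"

# The paper's "simple regex": any 9-digit number, optionally with SSN dashes.
SIMPLE_SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize_ssn(raw: str) -> str:
    """Strip separators so 457-55-5462 and 457555462 fingerprint identically."""
    return re.sub(r"\D", "", raw)


def fingerprint(*fields: str) -> str:
    """One-way fingerprint of a record: canonicalise, join, keyed SHA-256."""
    canonical = "|".join(f.strip().lower() for f in fields)
    return hmac.new(FINGERPRINT_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def build_fingerprints(rows):
    """Index step run against the database (read-only): only the hashes of
    (last name, SSN) pairs are stored on the DLP system, never the raw values."""
    return {fingerprint(last, normalize_ssn(ssn)) for last, ssn in rows}


def regex_hits(text: str):
    """Detection method 1: pattern matching alone. Fires on any 9-digit number."""
    return SIMPLE_SSN_RE.findall(text)


def fingerprint_hits(text: str, fingerprints):
    """Detection method 2: each SSN-shaped token is paired with every word in
    the message and looked up in the fingerprint store; only a genuine
    (last name, SSN) pair from the database produces an incident."""
    words = re.findall(r"[A-Za-z]+", text)
    hits = []
    for match in SIMPLE_SSN_RE.finditer(text):
        ssn = normalize_ssn(match.group())
        for word in words:
            hit = (word, match.group())
            if fingerprint(word, ssn) in fingerprints and hit not in hits:
                hits.append(hit)
    return hits


def scan(text: str, fingerprints):
    """Run both methods over one message so their verdicts can be compared."""
    return {"regex": regex_hits(text), "fingerprint": fingerprint_hits(text, fingerprints)}


# Constructed messages: a tracking number (regex false positive), a real
# name+SSN pair (true positive for both), and an SSN with no name attached.
MESSAGES = [
    "Tracking number 123456789 will arrive Tuesday",
    "Per HR, the SSN for Marsh is 457-55-5462, please update payroll",
    "SSN 457-55-5462 is attached to the form",
]

if __name__ == "__main__":
    store = build_fingerprints(SAMPLE_DB)
    for msg in MESSAGES:
        print(msg, "->", scan(msg, store))
```

The regex reports all three messages; the fingerprint store reports only the second, because the third carries an SSN with no matching last name nearby, which is exactly the case the paper says may not constitute a breach on its own. The price of that precision is also visible: `build_fingerprints` has to be run against the production database, which is the DBA involvement and read-only access the paper warns will be negotiated, not assumed.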

5. Understand Hardware Requirements for Complete Deployment

It is not uncommon for an organization to acquire DLP technologies only to find out that there are additional hardware costs or unanticipated architectural requirements. One DLP buyer lamented the huge personal political capital it had cost him when unexpected DLP hardware requirements overran his budget. DLP buyers should note that many vendor proof of concept architectures are significantly dumbed down to simplify deployment and initial usability. After purchase, buyers find that requirements call for multiple additional servers or appliances and virtual machines. These unforeseen hardware requirements can derail a project or significantly impair critical expected features.

When considering DLP technologies, require that each vendor provide a complete architectural map, including all hardware, existing and new, required for the desired deployment. This will provide a better understanding of vendor differences and set realistic expectations for budgets. A final recommendation is to confirm that the buying organization currently has the correct infrastructure to support the potential requirements of encryption and blocking for web and email.

About DLP Experts

DLP Experts is a Value Added Reseller focused exclusively on technologies to support the safeguarding of sensitive data. The company's mission is to provide organizations with a complete, unbiased view of the data protection marketplace, available technologies and a vendor-agnostic approach to finding solutions that match technical and budgetary requirements. This is accomplished using a unique methodology that views data protection as a process, not a technology silver bullet.