Why does DLP fail to become a security standard?
The DLP concept suggests that data flow should be monitored and controlled
DLP (Data Loss Prevention)– a term that has been around for more than 15 years, but still fails to establish itself as a proven and trustworthy technology. Why is that?
It all starts with the name – DLP. Is it Data Loss Prevention? Or Data Loss Protection? Or maybe it’s Leakage instead of Loss … It’s difficult to acknowledge something that doesn’t even have a fixed name and for which everyone uses a different set of words. But, to be fair – they all mean more or less the same.
The concept of DLP is exceptional and has become the foundation for many other cyber security mechanisms and tools. Actually, DLP is one of the first examples of data-driven security. It puts the focus on Data and what really happens with it. Many data protection regulations establish specific rules for the use of certain data, such as GDPR (- personal data), HIPPA (- clinical and health data) or, PCI-DSS (- card and transactional data). etc. Implementing an effective DLP system is therefore a huge step toward achieving compliance with most regulations and requirements.
But if the concept is so good and important, why isn’t DLP established as a standard, just as Security Operations Center (SoC) is basically becoming a benchmark for an organization’s cyber security maturity? Let’s take a closer look at how it works to understand why.
How it works
The DLP concept suggests that data flow should be monitored and controlled in order to analyze and understand the information, identify the flow pattern and determine whether this data exchange is allowed or prohibited.
Let’s have a quick example where John is a business analyst and Clair is an HR expert. If Clair sends an ID and a contract to her manager, a good DLP system would know that both she and her manager are allowed to work with such data. If John does the same, the DLP should react, because business analysts are not authorized to work with and exchange personal data. If either John or Clair sends such data outside the organization, the DLP should react again. “React” could mean block the data flow, put the data under “Review” or even allow it while alerting someone. The type of reaction depends on how the company defines its rules and processes.
This dependency on rules explains why DLP is not adopted as a standard: DLP works extremely efficiently in organizations where the rules and processes are strictly defined, and is a nightmare to implement and operate elsewhere.
And to make it even more complicated – what is “sensitive data” or “critical data”? It is specific for each company. One way to overcome this uncertainty is to leverage the data classification that companies have, but let’s be honest – how many companies have good, working and consistent data classification policies?
And that is not all, because we haven’t even mentioned the different DLP implementation scenarios yet –Network DLP, DataCenter DLP, Endpoint DLP and Email DLP, etc.
In summary – implementing an effective DLP can be extremely complicated and troublesome and it works well only if the company has its data under control.
One of the most used ways to exchange data is still via email. In its 25+ years of experience in cyber security, GBS has taken the data-driven security for email to a top-notch level. We provide our customers with numerous pre-defined patterns for data classification, while also giving them the power to create ones that match their specifics. And on top of that, our consultants are always available to help customers define their policies and get the maximum out of implementing this technology. Learn how we can support you with DLP and other email functions as a service within our iQ.Suite aaS. Reach out to us at firstname.lastname@example.org and together we can discuss how DLP can protect your communication!
Author: Pavel Yosifov