By Maya R Nair, Head - Information Security, a leading telecom company
The amount of data that comes into the company network and the amount of data that leaves it is overwhelming. Since most of us still don’t know how much it is, perhaps we are better off. Just pause for a moment and think. What are the avenues available for data to leave the company network? To know that, we need to know where the data resides. Do we know all the places where the company’s data resides? Is it held on a piece of semiconductor or on magnetic media? Do we still rely on old-fashioned papyrus? And finally, how much data is stored in the grey matter between the two ears? Unfathomable, isn’t it?
When you think about a DLP (Data Loss / Leakage Prevention) solution, think of all the places where data is stored electronically. This may be within the company network and on company assets. It may be on leased assets, which are to be returned after a certain period of time. It may be on the cloud; it may be at a partner’s premises on the partner’s assets. The smaller the spread, the easier it is to control. Reduce the spread if it is unwarranted. However, if the business needs this spread, so be it.
Look at the tools available in the market. Check out the ratings given by neutral third-party rating agencies, and also check with industry peers who run a similar business or have a similar scale of operation. Seriously evaluate 2-3 products before you zero in on any one. In addition to the product features, which will be similar among the available products, look for local / remote support, customization of reports, recurring expenses and hidden costs, if any.
Think of all the avenues for data to exit from all the sources. The crux of the matter is “all the sources”, and not just the prominent ones. Include all the gateways: the email gateway, the internet gateway, connections to the partner / dealer / distributor networks, etc. Cover all the gateways with the DLP agent. While a phased approach works most of the time, with DLP it is best to cover the endpoints in the initial rollout itself. Unless you cover all the endpoints, be it laptops, desktops or any other mobile device that connects to the corporate network, you will not be in a position to get a 360-degree view of what is going on. As the saying goes, what the CISO doesn’t know doesn’t hurt. Is it, really?
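The coverage question above ("are all the endpoints covered?") is one you can answer mechanically by reconciling the asset inventory against what the DLP console has actually heard from. The script below is an added example, not code from the article or from any DLP product; it assumes an inventory export of hostname to device class and a console export of last agent heartbeat per host, and all the data in it is constructed. It reports endpoints with no agent at all, agents that have gone silent, and hosts that report an agent but are unknown to the inventory, which is usually a sign the inventory itself is incomplete.

```python
"""Endpoint coverage check for a DLP rollout (added example, not from the article).

Assumptions: an asset inventory export (hostname -> device class) and a DLP
console export of agent heartbeats (hostname -> last check-in time). Both
data sets below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: every device that connects to the corporate network
ASSET_INVENTORY = {
    "lt-0001": "laptop",
    "lt-0002": "laptop",
    "dt-0101": "desktop",
    "dt-0102": "desktop",
    "mb-0201": "mobile",
}

# Constructed DLP console export: last heartbeat received from each agent (UTC)
AGENT_HEARTBEATS = {
    "lt-0001": datetime(2024, 6, 1, 9, 0),
    "dt-0101": datetime(2024, 6, 1, 8, 30),
    "dt-0102": datetime(2024, 4, 20, 17, 45),   # agent fell silent weeks ago
    "srv-9999": datetime(2024, 6, 1, 7, 15),    # reports in, but is not in the inventory
}

NOW = datetime(2024, 6, 2, 12, 0)   # constructed "current time" for the report


def coverage_report(inventory, heartbeats, now=NOW, max_silence=timedelta(days=7)):
    """Classify every inventoried endpoint as covered, stale or missing.

    missing: no agent has ever reported from the host (no 360-degree view there)
    stale:   the agent reported once but has been silent longer than max_silence
    unknown: hosts that report an agent but are absent from the inventory
    """
    missing, stale = [], []
    for host, device_class in sorted(inventory.items()):
        last_seen = heartbeats.get(host)
        if last_seen is None:
            missing.append((host, device_class))
        elif now - last_seen > max_silence:
            stale.append((host, device_class, (now - last_seen).days))
    unknown = sorted(set(heartbeats) - set(inventory))
    covered = len(inventory) - len(missing) - len(stale)
    return {
        "missing": missing,
        "stale": stale,
        "unknown": unknown,
        "covered": covered,
        "coverage_pct": round(100.0 * covered / len(inventory), 1) if inventory else 0.0,
    }


def gaps_by_class(report):
    """Count missing and stale endpoints per device class, to plan the rollout."""
    counts = {}
    for host, device_class, *_ in report["missing"] + report["stale"]:
        counts[device_class] = counts.get(device_class, 0) + 1
    return counts


if __name__ == "__main__":
    rep = coverage_report(ASSET_INVENTORY, AGENT_HEARTBEATS)
    print(f"coverage: {rep['coverage_pct']}% ({rep['covered']}/{len(ASSET_INVENTORY)})")
    for host, cls in rep["missing"]:
        print(f"MISSING  {host} ({cls})")
    for host, cls, days in rep["stale"]:
        print(f"STALE    {host} ({cls}), silent {days} days")
    for host in rep["unknown"]:
        print(f"UNKNOWN  {host} reports an agent but is not in the inventory")
    print("gaps by class:", gaps_by_class(rep))
```

A silent agent is treated as a gap rather than as coverage, because a host whose agent stopped reporting is exactly the blind spot the phased approach tends to leave behind; the threshold of seven days is an assumption and should follow the agent's real check-in interval.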
Avoiding exceptions
It’s best to avoid exceptions while defining policies. Let the DLP flag all that goes out. If the business needs certain data to be sent out, let it get flagged and then go out. It is essential to re-validate policies at least once every 6 months. Be on the lookout for policies that never triggered any event in the last 6 months, and check whether there is a logic flaw in the way those policies are defined.
Run test cases that match the policy composition and see if the policy triggers an event. Be aware of the blind spots and have compensating controls in place. A desktop rebooted in safe mode does not have the DLP agent started. This gives the user an invisibility cloak to escape with valuable information of the company, and, of course, without anyone seeing it. If such a cloak has to exist at all, make sure it is with the most responsible person, who is going to use it only for the greater good.
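The two checks from the preceding paragraphs, listing policies that fired nothing in the review window and running test cases against each policy's composition, fit naturally in one small script. The example below is added here and is not the article's or any vendor's code. It assumes the DLP console can export events as "timestamp,policy,channel" lines and that each policy's content rule can be approximated by a regular expression (real products use their own rule languages); the events, policies and test cases are constructed, and one policy is deliberately written with a case-sensitivity flaw so that the combined check surfaces it.

```python
"""Policy re-validation helper for a DLP programme (added example, not the article's
or any vendor's code).

Assumptions: the DLP console can export events as "timestamp,policy,channel" lines,
and each policy can be described by a content pattern (a regex stands in for the
vendor's rule language). Events, policies and test cases below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed policy catalogue: policy name -> pattern that should match protected content
POLICIES = {
    "pan-card": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),          # Indian PAN number format
    "credit-card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),        # 16-digit card number
    "source-code": re.compile(r"^\s*(?:def|class|import)\s", re.M),  # Python source fragments
    "board-minutes": re.compile(r"BOARD MINUTES \d{4}"),             # case-sensitive: a logic flaw
}

# Constructed event export, one event per line
EVENT_LOG = """\
2024-05-03T10:12:00,credit-card,email
2024-05-17T14:40:00,pan-card,web
2024-06-01T09:05:00,credit-card,usb
2023-11-20T16:00:00,board-minutes,email
"""

# Constructed test cases: a sample that each policy is meant to catch
TEST_CASES = {
    "pan-card": "Applicant PAN: ABCDE1234F",
    "credit-card": "Card 4111 1111 1111 1111 expires 12/27",
    "source-code": "import os\n\ndef main():\n    pass\n",
    "board-minutes": "Board Minutes 2024 - Q1 strategy review",
}

NOW = datetime(2024, 6, 2, 12, 0)   # constructed review date


def parse_events(text):
    """Turn the export into (timestamp, policy, channel) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, policy, channel = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), policy.strip(), channel.strip()))
    return events


def dormant_policies(policies, events, now=NOW, window=timedelta(days=180)):
    """Policies that fired no event inside the review window (6 months by default)."""
    recent = {policy for ts, policy, _ in events if now - ts <= window}
    return sorted(name for name in policies if name not in recent)


def failed_test_cases(policies, cases):
    """Policies whose pattern does not match the sample it is supposed to catch."""
    return sorted(name for name, sample in cases.items()
                  if name in policies and not policies[name].search(sample))


def review(policies, event_text, cases, now=NOW):
    """Combine both checks: a dormant policy that also fails its test case is the
    prime suspect for a logic flaw in its definition."""
    events = parse_events(event_text)
    dormant = dormant_policies(policies, events, now)
    failed = failed_test_cases(policies, cases)
    return {
        "dormant": dormant,
        "failed_tests": failed,
        "suspect": sorted(set(dormant) & set(failed)),
    }


if __name__ == "__main__":
    result = review(POLICIES, EVENT_LOG, TEST_CASES)
    print("dormant in window :", result["dormant"])
    print("failed test cases :", result["failed_tests"])
    print("likely logic flaws:", result["suspect"])
```

On the constructed data, "board-minutes" is both dormant and fails its test case, which points at the definition itself (the pattern is case-sensitive while the documents are not). "source-code" is dormant but matches its sample, so the pattern is sound and the question becomes whether the channel it watches ever carries that content, or whether the agent is simply not deployed where it should be; that is the kind of blind spot the compensating controls are there for.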
Have a governance framework in place to handle events and escalation. Have clear responsibilities and timelines defined for closures. The reports can sometimes be eye-openers to the fact that the “strictly need to know” principle gets violated. We may also see that ignorance is still not eradicated. You will then realize that DLP is one area that must expand beyond its conventional reach to be fully effective. And rightly so. How can you lower the defenses when you are unsure from where the next spell will be cast?