Is DLP a blunt instrument or a misused technology?
Following on from the introduction of monetary penalties by the Information Commissioner's Office last year, I looked at the likelihood of data loss prevention (DLP) solutions rising in popularity in line with the regulatory increase.
Whether there was an overall increase in take-up of DLP solutions is one for the analysts to determine, but a year on, it seems that there is a growing feeling that DLP has not been the wonder solution it could have been. It has been suggested to me several times that DLP is a 'blunt instrument' in the information security toolkit.
James Lyne, senior technologist at Sophos, recently called DLP 'a monstrous idea' and described it as a 'disastrous ludicrous project'. Frank Coggrave, general manager EMEA at Guidance Software, was less scathing, saying that DLP helps with inadvertent things but not with malicious things, as you can send data out some other way.
Lyne summarised his frustration by saying that while there is a human factor there will be mistakes and accidents, but technology controls many users, and a system will control risk and help prevent accidents.
He said: “But who knows where all the data is? One day you find all of your information and write a new policy that says what every person can and cannot do and then ten minutes before that, the CFO uploads the end of year accounts and DLP looks at it, says it is not authorised and IT has to deal with the problem. DLP is a disaster as we try and take responsibility for data and it does not understand that there is data out there. It is at a stage of maturity that we do not have and we need to help users make the right decision, there will not be a solution to human error but it can help them be smart.”
Tony Pepper, CEO of Egress, previously asked why people still think DLP is the answer to all their prayers, claiming that it is only a matter of time before the bubble bursts.
Pepper told SC Magazine that DLP was a popular phrase used by aspiring IT professionals before cloud computing became the new buzz word, but if the technology cannot substantiate its claims and solve business problems, then the industry simply moves on and searches for alternative solutions.
“We're now experiencing that shift in momentum. Many of the clients we speak to were sold false promises by the analyst community that DLP would answer everyone's prayers and eliminate data loss, but it didn't. Why? Because confidential information is increasingly mishandled by third parties, and now customers are looking to solve this problem once and for all,” he said.
Another issue with DLP has been the number of false positives that can be raised by a solution set to flag anything deemed suspicious. Paul Judd, head of UK and Ireland at Fortinet, summarised this by saying that often it is 'better to have a false positive than a data loss'.
I asked Jelle Niemantsverdriet, principal consultant for forensics and investigative response EMEA at Verizon Business, whose reports on data loss are much referenced and respected, whether constant alerts from a stringent setting would be an inconvenience for users when it comes to DLP.
He said: “It is probably one of the challenges for security to not just be perceived as the department who says no and blocks development as things are not secure. In general I can imagine end-users are annoyed with this but they need to know what business the company is in and remain secure. This is somewhat of a grey area, but the consensus is that if it is secure enough it is something that users can get used to.
“If you get a pop-up every ten minutes then people will click it away and not consider that, so on the one hand it is user education, and on the other hand systems are truly detecting data that is appropriate to the organisation, so that you can tune systems and alerts so users know when something real is going on.”
So is all DLP bad? Not according to Andy Philpott, regional vice president of UK and Ireland for Websense. He said that 'DLP used to be overly complex and expensive but now there's no good excuse not to immediately implement solutions'.
Pepper said: “Here at Egress we've turned the concept of DLP on its head. Using patented encryption and leveraging a secure authentication service, customers can now share personal or sensitive information with confidence, safe in the knowledge that they can enforce accountability and if necessary revoke access wherever the data resides.”
Colin Williams, networking and security practice leader at reseller Computacenter, admitted that DLP can be challenging to deploy but that it should be a starting point for everyone to understand the movement of information.
He said: “It is an asset to the end-user to alert them, as if you have a pop-up saying 'not sure if you send this' and they say 'ok', they are now accountable. Two-thirds of files are now taken out of the company, so it was fundamental in the past and nice to have, but now you need to use it.
“From a business and user mode, it can understand data in many languages and work it out. Look at RSA Archer; SIEM without Archer is a waste of time or requires too much interaction from the user to be worthwhile. DLP should help and if you use it correctly, it should evolve over time as it learns and scans more information.
“Risk management is done right with the CIO and rests with the end-user, and it is the job of all of us to be less alerted than the rest. We all have to be aware.”
What we should understand is that this technology exists for a reason and perhaps the reason why there is continued data loss and breaches is not the fault of the technology, but of users. The most recent fine from the Information Commissioner concerned email failures that would have bypassed most DLP settings.
Is preventing data loss a question of attitude, settings or heuristics? I would say a combination of all, together with a risk assessment of your business and environment, ensuring technology is used properly; after all, it would be a waste of money to leave that investment switched off.