Comment: Simplifying Data Loss Prevention

Thorkelson ays that breaking down your DLP needs into pieces can help you focus on the right solution
Thorkelson ays that breaking down your DLP needs into pieces can help you focus on the right solution
Jared Thorkelson, DLP Experts
Jared Thorkelson, DLP Experts

DLP capabilities have evolved within the last decade from the initial ability to identify and then block sensitive/restricted data and website access to an extensive list of solutions defined by customers’ needs. The ability of suppliers to expand their DLP product offerings has been, to some extent, part of the deterrent to more rapid acceptance of the technology.

Many products are just too complex for customers and beyond the scope of what they expect to implement in the short and even the long term. This is especially true for small and medium-size businesses (SMBs). As with most complex technical problems, breaking down the situation into smaller manageable pieces and understanding how we got to where we are today can help to focus on the right solution.

Promised Solutions

Today, what customers are looking for in a DLP solution includes network monitoring, network-based discovery, endpoint security/management, web/FTP blocking, email blocking, an incident database, and a management platform to tie it all together, for starters. This lists, and even greater capabilities, have emerged from DLP’s humble beginnings as a sniffing tool to find information that was traversing the network. Once identified, users wanted to block certain kinds of data. Other DLP capabilities were recognized in a sequential manner, and the industry’s response was, in many respects, “identify a problem – add a box” for the solution.

The added components were built on top of each other for reuse and scalability. Reuse was pursued because the suppliers did not want to rework the original code. Because the only users that were initially interested in DLP technology were the world’s largest enterprise organizations, separating the pieces into components was acceptable for scalability.


The modular approach that resulted from this design evolution has created a complexity level that is widely recognized as a limiting factor for broader market acceptance of DLP. Complexity is specifically cited in the Aberdeen Group report “Content Aware - The 2010 Data Loss Prevention Report” as the leading technology inhibitor in DLP initiatives. The report states, “In terms of current inhibitors to investment in data loss prevention initiatives, the top performers are challenged by the available bandwidth of their staff (people), and by the complexity of available solutions (technology) and their current computing infrastructure (technology).”

In fact, Eric Ouellet, research vice president and co-author of Gartner’s “Magic Quadrant for Content-Aware Data Loss Prevention” report expressed concern in a panel at Gartner’s Security & Risk Management Summit 2010 that customers are wasting money and resources with DLP. He said that many customers buy full-suite DLP products with network, discovery and endpoint capabilities and only implement the network side over the course of two or even three years. As a result, they do not get the full value of what they paid for.

While this is true in many cases, some DLP suppliers have already addressed the complexity and associated implementation problems by making the process much easier to implement in steps – and by only requiring a single appliance.

A Simplified Solution

A modular approach works well in many technology areas. For DLP, however, it creates unnecessary complexity. In contrast, companies that started with the goal of a single appliance implementation of DLP based on a more complete knowledge of what users expected in a complete or unified solution have developed a simplified approach for users.

Code Green Networks exemplifies this newer design concept. Its methodology includes a straightforward process for customers that starts with prioritized needs and builds up from there.

For example, a user in a small organization may start with only the network DLP deployment in perhaps three or four separate data centers requiring three or four separate appliances. Instead of purchasing a full suite, the user purchases the network solution and deploys it, usually completing the installation within hours, not days or weeks.

When they are ready to take the next step, such as discovery, all they have to do is flip a switch in the graphical user interface (GUI). Another appliance or server does not have to be purchased and installed. Also, an additional database is not involved. The simple process of flipping a switch is the same migration path for adding endpoint and other capabilities as well. In this case, the software is modular within the scope of the DLP solution rather than requiring another modular piece of hardware.

When users add more functionality through the GUI switch, they pay an initial license fee for the added portion. This provides the flexibility that companies need to implement a new technology, while reducing the cost for the first – and usually the riskiest – step. Don’t pay for it until you need it should be a part of the DLP strategy.

The Right Approach

Cost-effective scalability is not readily accomplished with separate modular solutions. One of the technical issues for a company with a larger solution scaling down to meet the needs of smaller customers is the overhead, including multiple servers and interfaces, which is an integral part of the modular methodology. Some of the overhead is not easily scalable, especially for user maintenance.

Depending on the initial hardware, scaling up is actually easier than scaling down. Some suppliers have proven the scale-up approach with several implementations at tens of thousands of users. The methodology can be extended to larger enterprises. In fact, scaling to several hundred thousand users is also possible with a single appliance approach – it just requires more appliances that can be easily managed from a single administrative console – as long as the supplier has addressed the expansion issues with tools such as centralized content registration, as well as policy and incident management.

Recommended steps for organizations that are considering how to implement DLP are shown below. Large organizations can follow the same process as long as the hardware is scalable. They just have to purchase more hardware to encompass the entire organization.

An SMB Approach for Implementing DLP
  1. Develop the data protection strategy appropriate for your organization.
  2. Reduce the strategy to an implementation plan. The plan should identify the need and timing to implement items such as network, discovery, endpoint and other required aspects.
  3. Investigate a DLP solution that can implement the plan in phases, so cost is incurred as different phases are implemented – not all at the beginning.
  4. Verify that the implementation time is within acceptable limits. This can be as low as weeks, days, or less.
  5. Get started.

Jared Thorkelson is a data loss prevention and information security practitioner and principal at DLP Experts, LLC. He has written and spoken extensively on DLP and data protection. Thorkelson is a graduate of Brigham Young University.

What’s hot on Infosecurity Magazine?