Comment: The Missing Link from DLP

David Gibson examines the shortcomings of DLP

The analyst firm Gartner estimates that in five years, unstructured data – which makes up 80% of organizational data – will grow by an astonishing 650%. The risk of data loss is increasing above and beyond this volatile rate, as more data has to be transferred between network shares, email accounts, SharePoint sites and mobile devices.

Many security professionals are turning to data loss prevention (DLP) solutions for help, hoping that this will be the IT equivalent of ‘the missing link’ between productive collaboration and preventing data loss. To their dismay, organizations are finding that these DLP solutions fail to fully protect critical data because they treat the symptoms, with perimeter-level and file-based controls, rather than the deep-seated problem: users have inappropriate or excessive rights to sensitive information.

Don’t Let Accidents Control Your Responses

Solutions to prevent data loss need to enable the personnel with the most knowledge about the data, the data owners, to remediate risks in the right order, before data is leaked. To do this, organizations need enterprise context awareness: knowledge of who owns the data, who uses it, and who should and shouldn’t have access.

Managing and protecting sensitive information requires an ongoing, repeatable process. The analyst firm Forrester refers to this as protecting information consistently with identity context (PICWIC).

The central idea of PICWIC is that data is assigned to business owners at all times. When identity context is combined with data management, organizations can provision new user accounts with correct levels of access, recertify access entitlements regularly, and take the appropriate actions when an employee changes roles or is terminated. By following the PICWIC best practices, the chances of accidental data leakage are dramatically reduced while lifting a substantial burden from IT.

The Problem with DLP: It Won’t Stand on Its Own

DLP solutions primarily focus on classifying sensitive data and preventing its transfer with a three-pronged technology approach:

  • Server protections focus on content classification and identifying sensitive files that need to be protected before they have a chance to escape.
  • Network protections scan and filter sensitive data to prevent it from leaving the organization via email, HTTP, FTP and other protocols.
  • Endpoint protections encrypt data on hard drives and disable external storage to stop data from escaping via employee laptops and workstations.

This approach works well if an organization knows who owns all the sensitive data and who’s using it. Because that is rarely the case, once the sensitive data is identified – which in the average-sized organization can take months – IT is left with the monumental job of finding out who the sensitive data belongs to, who has and should have access to it, and who is using it. These questions must be answered in order to identify the highest-priority sensitive data (i.e., the data in use) and determine the appropriate DLP procedures.

Initially, solutions that focused primarily on endpoint and network protections were quickly overwhelmed by the massive amounts of data traversing countless networks and devices. Unfortunately, DLP’s file-based approach to content classification is cumbersome at best. Upon implementing DLP, it is not uncommon to have tens of thousands of ‘alerts’ about sensitive files. The challenge doesn’t stop here. Select an alert at random – the sensitive files involved may have been auto-encrypted and auto-quarantined, but what comes next? Who has the knowledge and authority to decide the appropriate access controls? Who are we now preventing from doing their jobs? How and why were the files placed here in the first place?

DLP solutions provide very little context about data usage, permissions, and ownership, making it difficult for IT to proceed with sustainable remediation. IT does not have the information available to them to make decisions about accessibility and acceptable use on their own; and even if the information was available, it is not realistic to make these decisions for each and every file.

The reality is that sensitive files are being used to achieve important business objectives – digital collaboration is essential for organizations to function successfully. But, in order to do this, sensitive data must be stored somewhere that allows people to collaborate, while at the same time ensuring that only the right people have access and that their use of sensitive data is monitored.

Bolstering DLP to Improve Its Efficiency

The concept of PICWIC, and the policies and procedures it enables, is very promising, but how can organizations implement PICWIC and improve their DLP implementations?

Data governance software automation is providing organizations with the ability to improve DLP implementations by not only automating the identification of sensitive data, but also simultaneously showing what data is in use and who is using it. It provides the context that comprehensive DLP needs. By continuously and non-intrusively collecting critical metadata and then synthesizing it, data governance software provides visibility never before available with traditional DLP implementations. When data governance software is used in conjunction with traditional DLP software, implementations move faster and sensitive data is more accurately identified and protected.
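To make the “enterprise context” concrete, the following is an added example (not code from the article, nor from Varonis or any DLP product) of the join the two passages above describe: it resolves a share’s ACL (groups expanded, including nested groups) into the set of effective users, overlays observed access events, and reports who is actually using each share, who is entitled but idle, who the likely owner is, and which ACL entries are broad groups. The share names, users, groups, events, the 60-day activity window and the group-size threshold are all constructed assumptions.

```python
"""Join entitlements (ACL with groups expanded) against observed usage
(access events) to produce the per-share context a data owner needs:
active users, stale entitlements, a likely owner and broad-group grants.

Added example; the data model, field names and thresholds are assumptions,
not a product's schema.
"""
from collections import Counter
from datetime import datetime, timedelta

BROAD_GROUP_SIZE = 5   # assumption: a group this large is "broad"

# Constructed group membership. "Finance" nests "Finance-Leads".
GROUPS = {
    "Finance": {"bob", "Finance-Leads"},
    "Finance-Leads": {"alice"},
    "Domain Users": {"alice", "bob", "carol", "dave", "erin"},
}

# Constructed ACL: share -> principals (users or groups) granted access.
ACL = {
    r"\\fs01\payroll": {"Finance", "Domain Users"},
    r"\\fs01\hr-reviews": {"Finance-Leads", "carol"},
}

# Constructed access events: (ISO timestamp, user, share).
EVENTS = [
    ("2012-03-01T09:12:00", "alice", r"\\fs01\payroll"),
    ("2012-03-02T10:05:00", "alice", r"\\fs01\payroll"),
    ("2012-03-03T11:40:00", "bob",   r"\\fs01\payroll"),
    ("2012-01-10T08:00:00", "dave",  r"\\fs01\payroll"),    # outside window
    ("2012-03-04T14:22:00", "carol", r"\\fs01\hr-reviews"),
]


def expand_principals(principals, groups):
    """Resolve groups (recursively, cycle-safe) to the set of effective users."""
    users, seen, stack = set(), set(), list(principals)
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in groups:
            stack.extend(groups[p])
        else:
            users.add(p)
    return users


def build_context(acl, events, groups, as_of, window_days=60):
    """For each share: entitled vs. active users, stale grants, likely owner."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=window_days)
    usage = {share: Counter() for share in acl}
    for ts, user, share in events:
        if share in usage and datetime.fromisoformat(ts) >= cutoff:
            usage[share][user] += 1
    context = {}
    for share, principals in acl.items():
        entitled = expand_principals(principals, groups)
        active = set(usage[share])
        context[share] = {
            "entitled": entitled,
            "active": active,
            # Entitled but never seen in the window: candidates for revocation.
            "stale": entitled - active,
            # Heuristic: the most frequent accessor is the likely business owner.
            "likely_owner": usage[share].most_common(1)[0][0] if usage[share] else None,
            # Group grants whose effective membership is broad.
            "broad_groups": {
                p for p in principals
                if p in groups and len(expand_principals({p}, groups)) >= BROAD_GROUP_SIZE
            },
        }
    return context


def remediation_order(context):
    """Shares ranked by number of excess (stale) entitlements, worst first."""
    return sorted(context, key=lambda s: len(context[s]["stale"]), reverse=True)


if __name__ == "__main__":
    ctx = build_context(ACL, EVENTS, GROUPS, "2012-03-31T00:00:00")
    for share in remediation_order(ctx):
        c = ctx[share]
        print(f"{share}: owner={c['likely_owner']} active={sorted(c['active'])} "
              f"stale={sorted(c['stale'])} broad_groups={sorted(c['broad_groups'])}")
```

The output is the list a data owner can act on in order: revoke or recertify the stale grants, replace the broad group with a scoped one, and route the decision to the likely owner rather than to IT. The owner heuristic is deliberately simple; in practice it would be confirmed by the business before any entitlement is changed.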

According to, over 23 million records containing personally identifiable information (PII) were leaked in 2011 alone, making it more important than ever for organizations to ensure sensitive data is secure. New regulations make it an imperative for organizations to ensure their DLP practices are quick, comprehensive and continuous.

The method outlined – of integrating data governance software automation into existing or new DLP implementations – not only ensures sensitive data is secure, but it also provides a factor of efficiency that traditional DLP cannot achieve alone.

David Gibson has been in the IT industry for more than fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently director of Technical Services at Varonis Systems, where he oversees product marketing and positioning. As a former technical consultant, Gibson has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems. He is a Certified Information Systems Security Professional (CISSP).
