For any business, protecting sensitive data is anything but simple. Data volumes are growing rapidly, and all too often, users create confidential files and spread them to unsecure locations. Meanwhile, IT security teams have limited resources and face enormous pressure, since both the company’s reputation and its financial future are at stake.
How can your organization establish a balanced approach to data loss prevention (DLP) that allocates budget and other resources wisely and maximizes security at the same time? We will try to answer this question with takeaways from Gartner’s report, “How to Choose Between Enterprise DLP and Integrated DLP Approaches.”
Understand your options.
In its report, Gartner explains that DLP is not a product or a set-it-and-forget-it platform, but a well-defined data security process that should be bolstered by well-managed supporting technology. Further, the report notes that DLP products can be divided into two groups: “enterprise DLP” (a standalone, full-featured DLP solution) and “integrated DLP” (a limited DLP feature set that is integrated into another data security product).
As a result, an organization might have some DLP capabilities even though it does not have an enterprise DLP solution. Gartner’s experts recommend that companies evaluate which controls they already have and what they need to add to their security infrastructure in order to have the desired DLP capabilities.
Estimate the value of enterprise DLP solutions for your organization.
Many organizations think that enterprise DLP solutions are the right choice for everyone. Some purchase them in response to an immediate need, such as the need to act upon an improvement notice from a regulatory compliance authority or to demonstrate a strong commitment to security after a data leak makes the headlines. Others are looking to protect their intellectual property, meet complex data security requirements, or plug the gaps left by separate DLP technologies.
However, enterprise DLP products are not the best choice for all companies. Enterprise DLP products are designed with large enterprises in mind, and they have a reputation for being overly complex for basic use cases — a reputation that Gartner says is well earned. Many IT managers and C-level security leaders new to DLP do not realize that the enterprise DLP products they are considering will not be used to even half of their capacity, yet they will likely cost as much as a little jet plane and require onerous initial implementation and subsequent upkeep.
Consider the features of the products you’ve already implemented.
Organizations often have an alternative to enterprise DLP solutions: taking full advantage of the products and applications they already have. While technologies like antivirus software, firewalls, endpoint protection, IT asset management, identity management, secure web and email gateways, log analysis, data discovery, and data classification are not DLP products in a conventional sense, they all deliver data protection in one way or another. In fact, the Gartner report notes that an organization’s existing products often have features that can provide business leaders with enough insight into information security gaps and deliver adequate protection for sensitive data.
For many smaller or less complex organizations, integrated DLP is a cost-effective alternative to enterprise DLP products. The DLP capabilities of the security tools the organization already owns can be equivalent to those of an enterprise product, while coming with significantly lower cost and staffing requirements and creating far less complexity.
Focus on data discovery and classification.
Developing a data loss prevention program involves far more than simply implementing a particular DLP technology. Early on, companies should get a good understanding of what types of data they have, where it is stored, who has access to it and how it is used, and then classify the data based on its sensitivity and value to the organization. With this visibility, security teams can better analyze data security risks, including identifying data that is overexposed, and prioritize the protection of their most critical information assets.
The goal of data classification is to minimize false positives and false negatives. The more sensitive data that your solution doesn’t recognize (false negatives) and the more documents it incorrectly classifies as sensitive (false positives), the more you’re at risk of not protecting sensitive data properly. You’ll end up spending more time fine-tuning the solution and less time actually managing and securing data. Improving the precision of data classification is no easy task, but it’s one you can’t afford to disregard.
Conclusion
Data loss prevention begins with gaining insight into both your current DLP capabilities and your data itself. Effective data discovery and classification will help your organization get a complete and accurate picture of what data you store, so you can make informed choices about appropriate security measures for different kinds of data and avoid the financial and reputational consequences of a breach of sensitive or regulated information.