DLP: Do not pass go, do not collect £200
The absolute best way of securing information, or the machines holding it, is to isolate them: categorically disconnect them from other machines, lock them away, use air-gapped networks, zoned-off rooms and all that stuff.
This is not a realistic possibility. We are more connected than ever before; we’re working on planes, trains, from coffee shops and, in more recent times, from the living room! Cloud adoption in 2020 saw an estimated 65-70% of workloads move to include cloud services in some fashion, an increase from around 45% in previous years.
Keeping data safe in a world which relies so inherently on interconnectivity and networking is a tough task. We’re estimating that around 320 billion emails get sent every single day now; a connected world really is a necessity!
Sharing data internally and externally is paramount to us doing business. On top of the vast amount of email traffic, add the things shared on platforms like O365 or Google Workspace, data held in file shares, data being sent to printers, data being posted on webpages – it all adds up. Data Loss Prevention (DLP) software’s sole job is to guard these activities, and to let only the right data be subjected to those actions.
In the not-so-distant past DLP came in the form of a glaring stop sign, something akin to a cartoon hammer brought around to the desk of an unsuspecting user attempting to get their job done. They had perhaps done something as simple as tried to send an attachment via email to a partner organisation and were then met with flashing lights and warning sirens accusing them of corporate espionage.
Instead of throwing up roadblocks, DLP implementations in 2021 are more nuanced platforms. Most folk have a horror story about over-sensitive DLP controls that meant it took four hours to send an email. Simply implementing a block and a scalding warning message drives users to subvert the controls in the first place, adopting shadow IT platforms just to harmlessly achieve what they need to get their job done.
That poses a bigger problem: if you’ve got data being shifted by systems you don’t even control then what chance do you have?
Ultimately, DLP controls should empower our user community, not send them off to live out their days in data security purgatory.
Blocking should, in my opinion, be the policy of last resort: encourage users to share securely, educate them on how they should be operating, and apply appropriate controls only when required.
Instead of stopping a user by blocking an action, why not allow it and employ encryption? Add Data Classification to highlight the data’s importance, and perhaps pair that with a Digital Rights Management (DRM) policy.
DLP has come a long way. It is now capable of allowing transactions and data flows while stripping out and redacting the sensitive information, meaning users still get the job done and are not driven to subvert controls, but the potential data breach and security risk is mitigated in microseconds without any change to how they do their jobs.
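To make the contrast concrete, here is an added example (not code from the original post or from any DLP vendor) of a toy content filter that implements the two policies just described: the legacy "block" response and the "allow but redact" response, with a classification label attached for downstream DRM or encryption. The detectors, the classification labels and the sample message are constructed assumptions. The card-number detector runs a Luhn check so that a 16-digit order reference is not mistaken for a card number, which is exactly the kind of false positive that turns a DLP control into a four-hour email.

```python
"""
Toy DLP content filter illustrating "block" versus "allow but redact".
Added example: detectors, labels and the sample message are constructed
assumptions, not any product's rule set.
"""
import re
from dataclasses import dataclass, field

# Card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Simplified UK National Insurance number shape (two letters, six digits,
# suffix A-D). Real NINO prefix rules are stricter; this is an assumption.
NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                 # "allow", "allow-redacted" or "block"
    label: str                  # classification applied to the message
    text: str                   # what actually leaves the organisation
    findings: list = field(default_factory=list)


def find_sensitive(text: str) -> list:
    """Return (kind, token) pairs for validated sensitive tokens."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # digit runs failing Luhn are left alone
            hits.append(("PAN", m.group()))
    for m in NINO_RE.finditer(text):
        hits.append(("NINO", m.group()))
    return hits


def redact(text: str, findings: list) -> str:
    """Mask each finding in place; keep the last four card digits for usability."""
    for kind, token in findings:
        if kind == "PAN":
            digits = re.sub(r"[ -]", "", token)
            text = text.replace(token, "**** **** **** " + digits[-4:])
        else:
            text = text.replace(token, "[REDACTED NI NUMBER]")
    return text


def inspect(text: str, mode: str = "redact") -> Verdict:
    """Apply the policy. Legacy 'block' mode stops the message outright;
    'redact' mode lets it through with sensitive tokens removed and a
    classification label attached for downstream DRM or encryption."""
    findings = find_sensitive(text)
    if not findings:
        return Verdict("allow", "Internal", text)
    if mode == "block":
        return Verdict("block", "Confidential", "", findings)
    return Verdict("allow-redacted", "Confidential", redact(text, findings), findings)


# Constructed sample: a well-known Visa test PAN, a dummy NI number and an
# order reference that happens to be 16 digits but fails the Luhn check.
SAMPLE = (
    "Hi, card 4111 1111 1111 1111 was charged twice. "
    "My NI number is QQ 12 34 56 C. Order ref 1234567890123456."
)

if __name__ == "__main__":
    for mode in ("block", "redact"):
        v = inspect(SAMPLE, mode)
        print(f"{mode:>6}: {v.action} [{v.label}] {v.text}")
```

Run stand-alone, the block prints the same message handled both ways: in block mode nothing leaves and the user is stuck; in redact mode the card number is masked to its last four digits, the NI number is removed, the harmless order reference survives untouched, and the message is labelled Confidential so that encryption or DRM can be applied on the way out.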
If you have a DLP headache you need taking away, talk to one of HANDD's data security experts on +44 (0)8456 434 063 or at firstname.lastname@example.org.