DLP: technical vs. administrative | InfoWatch

As I have mentioned before, it is difficult to find a major IT security firm without a DLP package in its lineup, whether one of their own, or snatched up early. Those packages, however, are mostly technical, with little consultation beyond “here’s our box and good luck to you”, a topic previously discussed at length. Those solutions tend to ignore an incredibly important part of DLP: the administrative method.

The administrative method and its weight in the overall solution strongly depend on the client’s business and the security of their data. A fake camera placed at an intersection to monitor speeding is just as effective as a real one at preventing speeding, provided the public does not know about its fakeness. When that fakeness is exposed, the efficiency of the camera as a deterrent plummets. However, if the fake camera has been replaced with a real one by then, the camera catches the speeders with their true intentions revealed.

Similarly, if, at the beginning of the integration process, one were to call for enough meetings with the client’s employees to explain to them that they are always being watched, that alone could prevent a ton of leaks, as well as raise the employee stress and paranoia level to new heights. Whether that is a negative or a positive connotation is left as an exercise to the reader. If one were then to spread a rumour that the paranoia is unjustified (after finally finishing integration, of course), the number of employees caught trying to steal corporate data would be higher than with pure integration alone. Again, the usefulness of this is left as an exercise to the reader.

Of course, not all leaks are preventable with integration of DLP solutions, nor do DLP products claim to prevent all leaks. No solution can vouch for a 100% prevention rate, while at the same time avoiding being draconian. The solutions that do have an astoundingly high success rate usually don’t involve technical DLP at all. An example: there is a company in Russia that designs and builds airplanes. The blueprints of these airplanes would fetch a fine price if one were to “borrow” them and “lend” them to other nations, for example. In order to prevent such a situation, they cut off the people who work with these blueprints from any device capable of transferring data. The designers had no direct access to the Internet, flash drives, CDs or even printers. In order to print, a designer would have to go to the security officer in charge of the blueprint, who had the one USB key and the sole computer with access to the printer and the Internet, and ask to use his computer. The designer then logged the time he spent using the computer and did whatever he needed access to the outside world for, with the security officer standing over his shoulder and watching him. When he was done, he left the computer and got back to work.

Such a solution is, of course, impossible to implement in a typical corporation, but it teaches an important lesson: a lot of data loss prevention can be done with administrative methods. Even when software-based solutions are present, the administrative part is a major requirement. This will help minimize the leaks and, as a result, the losses. The prevention rate will never reach 100%, of course, even in the aforementioned example: if the designer agreed to cut the security officer in on the sale, both of them could easily steal the needed documents.

Malicious insiders who are determined enough and patient enough will get around any solution and steal the data anyway. DLP solutions do not focus on them. They focus on the employee who learns that he’s about to be downsized and tries to grab the employee database; they focus on the inexperienced salesperson who accidentally sends the company offer to his competition as well as the buyer; they focus on the employee who left his laptop, with the company’s next merger data on it, on the bus. These are preventable. These can be dealt with efficiently with proper application of both administrative and software components of a DLP solution.