Thursday, February 25, 2010

10 Steps to Achive Successful DLP Implementation

DLP Implementation is having usually 9-12 process steps. Some of the process steps are sequential and some of them can be completed in parallel. They are as:-

1) Identification of what type of solution do we require? (1-3 Months based on the enterprise size and their partners agreement)

There are many different types of products on the market that promise to solve DLP such as hard drive encryption products or endpoint port control solutions. While they may address one of the ways that data loss can occur they do not address the issue as a Content-aware DLP solution will. Content-aware DLP solutions focus on controlling the content or data itself. Some of them are already in use and some of them are in phase of deployment. (Data @ Motion / Rest / Endpoint or Single Channel or Enterprise Wide etc.)

2) Identify information we are interested to protect. (Usually most expensive and time consuming step in entire deployment varies between 6 Months to 2 Years. The success stores and case studies shows that for R&D and Intellectual property protection it takes 5-8 Months, for financial data protection it takes almost 1-3 years and for healthcare and PII information protection 2-5 years). This step has three sub steps (Identification, Discovery and Classification)

Data Identification

DLP solutions include a number of techniques for identifying confidential or sensitive information (Based on metadata or signature scanning) metadata scanning for enforcement is most common deployment technique. Sometimes people are confused with discovery, data identification is a process by which organizations use a DLP technology to determine what to look for (in motion, at rest, or in use). A DLP solution uses multiple methods for deep content analysis, ranging from keywords, dictionaries, and regular expressions to partial document matching and fingerprinting. The strength of the analysis engine directly correlates to its accuracy. The accuracy of DLP identification is important to lowering/avoiding false positives and negatives. For example data sheets used in HR payroll department, Customer data sheet used by operations, company balance sheets, new business work order agreement procedure document etc.

Data Discovery

Means identify where does the data sleep?

Discovering where sensitive data lives are most important when dealing with unstructured data. If data has structure, then locating that data is only necessary for risk assessment. If the data can be detected using structured patterns on a server, file system, document repository, or other system, then that information can be discovered through a loss vector. However, with unstructured data, the information must be located first so it can be identified when it leaks. One particular challenge is file servers. The use of file servers and shares always starts with the best intentions of keeping things organized, but unless the data users are diligent in placing files in the appropriate shares, it will be difficult to identify which shares need to be protected and which can be ignored. Ideally, each group in an organization will have shares assigned around job functions and data classifications.

Document management systems are less of a challenge since they impose a certain degree of organization on their content by virtue of their structure. Browsing through the structure of a data repository and identifying the administrators for various sections should allow Us quickly to discover what documents are sensitive and which are not. Discovery of data poses lots of political challenges as compare to technical. And while defining the discovery of data following points should be considered.

Understand what is practically achievable. Rather than perfection, aim for what is achievable. Like rather than discovering and classifying every piece of potentially sensitive data, we might focus on high-risk data like credit card information, and customer data.

Involve key players early. Involving key stakeholders early in the process increases the likelihood that they will support it during implementation.

Strictly restrict the metadata removal tools in our devices. As DLP usage is increasing more and more metadata removal tools are popping up in the internet domains. Deploy strict control to restrict the usage of metadata removal tools.

Data Classification

Data classification involve very critical role is the success of DLP implementation. Most organization thinks that defining the classification label is more than enough. But organization should consider the classification tools which will allocate the metadata (also called as Meta tags in all the files used in the organization). Once classified meta tags are observed by DLP Controller it will start executing the preventive and informative policies either deny or allow rules can be defined to reduce the processing load on the system. Organization should identify and appoint the designated document management officer who should be able to address the concern regarding the classification criteria and should vouch the ambiguous documents classifications.

Now some of the members might be interested to know which product is available in market to accomplish above three. With my limited knowledge I have seen the Web sense Data Security solutions are available in the Web sense Data Security Suite* which is comprised of four, fully-integrated modules that can be deployed based on customer need:

Websense Data Discover – Discovers and classifies data distributed throughout the enterprise.

3) Establish Why the Content Needs to Be Protected? (A month time of good discussion required by different stakeholders. Second major involvement of Management group) Here we have to define why the identified data should be protected for ex. Is it for compliance reasons or for protection of Intellectual Property? This could change not only how the content is identified but also how it is reported on. For compliance, we have to ensure that we meet not only the data coverage required, like credit card numbers and other personally identifying information (PII) as required for PCI DSS compliance, but also the reporting requirements for the auditing process. This is going to be a critical step in the success of Our DLP solution, so we need to give it the time it deserves.

4) Identify How Data is Currently Lost ( Again a proper FMEA and Risk analysis give better result consider a month time for this process step too. ) Major involvement would be of technical staff. This will help us determine the type of product to use. Is it through email? Is it being uploaded to websites such as Web email or blog sites? Is it the usage of USB sticks on our endpoints? The most important advice here is not to try to solve all possibilities that we can think of for data loss. We have to remember that what we are trying to stop is the accidental loss of data. If we are trying to stop the deliberate loss of data, then that is significantly more difficult and will quite definitely have a serious impact on our business. If the user is resourceful and knowledgeable enough they will find ways to do it. An audience that many companies forget about is the remote user and the devices they use off-site. People will be more bold and daring if they are not in the office of their organization.

5) Technical DLP Policy Creation (Usually varies from 2-8 Months market research shows that consulting firm like Accenture accomplish this is 8 week time while organization like DuPont and Ranbaxy are able to define all the DLP policies in 16-18 week time frame with their DLP Experts and Partners). This is where we get down to the implementation. Once the solution is installed we now look at how we can create policy that recognizes the actual content we want to control and then how it will be controlled. The above steps that have gone through will help us what should be in the policy and how we can prevent the information from leaking out of our organization.

6) Testing (2 Months of regress testing is sufficient). Like any other IT implementation testing is a major factor for ensuring success

7) Policy Communication A step many miss but in our organization I would consider this step a crucial part for being a successful. Employees need to be brought into the project to guarantee success. It will impact their day-to-day functions, so we need to be certain they understand why these controls are in place and support its use. This can be as simple as explaining why we are implementing such a control and what could happen if we didn’t. Obtain their feedback on the controls and how we might minimise the impact on their work.

8) DLP System Policy Enforcement (2 Months sequential from testing ) Now that we have created the policy, tested it and communicated it, time has come to throw the big switch between just monitoring controls to actively implementing them. Don’t turn them all on at once. Prioritise them and release the most important and critical ones first. Ensure we have plenty of coverage to rectify any issues not found in testing as they arise, as this will impact the employees who are trying to do their job. If we are not helpful or responsive, our employees’ support will vanish.

9) Future Proofing for Organization (Ongoing) We have taken the first steps here, but don’t assume our job is done. Look for better ways of classifying content or where different types of content are saved. When new applications or systems are installed, consider how we can implement them to simplify the DLP controls required. Also continue to pay attention to the evolution of our DLP product. Keep it up to date as there will be newer and better ways of implementing the controls we have in place.


Marin said...

I'd rahter say phase 4 being "Risk assessment", followed by phase 1. We need to identify the best option for DLP only after we identified our information, the need for protection and the risks involved.

sivaram said...

I liked the way the issues are presented and gives the user a chance to think and work better in implementation.

Tadepalli Sivaram

Prashant Joshi said...

Dear Mukesh,

Myself Prashant from Swiss...

I am planning to implement the DLP solution in my organization and was searching for some helpful articles... I went thru the one posted by you and am writing to you regarding the same...

I seek your genuine guidance for the same for which I wish to talk to you... If u don't mind...

may I hear u on and if u can share ur contact number so that I can talk to u...

thnx in advance...

Prashant Joshi
+44 79 24456141