DLP Myth #1: You can get DLP as an add-on to an existing solution.
I read a blog post today from Midwest IT Professional entitled Myths of Data Loss Prevention (DLP). The post didn’t really address the kind of thing I consider to be myths about DLP, but it did get my thought process going. So, over the coming days, I’ll present a series of myths related to Data Loss Prevention.
The first myth I’d like to address came in the form of a firewall/UTM vendor announcement about the growing demand for DLP. The quote that accompanied the press release stated: “Today, customers can have both state of the art multifunction firewall protection and unbeatable Web, messaging and DLP security that is affordable, powerful, highly reliable and easy to use.”
From this, I pull myth number one: You can get effective DLP as an add-on to your firewall, web or email security solution. While some rudimentary data loss prevention functionality can be added to almost any network security device, the result often does more harm than good.
Most add-on DLP functionality comes in the form of scanning network traffic (web, email, other) and looking for simple regular expression pattern matches for Social Security numbers, credit card numbers, etc. This content monitoring capability has been around for many, many years; however, in my experience it has been ineffective and in many cases counterproductive.
I had one client, for example, who tried to use their leading email security solution to identify and block incidents of sensitive data leakage using regular expression patterns. They went this route initially to avoid having to buy a purpose-built DLP technology, trying to save some money in this tough economy. What they found was that the rudimentary content monitoring and filtering technologies did a poor job of identifying *true* incidents of data leakage. They ended up with more incidents each day than they could keep up with, and since the vast majority of the incidents were false positives, they stopped looking at them altogether. I won’t go into detail about why this just doesn’t work. Just give it a try with your own email security solution and see the results for yourself.
In addition to the fact that regex patterns alone are ineffective, consider that in most cases an SSN alone does not constitute a data breach. Most regulatory or legal mandates cover an SSN only when it is accompanied by other data points that together make an individual “personally identifiable” (hence the term PII: personally identifiable information). True DLP technologies have the ability to do much more than just pattern matching. In fact, a key feature of nearly every major DLP technology is the ability to do “exact matching” of specific individual data fields. This means a rule can be established so that an SSN seen in a single communication together with other data fields *from the same database record* triggers an incident. So if it’s my SSN along with the name Steve Smith (not my name), that won’t trigger. However, if it’s my SSN along with my name, it will trigger. This exact matching capability is critical to effective data loss prevention, and adding “DLP” to your basic firewall, web or email security device just may do more harm than good.
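To make the contrast concrete, here is an added example (my own illustration, not code from the original post or from any DLP product) that runs a naive regex scan and an exact-match scan side by side over a few constructed messages. The "database" of protected records, the messages, and the record ids are all made up; the exact-match index stores only SHA-256 fingerprints of normalized field values, which is one common way to avoid holding the plaintext records on the scanning device.

```python
import hashlib
import re

# Constructed sample records the organisation wants to protect (all values made up).
RECORDS = [
    {"id": "rec-001", "first": "Jane", "last": "Doe", "ssn": "123-45-6789"},
    {"id": "rec-002", "first": "Alex", "last": "Rivera", "ssn": "987-65-4320"},
]

# The only thing an add-on "DLP" scan usually knows: what an SSN looks like.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def normalize(value: str) -> str:
    """Lower-case and strip punctuation/whitespace so 'Doe' and 'DOE ' compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint(*fields: str) -> str:
    """One-way hash of a tuple of normalized fields; the index never stores plaintext."""
    joined = "|".join(normalize(f) for f in fields)
    return hashlib.sha256(joined.encode()).hexdigest()


def build_index(records):
    """Map fingerprint(ssn) -> (record id, fingerprint(ssn, last name)) per record."""
    index = {}
    for r in records:
        index[fingerprint(r["ssn"])] = (r["id"], fingerprint(r["ssn"], r["last"]))
    return index


def regex_scan(message: str):
    """Naive add-on style scan: every SSN-shaped token is reported as an incident."""
    return SSN_PATTERN.findall(message)


def exact_match_scan(message: str, index):
    """Exact-match style scan: report a record only when an SSN-shaped token
    fingerprints to a known record AND the last name from that same record
    also appears in the message."""
    hits = []
    words = set(re.findall(r"[A-Za-z]+", message))
    for candidate in SSN_PATTERN.findall(message):
        entry = index.get(fingerprint(candidate))
        if entry is None:
            continue  # SSN-shaped, but not one of our records
        rec_id, pair_fp = entry
        if any(fingerprint(candidate, w) == pair_fp for w in words):
            hits.append(rec_id)
    return hits


def incident_counts(messages, index):
    """Return (regex_incidents, exact_match_incidents) over a batch of messages."""
    regex_n = sum(1 for m in messages if regex_scan(m))
    exact_n = sum(1 for m in messages if exact_match_scan(m, index))
    return regex_n, exact_n


INDEX = build_index(RECORDS)

# Constructed sample messages an email gateway might inspect.
MESSAGES = [
    "Per your request, the SSN on file for Jane Doe is 123-45-6789.",  # real leak
    "Support ticket 555-12-3456 has been closed.",                     # SSN-shaped, not ours
    "Steve Smith asked about 123-45-6789 on the call today.",          # our SSN, wrong name
    "Jane Doe will call back tomorrow about the invoice.",             # no SSN at all
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(f"regex={regex_scan(m)!r:18} exact={exact_match_scan(m, INDEX)!r}  | {m}")
    print("incidents (regex, exact):", incident_counts(MESSAGES, INDEX))
```

The regex scan flags three of the four messages, two of them for the reasons the post describes (a number that merely looks like an SSN, and an SSN paired with a name from a different record), while the exact-match scan flags only the message that carries two fields from the same record. Scaling the message list up is where the add-on approach falls apart in practice: the false positives grow with traffic volume, not with actual leakage.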
Other data loss prevention (DLP) myths to follow!