I saw this article via a list I am on:
http://jadedsecurity.net/2011/06/13/you-cant-buy-dlp/
I think the author makes a very important point. Most of your information security challenges will require more than deploying a single off-the-shelf solution to solve. At the least, you will need to figure out how the new tool will mesh with your policies and procedures (assuming they exist), what controls will be changed or established by the tool, and how to measure the success of those controls. In the worst case, the organization will have to go through all of the steps mentioned in the article: classify the data, identify the things that need to be protected, deploy compensating controls such as encryption, communicate to users how to handle data at each classification level, monitor the systems and network appropriately to verify compliance and to detect any misuse, and constantly assess the systems and networks to improve your security level.
Even then, there is really no such thing as Data Loss Prevention - you can't prevent someone from printing a confidential piece of data and then walking out the door with it. You can make it very difficult for the wrong people to access this data, and you can train people to reduce the risk to the company by handling it correctly, but as with many of our InfoSec challenges, people are the critical piece.