Tips for successful Data Leakage Prevention

Requirements analysis is indispensable

A viable export monitoring policy based on a DLP product requires careful analysis of requirements, and these requirements can vary greatly between departments. Whereas in Customer Support a crucial role is played by keywords and regular expressions such as "Client Number", one of the important terms in Engineering is "Fingerprinting" in the context of technical documents or source code.

Minimizing false positives

DLP is not an exact science. That applies both to content analysis and to export monitoring. False positives frequently present a threat in the area of content analysis as a result of ambiguities with keywords. For example, the word "job" has an entirely different meaning in HR (employment) than in the technical area (action or activity). Clear company rules have to be defined in this context.

Export monitoring is not enough

Export monitoring alone does not protect against IT specialists among the internal perpetrators. For example, a text that has been disguised using the ROT-13 algorithm popular with Usenet newsreaders can be picked out really easily using common DLP products. The principle is as follows: ROT-13 shifts the alphabet by 13 characters. The message is later revealed, for example, by means of add-ons in popular e-mail programs (such as Thunderbird from Mozilla).

Avoid instant messengers

Problems with data leakage protection often occur via secure export channels on the terminal, such as instant messengers (ICQ, Yahoo Messenger, MSN Messenger). Vendors of DLP products can often only react to the messenger releases that are current at the time, and offer support in a coming version of their DLP solutions. For that reason, administrators should forbid the use of such programs within the company.

Explain the situation to employees

The introduction of a comprehensive DLP solution requires the inclusion and involvement of the company's employees. A soft touch is usually more effective during the implementation stage than harsh measures against the misuse of data. The latter approach often leads to employees simply ignoring the guidelines.

Keep calm – even during an alert

Not every infringement of DLP precautions should inevitably lead to an alert or to sanctions. Occasionally, a confidential document is exported with legitimate intentions. An ID card number may, for example, just be a jumbled telephone number. It is advisable to weight matches within the individual categories (keywords, regular expressions, similarities), to add up the coincidences with the corresponding factor, and to trigger a sanction only when a definable threshold figure is reached.

Correct sanctions

If an unauthorized export of a confidential document is detected, there will be appropriate sanctions, depending on set policy guidelines. These sanctions may include logging the operation to give administrators an overview of the current security situation in the company. Certain operations may also be blocked. One of the intelligent variations involves an interactive dialogue with the user: the system points out any security reservations to the user by means of a dialogue, and asks the user to enter a justification for the export.
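
The weighting described under "Keep calm" and the graded sanctions described above can be combined in one scoring routine. The following Python sketch is an added example, not code from any DLP product; the weights, thresholds, keywords, the CN-###### client number format and the protected sentence are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Everything below is constructed for illustration, not taken from a real policy.
WEIGHTS = {"keyword": 1.0, "regex": 2.0, "similarity": 5.0}
KEYWORDS = ("confidential", "client number")
PATTERNS = (re.compile(r"\bCN-\d{6}\b"),)  # hypothetical client number format
PROTECTED = ("The valve controller firmware uses a proprietary timing loop.",)
SIMILARITY_MIN = 0.8  # ratio above which a text counts as a near copy
# Highest threshold first; the first one reached decides the sanction.
SANCTIONS = ((8.0, "block"), (5.0, "ask_justification"), (3.0, "log"))


def score(text):
    """Count hits per category and return (weighted total, hits per category)."""
    lower = text.lower()
    hits = {
        "keyword": sum(lower.count(k) for k in KEYWORDS),
        "regex": sum(len(p.findall(text)) for p in PATTERNS),
        "similarity": sum(
            1 for doc in PROTECTED
            if SequenceMatcher(None, doc.lower(), lower).ratio() >= SIMILARITY_MIN
        ),
    }
    total = sum(WEIGHTS[cat] * n for cat, n in hits.items())
    return total, hits


def decide(text):
    """Map the weighted score to a sanction; below every threshold means allow."""
    total, _ = score(text)
    for limit, action in SANCTIONS:
        if total >= limit:
            return action
    return "allow"


if __name__ == "__main__":
    samples = (  # constructed outbound messages
        "Ticket ref CN-204817, please call back.",
        "Client number CN-204817 is attached.",
        "The valve controller firmware uses a proprietary timing loop!",
        "Confidential client number list: CN-204817, CN-204818, CN-204819",
    )
    for s in samples:
        print(f"{decide(s):18} {score(s)[0]:4.1f}  {s}")
```

A lone pattern hit stays below every threshold, so the ambiguous single match does not raise an alert, while accumulated hits escalate from logging to the justification dialogue to blocking.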
