Best Practices for DLP Content Discovery: Part 5
In our last post we talked about the preparatory work before you begin your DLP content discovery deployment, including expectation setting, prioritizing information for protection, and defining your workflow. By this point you should know what policies you’d like to deploy, where you want to start protecting the content, how you’d like to grow that protection after initial deployment, and the workflow for when you detect policy violations.
Today we’re going to move beyond planning into deployment.
- Integrate with your infrastructure: DLP content discovery tools require either a local agent or file share access to scan content in a repository. In this stage you define the initial repositories to scan and either install agents or load credentials into the DLP system. For endpoints, you can scan the C$ or D$ administrative shares (which expose all files on the system) remotely, but a local agent is your best option for managed systems. If you haven’t already, you also need to integrate with your enterprise directory servers so the DLP tool understands users and roles/groups.
- Build initial policies: For your first deployment, you should start with a small subset of policies, or even a single policy, in alert or content classification mode (where the tool reports on sensitive data, but doesn’t generate policy violations).
- Baseline, then expand deployment: Deploy your initial policies on a limited number of storage repositories (or endpoints). Once you have a good feel for the effectiveness of the policies, performance, and enterprise integration you can expand into a wider deployment, covering more of the enterprise. After the first few times you’ll have a good understanding of how quickly, and how widely, you can roll out new policies.
- Tune policies: Even stable policies may require tuning over time. In some cases it’s to improve effectiveness, in others to reduce false positives, and in still other cases to adapt to evolving business needs. You’ll want to initially tune policies during baselining, but you’ll continue to tune them as the deployment expands. Most DLP clients report that they don’t spend much time tuning policies after baselining, but it’s always a good idea to keep your policies current with enterprise needs.
- Add enforcement/protection: By this point you should understand the effectiveness of your policies, and have educated users where you’ve found policy violations. You can now start switching to enforcement or protective actions, such as moving, encrypting, or changing access controls on files. Any time you make a file inaccessible, you should leave a plain-text contact note (or send the user an email) so they know why the file is missing and how to ask for an exception. If you’re making a major change to established business process, consider scaling out enforcement options on a business unit by business unit basis (e.g., restricting access to a common content type to meet a new compliance need).
Deploying DLP content discovery isn’t really very difficult; the most common mistake enterprises make is applying policies too widely, too quickly.
It’s also important to keep in mind that there are four general types of discovery deployments. With a monitoring/alerting deployment you roll out policies and generate alerts in the DLP system, which are then followed up on by incident handlers. These deployments are often for sensitive data types where you don’t want immediate protection, but do want to prompt corrective actions or user education. The second type of deployment is where you add content protection actions, like encryption. It’s typically for very sensitive data types, and as we’ve outlined above often follows an alerting-only deployment. In a compliance deployment we scan for selected data related to regulatory compliance, like credit card numbers, both to ensure sensitive data is remaining within allowed containers, and also to generate compliance reports to show auditors that content is being handled appropriately.
The last deployment is a completely different model: content classification. In this case you are scanning with a very wide scope, often using general policies, to identify and classify systems based on the content they hold. Or, in some cases, you may tag the content as part of a broader classification initiative. Content classification deployments aren’t concerned with alerts or enforcement actions, but rather use these tools to help classify systems and content.
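To make both the phased rollout (classification mode first, alerts next, protective actions last, with a plain-text contact note whenever a file is made inaccessible) and the four deployment types concrete, here is an added example that is not code from the original post or from any DLP product. It is a miniature content discovery scanner for a single data type, payment card numbers, with a Luhn check so that random digit runs such as order numbers are not reported as false positives. The mode names, the policy name, the contact address and all sample files are constructed for the demo; the repository it scans is a throwaway temporary directory.

```python
"""Added example, not code from the original post or from any DLP product:
a miniature content discovery scanner. It walks a repository, detects one
sensitive data type (payment card numbers, validated with the Luhn check so
random digit runs are not reported), and applies whatever action the chosen
deployment mode calls for. Mode names, the policy name, the contact address
and all sample files are constructed for this demo."""
import re
import shutil
import tempfile
from collections import Counter
from enum import Enum
from pathlib import Path
from typing import Optional

POLICY_NAME = "PCI-card-numbers"            # constructed policy name
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


class Mode(Enum):
    """The four deployment types from the post, as scanner behaviours."""
    CLASSIFY = "classify"      # record what each location holds; no violations
    ALERT = "alert"            # raise violations for incident handlers
    COMPLIANCE = "compliance"  # violation only outside sanctioned containers
    PROTECT = "protect"        # quarantine the file and leave a contact note


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_repository(root: Path, mode: Mode, allowed=(),
                    quarantine: Optional[Path] = None,
                    contact: str = "dlp-team@example.com") -> dict:
    """Scan every file under root and act according to mode.

    allowed:    directories (relative to root) where the data may legitimately
                live; only consulted in COMPLIANCE mode.
    quarantine: directory outside root that PROTECT mode moves files into.
    Returns classification counts, violations and quarantined files so a
    caller can review what a policy would do before switching it to enforcement.
    """
    allowed_dirs = [root / a for a in allowed]
    result = {"classification": Counter(), "violations": [], "quarantined": []}
    # sorted() materialises the walk first, so moves below do not disturb it.
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if not find_card_numbers(path.read_text(errors="ignore")):
            continue
        rel = path.relative_to(root)
        result["classification"][rel.parent.as_posix()] += 1
        if mode is Mode.CLASSIFY:
            continue
        if mode is Mode.COMPLIANCE and any(a in path.parents for a in allowed_dirs):
            continue               # sanctioned container: counted, not a violation
        result["violations"].append(rel.as_posix())
        if mode is Mode.PROTECT and quarantine is not None:
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))
            # Plain-text note left in place of the file, as the post recommends.
            path.with_name(path.name + ".REMOVED.txt").write_text(
                f"{path.name} was moved by DLP content discovery policy "
                f"'{POLICY_NAME}' because it contains payment card data.\n"
                f"To request an exception, contact {contact}.\n")
            result["quarantined"].append(rel.as_posix())
    return result


def build_demo_repo() -> Path:
    """Create a throwaway repository of constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="dlp-demo-"))
    samples = {
        "finance/cards.txt": "Customer card: 4111 1111 1111 1111 expires 12/27\n",
        "shared/notes.txt": "Copied from the ticket: 5500-0000-0000-0004\n",
        "shared/orders.txt": "Order ref 1234567890123456 shipped\n",  # fails Luhn
    }
    for name, content in samples.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(content)
    return root


if __name__ == "__main__":
    root = build_demo_repo()
    quarantine = root.with_name(root.name + "-quarantine")
    for mode in Mode:   # CLASSIFY, ALERT, COMPLIANCE, then PROTECT, mirroring the rollout
        r = scan_repository(root, mode, allowed=("finance",), quarantine=quarantine)
        print(mode.value, dict(r["classification"]), r["violations"], r["quarantined"])
    shutil.rmtree(root)
    shutil.rmtree(quarantine, ignore_errors=True)
```

Running the script walks the same constructed repository through the four modes in the order the post recommends: classification reports that both `finance` and `shared` hold card data without raising anything, alert mode raises two violations, compliance mode raises only the copy outside the sanctioned `finance` container, and protect mode moves both files to quarantine and leaves a `.REMOVED.txt` note beside each so the owner knows whom to ask for an exception. The `orders.txt` file is matched by the regular expression but dropped by the Luhn check, which is the kind of tuning that keeps the baselining phase from drowning handlers in false positives.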