Best Practices For Endpoint DLP: Part 1
As the first analyst to ever cover Data Loss Prevention, I’ve had a bit of a tumultuous relationship with endpoint DLP. Early on I tended to exclude endpoint only solutions because they were more limited in functionality, and couldn’t help at all with protecting data loss from unmanaged systems. But even then I always said that, eventually, endpoint DLP would be a critical component of any DLP solution. When we’re looking at a problem like data loss, no individual point solution will give us everything we need.
Over the next few posts we’re going to dig into endpoint DLP. I’ll start by discussing how I define it, and why I don’t generally recommend stand-alone endpoint DLP. I’ll talk about key features to look for, then focus on best practices for implementation.
It won’t come as any surprise that these posts are building up into another one of my whitepapers. This is about as transparent a research process as I can think of. And speaking of transparency, like most of my other papers this one is sponsored, but the content is completely objective (sponsors can suggest a topic, if it’s objective, but they don’t have input on the content).
Definition
As always, we need to start with our definition for DLP/CMP:
“Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis”.
Endpoint DLP helps manage all three parts of this problem. The first is protecting data at rest when it’s on the endpoint; or what we call content discovery (and I wrote up in great detail). Our primary goal is keeping track of sensitive data as it proliferates out to laptops, desktops, and even portable media. The second part, and the most difficult problem in DLP, is protecting data in use. This is a catch all term we use to describe DLP monitoring and protection of content as it’s used on a desktop- cut and paste, moving data in and out of applications, and even tying in with encryption and enterprise Document Rights Management (DRM). Finally, endpoint DLP provides data in motion protection for systems outside the purview of network DLP- such as a laptop out in the field.
Endpoint DLP is a little difficult to discuss since it’s one of the fastest changing areas in a rapidly evolving space. I don’t believe any single product has every little piece of functionality I’m going to talk about, so (at least where functionality is concerned) this series will lay out all the recommended options which you can then prioritize to meet your own needs.
Endpoint DLP Drivers
In the beginning of the DLP market we nearly always recommended organizations start with network DLP. A network tool allows you to protect both managed and unmanaged systems (like contractor laptops), and is typically easier to deploy in an enterprise (since you don’t have to muck with every desktop and server). It also has advantages in terms of the number and types of content protection policies you can deploy, how it integrates with email for workflow, and the scope of channels covered. During the DLP market’s the first few years, it was hard to even find a content-aware endpoint agent.
But customer demand for endpoint DLP quickly grew thanks to two major needs- content discovery on the endpoint, and the ability to prevent loss through USB storage devices. We continue to see basic USB blocking tools with absolutely no content awareness brand themselves as DLP. The first batches of endpoint DLP tools focused on exactly these problems- discovery and content-aware portable media/USB device control.
The next major driver for endpoint DLP is supporting network policies when a system is outside the corporate gateway. We all live in an increasingly mobile workforce where we need to support consistent policies no matter where someone is physically located, nor how they connect to the Internet.
Finally, we see some demand for deeper integration of DLP with how a user interacts with their system. In part, this is to support more intensive policies to reduce malicious loss of data. You might, for example, disallow certain content from moving into certain applications, like encryption. Some of these same kinds of hooks are used to limit cut/paste, print screen, and fax, or to enable more advanced security like automatic encryption or application of DRM rights.
The Full Suite Advantage
As we’ve already hinted, there are some limitations to endpoint only DLP solutions. The first is that they only protect managed systems where you can deploy an agent. If you’re worried about contractors on your network or you want protection in case someone tries to use a server to send data outside the walls, you’re out of luck. Also, because some content analysis policies are processor and memory intensive, it is problematic to get them running on resource-constrained endpoints. Finally, there are many discovery situations where you don’t want to deploy a local endpoint agent for your content analysis- e.g. when performing discovery on a major SAN.
Thus my bias towards full-suite solutions. Network DLP reduces losses on the enterprise network from both managed and unmanaged systems, and servers and workstations. Content discovery finds and protects stored data throughout the enterprise, while endpoint DLP protects systems that leave the network, and reduces risks across vectors that circumvent the network. It’s the combination of all these layers that provides the best overall risk reduction. All of this is managed through a single policy, workflow, and administration server; rather than forcing you to create different policies; for different channels and products, with different capabilities, workflow, and management.
In our next post we’ll discuss the technology and major features to look for, followed by posts on best practices for implementation.
Sharon Jul 1
Disclaimer first: I was part of a team that was building a DLP suite (network and agent). Currently, I am not affiliated with DLP vendors even though I have some interest in some of the related technologies.
With your permission, I would like to add several comments.
When evaluating a solution, one should remember that not all features are born equal. Vendor A and Vendor B might have a solution that can prevent unauthorized copy to a USB device. They might have the same specification (supported devices, supported detection methods, supported file formats). However, Vendor A will ensure that under any circumstance partial data will never leave the host, while vendor B’s solution provides only a best effort method. In other words - similar solutions, similar capabilities but one is inferior. It is hard to compare and differentiate between the two. I will leave it to the vendors to come with their evaluation criteria but as an industry I feel that there is a need to come with agreed list of minimum tests and checks. it might take some time until the space will mature.
The full suite has another advantage - it allows you to reduce the scope of implementation. instead of deploying on all desktops and laptops, the organization can combine network based DLP with “traditional” security and endpoint security. The more advanced concepts I’ve seen allows the DLP policy server to assign dynamic policies based on location (e.g. a user is now inside the office thus there is no need to activate the agent).
Productivity is a factor that can’t be measured easily. an extreme example is a DLP solution that blocks everything, all the time (Yes, there were times like this. I still remember the poor men’s version of gluing the USB ports).
The last comment is regarding the ability to understand the context of the data in order to create better policies and support the productivity requirements. I’m sure that you’ll cover this in detail, but nevertheless I feel that it’s important enough to be mentioned as a must-have capability for the DLP endpoint. Most of the users are spending their time working on their productivity applications (office, email, browsing) and business applications (ERP, CRM, mostly via browser). Data is sent back and forth between business and productivity applications. Limiting copy-and-paste between environments can not be accepted (I know that I will never use a solution that limits productivity). The DLP solution should be aware that the authorized user is copying sensitive information from one application to another and block/alert/whatever only when the action is out of context.
Manu Namboodiri Jul 2
While I agree that this might be the future - deep content analysis, end points as well as network inspection, I think (as an interim step) most folks should seriously look at full disk encryption as a model. Do the blunt instrument before you do the tweaks… :)
So how about this for the interim? ala FDE, encrypt everything! And make sure it remains encrypted while it is at rest and in motion.
Before folks throw up their arms in horror :) - if one can encrypt data across the board, share it and collaborate seamlessly with folks who need access, then this is a better (and possibly more achievable) step methinks… You don’t care as much about the content as making sure that only authorized folks can get the data - in this scenario, I don’t care if encrypted data leaks from the enterprise.
In this case, DLP would be achieved, but the deep content analysis part of your DLP definition, Rich, might not be required… Thoughts?
rmogull Jul 2
Manu,
First, remember the full disclosure rule around here- if you work for a vendor and write on a topic that’s related to your space, you need to let people know. Let’s be honest, this is an area where you have a bit of bias.
I disagree- we’re talking about two different problems. FDE is about protecting physical loss of an asset. DLP is about content based protection of information as it’s used. Encryption doesn’t help with many of the problems that DLP attempts to solve.
The technologies aren’t mutually exclusive; they achieve different goals.
All-data encryption, as opposed to FDE, also solves a different problem. It doesn’t do a darn thing to prevent someone who has access to the data from accidentally sending it out the front door. Only contant-based policies allow people to use information, but then restrict that use when needed.
You are hitting one of my pet peeves- expanding the definition of DLP to non-content based solutions.
Manu Namboodiri Jul 2
Apologize for the oversight! Should have made full disclosure - I work for BitArmor and do have some bias around this :)
I was not talking about using FDE for just data at rest or preventing physical loss of an asset - but the model around FDE. The idea that folks use something like it to protect everything without an idea of the content itself.
All-data encryption, if persistent, I do believe can be allow someone authorized to view data and if they accidentally send it out, it goes out encrypted. While I am not arguing about the long term value of DLP and content analysis, I am wondering if we can use all data encryption as the interim step…
rmogull Jul 2
That seems even harder than using what I suggest- especially since DLP, while not perfect, still provides a lot of value today.