I woke up in a pretty good mood this morning. First of all, it’s Friday and I can just feel the weekend oozing around the corners of the neighborhood. Sure, every day is either a Friday or a Monday when you’re self employed, but there’s still something special about the official weekend.
I also woke up a little more alert than usual lately, and even decided to skip my morning routine of getting totally ready before slipping downstairs for some morning coffee and news (via RSS, of course).
That’s when my day took a sad turn. As soon as I dug into my news feeds I saw that my friend Amrit’s blog had been pwned by some attacker looking to damage his reputation. That’s the only thing that can explain this post on how DLP is just a feature of either network security or endpoint security. Either that, or Amrit was intentionally goading me, something all of us security bloggers are a little prone to doing.
I’ll just point out a few internal inconsistencies with the hax0r-pretending-to-be-Amrit’s position.
However I need to call out several things that are being missed in all the DLP analysis. First DLP is a future feature of either network or host-based security, just as all other security technologies whether they be AV, IDS/IPS, firewall, etc are segmented by network and host so shall DLP follow. The never ending explosion of crap and bloatware that must be deployed at the network and host is becoming increasingly difficult to manage. So why would an organization want a separate infrastructure, team, and set of processes to deal with data security differently than information security?
Um, last time I checked data security was part of information security. But this is a great example of what Hoff and I have been ranting on about the loss of the term information security, which in some circles only represents AV and firewalls. If that’s your definition of information security, Amrit is correct. Also, we see more divisions than just host and network in real-world operational environments. Is application security a network or host issue? Incident response? SIEM? NAC? Even web filtering today has both host and network components. Those lines were drawn when it made sense to draw those lines; now we’re drawing new ones.
We need a different infrastructure, team, and set of processes because you can’t solve the problem with network-only or host-only infrastructure, teams, and processes. We’re solving a business problem (”protect my data”), not just thinking of this as a collection of tools.
Second thing to note is that organizations segment administration responsibility between the network and desktop and servers, that is network security technologies are generally purchased, deployed, and administered by a different group (usually network operations) than the group that is responsible for desktop security (usually desktop operations/support). It is common for an organization to deploy one AV vendor at the email gateways and a separate vendor at the desktop, just like it is common to deploy different firewalls at the network vs. the host, same with anti-spam, Intrusion detection/prevention and pretty much anything else that can run on the network or the host – so why would it be any different for DLP?
It won’t be- as I’ve discussed before, DLP will be all over the place and will integrate with these existing investments, while being managed someplace else. Why the heck should the guy managing AV be dealing with highly sensitive policy violations around the use of intellectual property? Besides, the different gateway vs. desktop AV argument is spurious- most organizations do that for defense in depth.
The management of deploying and integrating DLP will be the responsibility of the network and host teams Amrit is so enamored with. The management of DLP policies and violations will be a separate group (in a big enough organization) with a data/content/compliance focus.
There are two kinds of administrative responsibilities- the one to solve the problem, and the one to keep the stuff running. The latter is a throwaway, and can be implemented by whoever is “in charge” of the platform where the sensor is being deployed.
So if one believes, as I do, that DLP will converge with adjacent security and eventually systems management functions and one believes, as I do, that there is a pretty clear separation of duties between the network and host operations folks in an organization then one would have to question analysis that called for a converged network/host solution.
Or, if you believe as I do that we’re here to solve business problems and not just support organizational momentum of the past, the only way to solve DLP is through a hybrid solution. It makes absolutely no sense to have to build different data protection policies for the network, host, and storage; rather, we’ll build one policy based on the content and distribute that to all the necessary enforcement points. That’s where DLP is headed.
We’ll let BigFix distribute the agents and keep them running, just as we let the mail and web gateways keep their DLP engines running. Don’t worry Amrit, you guys will continue to see your success as an endpoint management tool. But you’ll be distributing agents for something that connects back to a DLP tool that also talks to network gateways, storage, and a bunch of other stuff.
That is not to say that there shouldn”t be an ideal of integration, but an ideal is a far cry from reality and the reality is that network focused tool vendors are terrible, absolutely abysmal at providing central management of desktop technologies (can anyone say Cisco CSA?) so why would an organization deploy an agent from a network focused company? And for that matter why would an organization deploy a network device from a desktop focused vendor – they wouldn”t, unless the vendor had mastered both, and there were no organizational politics between the network and desktop teams, and there was good collaboration between the security and operations teams, and there was a child born on the seventh moon, under the seventh sign, on the seventh day you get the idea.
And why would we trust a vendor that only understands bad packets or malicious software to protect data from internal user abuse/mistakes? We wouldn’t; they don’t have the expertise to manage the problem.
Which brings us back to where we started- I’m a fan of DLP, even as immature as it is, because it’s directed at solving a business problem that crosses traditional technical boundaries. It’s the business, not the tech.