Quick Wins with DLP Light
By Rich
Our entire profession is called “information security”, but surprisingly few of our technologies focus on actually protecting the data itself, as opposed to the infrastructure surrounding it. Data Loss Prevention emerged nearly 10 years ago to address exactly this problem. By peering inside files, network traffic, and other sources – and understanding both content and context – DLP provides new capabilities comparable to when we first started looking inside network packets.
The Data Loss Prevention market is split into two broad categories of tools – full suites dedicated to DLP, and what we call “DLP Light”.
There is a lot of confusion about the differences between these approaches… and even their definitions. In this series we will focus on DLP Light – what it is, how it works, and how to rapidly take advantage of it. (For more information on full-suite Data Loss Prevention, see our white paper Understanding and Selecting a Data Loss Prevention Solution.)
Defining DLP Light
We are talking about a subset of Data Loss Prevention, so we need to start with our definition of DLP:
Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis.
A full DLP suite includes network, storage, and endpoint capabilities; as well as a range of deep content analysis techniques such as document fingerprinting.
DLP Light tools include a subset of those capabilities; they are generally features of, or integrated with, other security products – such as endpoint protection platforms, email security gateways, and next-generation firewalls. DLP Light tools tend to have some or all of the following characteristics:
- Focused on a subset of ‘channels’. A DLP Light tool might focus on portable storage, email, web traffic, other channels, or a combination.
- Fewer/simpler content analysis techniques. Rather than providing a wide range of deep content analysis techniques, many of which are resource-intensive, DLP Light products tend to include a smaller set of techniques, or even a single method. The most common is pattern matching, which is also the most widely used technique in both full and Light DLP deployments.
- Less dedicated workflow. DLP Light tools are often integrated with, or features of, other security tools. As such, they lack the full self-contained workflow found in full DLP suites.
You might ask, “So how is this still DLP?” The key defining characteristic of both full DLP and DLP Light is content analysis. If a tool can peer into network traffic or a file and sniff out something like a credit card number, it’s DLP. If all it does is rely on tagging/labeling, metadata, or contextual information… it isn’t DLP.
The Role of DLP Light
DLP Light plays an important role in a few different use cases:
- Organizations that already use the product the DLP Light tool integrates with – such as email security gateways – often want to start protecting sensitive data while constraining costs.
- Organizations that don’t require dedicated DLP tools. This is often due to less stringent or more circumscribed data security requirements.
- Organizations that want to scope out their DLP problem before investing in a dedicated tool. DLP Light can play a valuable role in helping assess data security risk.
- Organizations that want to start small and grow into full DLP.
There is a bit of overlap between these cases, but they reflect the most common reasons we see people using DLP Light. Dedicated Data Loss Prevention is extremely powerful, but not appropriate for everyone.
Next we will cover the technology side of DLP Light, and then we will finish with the Quick Wins process for rapidly deriving value from your implementation.