Chapter 1: Preparing to Deploy Data Loss Prevention”
Deploying a data loss prevention (DLP) solution can be intimidating, but take heart—it’s not as daunting as you might think if you approach it step by step. In his four-chapter white paper, Implementing and Managing a Data Loss Prevention Solution, Rich Mogull, analyst and CEO of independent research firm Securosis, guides you through a successful DLP implementation. The first chapter, which we’ll talk about here, Preparing to Deploy Data Loss Prevention, walks you through the all-important planning stage. Over the next four months, we’ll be covering the other three chapters, which will offer more tricks, tips, and techniques for integration and actual deployment, configuration, and management. It’s true that DLP is powerful and sophisticated, but, once you get a handle on it, you’ll find that you can extract a lot of value “without killing yourself with complexity.”
Preparation Is the Key to Success
Let’s get started. You already know about the importance of planning—but you may not know about all of the technical complexities of DLP deployment, some which are not immediately apparent. Of course, before you take anything out of the box, you’ll want to be trained in order to be thoroughly familiar with how your solution works. If you start with detection and test agents and components for compatibility, you’ll have a high probability of success.
As soon as you turn on the switch for your DLP solution, it will start collecting policy violations. Generally, these may not require special handling and escalation, but be prepared to find violations that may require legal or HR intervention. Minimize headaches for your legal department by keeping the following requirements in mind as you formulate a comprehensive incident handling process:
- Criteria for incident escalation.
- Who has access to incident data during an investigation.
- Determining whether the incident is caused by external actors or insiders.
- Escalation workflow—who does what and when.
- Whether and when to involve management when an incident is escalated.
Clean directory servers
The next thing you’ll need to tackle is determining whether you have a clean directory server, as most DLP solutions tie into directory servers as a way of linking users to incidents. You’ll need to know which networks are connected to which users and what their rights and access privileges are. If your organization has consistently maintained compliance with regulatory mandates, then you’re probably in pretty good shape. But if your company is large and has been through multiple mergers and acquisitions, it might take a while before your directory severs are squeaky clean. In the long run, you’ll be glad you invested time in this important activity.
Get your priorities straight
No doubt your organization already has a pretty good idea of its DLP priorities, like complying with PCI requirements, as an example. But it’s one thing to know what you want and quite another to know how to accomplish it with your new DLP solution. The first thing you need to do align your priorities—such as compliance to regulations, preventing intellectual property leaks, or safeguarding customer personally identifiable information (PII). Then, you’ll want to develop a deployment strategy and process. You can choose one of these two paths:
- Full deployment, if you have already prioritized what to protect, know where it is, and understand the scope of this task.
- Quick wins, which focus on hot spots out of the gate and will help you establish your priorities for a full deployment later.
Map out your infrastructure
Regardless of whether you go with a full deployment or quick wins, you will need to map out key components of your network, storage, and endpoints so that you’ll know exactly where to push out the DLP components. You don’t necessarily need to map out every single component—just focus on the locations and infrastructures that correspond to your DLP priorities.
Testing one, two, three
Even if you have already done extensive testing or a proof-of-concept before you purchased your DLP solution, it pays to go deeper, now that you know your priorities. Your testing plan should encompass the following:
- Test single policies and combinations of policies you will likely want to enforce across all components and against your directory server. In addition, you’ll want to best various scenarios to become conversant with the user interface and workflow.
- Make sure your DLP has its eye on the right network ports and protocols and can keep up with traffic.
- If you plan to use agents on storage servers, test for performance.
- Check performance and compatibility on diverse endpoints in your organization and determine which content analysis system works best for you.
I hope chapter 1 of this series helps you put your DLP plan in place. Believe me, it gets easier the deeper you get into it. In chapter 2 of this four-part series, we’ll discuss Integrating and Deploying Data Loss Prevention, so stay tuned.