Data loss prevention technologies can be costly and challenging to deploy--especially without proper planning upfront. Here are some things to think about before you spend money.
Data loss prevention sounds like a great idea. But poor planning can run up
costs, making how organizations choose tools an important-and
There are several things organizations should take into account when buying
a DLP solution, starting with what type of data they want to protect,
Securosis analyst Rich Mogull said. From there, organizations should consider
everything from their incident handling process to where the data they want
to protect is, how they want to protect it and what the infrastructure
requirements are, he said.
Businesses often don't pay enough attention to the
management requirements of the product and get burned because of it,
noted Forrester Research analyst Jonathan Penn. There are several questions
organizations should ask themselves, he said, such as, "Can I have a
hierarchical policy framework, where one policy inherits the properties of
another? Can I view events in different ways, and is information provided in a
way that gives me a prioritized view and sense of my current risk exposure? ... Can
I control who sees what, and have a workflow around incidents that allows
non-IT people (business managers, HR) to participate in the review process?"
In the last 18 months, a lot of businesses have become more educated
technologies, opined Bob Hansmann, senior product marketing manager at Blue
Coat Systems, which just recently entered the DLP
space. Having seen tools either too complex to effectively deploy or too simple
to be useful, businesses are looking for something that gives them full DLP
capabilities but is also easy to deploy and manage, he said.
"The single most important thing we tell customers is to make sure they
have a plan that includes not only technical solutions but also employee
education. ... To successfully implement DLP, it is important that businesses
understand and prioritize the key issues, whether those are compliance issues
or concerns around proprietary information, driving the deployment," Hansmann
said. "Not all DLP solutions provide the same functionality. If you're a
global company, for example, you will need a solution that supports multibyte
characters for offices in Japan, China or the Middle East. Without that
support, a business
will have to deploy local solutions in each country, which creates both a
policy and reporting headache.
"Likewise, many DLP solutions are
piecemealed together with third-party databases, software and servers," he
need to have consensus
between the different purchasing groups on how to
acquire, deploy and manage these assets, or they should consider a solution
that integrates these components into a single appliance."
Understanding how a DLP solution fits in
with the other systems it needs to talk to is key, said Rich Dandliker,
director of product management for data loss prevention at Symantec.
"For example," he said, "will a DLP system require a change to the e-mail
messaging infrastructure, and potentially slow down a rollout because of
requirements of adding a completely new Message Transfer Agent? Will the DLP
system be
able to link into enterprise reporting and incident response systems, or will
it require an extensive retooling of how the company's processes work?"
Many businesses have also become concerned with data leaks on social media
sites like Facebook, as well as protecting data when it no longer lives on
premises due to cloud-based projects, he said. The most successful DLP
customers plan out their deployment and make sure they have the necessary
business processes in place to train employees to avoid the common causes of a
breach, he added.
"Getting visibility is a first step, followed by remediating issues
that are found, then automating notification of issues to end users, and
finally blocking in real time to stop potential breaches in their tracks,"
Dandliker said. "Customers should take small bites of the elephant and
make demonstrable progress around reducing risk with their most critical data
rather than trying to boil the ocean."