Data loss prevention sounds like a great idea. But poor planning can run up costs, making how organizations choose tools an important-and meticulous-process.
There are several things organizations should take into account when buying a DLP solution, starting with what type of data they want to protect, Securosis analyst Rich Mogull said. From there, organizations should consider everything from their incident handling process to where the data they want to protect is and how they want to protect it and what the infrastructure requirements are, he said.
Businesses often don't pay enough attention to the management requirements of the product and get burned because of it, noted Forrester Research analyst Jonathan Penn. There are several questions organizations should ask themselves, he said, such as, "Can I have a hierarchical policy framework, where one policy inherits the properties of another? Can I view events in different ways, and is information provided in a way that gives me a prioritized view and sense of my current risk exposure? ... Can I control who sees what, and have a workflow around incidents that allows non-IT people-business managers, HR-to participate in the review process?"
In the last 18 months, a lot of businesses have become more educated about DLP technologies, opined Bob Hansmann, senior product marketing manager at Blue Coat Systems, which just recently entered the DLP space. Having seen tools either too complex to effectively deploy or too simple to be useful, businesses are looking for something that gives them full DLP capabilities but is also easy to deploy and manage, he said.
"The single most important thing we tell customers is to make sure they have a plan that includes not only technical solutions but also employee education. ... To successfully implement DLP, it is important that businesses understand and prioritize the key issues-whether those are compliance issues or concerns around proprietary information-driving the deployment," Hansmann said. "Not all DLP solutions provide the same functionality. If you're a global company, for example, you will need a solution that supports multibyte characters for offices in Japan, China or the Middle East. Without that support, a business will have to deploy local solutions in each country, which creates both a policy and reporting headache.
"Likewise, many DLP solutions are piecemealed together with third-party databases, software and servers," he added. "Businesses need to have consensus between the different purchasing groups on how to acquire, deploy and manage these assets, or they should consider a solution that integrates these components into a single appliance."
Understanding how a DLP solution fits in with the other systems it needs to talk to is key, said Rich Dandliker, director of product management for data loss prevention at Symantec.
"For example," he said, "will a DLP system require a change to the e-mail messaging infrastructure-and potentially slow down a rollout because of requirements of adding a completely new Message Transfer Agent? Will the DLP system be able to link into enterprise reporting and incident response systems, or will it require an extensive retooling of how the company's processes work?"
Many businesses have also become concerned with data leaks on social media sites like Facebook, as well as protecting data when it no longer lives on promises due to cloud-based projects, he said. The most successful DLP customers plan out their deployment and make sure they have the necessary business processes in place to train employees to avoid the common causes of a breach, he added.
"Getting visibility is a first step, followed by remediating issues that are found, then automating notification of issues to end users, and finally blocking in real time to stop potential breaches in their tracks," Dandliker said. "Customers should take small bites of the elephant and make demonstrable progress around reducing risk with their most critical data rather than trying to boil the ocean."