Monday, May 26, 2008

Oops! I Leaked My Data

The hot topic these days in security seems to be DLP or Data Leakage Prevention. Personally, when someone says "data leakage" I immediately think of incontinence. I can't help it, in some (many) ways I am still an 11 year old boy. In all seriousness, I think this is yet another solution looking for a problem. Kinda sorta. In my meetings with various DLP vendors I am beginning to get the sense they are selling re-purposed, bass-ackwards IDS. Basically you have to either tap or SPAN an egress port at your edge and inspect relevant packets heading for the exit. If the information heading out is not encrypted and matches predetermined criteria (signature-based), the device will act according to the business rules set on it (drop, log, etc.). The DLP solutions I have been exposed to also have a desktop client that monitors for pre-defined data types and tries to lock this data down so it can't leave the machine without proper authorization. At least that's what the product brochure says. :eye roll:
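To make the egress-inspection model above concrete, here is an added example (not code from this post or from any DLP vendor): a handful of signatures for pre-defined data types, a business-rule table mapping each type to an action, and an inspector run over constructed sample payloads. The signatures, rule table, sample payloads and the "most restrictive action wins" policy are all assumptions made for the example, and the last sample shows the blind spot the post names, an encrypted payload that signature matching cannot see inside.

```python
import re

# Constructed for this example: signatures for two pre-defined data types.
SIGNATURES = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Business rules set on the device: data type -> action (constructed).
RULES = {"us_ssn": "drop", "card_number": "log"}
DEFAULT_ACTION = "allow"
SEVERITY = {"allow": 0, "log": 1, "drop": 2}   # most restrictive action wins

def luhn_ok(digits: str) -> bool:
    # Checksum that separates real card numbers from random 16-digit runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(payload: bytes) -> list:
    """Return the data types found in a payload; ciphertext yields nothing."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return []          # encrypted or binary: signatures cannot see inside
    found = []
    if SIGNATURES["us_ssn"].search(text):
        found.append("us_ssn")
    for m in SIGNATURES["card_number"].finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append("card_number")
            break
    return found

def egress_decision(payload: bytes) -> str:
    # Apply the rule table to one outbound payload and pick the action.
    actions = [RULES.get(t, DEFAULT_ACTION) for t in classify(payload)]
    return max(actions, key=SEVERITY.__getitem__, default=DEFAULT_ACTION)

# Constructed sample egress payloads (the card number is a standard test value).
SAMPLES = {
    "ssn_mail": b"From: bob\r\n\r\nMy SSN is 078-05-1120, please update HR.",
    "card_post": b"cc=4111 1111 1111 1111&exp=12/29",
    "both": b"SSN 078-05-1120 card 4111-1111-1111-1111",
    "lookalike": b"order id 1234 5678 9012 3456",   # 16 digits, fails Luhn
    "tls_record": b"\x17\x03\x03\x00\x10\xff\xfe\x8a\x9c\x00\xd2",  # opaque
}
```

Running `egress_decision` over each entry of `SAMPLES` gives drop, log, drop, allow, allow respectively; the last two are the false-positive and false-negative cases a signature-based sensor has to live with.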
In most enterprises you need an iron grip on your infrastructure in order to pull off an effective DLP deployment. By iron grip I mean effective controls such as:
  • Accurate directory structure so the system can determine who a user is and what they are entitled to see
    • Finance users should be able to see financial data
    • Finance users should not be able to see IT data
  • Corporate data standards that define data by type, sensitivity, and audience
  • File servers that are locked down to prevent users from "folder surfing"
  • Corporate desktop that is locked down and strictly enforced (can't install/uninstall apps)
  • Web proxies that are capable of blocking traffic and can work with the DLP system
  • Single point into and out of the enterprise network to prevent data "leaking out the back door" (sorry, couldn't help it)
I think products like DLP have their place in the corporate environment; however, I think the vendors are promising things they can't deliver except in a lab environment or in small, tightly run shops. In my opinion DLP will become mature when it is integrated with a web proxy and possibly an inbound IDS/IPS solution. Oh, and it has to come in powder-fresh scented and original unscented models.