Does DLP Actually Work?

With the state of information security today, organizations are looking to implement defensive systems to protect against breaches, but more specifically to protect against their precious data being ex-filtrated from their network. Data Loss Prevention or DLP is being deployed more and more to solve this problem. There are numerous reasons why organizations fail at this. One of which is trying to make this solely an information security issue and not understanding the requirements from the business or the implications on the user base.

So what is DLP? DLP is a solution used to detect (and at times prevent) potential breaches/ex-filtration by monitoring data while in the following states:

  • Data at Rest – data while it is being stored
  • Data in Use – data while it is being accessed by the “end point”
  • Data in Motion – data while it is transmitted over a network (in transit)

Deep content analysis or techniques used to understand our information include – Described data like a credit card or social security numbers. Information we can “describe” based upon known criteria (i.e. CC numbers begin with a certain number) –  and Registered data – Registered within the DLP policy system data of interest (i.e. specific document or specific database).

DLP has been very popular as a stop-gap measure considering most organizations deploy a DLP solution without proper planning, proper understanding of the capability of the solution and the most important – not always working with the business to align goals and scope. One of the biggest mistakes an organization can make is relying solely on security teams to implement a data protection program.

 It is critical that there is a well-defined set of policies – standards, directives, and guidelines — that outline exactly what data requires protecting, where data security controls will be enforced, and exactly how data will be protected.

A recent article in DarkReading refers to a Gartner report, “Gartner’s recent “Best Practices for Data Loss Prevention: A Process, Not a Technology” report reinforces that organizations cannot simply “set and forget” DLP, and must involve business stakeholders early in the early stages to develop a clear and concise strategy for how the organization will address data exposures”.

They also go on to mention, “The most effective way of creating administrative data-protection controls — policies, standards, directives, and guidelines — is through a collaboration of strategic business lines that understand the risk and have an invested interest in the outcome. That includes, but is not limited to, legal, privacy, security, and human resources. Having perspectives from these and other stakeholders will ensure that when it’s time to commence the data protection program, the technical controls are not seen as roadblocks, but rather enablers, for performing business securely. “

As I mentioned earlier, the solution you choose is very important as well. Be sure that what you are relying on your DLP vendor to do is something that is actually possible. As DLP is a “fairly” new technology concept, but very popular, many vendors have flocked to provide a solution. Some of the most common criteria for evaluating DLP products are ease of administration, business integration, infrastructure complexity, and cost of ownership.

For me, with my experiences deploying DLP, the most important is ensuring your organizations’ technologies can be monitored with the solution you go with and that you understand exactly how you are going to use it. Key items like documenting your data flows, egress points, compliance requirements, storage locations, and having a clear understanding of your organizations data classification policy.


By Peter Morin (

Leave a reply