Inside the four main elements of DLP tools
Security expert Rich Mogull outlines the four elements of a DLP tool: the central management server, network monitoring, storage and endpoint DLP.
Data loss prevention, or DLP, can be a critical tool to have in your enterprise's security toolbox. To ensure your company's data loss prevention needs are properly met, you need to understand the technical components of DLP products.
A full-suite DLP tool contains four main elements: the central management server, network monitoring, storage DLP and endpoint DLP. In a small deployment, everything except the endpoint agent may be consolidated on a single server or appliance; larger deployments might include multiple, distributed pieces to cover different parts of your infrastructure.
Let's take a deeper look at each of the four main technical elements.
Central management server
The central management server is the control center of your DLP deployment. At a minimum, it is where you manage DLP policies, integrate with your directory servers (to tie users to activities), manage incidents, collect data from sensors and endpoint agents, and handle basic functions like backup/restore and reporting.
In most data loss prevention products, the management server can also function as a network monitor, as your email queue and as a storage scanner. It is also the piece that generates reports.
Network monitoring
The next piece or "function" is network monitoring. Basic passive monitoring involves network sniffing on a SPAN or mirror port, and it's where most organizations start. However, this is limited because it doesn't provide insight into SSL traffic, which is a glaring hole if you want to actually protect data. Sniffing SSL traffic means intercepting it either with your DLP tool or with another Web proxy/security gateway that can pass traffic to the DLP tool (usually using the ICAP protocol). Plan for this from the start; if you can't monitor SSL traffic, you are wasting your time by only watching unencrypted traffic.
Monitoring email, on the other hand, is easier because it's a store-and-forward protocol, and you can pass messages to the DLP tool for analysis and handling before releasing them to the outside world. You can, for example, automatically encrypt emails with sensitive medical information by sending the email to the DLP tool, identifying the content and then passing it directly to your encryption product.
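As an added illustration of the store-and-forward email flow (not code from the article or from any DLP product): a hook that parses a queued message, checks the body against a constructed medical-record pattern, and stamps a hypothetical X-DLP-Action header that the downstream mail gateway would act on (encrypt, quarantine or release). The MRN format, the keyword list and the sample messages are all constructed for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed detection rule for this illustration: a hypothetical medical
# record number format "MRN-" plus seven digits, and a few clinical keywords.
MRN_RE = re.compile(r"\bMRN-\d{7}\b")
CLINICAL_TERMS = ("diagnosis", "prescription", "lab results")

def classify(msg: EmailMessage) -> dict:
    """Inspect the plain-text body and report what the policy matched."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "mrn_count": len(MRN_RE.findall(text)),
        "terms": [t for t in CLINICAL_TERMS if t in text.lower()],
    }

def decide_action(findings: dict) -> str:
    """Map findings to the disposition the mail gateway applies on release."""
    if findings["mrn_count"] and findings["terms"]:
        return "encrypt"      # identifiable patient data: hand to the encryption product
    if findings["mrn_count"] or findings["terms"]:
        return "quarantine"   # ambiguous match: hold for an incident handler
    return "release"

def process(raw: str) -> EmailMessage:
    """Store-and-forward hook: parse the queued message, analyze it, stamp a
    hypothetical X-DLP-Action header, and hand it back to the mail queue."""
    msg = message_from_string(raw, policy=policy.default)
    msg["X-DLP-Action"] = decide_action(classify(msg))
    return msg

# Constructed sample messages (not real mail).
SENSITIVE = """From: clinic@example.com
To: patient@example.net
Subject: Follow-up
Content-Type: text/plain; charset=utf-8

Patient MRN-0012345: diagnosis confirmed, lab results attached.
"""
CLEAN = "Subject: Parking\nContent-Type: text/plain\n\nThe north lot is closed Friday.\n"
```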
Storage DLP
Also referred to as content discovery, storage DLP scans stored data using one of two methods. The easiest approach is to load the DLP tool with credentials to a file share and allow it to connect and analyze the files. This might be slow for large repositories or take up a bunch of network bandwidth, which you can manage by deploying a DLP server, appliance or virtual appliance closer to the target storage repository. Some larger deployments may even call for the use of a dedicated backhaul network.
The second option is to deploy a monitoring agent on the server to analyze files locally and then send the results back to the central DLP server. This is also a common way of integrating with document management systems, which don't expose standard network file shares.
Endpoint DLP
The final piece is endpoint DLP, which is always a local agent. Endpoint agents have a lot of work in front of them: The agent should monitor and control network traffic, scan local storage, scan and manage portable storage, and potentially even include more advanced data protection, such as print/fax control, cut/copy/paste control, screen grab control and print screen control. An agent may even control which applications can access protected data. As you might have guessed, these capabilities vary widely between different products and may not always work as advertised.
Be extremely careful when evaluating DLP endpoint agents. Not only do core capabilities vary widely, but performance, and even what policies are supported, are all over the map. Going back to our content analysis techniques, not all of them are capable of running on a laptop or desktop with limited system resources. Even if a vendor technically supports all the techniques on the endpoint, the "size" or structure of the policy might be so limited as to make it worthless. Some tools offer the option to alter policies based on the network the endpoint is connected to, letting you use full database fingerprinting on the corporate network, but then swap to rules/pattern matching when on a home or public network.
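The network-dependent policy swap described above, as an added example that is not from the article or any product: on the corporate network the agent runs full database fingerprinting against a hash set the server would distribute, and off the network it falls back to a compact pattern-plus-checksum rule. The difference in what each profile flags is the point. The protected set uses standard test card numbers, and the sample text is constructed.

```python
import hashlib
import re

# Constructed protected set for this illustration: the card numbers the server
# would fingerprint from the customer database (standard test numbers only).
PROTECTED_CARD_NUMBERS = ["4111111111111111", "5500000000000004"]

# Compact pattern used off-network: 13 to 16 digits with optional separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def fingerprint(value: str) -> str:
    """Normalize a database cell and hash it; only hashes are shipped to agents."""
    return hashlib.sha256(re.sub(r"\s+", "", value).encode()).hexdigest()

FINGERPRINTS = {fingerprint(n) for n in PROTECTED_CARD_NUMBERS}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which filters most random digit runs out of pattern hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str, on_corporate_network: bool) -> dict:
    """Pick the detection profile by network location and scan one text."""
    candidates = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    if on_corporate_network:
        # Full profile: exact match against the server-provided fingerprint set,
        # which flags only this organization's own customer records.
        return {"mode": "fingerprint",
                "hits": [c for c in candidates if fingerprint(c) in FINGERPRINTS]}
    # Reduced profile: pattern plus checksum, small enough to run without the
    # server, but it flags any plausible card number, not just protected ones.
    return {"mode": "pattern", "hits": [c for c in candidates if luhn_ok(c)]}

# Constructed sample text: one protected number, one valid but unprotected
# number, and one digit run that fails the checksum.
SAMPLE = ("Charged 4111 1111 1111 1111; retry on 4242-4242-4242-4242 failed; "
          "ticket 1234567890123456 opened.")
```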
This covers the basics of full-suite DLP tools, and should help you figure out which features to look for in partial-suite or DLP lite tools. Keep in mind, different products may include quite a bit more than the core capabilities, such as file activity monitoring or mobile device support, but I recommend you focus on the basics.
About the author:
Rich Mogull has nearly 20 years of experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats to risk management frameworks and major application security.