Sometimes, in the rush to be the first person to publish an idea or design; people will overlook security in the planning phase. Redspin would like to propose something different.
In the last few weeks I have talked with several customers about their data loss prevention initiatives. It seems that most of the programs are focused on inadvertent data loss. These are issues such as employees sending spreadsheets with PII data to their Gmail account so they can be productive at home (a VPN is such a hassle). Another example is even more basic – sending email with PII data in the clear to business associates.
What I have heard from customers is that they are deploying DLP systems from companies like Symantec (Vontu), EMC/RSA (Tablus) and Intel/McAfee (Reconnex) to solve these problems. It strikes me that these systems are expensive (both from an acquisition and operational point of view) and heavyweight solutions to a problem that might be better addressed through additional investment in security awareness training.
The other issue I have is that it seems most of these systems have been deployed for compliance purposes, in hopes that they will help meet some regulatory criteria (look at the money we are spending, we must be addressing the problem). Yet, most often there is not enough planning being done around the supporting workflow and security processes. As a result, these systems tend to address a fairly narrow information protection requirement and lack integration with other security systems and processes. One has to wonder why DLP isn’t more tightly integrated with rights management systems, SEIM, identity and access management systems …even GRC.
But the real problem, as I see it, is that the DLP vendor community hasn’t addressed the most important areas. While the number of incidents associated with inadvertent PII data loss is high, the dollar value isn’t that significant. The bigger problem is associated with malicious insiders and skilled attack teams (that look like malicious insiders given that they can compromise users and steal credentials). The volume of incidents in this space is low, but the dollar value impact is very high. To address this problem requires an investment in security processes and skilled people.