Understanding DLP Deployments for Email – Why focus on Email? Because it is the Most Likely Vector of Leakage
Enterprises today need to not only understand how Data Leak Prevention (DLP) impacts their organization, but also need to be aware of DLP specifically as it relates to email. In this column, I’ve provided best practices for DLP adoption, focusing on email as it’s the most likely vector of leakage, and also looking at DLP in the cloud.
DLP solutions are best categorized into two general classes, enterprise DLP (E-DLP) and single channel DLP (C-DLP). The two categories are distinguished by the scope of the solution and the clientele. E-DLP covers the full spectrum of data protection: data at-rest, data in-motion, end-point security. Whereas, C-DLP covers a narrowly defined source of risk, such as email. E-DLP is complex, expensive to deploy, and most likely to be deployed in large regulated enterprises and those firms with secrets to protect. C-DLP is much less costly to deploy and focused on a specific problem, such as personally identifiable information (PII) in email or Web traffic.
DLP deployments typically are initiated to defend against the accidental disclosure of data. Most enterprises do not have the data protection posture of an intelligence agency with compartmentalization of data access and the restriction of sharing data. Such would inhibit productivity and innovation. Instead, the danger is that someone accidentally or inadvertently releases data that can have financial and reputational repercussions – for example, someone emails to her home email account a spreadsheet containing PII that, because the ISP is considered a public network, triggers a reporting event under privacy laws. Gartner estimates that 60% of the data leakages occur as a result of negligence not nefarious intent.
Special Attention to Email
Why focus on email? Because it is the most likely vector of leakage, followed by Web 2.0 (social media and Webmail), instant messaging, and removable media. In the case of email C-DLP solutions offer advantages over E-DLP solutions. Because C-DLP solutions are tailored to a specific method of egress, they offer greater policy control and flexibility in the actions that they are able to take on a potential incident. For example, an E-DLP solution may have the ability to monitor email traffic and block or quarantine email messages but often do not have the intelligence and functionality to modify parts of a message or performing encryption functions.
When choosing to deploy a C-DLP solution for email it is important to look for a solution that can be implemented on existing policy and routing infrastructure. This enables much finer control over email monitoring and policy enforcement since the reliable routing infrastructure already sits in-line managing real-time email traffic. This type of architecture also reduces the risk of email messages getting lost or causing and interruption in message delivery as can happen with solutions that act as proxy servers. All E-DLP solutions today are implemented on a proxy technology for in-line enforcement, which has limited the solutions primarily to monitoring, not enforcement.
DLP in the Cloud
Cloud-based email solutions pose a challenge. For Internet collaboration and email like Microsoft Office 365 and Google Gmail, it is difficult to put effective DLP monitoring or enforcement into these environments, because the organization does not own the infrastructure. In some instances, monitoring of the traffic from within the organization to the Cloud-based service, however, in order to effectively implement policy controls that include encryption actions, it is likely that email traffic will have to be back-hauled to an on-premises email backbone where the DLP functionality resides. In that instance, a C-DLP solution may be the best option. It provides the high-function policy controls needed, but at a lower cost to deploy than E-DLP solutions.
Increasingly, businesses are looking towards lowering costs while maintaining controls with virtualized data centers that permit moving resources from on-premises hardware to infrastructure-as-a-service providers. In those instances both E-DLP and C-DLP are easier to deploy because the company is still in control of the virtual machines that happen to be running on an external physical infrastructure. Virtualization opens up the possibility of deploying virtual appliance products for C-DLP which offer some of the most compelling total cost of ownership, relative to other solutions.
C-DLP should not be considered as poor-man’s DLP or an inferior solution. It is a complimentary solution to an E-DLP solution due to its often-greater policy enforcement mechanisms. Particularly in the case of messaging, C-DLP is able to provide integration with security solutions such as encryption that become part of an over-all strategy for protecting PII and ensuring PCI compliance. C-DLP solutions complement a security strategy when moving to the cloud through the deployment of C-DLP in an on-premises email backbone. Virtual appliance products for C-DLP can provide the lowest total cost of ownership for implementing the policy controls for regulatory compliance when deploying a virtualized data center