Security Experts:

From Traffic Cop to Fleet Manager, DLP Evolves Beyond the Perimeter

Perimeter-based DLP Enforcement Has Increasingly Taken a Backseat to Host-based Implementations

Harkening back to a time before “cyber” entered a CISO’s daily vocabulary, data leakage prevention (DLP), even after two decades, has adapted new enterprise defense in depth strategies to protect the outbound flow of business data beyond the traditional network perimeter. DLP has broadened to encompass a menagerie of three-letter acronyms, such as information leak prevention (ILP), content monitoring and filtering (CMF), and extrusion prevention system (EPS). 

Of all the technologies commonly employed to protect the enterprise, the evolution of DLP perhaps most closely captures the changing practices of how information security should be applied and the business role of the team managing the system.

Traditionally, DLP deployments have been led and defined by IT departments – and more recently by security operations teams. For a long time, data inspection and policy enforcement has occurred at or near the best approximation of the businesses perimeter. In such environments, IT and security professionals have effectively operated as an internal police force – following strict policies, enforcing regulations, and dealing with offenders on a case by case basis. DLP has always been tricky to deploy and enforce, and most CISOs can freely regale stories of DLP promises and their subsequent failures. A common tale is the typically cringe-worthy reality of policing a brand-spanking, newly deployed, network DLP solution.

Data Leakage Prevention -  EnforcementThe aspirations are high, but the goal simple – prevent users from emailing, posting, or otherwise sharing customer credit card details insecurely over the Internet. Deployment is where theory diverges from reality. 

Day One: DLP threshold set to ANY credit card details being sent, resulting in 50,000 alerts, the DLP solution grinding to a halt, and so too does the business.

Day Two: DLP threshold set to emails and files containing 10 or more credit card details, resulting in 5,000 alerts and complaints that the business “clearly can’t operate this way”.

Day Three: DLP thresholds set to emails and files containing 1,000 or more credit card details, resulting in a more manageable but still not ideal “few dozen” incidents.

Then, over the next many months, thresholds gradually get reduced – edging closer to the experience the company envisaged when they aspired to deploy the solution.

This often-repeated experience underlines the reality that security operations take much longer to change than what the business needs. It also highlights the awkward position security professionals traditionally occupy – ineffectively policing and enforcing centrally-defined barriers to business productivity, reinforcing an “us versus them” relationship with IT and line-of-business colleagues.

Thankfully, new approaches to achieving DLP objectives have been making their way to the enterprise. While perimeter enforcement is still an important element, it has increasingly taken a backseat to host-based implementations. 

Today we see leakage prevention embedding itself within the data and document creation process itself. The user is given real-time feedback on the level of importance or confidentiality of the document they are creating along with recommendations on enforcement – allowing them to take an active role determining the appropriate level of sensitivity and grade of protection required. Behind the scenes, user behavioral analytics and AI help to prevent misclassification or intentional insecure data handling. Meanwhile, the data labeling and management policies come from within the business unit itself (often using classification processes learned and improved by AI) rather than the IT department.

In so doing, enforcement also has moved from being a gateway security function to become a built-in document feature – with standardization underway. 

Security and privacy enforcement are now native to the data and document itself. A new range of remote management and policy enforcement capabilities have done away with the concept of the enterprise “perimeter network”. For example, popular business document formats increasingly support capabilities for remotely monitoring their use (e.g. opened by, edited by, location and time opened), providing selective revocation of partial or complete access at any time, and changing the security protections of the data (e.g. copy/paste, printing, projection) within the document, from anywhere in the world – regardless of whether the document is on-premises, in the cloud, or sitting in the recipient’s unopened mailbox.

A range of open platforms that support information protection and leakage prevention are extending their way to additional document types, creators, and viewers to reuse and build-upon. This enables greater transparency for end users into the labeling, classification, protection, and enforcement mechanisms, making DLP easier to consume within the desktop and mobile products they use (i.e. to view, share, or generate content).

This shift from hard-edge DLP enforcement to a continual visibility and creator-level control paradigm underscores the fundamental change CISO’s need to guide their teams through implementing. This approach also allows security professionals to break from the “us versus them” confrontational shackles of policing and policy enforcement, becoming instead the enablers of secure business practices – while allowing  business units to retain ownership of their data and policies. 

Instead of being the traffic cop ticketing every single infringement, security operations become more akin to a delivery company managing a fleet of armored cars. The job now focuses on ensuring each business package arrives to its destination on time, in the most secure manner possible, as efficiently and cost effectively as budgets will allow while enabling the business unit to define package content and destination. 

view counter
Gunter Ollmann is currently the CSO of Microsoft’s Cloud and AI Security division. He is a seasoned information security leader who has defined and trailblazed new security markets through his work with globally recognized companies, including Microsoft and IBM X-Force, and startups, including IOActive and Damballa. As a seasoned C-level executive and technologist, Mr. Ollmann has been instrumental in several dozen M&A deals (as acqui-hire, acquirer, consultant, or adviser) ranging from tens-of-millions to billion dollar transactions.