Data-leak prevention that lets organizations monitor for unauthorized transmission of sensitive content is a powerful technology sometimes put to surprising uses. And those with DLP experience say the biggest challenges lie with people and their online habits rather than technology.
DLP technology, at the gateway or host level, is not difficult or time-consuming to deploy, according to IT managers gaining experience with it in business, government and school systems. Rather, DLP is a game-changer that creates an atmosphere where network users may be caught committing various types of data violations, inadvertent or not. The IT department, though first to know, can't end up as the enforcement arm, experts say. Management of it comes from human resources and the legal department, and they have to be deeply involved to play the DLP police role. It all starts with creating the DLP policy.
"One of the lessons learned is get your policy in place first," says Charles Thompson, chief information officer for the city of Phoenix, which is installing the Fidelis Security Systems' DLP called XPS to prevent unauthorized transmissions related to city business.
Thompson can be counted as a DLP veteran after previously installing DLP in the Washington, D.C. and Orange County, Florida school systems. He says years ago he quickly learned that turning on a DLP system for content monitoring without a clear policy in place, which management understands and supports, is a misstep others would do well to avoid.
"You need the personnel department, human resources, legal and management involved," says Thompson, adding that it must be clear that they are to play a unified enforcement role when DLP catches policy violations.
It turns out that while DLP technology is fairly simple to deploy, getting policies and procedures to follow in the event of violations is not.
"There will have to be a lot of discussions about procedures, about what I call the 'scope of sequence,'" says Thompson. That means a clear definition of what a violation is, how different sorts of violations should be handled since all may not be equal in scope, and keeping track of repeat offenses.
In the Washington, D.C., and Florida school systems, schools not only watched out for prohibited sensitive content, such as student records as a privacy violation, or banned content like pornography or music; DLP also looked for evidence of cyberbullying using school-issued computers. "Cyberbullying is one child threatening another, whether it's physical or mental abuse," says Thompson.
It turns out defining sensitive content is one of the hardest parts of DLP.