Deploying endpoint data loss prevention is probably the most fear-inducing step in any DLP project. The feature sets that vendors offer are highly divergent, and no organization ever mucks with its workstation images without at least a little trepidation.
Here are five tips that will help you avoid common pitfalls while successfully protecting enterprise data:
- Testing on static workstation images is all well and good, but most of the problems with DLP appear once it's deployed to users working with the data. Identify a few key power users in the first department you plan on rolling out the DLP solution to, educate them on what they should expect, and work with them closely during testing. Sticking with power users helps avoid the problems of testing across a non-tech savvy business unit, or rolling out the product without any user feedback.
- Make sure your directory server is up to date and accurate (this actually applies to any form of DLP deployment). If you try and manage policies by machine group as opposed to user role, it could create policy conflicts (especially as users move around). Most organizations design their DLP policies to apply differently based on user role, so, for example, the accounting team has more freedom to work with financial information than the customer support representatives. Even if a machine group currently maps to a business unit or a particular user within that unit, that policy will break on the next update. It's far better to manage on a user and group/role basis than a machine basis, even if it means taking some time to prune your directory server first.
- Build adaptive policies that change if a user is behind your network DLP vs. being on an uncontrolled network. For example, if you have a policy on your network DLP to detect and prevent transmission of credit card numbers in your customer database, have a policy on the endpoint that changes to use a regular expression for credit cards when it is off the corporate network. This is a feature of many, but not all, full-suite DLP tools with an endpoint agent. Partial document matching and database fingerprinting policies can be very memory intensive, far exceeding the capabilities of a user's laptop or desktop (assuming the user wants to use it for anything besides DLP). Switching to a pattern-matching policy such as a regular expression will increase false positives, but reduce the impact on the machine's performance. You can also set the policy to switch to a monitoring/alerting mode, rather than blocking mode to further reduce user impact, albeit at a slightly higher security risk.
- Focus on endpoint discovery and USB protection first. Across the range of endpoint DLP tools, discovery (finding sensitive information stored on the local hard drive) and USB monitoring/blocking are the two most consistent features. They also provide the lion's share of endpoint DLP benefits by helping you track when users take sensitive information outside of approved enterprise applications and store or share it locally. When enabling endpoint discovery, choose incremental scans if your product offers them; no one wants their computer to come to a screaming halt every Wednesday at noon for the antivirus scan, and then again every Thursday for the DLP scan. Also make sure you scan locations other than users' default document directories, since they rarely keep all their files in one place. Finally, if you allow users to utilize local Microsoft Outlook PST files, make sure your product scans inside the PST format to catch emails moved into local storage.
- Take your time; roll out agents and policies incrementally. After you finish your initial testing, roll out only those policies on a group-by-group basis to ensure the product scales well, and you don't overwhelm your incident response team. Nearly every DLP client reports a large volume of policy violations when they first start using DLP, until users self-train to better manage the protected information. The process should be as follows: Implement a single policy on a small user group and expand that policy (and agent installs) until you hit your desired coverage. Once that first policy works well, roll out your second one the same way; although you now don't need to worry about installing new agents.
While these tips aren't everything that's needed to deploy and manage endpoint DLP, they should help avoid some of the worst pitfalls and more quickly realize the security benefits of your new tool.