We reached out to several IT security professionals in an effort to zero in on the true elements of an effective DLP programme. This article will focus specifically on five technological approaches that, when used together, offer a solid data defense. 1. Data discovery, classification and fingerprinting
Richard Stiennon, chief research analyst at IT-Harvest, says a complete DLP solution must be able to identify your IP and make it possible to detect when it is "leaking". William Pfeifer, CISSP and IT security consultant at the Enforcement Support Agency in San Diego, agrees, calling data classification the prerequisite for everything that follows. "You cannot protect everything," he says. "Therefore methodology, technology, policy and training is involved in this stage to isolate the asset (or assets) that one is protecting and then making that asset the focus of the protection." 2. Encryption
This is a tricky one, as some security pros will tell you encryption does not equal DLP. And that's true to a point. As former Gartner analyst and Securosis founder Rich Mogull put it, encryption is often sold as a DLP product, but it doesn't do the entire job by itself. Those polled don't disagree with that statement. But they do believe encryption is a necessary part of DLP. Stiennon says that while all encryption vendors are not DLP vendors, applying encryption is a critical component to DLP. "It could be as simple as enforcing a policy," he said. "When you see spreadsheets as attachments, encrypt them." 3. Gateway detection and blocking.
This one would seem obvious, since an IT shop can't prevent data loss without deploying tools that can detect and block malicious activity. Sean Steele, senior security consultant at InfoLock Technologies, said the key is to have something in place that provides real-time (or close to real-time) monitoring and blocking capabilities for data that's headed outbound at the network perimeter, data at rest and data being used by human beings at the network's endpoints and servers. 4. Email integration
Since email is an easy target for data thieves, whether they are sending emails with links to computer-hijacking malware or sending out emails from the inside with proprietary company data, partnerships between security vendors and email gateway providers are an essential piece of the DLP puzzle. Fortunately, Stiennon says, "Most DLP vendors formed partnerships with email gateways early on." 5. Device management
Given the mobility of workers and their computing devices these days [laptops, smart phones, USB sticks], security tools that help the IT shop control what can and can't be done with mobile devices is a key ingredient of DLP. Stiennon is particularly concerned about the USB devices that could be used to steal data. Being able to control the use of USB devices is a key requirement of a DLP solution, he says.