Thursday, 22 September 2011

Why DLP is virtually useless

DLP is one of the greatest vendor TLAs at the moment. Pretty much every security vendor has a DLP 'solution' that they would have us buy.
The bottom line is that DLP has very little to offer us.

Don't get me wrong, there are a few instances where DLP can demonstrate a small value, such as preventing an accidental information leak by an ill-informed user, but that is pretty much it.
Let's face it, if full DLP is implemented, an information system becomes so bogged down with warnings, alerts and reminders that normal productivity cannot be achieved. If industry figures are to be believed, more than 80% of information leakage is carried out by malicious insiders. If those malicious insiders are intent on exfiltrating your information, they'll find a way to bypass your security controls - or are you going to ban printouts, or even handwritten notes?

I have seen (and built) high security systems that offered very little opportunity for information to leak: logging of printers, hardcopy document registers, no export to optical or magnetic media, no onward connectivity, no removable media access permitted. How usable would these systems be beyond the single use they were built for? Nil. Would the security controls prevent a malicious user from jotting down a few notes of what they saw on the screen or, heaven forbid, remembering a few salient points? Not a chance.

Our businesses employ personnel they trust. If we don't trust them, why do we employ them? It is entirely possible that staff become disillusioned or corrupted in some way, and that's why we verify. It's an old adage but worth repeating - Trust, but Verify.
We should be enabling our users to be as productive as they can be: protect them from silly mistakes, grant access to information on a need-to-know basis, but provide them with the tools that make them efficient. In the vast majority of cases the deployment of DLP will be a business disabler, and users will find workarounds that stay below the radar.
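The "verify" half of Trust, but Verify is the part that survives the author's critique: the printer logging mentioned above is only useful if someone actually reviews it. The following is an added example, not code from the original post, that reads a constructed print-audit log (the line format is hypothetical, not any real product's) and flags the two signals a reviewer would want first: a user whose daily page count is far above the threshold, and print jobs outside working hours. The threshold and working-hours window are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample print-audit log. The format is hypothetical and the
# users, printers and documents are made up for this example.
SAMPLE_LOG = """\
2011-09-22T08:15:02 user=jsmith printer=HQ-3 pages=4 doc=agenda.pdf
2011-09-22T09:40:11 user=jsmith printer=HQ-3 pages=12 doc=minutes.docx
2011-09-22T10:05:45 user=akhan printer=HQ-1 pages=2 doc=expenses.xlsx
2011-09-22T13:22:09 user=akhan printer=HQ-1 pages=3 doc=letter.docx
2011-09-22T22:47:30 user=rlee printer=HQ-2 pages=180 doc=customer_export.csv
2011-09-22T23:02:14 user=rlee printer=HQ-2 pages=165 doc=customer_export_2.csv
2011-09-23T08:30:00 user=jsmith printer=HQ-3 pages=5 doc=report.pdf
"""

# One audit record per line: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) printer=(?P<printer>\S+) "
    r"pages=(?P<pages>\d+) doc=(?P<doc>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped rather than
    aborting the review, so one bad record cannot hide the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "printer": m.group("printer"),
            "pages": int(m.group("pages")),
            "doc": m.group("doc"),
        })
    return events


def daily_totals(events):
    """Total pages printed per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date().isoformat())] += e["pages"]
    return dict(totals)


def flag_anomalies(events, max_pages_per_day=100, work_hours=(7, 19)):
    """Return review findings: per-user daily volume over the assumed
    threshold, and individual jobs outside the assumed working-hours window
    (start inclusive, end exclusive, 24h clock)."""
    findings = []
    for (user, day), pages in sorted(daily_totals(events).items()):
        if pages > max_pages_per_day:
            findings.append({"kind": "volume", "user": user,
                             "day": day, "pages": pages})
    start, end = work_hours
    for e in events:
        hour = e["ts"].hour
        if hour < start or hour >= end:
            findings.append({"kind": "after_hours", "user": e["user"],
                             "ts": e["ts"].isoformat(), "pages": e["pages"],
                             "doc": e["doc"]})
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f)
```

The point is not that the script catches a determined insider (the post argues it will not), but that the log the author describes building becomes a control only when it is turned into a short, regular review list like this one; without that step it is just storage.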


  1. What is this effluent drivel supposed to instill in the reader exactly? I realize beauty is in the eye of the beholder and all that but DLP - being a Business disabler. Anyone reading that for the first time is going to be asking themselves what DLP is;

    Digital Light Processing (DLP) or Data Loss Prevention (DLP)

    Being a security orientated blog one presumes the latter, "users will find workarounds that are below the radar!" Couldn't come up with a more definitive example?

    "More than 80% of information leakage is carried out by malicious insiders." Erm, no, a good percentage of that are insiders with loose lips who can't help but brag to co-workers or other interested parties that understand the raw data.


  2. Constructive input? Not really. You identified the correct DLP. Well done.
    The 80% is what the Sy industry quotes. My wording suggests you take it with a pinch of salt.
    Users will find DLP circumvention methods, I did not cite any examples beyond that as it is as broad as it is long. If you want examples, read up.