Thursday, 22 September 2011

Why DLP is virtually useless

Data Loss Prevention (DLP) is one of the great vendor three-letter acronyms at the moment. Pretty much every security vendor has a DLP 'solution' that they would have us buy.
The bottom line is that DLP has very little to offer us.

Don't get me wrong, there are a few instances where DLP can demonstrate a small value, preventing the accidental information leak from an ill-informed user, but that is pretty much it.
Let's face it, if full DLP is implemented, an information system becomes so bogged down with warnings, alerts and reminders that normal productivity cannot be achieved. If industry figures are to be believed, more than 80% of information leakage is carried out by malicious insiders. If those malicious insiders are intent on exfiltrating your information, they'll find a way to bypass your security controls - or are you going to ban printouts, even handwritten notes?
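The bypass argument above, as an added example that is not part of the original post: a toy pattern-based DLP content rule (a card-number regex with a Luhn check and one base64 decoding layer) run against a constructed leak, followed by the hand-applied transformations that walk straight past it. The sample message, the rule and the evasions are all constructed here for illustration; the 4111 1111 1111 1111 number is the well-known test number, not a real account.

```python
"""Toy pattern-based DLP check and the trivial ways it is side-stepped.

Added example, not code from the original post. The detector, the sample
message and the evasions are all constructed here for illustration.
"""
import base64
import re

# Constructed sample message. 4111 1111 1111 1111 is the well-known Visa
# test number: it passes the Luhn check but is not a real account.
SAMPLE = "Customer card: 4111 1111 1111 1111, exp 09/25"

# 13-16 digits, each optionally followed by a space or dash: a naive DLP
# content rule for payment card numbers, assumed here for illustration.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the normalised card numbers found in plain text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(text: str) -> list[str]:
    """Scan the raw text and any base64 blob it carries (one decoding layer)."""
    hits = find_card_numbers(text)
    for blob in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                      # not base64, or not text once decoded
        hits.extend(find_card_numbers(decoded))
    return hits


# Constructed evasions an insider can apply by hand; the recipient reverses them.
EVASIONS = {
    "base64": "see attached: " + base64.b64encode(SAMPLE.encode()).decode(),
    "reversed": SAMPLE[::-1],
    "one digit per line": "\n".join("4111111111111111"),
    "digits as words": "four " + " ".join(["one"] * 15),
    "each digit plus one": "Customer card: 5222 2222 2222 2222",
}


def evasion_report() -> dict[str, bool]:
    """Map each evasion to whether the scanner still flags it."""
    return {name: bool(scan(text)) for name, text in EVASIONS.items()}


if __name__ == "__main__":
    print("plain text flagged:", bool(scan(SAMPLE)))
    for name, flagged in evasion_report().items():
        print(f"{name:>20}: {'flagged' if flagged else 'missed'}")
```

Only the base64 variant is caught, and only because the scanner was taught to undo that one transform. Every further transform the scanner learns to reverse is another rule and another source of false positives on legitimate traffic, while the insider's next transform costs nothing; reversing a string by hand is the electronic equivalent of the handwritten note.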

I have seen (and built) high security systems that had very little opportunity for information to leak. Logging of printers, hardcopy document registers, no export to optical or magnetic media, no onward connectivity, no removable media access permitted. How usable would these systems be beyond the single use they had? Nil. Would the security controls prevent a malicious user from jotting down a few notes of what they saw on the screen or, heaven forbid, remembering a few salient points? Not a chance.

Our businesses employ personnel they trust. If we don't trust them, why do we employ them? It is entirely possible that staff become disillusioned or corrupted in some way; that's why we verify. It's an old adage but worth repeating - Trust, but Verify.
We should be enabling our users to be as productive as they can be, protect them from silly mistakes, grant access to information on a need-to-know basis, and provide them with the tools that make them efficient. The deployment of DLP in the vast majority of cases will be a business disabler, and users will find workarounds that are below the radar.