Why has DLP never taken off?

Why is data loss prevention (DLP) technology not being adopted if it provides the very protection most businesses need?

As cyber criminals and nation states have increased the volume and sophistication of data stealing attacks on business, security firms have touted various data loss prevention (DLP) technologies.

But despite the hype and the need to protect intellectual property, businesses are not investing heavily in DLP technologies, a survey of IT security purchasing intentions has revealed.

Why is DLP technology not being adopted if it provides the very protection most businesses need?

Andrew Rose, principal analyst security and risk at Forrester Research believes there are two main reasons: The lack of a compelling motivation and the lack of an enabling data structure.

“Many firms live in blissful ignorance of the reality of the threat environment," Andrew Rose told Computer Weekly.

“Many CIOs do not recognise that breaches could be happening to them right now, and that these could be undermining their long-term competitiveness and even their fiscal survival,” he said

Attackers benefit from denial

Rose believes that until businesses are hit by a major incident that impacts them publicly, cyber attacks will not be perceived as a significant problem.

“It is this situation that the modern attacker leverages to their benefit, staying under the radar as much as possible, and consequently, firms struggle to understand the benefit of DLP," he said.

READ MORE ABOUT DLP:

  • Deploying DLP technology requires hands-on approach, experts say
  • Lessons learned from real-world DLP technology deployments
  • Deploying DP systems: Four DLP best practices for success
  • Four DLP implementation best practices from ISACA
  • Security Zone: DLP – Did we miss the point?

“Indeed, they see them as negatives - requiring investment and valuable resources to implement and then disrupting carefully balanced business processes,” he said.

Rose also believes these technologies would be easier to implement if they could be slotted into existing working practices such as a data classification standard that make it easier to deploy DLP, for example.

Effective use of the tools

A poll of more than 250 IT professionals by Computer Weekly and TechTarget showed that 58% do not use DLP systems.

“I’m pleasantly surprised that 42% of respondents do use DLP," said Rose. "My concern would be to what extent they are using the tool to provide real business value.” 

Of those who said they did use DLP, 24% said it was for email/web, 23% for database applications and 14% for flashdrives and USB tokens.

Disruptive effects

A significant barrier to adoption of DLP is that fact that it needs to have full backing from the board. The introduction of DLP will have some disruptive effects on the business, is likely to incur unforeseen costs and will take time to get it right, said Adrian Wright, vice-president of research for ISSA-UK.

“There is also a need to educate staff on policies and appropriate use, so projects need to set realistic timescales and expectations as deploying DLP well takes considerable time to achieve," Adrian Wright added.

Adopters should also not underestimate what it takes to manage DLP operationally, he said, as it is likely require a dedicated team - not just additional responsibilities placed on the security or IT functions.

The top challenge cited in implementing DLP was that it was too expensive (32%), followed by concerns over too many false positives (28%), complexity in deployment (27%) and lack of supplier support (13%).

“The research data is peppered with concerns about expense, complexity and issues related to integration and user disruption. Any conversation with a CIO that touches on these topics isn't going to get very far unless it is backed up with a compelling business argument,” said Forrester's Rose.

“That is the job of the security and risk professional now - to step away from the console and the command line, and craft a business case that drives our organisations to do the right thing,” he said.

Constant maintenance required

Rose also notes that when DLP is deployed in a comprehensive manner, it will require constant maintenance to update rules to accommodate new projects, clients and designs etc. 

“Bypassing this expense will ultimately reduce the value of the tool over a short period,” he said.     

Setting up user profiles can be a thorny issue in implementing DLP, said ISSA's Wright. Introducing a restrictive scheme that blocks a user's actions, based on rank or job role, will invariably give rise to some emotional resistance, while false positives can block user's actions unnecessarily, he said.

ISSA-UK suggests that organisations start with a pilot in a small, self-contained business area or function and begin by detecting only.

“Don't block anything until you know what you are dealing with and tune your policies based on that learning. Look for false negatives as well as false positives by creating lots of test scenarios, otherwise leakage of real sensitive data could occur,” said Wright.

Unwieldy and ineffective

According to Nigel Stanley, CEO at security consultancy Incoming Thought, DLP has been sold as the answer to all a corporate’s problems when it came to data loss, but very quickly clients he worked with found it extremely unwieldy and ineffective due to things like false positives.

“Back in 2009, I suggested that DLP should be coupled with data encryption (DE) so that any gaps in a DLP solution should only see encrypted data going missing," said Nigel Stanley.

“Nowadays I see DE being the primary mechanism to prevent data loss instead of a DLP. But DE is problematic as while encrypting data is trivial, the key management can become a burden quickly. At clients I work with, I see DE in 95% and DLP in around 5%,” he said.

Another problem associated with DLP is that generates reams of reports and alerts that require a response. According to Wright, this workload is often not factored-in to the total cost of ownership.

“Dealing effectively with email quarantines needs to be done well to avoid affecting normal business activities, as wrongly blocking user's activities can lead to loss of worker productivity and ultimately to DLP operation being down-scaled to merely detection rather than active prevention,” he said.

Integration considered most important

Integration with existing infrastructure was cited as the most important purchasing criterion for DLP by 53% of respondents, followed by features (22%), policy templates (4%) and supplier support (3%).

“It is interesting to note that the main blocker to DLP is expense, yet cost is not the primary purchasing criterion," said Andrew Rose. "To be effective, DLP needs to work across all data egress routes and that can become complex; that explains why intergration is a key issue."

Stanley adds: “I agree with the respondents that stress the need to integrate with a current infrastructure. It would take a brave CIO to recommend a product that does not easily integrate with the current solution in these days of constrained budgets.”

So, despite all the hype, common barriers to DLP are complexity, interoperability and high total cost of ownership.

Once organisations have factored-in all the issues they need to overcome, the final ROI argument they are left with can be tricky to justify, said Wright.

Conversely, if they fail to identify all the costs and challenges upfront, deployment programmes can quickly run out of senior management support and finances, leading to aborted or vastly scaled-back use of these technologies.

In all cases, he said, organisations need to include the right stakeholders in the deployment programme and socialise well with them to iron out issues as they arise.

Read more on Privacy and data protection