Okay, I’m a day late with this one, but that’s pretty good for me these days.
In our last post we talked about the base technical architecture. Today we’ll fill in the rest: enforcement, management, workflow, and reporting.
Enforcement actions
Once the DLP discovery tool determines something is out of place, it can (depending on the tool) take enforcement actions that range from alerts to full-on protection, including combinations. In cases where files are restricted, moved, or encrypted, an unprotected plain text file can be dropped into the same location to tell users who to contact with questions now that they can’t access the file.
- Alert: an alert is recorded as a DLP incident. This is the base action, triggered no matter what else occurs.
- Notify: email is sent to either the content owner (based on access controls and directory integration), policy owner (based on the DLP policy), or pretty much anyone else (such as the content owner’s manager).
- Restrict access controls: access controls are modified to restrict access. For example, block everyone except a security administrator from accessing the file so it’s protected until the violation is manually reviewed.
- Move/quarantine: the file is moved to a secure repository.
- Encrypt: the file is encrypted. It could be protected with something as generic as a corporate key, or something more specific like a group, security, or administrative key.
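As an added illustration of the enforcement sequence above (example code, not from the original post or any DLP product), the Python sketch below applies a policy’s configured actions to one discovery finding: the alert is always recorded, and when a file is restricted or quarantined a plain text notice is dropped in its place naming who to contact. The Finding structure, the quarantine directory, the notice file naming, and the decision to only record (not send) the notify action are assumptions; encryption is left out.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

NOTICE_SUFFIX = ".NOTICE.txt"   # assumed naming for the drop-in plain text notice


@dataclass
class Finding:
    path: Path       # file the discovery scan flagged (hypothetical structure)
    policy: str      # DLP policy that matched, e.g. "PCI card numbers"
    contact: str     # who users should ask about the now-inaccessible file


def enforce(finding: Finding, actions: set, quarantine_dir: Path, incidents: list) -> list:
    """Apply a policy's configured actions to one finding and return those taken.

    'alert' is implicit: an incident record is appended whatever else happens.
    'restrict' reduces permissions to the owner (an administrator) until review;
    'quarantine' moves the file into the secure repository. Either leaves a
    plain text notice at the original location so users know who to contact.
    """
    taken = ["alert"]
    if "notify" in actions:
        taken.append("notify")           # mail delivery sits outside this example
    if "restrict" in actions:
        os.chmod(finding.path, 0o600)
        taken.append("restrict")
    if "quarantine" in actions:
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        shutil.move(str(finding.path), str(quarantine_dir / finding.path.name))
        taken.append("quarantine")
    if "restrict" in taken or "quarantine" in taken:
        verb = "quarantined" if "quarantine" in taken else "restricted"
        notice = finding.path.with_name(finding.path.name + NOTICE_SUFFIX)
        notice.write_text(f"{finding.path.name} was {verb} by DLP policy "
                          f"'{finding.policy}'. Contact {finding.contact} with questions.\n")
    incidents.append({"policy": finding.policy, "file": str(finding.path), "actions": taken})
    return taken


def demo() -> tuple:
    """Constructed sample: one flagged file on a scratch share, notify + quarantine."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    doc = share / "accounts.csv"
    doc.write_text("name,card\nsample row,0000000000000000\n")   # constructed data
    incidents: list = []
    enforce(Finding(doc, "PCI card numbers", "security@example.com"),
            {"notify", "quarantine"}, share / "_quarantine", incidents)
    return incidents, share
```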
Management
Ideally your content discovery capabilities will be managed using the same server as the rest of your DLP deployment. This will maintain consistent policies, workflow, and incident handling. Here are a few discovery-specific capabilities to look for:
- Policy creation: data at rest policies should be completely integrated with your other DLP policies. Thus you only have to define a type of content once (e.g. credit card number or engineering plan) then apply appropriate alerting and protection rules for at rest, in use, and in motion as part of a single policy. Policies should allow for granular actions based on user groups through directory integration.
- Directory integration: all DLP solutions can identify IP and email addresses, but for discovery you also need to understand network users and groups to tie into access controls.
- Repository management: this is the part of the system where you identify and group storage repositories such as servers, shares, and document management systems. For crawling it’s where you store access credentials, and for agents it includes agent management. Ideally you can tag groups of repositories to make policy building easier (e.g. “accounting” or “engineering”). Here is where you also define scanning frequency, bandwidth/performance throttling, and other basic functional preferences.
Workflow and Reporting
Workflow should be completely integrated into your standard DLP incident handling queue. Discovery-related incidents should appear right alongside in-motion or in-use incidents, although you may assign a different incident handler for at-rest policies depending on organizational needs. For example, you may decide to assign a specific incident handler to review all storage-related PCI violations, while keeping network violations in the general queue. If you encrypt, quarantine, or otherwise protect files, the DLP solution needs to include management of those controls so you can release/restore them when needed.
Reporting, on the other hand, should include discovery-specific reports, especially audit reports to help with compliance efforts. While a report on all transmissions of credit card numbers over email might not be the kind of thing you want to send to an auditor, a report showing that you don’t have any unprotected numbers in any known storage location might be more interesting. Also look for the ability to generate reports for business unit managers, storage administrators, audit/legal/compliance, and other non-technical personnel. Because scans are run periodically, the solution should allow you to automatically schedule and distribute reports, rather than requiring them to be run manually every time.
Again, this section is just meant to highlight a few discovery-specific capabilities to look for and is not a substitute for a full description of all standard DLP features.