An Approach for DLP Implementation



Myth: – DLP is for IT and it is an IT Project  | Truth: – DLP is for Business and it is a Business Project

DLP Solution is implemented by IT for the business with the close association of various business departments; DLP implementation requires strong upper management commitment and support, in-depth involvement of middle management, IT operation and business/data owners of various departments.

DLP implementation project is destined to be failed if it is considered merely as IT project.

Let’s understand the objective of the DLP

  • Discover the sensitive, confidential or restricted information across the enterprise network, Servers, Machines, Databases etc
  • Monitor and control the flow of such information across the network
  • Monitor and control such information on the end user systems

In short, the prime objective of DLP is to monitor and control the sensitive/confidential/restricted information whether it is at rest, in use or in transit


DLP benefits to Business

  • Protection of sensitive business information and IP
  • Improve compliance
  • Reduce data leakage breach risk
  • User Awareness for information security and handling sensitive information


There are 3 states of information that any DLP should handle:  Data in Rest, Data in Motion and Data in Use.

Data in Rest: – 

DLP must have the capability to discover various file types like spreadsheet, word and pdf documents etc whether they are present on end user machines, file server, databases, SAN or NAS storage etc. Once found such file types, DLP must be able to open the files and scan the contents to determine the specific type of information as per decided policy like credit card numbers, PAN card no or bank accounts, customer details or specific information. To accomplish this, DLP uses crawler application which crawls through various data stores in the network, machines, databases etc to discover the set of information and develop fingerprints

Discovering the locations and collecting the specific set of information is very critical and important to determine whether its location is permitted to store that specific information set as per business guidelines and policies


Data in Move: – 

To monitor information movement in the network, DLP use network analyzer and sensors that capture and analysis network traffic. DLP must have Deep Packet Inspection capability (DPI). It allows DLP to inspect the data in transit and determine contents, source and destination. If sensitive information is detected flowing to an unauthorized destination, DLP has the capability to alert the user and manager and IT and block the data flow


Data in Use (end point): 

Data in Use refer monitoring data movement on the end user that they perform on their machines whether data is being copied on thumb drive, sending information to the printer, or cut and paste activities in between applications.



Implementing DLP solution is complex task and requires significant preparatory activities like policies development, directory service integration, work flow management, incident handling, business process analysis, assessment of various type of information that org uses, detailed inventories of the assets carries sensitive information, data flow analysis, data classification and these activities require the deep involvement of the various business dept, data owners, stakeholders and IT dept.

(Read more:  How to write a great article in less than 30 mins)


DLP strategy

  1. Get the Management support for the Solution: –

     Justify the requirement of the DLP solution in the organization with the facts, trends, and POC results

  2. Proper planning and strategy are vital for successful DLP implementation

  • Involvement of business owners & stakeholders: – correct business people from various departments who understand what information should be restricted and why should be involved in the DLP project.
  • Data Flow Analysis: – understanding the flow of information between various business processes and department inside and outside are very imperative. Output of DFA will be played very important role while designing policies for the DLP
  • Data Classification: – Here the involvement of business users is very critical. Business owner, business stakeholders are the key people who know the criticality and sensitivity of the organization information and can provide key information that what information is critical for them and organization and where located and who should access that information. Based on the severity level, data is classified and controls are selected.
  • Data Discovery: – once data is classified and segregated based on sensitivity and criticality, DLP discovery engine that uses crawls agents gets deeper into various data stores across the enterprise network to identify and log the sensitive information and their locations and develop fingerprints for further usages in policy

Note: – Quite often enterprises are unaware about all type of information they posse and have limited clue about the locations of sensitive and critical information. So it is very imperative to identify all type of sensitive information and their locations and classify them based on their sensitivity.


  • Defining DLP Policies with Business workflow: – once the sensitive information has been identified, next step is to develop policies to protect the identified sensitive information. Each policy consists of few rules that dictate the flow of the information and determine that how the information will be handled by DLP mechanism. Mind it policies will only be developed at this stage not enforced
  • Understanding information flow is critical component of policy formation.
  • What should be source and destination of the identified data?
  • What are the egress points in the network through which information flows out the org
  • What processes are there to govern of the information flow?

DLP rules operates on Content and Context awareness hence Understanding What, Who, Where & How are very important for DLP Security Policies

Financial statementFinance DeptPersonal EmailMail ServiceBlock, Notify, Audit
Financial statementFinance DeptTax consultantMail ServiceAllow, Notify, Audit
Salary StatementsHR DeptUSBMemory StickBlock, Notify, Audit

READ MORE >>  Top 10 must-read blogs for CISOs on Data Loss Prevention solution


  • Incident Management: – DLP is useless if it does not report the incident, it must report violation whenever occurs. IT dept, compliance dept or any other authorized individual must receive the incident notification. Once the manager review and assess the report, further course of action may be taken. If an incident is false positive then the policies should be fine tuned to bring the false positive scale minimally. If an incident is truly positive, appropriate action must be taken .i.e. DLP policy should be redefined. DLP policy management must be agile and flexible enough and they must accommodate rapidly changing security needs.
  • DLP must be tuned for low false positive (DLP detect non-sensitive information in an incident)
  • DLP must be tuned for high true positive (DLP detect sensitive information in an incident)
  • DLP must be tuned for low false negative (DLP not detecting sensitive information in an incident)
  • Go Slow: – start monitoring two or three departments and get the incident management and workflow in place. Starting with all department will overwhelm the DLP incident management will tons of false positive.
  • Monitoring & Period review of DLP policies: – A Period review of policies, rule, and logs is quite critical to identify the false positive/negative.

Read More:- 7 Tips For DLP Implementation

Associated Operation risk of DLP Implementation

High Volume of False Positive may cause productivity loss, hence plan and systematic approach is very much needed. Black Box and using readymade templates approach should be avoided.

Involve valid business users from all department from the initial stage itself. Business users are the right person to take a quick decision on false positive and IT can tune the rules and policies accordingly.

Proper placement of DLP components is very critical, else you will certainly miss coverage for the important data stream. An updated Network diagram must be available to DLP team to understand the flow of information in the network.

Tight integration between DLP and directory service (AD or LDAP) is essential, else it will be difficult to trace user in case of violation.


This is a re-post of the blog originally published on CISO Platform

Link to original blog:

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Virtual Summit - Best Of The World In Security 2021

  • Description:

    This conference celebrates the foremost security researchers and trainers in the world. This is co-hosted by CISO Platform and SACON with 40,000+ global security professionals. Our vision is to promote collaborative and cooperative learning with the best of the minds in Cyber Security.

    Link to register :

  • Created by: pritha