An Approach for DLP Implementation

Myth: DLP is for IT and is an IT project | Truth: DLP is for the business and is a business project

A DLP solution is implemented by IT for the business, in close association with the various business departments. DLP implementation requires strong upper-management commitment and support, in-depth involvement of middle management, and the participation of IT operations and the business/data owners of the various departments.

A DLP implementation project is destined to fail if it is treated merely as an IT project.


Let's understand the objectives of DLP

  • Discover sensitive, confidential or restricted information across the enterprise network: servers, end-user machines, databases, etc.
  • Monitor and control the flow of such information across the network
  • Monitor and control the handling of such information on end-user systems

In short, the prime objective of DLP is to monitor and control sensitive/confidential/restricted information whether it is at rest, in use or in transit.

DLP benefits to Business

  • Protection of sensitive business information and IP
  • Improved compliance
  • Reduced risk of data leakage and breaches
  • User awareness of information security and of handling sensitive information

There are three states of information that any DLP must handle: Data at Rest, Data in Motion and Data in Use.

Data at Rest: - DLP must be able to discover the various file types (spreadsheets, word-processing and PDF documents, etc.) wherever they are present: end-user machines, file servers, databases, SAN or NAS storage and so on. Once such files are found, DLP must be able to open them and scan their contents to determine whether they hold the specific types of information the policy names, such as credit card numbers, PAN card numbers, bank account numbers or customer details. To accomplish this, DLP uses a crawler that walks the various data stores in the network (file shares, machines, databases) to discover this information and to build fingerprints of it, so that copies and derivatives of a sensitive document can later be recognised even where pattern matching alone would not catch them.

Discovering the locations and collecting the specific sets of information is critical: it determines whether each location is permitted to hold that information set under the business guidelines and policies.
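The data-at-rest discovery described above, as an added example that is not code from the original article or from any DLP product: a crawler walks a directory tree, classifies each file by the content patterns it contains (a loose credit-card pattern validated with the Luhn checksum, and the Indian PAN format), records a fingerprint of each hit, and checks the location against a permitted-locations policy. The directory layout, the sample files and the PERMITTED_LOCATIONS mapping are assumptions constructed for illustration.

```python
"""Data-at-rest discovery (added example, not from the original article):
crawl a directory tree, flag files holding sensitive information, fingerprint
them and check whether their location is permitted. Paths, sample data and
the permitted-locations policy below are assumptions for illustration."""
import hashlib
import os
import re
import tempfile

# Content patterns. The card regex is deliberately loose (13-16 digits with
# optional separators); the Luhn check is what removes most false positives.
# PAN is the Indian income-tax Permanent Account Number format.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "pan_card": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
}

# Where each information class may live, as path prefixes (assumed policy).
PERMITTED_LOCATIONS = {
    "credit_card": ("finance/",),
    "pan_card": ("hr/", "finance/"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of information classes found in text."""
    found = set()
    for m in PATTERNS["credit_card"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("credit_card")
    if PATTERNS["pan_card"].search(text):
        found.add("pan_card")
    return found


def fingerprint(data: bytes) -> str:
    """SHA-256 over whitespace-normalised content, so a copy with different
    line endings or spacing still produces the same fingerprint."""
    return hashlib.sha256(b" ".join(data.split())).hexdigest()


def discover(root: str) -> list:
    """Walk root; return one record per file that holds sensitive information."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            classes = classify(data.decode("utf-8", errors="ignore"))
            if not classes:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            permitted = all(rel.startswith(PERMITTED_LOCATIONS[c]) for c in classes)
            records.append({"path": rel, "classes": sorted(classes),
                            "fingerprint": fingerprint(data), "permitted": permitted})
    return sorted(records, key=lambda r: r["path"])


def build_sample_tree() -> str:
    """Constructed sample data store (not real data) under a temp directory."""
    root = tempfile.mkdtemp(prefix="dlp_")
    files = {
        "finance/q3_cards.txt": "Refund batch\ncard 4111 1111 1111 1111 amount 120.00\n",
        "shared/notes.txt": "PO number 1234 5678 9012 3456 ticket 2024\n",   # fails Luhn
        "shared/onboarding.txt": "Employee PAN ABCDE1234F, joined 2024\n",  # PAN outside hr/ or finance/
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for rec in discover(build_sample_tree()):
        print(rec)
```

Running it reports two files: the card batch under finance/ (permitted) and the onboarding note under shared/ (PAN in a location the policy does not allow); the purchase-order number in notes.txt looks like a card number but fails the Luhn check and is not reported. Real crawlers also open archives and office formats rather than treating every file as text, but the location check and the fingerprint are the parts that feed policy.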

Data in Motion: - To monitor information movement on the network, DLP uses network analysers and sensors that capture and analyse network traffic. DLP must have Deep Packet Inspection (DPI) capability, which lets it inspect data in transit and determine the content, source and destination. If sensitive information is detected flowing to an unauthorised destination, DLP can alert the user, the manager and IT, and block the flow. Note that DPI only sees plaintext: traffic that is TLS-encrypted (webmail, cloud storage) must either be decrypted through an inspecting proxy or caught by the endpoint agent before encryption, otherwise the network sensor will miss it.

Data in Use (endpoint): - Data in Use refers to monitoring what end users do with data on their own machines: whether data is being copied to a thumb drive, sent to a printer, or cut and pasted between applications.


Implementing a DLP solution is a complex task and requires significant preparatory work: policy development, directory service integration, workflow management, incident handling, business process analysis, assessment of the various types of information the organisation uses, detailed inventories of the assets that carry sensitive information, data flow analysis and data classification. These activities require the deep involvement of the various business departments, data owners, stakeholders and the IT department.


DLP strategy

  1. Get management support for the solution: - Justify the requirement for a DLP solution in the organisation with facts, trends and POC results
  2. Proper planning and strategy are vital for a successful DLP implementation
  • Involvement of business owners and stakeholders: - the right business people from the various departments, those who understand what information should be restricted and why, must be involved in the DLP project.
  • Data Flow Analysis: - understanding the flow of information between the various business processes and departments, inside and outside the organisation, is imperative. The output of the DFA plays a very important role when designing the DLP policies.
  • Data Classification: - here the involvement of business users is critical. Business owners and stakeholders are the key people who know the criticality and sensitivity of the organisation's information and can say what information is critical for them and for the organisation, where it is located and who should have access to it. Based on the severity level, data is classified and controls are selected.
  • Data Discovery: - once data is classified and segregated by sensitivity and criticality, the DLP discovery engine, using crawler agents, goes into the various data stores across the enterprise network to identify and log the sensitive information and its locations, and develops fingerprints for later use in policies.

Note: - Quite often enterprises are unaware of all the types of information they possess and have little idea where their sensitive and critical information is located. So it is imperative to identify every type of sensitive information and its locations, and to classify it by sensitivity.

  • Defining DLP policies with the business workflow: - once the sensitive information has been identified, the next step is to develop policies to protect it. Each policy consists of a few rules that dictate the flow of the information and determine how the DLP mechanism will handle it. Mind that at this stage policies are only developed, not enforced.
  • Understanding information flow is a critical component of policy formation:
  • What should be the source and destination of the identified data?
  • What are the egress points in the network through which information leaves the organisation?
  • What processes govern the information flow?

DLP rules operate on content and context awareness, hence understanding What, Who, Where and How is very important for DLP security policies. For example:

What (information)  | Who (source) | Where (destination) | How (channel) | Action
Financial statement | Finance Dept | Personal Email      | Mail Service  | Block, Notify, Audit
Financial statement | Finance Dept | Tax consultant      | Mail Service  | Allow, Notify, Audit
Salary Statements   | HR Dept      | -                   | Memory Stick  | Block, Notify, Audit
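A small rule engine that encodes the rows of the policy table above, as an added example that is not code from the original article or from any DLP product. It shows the point of the What/Who/Where/How model: the same content (a financial statement) is allowed to one destination and blocked to another, and the same content from a department the rule does not name falls through to the default. The department names, channel names, destination groupings and the sample events are assumptions for illustration.

```python
"""Content- and context-aware DLP policy evaluation (added example, not from
the original article). Rules carry the What/Who/Where/How columns of the
policy table; names, channels and events below are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    what: str                    # information class (content)
    who: str                     # source department (context)
    how: str                     # channel: mail, removable_media, print, ...
    where: Optional[str] = None  # destination group; None matches any destination
    actions: tuple = ("audit",)  # what the engine does on a match


@dataclass
class Event:
    classes: set          # information classes detected in the content
    source_dept: str
    channel: str
    destination: str      # mail address, drive letter, printer name, ...


# Destinations are grouped so a rule can say "personal_email" instead of
# listing every webmail domain (assumed grouping).
DESTINATION_GROUPS = {
    "personal_email": {"gmail.com", "outlook.com", "yahoo.com"},
    "tax_consultant": {"taxadvisors.example"},
}

# The three rows of the table. First matching rule wins, so the specific
# "allow to tax consultant" row is listed before the general block row.
POLICY = [
    Rule("financial_statement", "finance", "mail", "tax_consultant", ("allow", "notify", "audit")),
    Rule("financial_statement", "finance", "mail", "personal_email", ("block", "notify", "audit")),
    Rule("salary_statement", "hr", "removable_media", None, ("block", "notify", "audit")),
]
DEFAULT_ACTIONS = ("audit",)  # flows no rule names are logged, not blocked


def destination_group(addr: str) -> Optional[str]:
    """Map a mail address to its destination group; non-mail destinations map to None."""
    domain = addr.rsplit("@", 1)[-1].lower()
    for group, domains in DESTINATION_GROUPS.items():
        if domain in domains:
            return group
    return None


def matches(rule: Rule, ev: Event) -> bool:
    """Content (what) and every context field (who, how, where) must agree."""
    if rule.what not in ev.classes or rule.who != ev.source_dept or rule.how != ev.channel:
        return False
    return rule.where is None or rule.where == destination_group(ev.destination)


def evaluate(ev: Event, policy=POLICY) -> tuple:
    """Return the actions of the first matching rule, or DEFAULT_ACTIONS."""
    for rule in policy:
        if matches(rule, ev):
            return rule.actions
    return DEFAULT_ACTIONS


if __name__ == "__main__":
    # Constructed sample events, not captured traffic.
    samples = [
        Event({"financial_statement"}, "finance", "mail", "cfo.home@gmail.com"),
        Event({"financial_statement"}, "finance", "mail", "audit@taxadvisors.example"),
        Event({"salary_statement"}, "hr", "removable_media", "E:\\"),
        Event({"salary_statement"}, "hr", "mail", "payroll@corp.example"),
    ]
    for ev in samples:
        print(ev.source_dept, ev.channel, ev.destination, "->", evaluate(ev))
```

The order of rules is itself policy: if the two financial-statement rows were swapped nothing would change here, because the destination groups are disjoint, but a later "block all external mail" catch-all would silently override the tax-consultant allowance unless it came last. Keeping the default at audit rather than block is what lets the monitoring-only phase recommended below run without disrupting users.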

  • Incident Management: - DLP is useless if it does not report incidents; it must report every violation when it occurs. The IT department, the compliance department or another authorised individual must receive the incident notification. Once the manager has reviewed and assessed the report, further action can be taken. If the incident is a false positive, the policy should be fine-tuned to keep the false positive rate minimal. If it is a true positive, the incident workflow applies (notify the data owner, contain, remediate), and where the violation exposed a gap in the rules the policy should be redefined. DLP policy management must be agile and flexible enough to accommodate rapidly changing security needs.
  • DLP must be tuned for a low false positive rate (DLP flagging non-sensitive information as an incident)
  • DLP must be tuned for a high true positive rate (DLP correctly detecting sensitive information in an incident)
  • DLP must be tuned for a low false negative rate (DLP failing to detect sensitive information)
  • Go slow: - start by monitoring two or three departments and get incident management and the workflow in place. Starting with all departments will overwhelm DLP incident management with tons of false positives.
  • Monitoring and periodic review of DLP policies: - periodic review of policies, rules and logs is critical to identify false positives and negatives
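How the false positive / false negative tuning above looks in practice, as an added example that is not code from the original article or from any DLP product: two variants of a PAN-number rule are scored against a labelled sample set, counting true positives, false positives, false negatives and true negatives. The sample lines, the PAN values in them and the context keywords are constructed assumptions for illustration.

```python
"""Scoring a DLP rule during tuning (added example, not from the original
article). Two detector variants are run over constructed, labelled lines
and the four outcome classes are counted; the sample text is made up."""
import re
from dataclasses import dataclass

PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
# Tightened variant: the pattern must sit near a context keyword on the same line.
CONTEXT_RE = re.compile(r"\bPAN\b|permanent account", re.IGNORECASE)


def detect_loose(line: str) -> bool:
    """Variant 1: pattern only. Also fires on codes that merely share the shape."""
    return PAN_RE.search(line) is not None


def detect_contextual(line: str) -> bool:
    """Variant 2: pattern plus a context keyword on the same line."""
    return PAN_RE.search(line) is not None and CONTEXT_RE.search(line) is not None


# Constructed labelled corpus: (text, truly_sensitive). PAN values are invented.
SAMPLES = [
    ("Employee PAN ABCDE1234F added to payroll", True),
    ("Permanent Account Number: FGHIJ5678K", True),
    ("KYC form attached, holder id PQRST9012L", True),   # sensitive, but no keyword
    ("Shipment SKU ABCDE1234F dispatched", False),      # product code, same shape
    ("License key WXYZA4567B for build server", False),
    ("Quarterly review meeting moved to Monday", False),
]


@dataclass
class Score:
    tp: int = 0
    fp: int = 0
    fn: int = 0
    tn: int = 0

    @property
    def precision(self) -> float:
        """Share of raised incidents that were real: low precision means analyst overload."""
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else 0.0

    @property
    def recall(self) -> float:
        """Share of real leaks that were caught: low recall means silent data loss."""
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0


def score(detector, samples=SAMPLES) -> Score:
    """Run detector over labelled samples and count each outcome class."""
    s = Score()
    for text, sensitive in samples:
        hit = detector(text)
        if hit and sensitive:
            s.tp += 1
        elif hit and not sensitive:
            s.fp += 1
        elif not hit and sensitive:
            s.fn += 1
        else:
            s.tn += 1
    return s


if __name__ == "__main__":
    for name, det in (("loose", detect_loose), ("contextual", detect_contextual)):
        s = score(det)
        print(f"{name:11s} TP={s.tp} FP={s.fp} FN={s.fn} TN={s.tn} "
              f"precision={s.precision:.2f} recall={s.recall:.2f}")
```

On this corpus the loose rule catches every PAN but raises two spurious incidents, while the contextual rule raises none but misses the KYC form. That is the trade-off the tuning loop manages: the business user who reviews the incidents decides whether "KYC" belongs in the context list or whether the KYC form template should be fingerprinted instead, and the rule is re-scored after every change rather than assumed fixed.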

Associated operational risks of DLP implementation

A high volume of false positives causes productivity loss, hence a planned, systematic approach is very much needed. A black-box approach and the use of ready-made templates without tuning should be avoided.

Involve the right business users from every department from the initial stage itself. Business users are the right people to make quick decisions on false positives, and IT can tune the rules and policies accordingly.

Proper placement of DLP components is critical; otherwise you will certainly miss coverage of important data streams. An up-to-date network diagram must be available to the DLP team so it understands how information flows through the network.

Tight integration between DLP and the directory service (AD or LDAP) is essential; otherwise it will be difficult to trace the user in case of a violation.

