DLP Requires Focus And Time To Build Operational Value
Use and implementation of Cloud in business
To me, the major "noise" around cloud security involves the implementation of controls that have been part of security frameworks for quite some time, but not commonly implemented on a regular basis. Concerns with shared hardware, software, and storage have led to conversations around how cloud vendors handle controls like access auditing/logging, host-based IPS/IDS, and file integrity monitoring. The advantage of cloud becoming such a buzzword is that it has made me, as well as other security professionals, think about the control frameworks in a more comprehensive fashion. Allowing us to not only focus on what we want to see from a cloud offering, but what we want to see from our internal security infrastructure.
In addition, the security posture of cloud vendors is improving as well.
Utilizing security resources like Cloud Security Alliance has been extremely useful in helping us focus on our assessment approach, what is important, and how a cloud vendor’s security controls can map back to our own internal control framework. One of the first thing we look for from a cloud vendor is how much visibility we can get into our hosted environment. And is this visibility provided by vendor-implemented controls or Capella-implemented controls? Next, we look for the ability to audit that environment or obtain audit information provided by the vendor. It is important to understand the vulnerability landscape as much as we can within our own internal environment.
Building An Effective DLP Program
First and foremost, DLP requires focus on requirements. I heard your chuckle… but I have been part of some very unsuccessful DLP implementations because the focus became more about the "cool spinning/blinking things DLP can do" or the "vaporware from a demo that is not available in reality" than the core requirements that made you think about DLP in the first place. DLP is not easy and becomes more complicated depending on the depth of the product you select.
Secondly, DLP requires time. Time for the basic implementation. Time to monitor and learn. Time to tune. Time to understand the business requirements taking into consideration process and workflow. DLP is on our horizon at Capella. During our last security steering committee, someone asked a very good question to sum up my point Why wouldn't we want to go ahead and install DLP agents and get started?”. I explained some of the challenges to implement DLP and why it is important to take a measured approach.
In order to build operational value from DLP, everyone has to understand it is a business problem and not an IT one. As soon as you can break down that misconception and dig into the business side of the conversation, the better you can design an implementation that will be relevant and effective.