Feds Should Investigate Digital Loss Prevention Protection

Even though most federal networks are already packed with cybersecurity protections, the need for DLP could easily be overlooked.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

Many of you probably know that in addition to my writing this column for Nextgov, I also get tapped to review lots of high-end and cutting-edge tools for various national technology publications. Network World often uses me as a kind of review specialist, calling me in to work on reviews where the topics are either completely bleeding edge or incredibly high tech, to the point that very few other people could probably conduct a solid evaluation. I often spend months immersed in such a topic, working with those advanced tools in a production environment as much as possible.

I’m not embarrassed to admit I often learn a lot when working on a review like that, including finding what might be previously unknown, gaping holes in most security defenses.

That was the case with a recent roundup I conducted on the topic of data loss prevention products. I wasn’t even too familiar with the term when I started. My background evaluating defenses designed for the federal government left me a little unprepared for DLP.

Most federal cybersecurity, from Einstein 3 Accelerated to endpoint security, is focused on keeping external attackers at bay. DLP, by contrast, is concerned exclusively with keeping sensitive information in place. For the most part, the three systems I tested from Comodo, Digital Guardian and Forcepoint would all work as part of an overall security plan without getting in the way of other protections.

Which product worked best in the evaluation really isn’t important in terms of this column, though they all did well depending on the targeted environment. What was so shocking to me, and what I wanted to bring up here, is how vulnerable a federal network might be to data leakage without some type of DLP protection.

The problem is that for most agencies to do their job, users need to be able to access information. But you might be surprised how that information could then get out of a network when being used by that trusted insider.

Of course, we all know about former NSA contractor Edward Snowden, a true insider threat who purposely extracted information from federal networks. DLP protection would have likely caught him long before he made his getaway. But I also learned a lot of sensitive information leaves networks every day because of innocent user mistakes, or because they did not understand how data protection policies applied.

Information can be accidentally leaked by doing things like moving it out of an encrypted folder, which is especially problematic in this era of cloud computing. Emailing files home or putting them on a key drive to work on later are other popular avenues of data loss.

Even something like printing can be a problematic low-tech way that protected data ends up somewhere it’s not supposed to go. And don’t even think about the problems associated with mobile devices and phones, with each one practically becoming a full-fledged network client these days.

With a DLP suite, administrators can specify how data should be treated within a network, not just for specific data but for data types as well. So you can lock down your database of Social Security numbers, but also put rules in place to protect new numbers, even if they were previously unknown on the network.

Another great feature of most of the DLP programs I evaluated is that they can help train users about data policies. While many offer a draconian setting where everything is locked down, most can also warn users when they attempt to violate a policy, explaining to them in great detail what they did wrong.

It’s entirely possible someone did not know they were not allowed to send certain types of data over instant messaging or work with a file outside of its encrypted folder. Honest mistakes do happen, and probably happen often when users have to deal with multiple security policies on very large networks. DLP can even be deployed in complete secrecy, merely watching suspected users for anything out of the ordinary.

Regardless of whether administrators choose the velvet glove, the iron fist or the undercover option for their DLP, every policy violation is recorded, in some cases with screen captures and movies showing every keystroke. That way, it’s very easy to determine if a user’s violations rise above honest-mistake territory by either number of incidents or severity. It also makes a very clear case for federal auditors or authorities.
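As an added illustration (not code from the column or from any of the products reviewed), here is a small Python model of the policy engine described above: one rule locks down a known set of Social Security numbers, a pattern rule catches previously unseen ones, and the policy runs in monitor, warn or block mode while recording every violation. The known numbers, user names and messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample "database" of SSNs the agency already knows it must protect.
KNOWN_SSNS = {"123-45-6789"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> list[tuple[str, str]]:
    """Return (ssn, 'known' | 'pattern') for every plausible SSN in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            ssn = m.group(0)
            hits.append((ssn, "known" if ssn in KNOWN_SSNS else "pattern"))
    return hits

@dataclass
class Violation:
    user: str
    channel: str
    mode: str
    masked: list[str]  # last four digits only; the audit log must not leak the data

AUDIT_LOG: list[Violation] = []

def evaluate(user: str, channel: str, text: str, mode: str) -> str:
    """Apply the policy and return the action taken: 'allow', 'warn' or 'block'.
    mode is 'monitor' (undercover), 'warn' (velvet glove) or 'block' (iron fist);
    every violation is recorded regardless of the mode."""
    hits = find_ssns(text)
    if not hits:
        return "allow"
    AUDIT_LOG.append(Violation(user, channel, mode,
                               ["***-**-" + s[-4:] for s, _ in hits]))
    return {"monitor": "allow", "warn": "warn", "block": "block"}[mode]

if __name__ == "__main__":
    # Constructed message: one known number, one new number, one invalid number.
    msg = "Please process 123-45-6789 and 456-78-9012; ignore 000-12-3456."
    print(evaluate("jdoe", "email", msg, "warn"))
    print(AUDIT_LOG[-1])
```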

Even though most federal networks are already packed with cybersecurity protections, the need for DLP could easily be overlooked. Based on what I’ve recently discovered, I would highly recommend federal administrators take a hard look at DLP protection. It may be the missing link that saves the government a lot of trouble down the road.