There’s an old axiom that goes “Simpler is better” and that holds even for security technology.
A number of years ago, Data Loss Prevention (DLP) started becoming the “fad” technology of the day. The concept was that you control data based on its classification. You could put DLP technology at the edge or you could use it on the desktop. And, supposedly, you would be able to control where data ended up and ensure that data doesn’t go outside the organization.
One little problem though – it’s dependent on people actually classifying data.
Let’s be honest – how many of you are actually in organizations that not only have a classification scheme but also have users who classify their data? I would suggest that very few of you do.
A few years ago, I looked into DLP for a utility company I was working with. So I held a mastermind group with around 10 utilities, and it turned out 5 of them were trying to implement or had implemented DLP. But none of them had been successful in using DLP.
Two organizations were stuck in pilot mode because they couldn’t get the technology to work, another was spinning its wheels because they had to apply classifications against a wide range of data, and two had implemented the technology but the technology was not being used.
Not good results.
To me, the problem with DLP is simple – it’s too complex. The logic goes something like this:
- A user creates data
- A user then determines what the data classification is
- A user then applies the solution against the classified data
- A user then has to figure out how the individuals who should have access actually get it, because the RBAC that would grant them access to the data isn’t implemented.
- A user then is finished.
The core issue is that you want the creators of data to determine who should have access to the data. DLP forces a second step in there where you are asking the user to classify the data first.
Digital Rights Management, or DRM, actually takes a simpler approach. The steps are:
- A user creates data
- A user determines who should have access to the data
- A user then is finished.
So, much simpler.
DRM applies an XML wrapper to the data that is created automatically; when the user creates the data, they determine who has access to it, or the default is just the user themselves.
There are a couple of different XML approaches, but Microsoft has a DRM capability built into their Office documents if it’s implemented as part of their server packages. The same goes for PDF forms. If the document goes outside of the organization, the document can’t be opened, simply because opening it requires the user to have authenticated against the domain the document was created within.
Voila! Tying document access to AD authentication, just as you authenticate a device to a domain. Simple, and something users are used to.
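As an added illustration (not from the original post, and not how any vendor’s product is built), here is a toy model of the DRM flow just described: the XML wrapper carrying the reader list travels with the document, and the issuing domain releases the content key only to a principal who has authenticated to it and is on that list. The `DomainAuthority` class, the HMAC-based toy cipher and the sample names are all assumptions.

```python
"""Toy model of a rights-managed document (constructed illustration only)."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 keystream) standing in for a real AEAD cipher.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


class DomainAuthority:
    """Hypothetical issuing domain: holds content keys, authenticates users."""

    def __init__(self, domain: str):
        self.domain = domain
        self._keys = {}      # document id -> content key (never leaves the domain)
        self._sessions = {}  # session token -> authenticated principal

    def login(self, principal: str) -> str:
        token = os.urandom(8).hex()
        self._sessions[token] = principal
        return token

    def protect(self, creator: str, content: bytes, readers=None) -> bytes:
        # The creator's only decision: who may read. Default is the creator alone.
        doc_id, key = os.urandom(8).hex(), os.urandom(32)
        self._keys[doc_id] = key
        wrapper = ET.Element("protected", domain=self.domain, id=doc_id)
        for reader in [creator] + list(readers or []):
            ET.SubElement(wrapper, "reader").text = reader
        ET.SubElement(wrapper, "body").text = _keystream_xor(key, content).hex()
        return ET.tostring(wrapper)  # policy and ciphertext travel together

    def open(self, wrapped: bytes, token) -> bytes:
        wrapper = ET.fromstring(wrapped)
        principal = self._sessions.get(token or "")
        if wrapper.get("domain") != self.domain or principal is None:
            raise PermissionError("must authenticate to the issuing domain")
        if principal not in [r.text for r in wrapper.findall("reader")]:
            raise PermissionError(f"{principal} is not in the document policy")
        key = self._keys[wrapper.get("id")]
        return _keystream_xor(key, bytes.fromhex(wrapper.find("body").text))
```

A recipient outside the domain holds only the wrapper and ciphertext; without a session at the issuing domain the key is never released, which is the property the post attributes to DRM.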
I’m actually surprised that the Music Industry doesn’t make use of DRM more. You can have people buy the piece of music, the music is downloaded, and accessing the music is based on a federation authentication mechanism. And they don’t have to worry about the purchaser then sending the music to a friend. (FYI, the XML format for music DRM is different from document DRM).
Anyway, if you are looking to control data from leaving your organization, look at DRM before you look at DLP. DLP is good from a theoretical point of view but, from a practical point of view, DRM fits the bill much better.
Hope this helps …