A Delicate Balance: DLP and Privacy

Tuesday, September 07, 2010

Michael Cohen

Article by Tamir Elchayani, Technical Training Engineer

Data Leakage Prevention (DLP) practices are implemented in order to prevent the unauthorized distribution of confidential/private information. Because email was not originally developed with security as a top priority, the transfer of sensitive information is immediately exposed to a range of threats.

The limitations of the SMTP protocol, industrial espionage, disgruntled employees and the growing frequency of identity theft represent only a fraction of the threats to an organization’s emails.

While these threats are real and must be addressed, it is crucial that a DLP system and policy be consistent with a company’s overall strategy so that employee expectations about privacy can be reasonably managed.

Sensitive information is typically characterized by keywords, textual or numerical patterns (e.g. credit card numbers, social security numbers) and other content-related phrases. PineApp’s policy-driven DLP module, for instance, scans all outgoing emails for content that matches definitions set by the organization’s own policy.

An email that matches these predefined criteria is immediately intercepted, and system administrators are instantly notified.
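The scan-then-intercept flow described above, as an added illustration that is not PineApp's code: a small policy-driven scanner that looks for organisation-defined keywords and for credit card and social security number patterns, validates candidate card numbers with the Luhn checksum so that ordinary order or reference numbers do not trigger a false intercept, and builds an administrator notice that carries only the match type and a masked value rather than the message body. The policy keywords, the sample messages and the message ids are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed example policy: an organisation would define its own terms.
POLICY = {"keywords": ["project falcon", "confidential"]}

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US social security number in the common 3-2-4 layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    kind: str     # "keyword", "credit_card" or "ssn"
    masked: str   # what the administrator is allowed to see


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the notice does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(body: str, policy: dict = POLICY) -> list:
    """Return every policy hit in the message body, masked for reporting."""
    findings = []
    lowered = body.lower()
    for kw in policy["keywords"]:
        if kw in lowered:
            findings.append(Finding("keyword", kw))
    for m in CC_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop look-alike numbers that fail the checksum
            findings.append(Finding("credit_card", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("ssn", mask(m.group().replace("-", ""))))
    return findings


def evaluate(msg_id: str, body: str) -> dict:
    """Decide whether to deliver or intercept, and build the admin notice."""
    findings = scan_message(body)
    if not findings:
        return {"action": "deliver", "findings": [], "notice": None}
    summary = ", ".join(f"{f.kind}={f.masked}" for f in findings)
    # The notice names the message and the match types only; no body text.
    notice = f"DLP intercept {msg_id}: {summary}"
    return {"action": "intercept", "findings": findings, "notice": notice}


# Constructed sample messages.
MSG_ORDER = "Hi, the Q3 budget is attached. Order ref 1234 5678 9012 3456."
MSG_CARD = ("Please charge card 4111 1111 1111 1111 for the invoice; "
            "my SSN is 078-05-1120.")
MSG_KEYWORD = "Project Falcon roadmap attached, treat as confidential."

if __name__ == "__main__":
    for msg_id, body in [("m1", MSG_ORDER), ("m2", MSG_CARD), ("m3", MSG_KEYWORD)]:
        result = evaluate(msg_id, body)
        print(msg_id, result["action"], result["notice"])
```

The first message contains a sixteen-digit order reference that matches the card pattern but fails the Luhn check, so it is delivered untouched; the second is intercepted on both a card number and an SSN, and the notice shows only the last four digits of each; the third is intercepted on policy keywords alone. Keeping the notice to match types and masked values is the technical counterpart of the policy point the article makes next: administrators learn that a rule fired, not what the employee wrote.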

While it may be obvious to company management that all emails ought to be reviewed and scanned for security purposes, a company must make it clear to its employees that someone is NOT reading every email in the system.

This “Big Brother” perception must be acknowledged and addressed from the very beginning of DLP policy development.

When applying DLP to an organization’s email server, IT managers need to maintain a delicate balance between their company’s security interests and the end-user’s privacy. This balance is only possible through a coherent policy that is aligned with the management of sensitive data in all facets of the organization.

Cross-posted from PineApp
