Where do I start the discussion around DLP?
Commercial Enterprises operate on a spectrum between IT dictating to the Business and the Business dictating to IT. I have been in enterprises at both ends of this: where IT provides general capabilities and the Business is required to fit into them, and where Business groups come to IT with hardware specs and direct IT to purchase and configure. Neither of these extremes is optimal, as they often serve different goals and disregard the holistic success of the enterprise.
This is Part 2 of a multi-part article around Data Protection.
What can be said is that in today's Enterprises the goal of IT should be to enable the business.
IT needs to be able to determine the best way to meet the business's needs in a secure way that aligns with corporate IT strategy; when done correctly, IT should be seen as an enabler of the business and not an impediment. In a DLP conversation, how this works can be partially dependent on who owns the DLP initiative and on the corporate reporting structure. Environments where the CISO reports up through the CFO and procurement drives tool selection can be drastically different from environments where the CIO/CISO reports directly to the CEO.
With terms defined, where is a good place for an organization to begin discussing what its DLP strategy should be? In a business environment of hybrid infrastructure, SaaS, remote workers, and BYOD devices, the logical place to start is understanding the business use case data access scenarios.
I'll start with a scenario that most security professionals may find familiar:
This protection scenario is not possible. If you struggle to articulate this, the question to explore with the requester is: what control plane is available in this scenario?
The scenario requirements cannot be met. Versions of this ask happen frequently, with the expectation that IT security options are a magic bullet adaptable to any scenario; they are not. Business and IT need to work together to determine the access scenarios that will be supported.
Control Planes for DLP
Reviewing data access scenarios requires gathering data similar to what is needed to create a Conditional Access policy.
What becomes clear when you step back and look at a DLP scenario is that it is a perimeter-based solution which sits on the edge of your corporate environment. To create a DLP protection scenario there are two primary things you must define.
Our data protection solution is a proactive approach to data protection and requires forethought about where data will exist in a solution. One way to frame this is to explore the protection scenarios for a forward proxy vs. a reverse proxy.
By leveraging an agent, off-network computers may also use this forward proxy, which creates an experience similar to a VPN for accessing internet resources. Using a forward proxy to browse the Internet usually slows down your overall Internet speed. The experience depends on the distance between your computer and the forward proxy and on how many people are using that forward proxy (for a cloud proxy this remains true, depending on the nearest entry point of the proxy).
Protection viewpoint - The difference is the protection model of a forward proxy looks at protection from an endpoint focused view.
Reverse proxies are therefore in line with Zero Trust frameworks, where forward proxies are not. Forward proxy solutions are an extension of the inherent trust model we discussed in Part 1: they allow data to move without restriction to 'trusted' endpoints and simply move the firewall from the edge of the corporate infrastructure to the endpoint.
In Microsoft’s Modern Workplace Suite (M365), the control planes that our tools can leverage are:
In the next installment I'll discuss how DLP fits into an Information Protection strategy and how to align a business ask with supported access scenarios.
If you have questions on M365 DLP capabilities, please contact your Microsoft or CSP account team for more detailed information.