Monday, March 12, 2012

DLP vs. Auth: More Snakeoil?

Data Loss/Leakage Prevention (DLP) has been one of the hot buzzwords over the last several years. And it's a great idea - determine where your critical business data lives and actively enforce policy around it. Data in motion, at rest and in use: all pitched as absolutely critical elements in ensuring enterprise business protection.

But is it, really? In terms of protecting business critical data, the most important element is first and foremost understanding where that data lives and breathes. That is absolutely where DLP infrastructure contributes the most. But once that business critical data is discovered, wherever it may live, is it not logical to then make the business decisions to allow said data to reside in certain areas and not others? Policies redrawn to dictate where critical data should reside and then, through alternative means such as, oh, authentication and authorization, allow access to such data?

Don't get me wrong. People will send credit card numbers (CCs) and Social Security numbers (SSNs) unwittingly over email. This is not that argument. Few organizations have gone out of business for such breaches, so clearly these are not true business risks. This argument is focused on innovation lifeblood: formulas, research, sales playbooks, medical breakthroughs, etc. Everything that contributes to a strong economy that we, as infosec practitioners, are accountable for protecting.

If we know where that data lives in the first place, the overarching overhead of customizing DLP systems to actively look for your specific business critical data is, to a degree, moot: we now know where it is confined to by enforceable policy, and we can control access to it via both standard and enhanced authentication/authorization controls. Active Directory (AD) controls what you can and cannot access, as well as who can take data and copy it to removable media. At some point you have to realize that you cannot control persons taking camera shots of monitor screens that may contain business sensitive data. Assume the breach. Digitally mantrap your data such that only persons with advanced authorization have access to the sum of the parts. Limit your threat landscape and focus your controls on such persons, no matter how high up on the food chain they may be.
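The two-step model argued above (a discovery pass that tells you where the data lives, followed by a policy check on whether it lives where it is allowed to) can be sketched as a small script. The following is an added example written for this post, not the author's tooling or any DLP product's code. The UNC paths, file contents and the allowed-location policy are all constructed for illustration; the credit card detector uses a regex plus a Luhn check, and the SSN detector a simple pattern, purely as stand-ins for a real classifier.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus (hypothetical UNC paths and made-up contents),
# standing in for the result of a file-share crawl. Nothing here is real data.
SAMPLE_FILES = {
    "//fs01/finance/restricted/cards.csv":
        "4111 1111 1111 1111,2024-01-03\n5500 0000 0000 0004,2024-01-04\n",
    "//fs01/public/share/newsletter.txt":
        "Order ID 1234 5678 9012 3456 shipped.\n",   # 16 digits, fails Luhn
    "//fs01/hr/onboarding/notes.txt":
        "SSN on file: 123-45-6789\n",
    "//fs01/public/share/export.csv":
        "4111 1111 1111 1111\n",                     # card data outside policy
    "//fs01/rd/formulas.txt":
        "Formula X: 2 parts A, 3 parts B\n",
}

# Assumed policy for the example: the only prefixes where each data class may
# live. Access to these prefixes is then governed by ACLs and group membership,
# not by continuous content inspection.
ALLOWED_LOCATIONS = {
    "pan": ("//fs01/finance/restricted/",),
    "ssn": ("//fs01/hr/",),
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # "pan" or "ssn"
    count: int


def scan(files: dict) -> list:
    """Discovery pass: report which files hold which class of sensitive data."""
    findings = []
    for path, text in files.items():
        pans = [m.group(0) for m in PAN_RE.finditer(text)
                if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
        if pans:
            findings.append(Finding(path, "pan", len(pans)))
        ssns = SSN_RE.findall(text)
        if ssns:
            findings.append(Finding(path, "ssn", len(ssns)))
    return findings


def violations(findings: list) -> list:
    """Policy pass: sensitive data living outside its sanctioned location."""
    return [f for f in findings
            if not f.path.startswith(ALLOWED_LOCATIONS.get(f.kind, ()))]


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for f in found:
        print(f"{f.kind.upper():4} x{f.count:<3} {f.path}")
    for f in violations(found):
        print(f"OUT OF POLICY: {f.kind} data in {f.path}")
```

Run on the constructed corpus, the scan reports card data in the finance share, an SSN in the HR share, and card data in the public share; only the last is flagged, because it sits outside the location policy. That flagged copy is the actionable output: move or delete it, and tighten the ACL on the sanctioned location, rather than tuning content rules indefinitely.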

DLP systems have their place, but I believe that place is simply to identify the most important variable any organization needs to know in an effort to protect their business critical data - where that data lives. At that point existing controls can be implemented to enforce the business policies, restrict access to said data, redefine where said data should live and reduce the scope of threat vectors that have the potential to exfiltrate said data.

DLP - one time insight or ongoing overhead?