
Some high level risks with DLP that I can identify (with the monitoring component):

1- Abuse of authority: people with access to the system can look into other users' private data.

2- Loss of service availability: Especially within large organizations where DLP is unable to keep up with network traffic demands.

3- Loss of user data confidentiality: If all traffic is monitored, user information like bank accounts and health records can be intercepted and the confidentiality of users compromised.

Anything else you can think of?

AdnanG

1 Answer


The most predominant issues with DLP I currently see are with regard to what it can actually retrieve. Often this already omits encrypted connections such as HTTPS (unless SSL certificates are used to implement a MiTM).

Furthermore, there are some legal issues in most European countries regarding privacy and proportionality of collecting data, which is one of the biggest reasons DLPs are not really selling over there.

There are some strict guidelines regarding data retrieval and processing in the EU:

  • Notice—data subjects should be given notice when their data is being collected;
  • Purpose—data should only be used for the purpose stated and not for any other purposes;
  • Consent—data should not be disclosed without the data subject’s consent;
  • Security—collected data should be kept secure from any potential abuses;
  • Disclosure—data subjects should be informed as to who is collecting their data;
  • Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  • Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

In comparison to the US for instance, if a European employee has a folder on his computer titled "personal", even on a company machine, the data within this folder may not be accessed. The definition of personal has also been kept quite broad allowing for wide interpretation. And personal data is not allowed to be processed unless certain conditions are met:

  • Transparency (subjects should always be notified what data is being processed)
  • Legitimate purpose
  • Proportionality (When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply.)
  • The data itself can also not be sent to other countries outside of the European Union, unless certain conditions are met

Violating (even accidentally) any of the above rules will make you legally liable and can cause a lot of hurt to your company. So a machine collecting almost everything which passes over your network (and which decrypts SSL streams) is a real risk if something goes wrong with the data it collected or if someone decides to take a peek in it, as your company will be held responsible for it.

Lucas Kauffman
  • So you are talking about company reputation in addition to end user confidentiality breach. – AdnanG Sep 05 '13 at 09:37
  • I'm talking legal liability of the company and lawsuits which may follow. This will, as a result, also indeed affect your company's reputation. – Lucas Kauffman Sep 05 '13 at 09:43
  • So if you plan to implement DLP in Europe, you better have a few lawyers assisting you with the legal requirements. – Lucas Kauffman Sep 05 '13 at 09:44