In some cases, your DLP products will need to integrate with other security systems. In particular, many network-based DLP products must work with third-party ICAP proxies to prevent sensitive information from leaking out via communication channels such as HTTP/S, FTP, and IM.
Another likely integration area involves encrypted e-mail. For instance, if your company handles the personally identifiable information of a Massachusetts resident, as of March 1, 2010, you're subject to the new Massachusetts Data Privacy Law (CMR-201). Among the requirements of this new legislation is the rule to encrypt any personally identifiable information that must traverse the public Internet during the course of business. With a fine of $5,000 per customer record exposed or lost, this privacy law puts a significant price tag on even a small number of exposed records.
If your business practices require you to e-mail personally identifiable information within your organization, as well as to third parties or business partners, you might need to have your DLP appliance to forward e-mail to an encryption appliance. Unfortunately, not only have you just introduced another two hops into your e-mail routing process, but you've also introduced products from two separate vendors that you must now configure, manage, and troubleshoot. The same issues often apply on the end point, where organizations may run DLP as well as software that can encrypt files, folders, or the entire hard drive.
As mentioned earlier, network-based DLP technology can log and deny data transfers or communications that violate policy. However, as with intrusion-detection systems, not all actions can be automated, and network-based DLP will generate events that must be investigated and adjudicated by humans. The more aggressively you set your protection parameters, the more time administrators will spend reviewing events to decide which communications can proceed and which should be blocked.
In addition to administrators, your help desk staff may also see an uptick in calls because your employees are used to doing whatever they want with company data--attaching Excel files to Web mail accounts to download to a home laptop, saving loads of customer records to a USB drive, and so on.
If you're deploying DLP technology that prevents such behavior, be prepared to field complaints.
The range of features and reporting that you get from a robust DLP suite is impressive, and can be a critical part of a risk management strategy. But don't expect your DLP products to run themselves. Be sure your IT and security operations teams understand what they're getting into with a DLP rollout, and that sufficient resources, both human and financial, can be committed to ongoing maintenance. DLP must be managed consistently to minimize the burden on employees while ensuring solid security. Finding that balance requires work, but the benefits outweigh the drawbacks.