Credit: Dreamstime
We accept the fact that the security operations centre (SOC) responds to external security incidents, but people forget that incidents can also be internal. The number of such issues is growing every year.
To track and prevent data leakage, it is important to use data loss prevention (DLP) systems. These are easiest to run based on the SOC model, transferring the support functions to the service provider.
The construction and development of a SOC is a continuous process that allows for the comprehensive protection of information. Unfortunately, SOCs are often presented as an out-of-the-box solution that will provide complete protection against data breaches with a single click of a button.
The same situation is true with DLP systems, which are also expected to be out-of-the-box solutions that will solve problems that other information security systems have not been able to. Real-life cases show that this approach is wrong.
DLP-as-a-service
No business owner wants to lose profits due to negligent (or malicious) employees. It has become particularly important to identify confidential data leak cases even to those companies that previously did not want to think about it.
In 2020, the Covid-19 virus gave a new impetus to information security outsourcing, including the maintenance of DLP systems by a third-party company. Security leaders realise that the cost of purchasing DLP systems may not be affordable even for large organisations that are ready to allocate necessary budgets.
Therefore, a subscription-based model of purchasing DLP support services has started to gain momentum this year. This approach can save a lot of money. You do not need to purchase the system or the equipment needed to install it, and you don't need to hire more people to work with the system.
Such a service will work similarly to a SOC format, as the service provider runs full technical support of the system and the infrastructure. This ensures the whole life circle of DLP activities, and the customer receives only the results of already processed events and decides whether to conduct internal investigations.
What's required to work with DLP service providers
Before launching a DLP system, IT professionals must determine what information in the company is considered confidential and write it into internal regulations. After that, it is necessary to prepare documents related to the so-called legalisation of the system in the company. Without the adoption of special regulations, it will be difficult to bring employees to justice in the event of an incident.
Moreover, consulting (or, rather, legal) support is required not only at the beginning of the journey but also at all other stages. If you decide to go all the way and sue the employee or contact the police, you need to prepare all evidence and documents properly.
Any company that plans to buy a DLP system needs support in three areas: technical, analytical, and legal. Without any of these areas, the system will either not work at all or will be ineffective. Any outsourcing company that provides DLP services must be ready to cover all these areas, too.
DLP-as-a-service payment models
Not all vendors are ready to change the years-old sales scheme where the price depends on the number of connected employees/seats, but some have started to offer pricing based on the type and quantity of scanned content/data. You can now get both subscription and perpetual licenses. And some vendors are ready to negotiate the price and offer corporate discounts. So, we may see a breakthrough in the well-established DLP market.
New approaches will help the joint efforts of vendors and outsourcing companies to offer full-fledged services, including those operating on the SOC format. Over time, this may help eliminate some negative sides of DLP systems that have to do with the complexity of their installation and operation.
Information disclosure risks
It is often psychologically difficult to outsource DLP support because it is not easy for some customers to assess information leakage risks coming from the service provider. IT managers are afraid that the service provider will become an additional risk factor. That is why many companies still prefer to use their own employees to manage DLPs.
However, this is not necessarily the approach, as even the obligations of the employee as described in the employment contract will not give a 100 per cent guarantee that they will not allow the disclosure of information entrusted to them.
The employment contract is designed to protect the employee, as many governments require this. However, with the contract that you sign with a service provider, both parties are equal in their rights and can discuss and fix mutually favourable conditions (fines, penalties, etc.).
If staff members of your company manage DLP, the company must have a complete package of regulations governing the confidentiality of information. A court will reject any claims against employees if they violated a rule that they know about only verbally from a supervisor or by email.
The outsourcing company is not interested in committing such violations because the services provided to the customer are the essence of its business. Major service providers make a lot of effort to check the reliability of their employees. These measures are usually much more significant than those that businesses take at their level.
Although the DLP market remains relatively narrow in terms of the number of specialised companies and people working in them, it is still important to pay attention to the outsourcing company's reputation, the history of its relationships with other customers, and the duration of these relationships.
