Even a novice system administrator can handle the installation of a DLP system. But fine-tuning DLP requires some skills and experience.

The foundation for the stable operation of DLP-class products is laid at the implementation stage, which includes:

  • identification of critical information to be protected;
  • development of a privacy policy;
  • setting up business processes to address information security issues.

Performing such tasks requires narrow specialization and in-depth study of the DLP system.

Classification of protection systems

The choice of a DLP system depends on the tasks that a particular company needs to solve. In the most general form, the tasks fall into several groups: control of the movement of confidential information, supervision of employee activity during the day, network monitoring (gateway analysis), and combined monitoring (networks and end workstations).

For most companies, an integrated DLP solution will be the optimal choice. Host systems are suitable for small and medium-sized businesses. The advantages of host DLP are satisfactory functionality and low cost. The disadvantages are low performance, low scalability, and low fault tolerance.

Network DLP systems have no such disadvantages. They integrate and interoperate easily with solutions from other vendors. This is an important aspect, since the DLP system must work harmoniously in tandem with the products already installed on the corporate network. DLP compatibility with the databases and software in use is equally important.

When choosing DLP, the data transmission channels that are used in the company and need protection are taken into account. Most often these are e-mail, IP telephony, and HTTP protocols; wireless networks; Bluetooth; removable media; and printing to networked or offline printers.

Monitoring and analysis functions are important components for the correct operation of a DLP system. The minimum requirements for analytical tools include morphological and linguistic analysis and the ability to correlate monitored data with dictionaries or stored "reference" files.

From a technical point of view, modern DLP solutions are largely the same. The effectiveness of the system depends on how competently the automated search algorithms are tuned. A product's advantage is therefore a simple and understandable DLP setup process that does not require regular consultations with the vendor's technical specialists.
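Correlating monitored text with a stored "reference" file can be illustrated as follows. This is an added example, not code from any DLP product: it uses word-shingle fingerprints, one common technique chosen here as an assumption, and the reference text, message samples, and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed "reference" file content (not real data).
REFERENCES = {
    "pricing-schedule.txt": (
        "Confidential pricing schedule. Tier one customers receive a discount "
        "of twelve percent on annual contracts. Tier two customers receive "
        "eight percent. Do not distribute outside the sales department."
    ),
}

def shingles(text, k=5):
    """Normalize to lowercase words and hash every run of k consecutive words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }

def build_index(references, k=5):
    """Fingerprint each reference file once, ahead of monitoring."""
    return {name: shingles(body, k) for name, body in references.items()}

def match(text, index, k=5, threshold=0.3):
    """Return {reference: share of its shingles seen in text} above threshold."""
    seen = shingles(text, k)
    scores = {name: len(seen & fp) / len(fp) for name, fp in index.items() if fp}
    return {name: round(s, 2) for name, s in scores.items() if s >= threshold}

INDEX = build_index(REFERENCES)

# Constructed monitored messages: a partial, re-punctuated copy and unrelated text.
LEAK = ("fyi -- TIER ONE customers receive a discount of twelve percent on "
        "annual contracts; tier two customers receive eight percent!!")
BENIGN = "Lunch menu: tier one of the cake is chocolate, customers receive a free coffee."

if __name__ == "__main__":
    print("leak:  ", match(LEAK, INDEX))
    print("benign:", match(BENIGN, INDEX))
```

The partial copy still matches after changes in case and punctuation, while the unrelated message that shares a few words with the reference does not.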

Approaches to implementation and customization

Installation of a DLP system in a company most often follows one of two scenarios.

The classical approach means that the customer company independently establishes the list of information that needs protection and the specifics of its processing and transmission, and the system controls the information flow.

The analytical approach is that the system first analyzes information flows in order to isolate the information that needs protection, and then fine-tuning takes place for more accurate monitoring and protection of information flows.


according to the classical scheme:

according to the analytical scheme:

  • analysis of basic business processes and registration of a list of confidential data;
  • creation of a DLP protection project;
  • "inventory" of the media and data movement routes that are threatened by unauthorized actions;
  • setting the minimum permissions of the confidentiality policy;
  • registration of the procedure for working with information services, including Internet resources, removable devices, PCs, laptops, tablets, printers, copiers, printed media;
  • familiarization of the specialists responsible for the work of DLP with the basic principles of the system;
  • familiarizing employees with the requirements for the circulation of information in the company;
  • starting the system in trial mode;
  • creation of a DLP project with an indication of how the system responds to identified incidents, as well as methods of external management;
  • analysis of test launch results;
  • launching the experimental system in the observation mode;
  • making changes to the system settings;
  • training of specialists responsible for DLP work;
  • launching the system into "industrial" operation;
  • analysis of a pilot launch of a DLP system, if necessary - additional configuration;
  • regular analysis of the system operation, adjustment of parameters.
  • launching the system into "industrial" operation;


  • regular analysis of the system operation, parameter adjustment.


Problems during DLP operation

Practice shows that the problems of DLP systems most often lie not in the technical peculiarities of their operation but in users' inflated expectations. The analytical approach to implementing protection, also called the consulting approach, therefore works much better. Companies that are “mature” in information security, that have already implemented tools for protecting confidential information and know what to protect and how, have a better chance of building a well-functioning, effective protection system based on DLP.

Common mistakes when setting up DLP

  • Implementing template rules

Often, an information security department is assigned the role of a service department for the company's other departments, providing its "clients" with services to prevent information leaks. For effective work, however, information security specialists need thorough knowledge of the company's operating activities in order to tailor the DLP system to individual business processes.

  • Not covering all possible channels of confidential data leakage

Controlling e-mail and HTTP protocols with a DLP system while FTP or USB ports are left uncontrolled will hardly provide reliable protection of confidential data. In such a situation, it is possible to identify employees who send corporate documents to their personal mail to work from home, or idlers who sit out working hours on dating sites or social networks. But against a deliberate "leak" of data, such a mechanism is useless.

  • False incidents that the information security administrator does not have time to process manually

In practice, keeping the default settings results in an avalanche of false alerts. For example, for the query "bank details", information about all transactions in the company, including payments for stationery and water delivery, lands on the information security specialist. The system cannot adequately handle a large number of false alarms, so some rules have to be disabled, which weakens protection and increases the risk of missing an incident.
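The "bank details" false-alert problem can be made concrete by comparing a keyword-only rule with a tuned one. This is an added example, not a rule from any DLP product: the events, domains, the two-IBAN threshold, and the internal-recipient exemption are assumptions constructed for illustration.

```python
import re

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the company's own mail domain
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

# Constructed outbound-message events (not real data).
EVENTS = [
    {"id": 1, "to": "billing@stationery.example", "text": "Our bank details for the stationery invoice are attached."},
    {"id": 2, "to": "orders@water.example", "text": "Bank details for the water delivery payment, as agreed."},
    {"id": 3, "to": "accounts@corp.example", "text": "Customer bank details for reconciliation: GB82WEST12345698765432 DE89370400440532013000"},
    {"id": 4, "to": "someone@freemail.example", "text": "bank details export: GB82WEST12345698765432 DE89370400440532013000 FR1420041010050500013M02606"},
    {"id": 5, "to": "someone@freemail.example", "text": "Please refund to DE89370400440532013000"},
    {"id": 6, "to": "parts@supplier.example", "text": "Part numbers GB82WEST12345698765431 and DE89370400440532013001"},
    {"id": 7, "to": "someone@freemail.example", "text": "Attached list: GB82WEST12345698765432; FR1420041010050500013M02606"},
]

def iban_valid(candidate):
    """ISO 13616 mod-97 check: move the first 4 chars to the end, letters -> 10..35."""
    rearranged = candidate[4:] + candidate[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def default_rule(event):
    """Keyword-only rule: fires on the phrase alone."""
    return "bank details" in event["text"].lower()

def tuned_rule(event, min_ibans=2):
    """Fires only when several checksum-valid IBANs leave the company."""
    domain = event["to"].rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return False
    valid = {m for m in IBAN_RE.findall(event["text"]) if iban_valid(m)}
    return len(valid) >= min_ibans

def alerts(rule, events):
    """IDs of the events on which the rule fires."""
    return [e["id"] for e in events if rule(e)]

if __name__ == "__main__":
    print("default:", alerts(default_rule, EVENTS))
    print("tuned:  ", alerts(tuned_rule, EVENTS))
```

On this sample the keyword rule raises four alerts, three of them routine correspondence, and misses event 7, while the tuned rule raises two and ignores look-alike strings that fail the checksum.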

  • Failure to prevent data breaches

Standard DLP settings allow you to identify employees who are engaged in personal affairs in the workplace. For the system to correlate events in the corporate network and indicate suspicious activity, fine-tuning is required.

  • Deteriorating DLP efficiency due to building information flows around the system

The information protection system should be "tuned" on top of business processes and the accepted regulations for working with confidential information, rather than the company's work being adjusted to the capabilities of DLP.

How to solve problems?

In order for the protection system to work like clockwork, you need to go through all stages of implementation and configuration of DLP without exception, namely: planning, implementation, verification and adjustment.

  • Planning

Planning consists of precisely defining the data protection program. Not every customer has an answer to the seemingly simple question "What are we going to protect?" A checklist made up of answers to more detailed questions will help to develop a plan:

Who will use the DLP system?

Who will administer the data?

What are the prospects for using the program within three years?

What are the goals pursued by the management implementing the DLP system?

What are the atypical requirements for preventing data leaks in a company?

An important part of planning is to clarify the object of protection, in other words, to specify the information assets that are transferred by specific employees. Specification includes categorization and accounting of corporate data. This task is usually split off into a separate data protection project.

The next step is to determine the real channels of information leakage; this is usually part of the company's information security audit. If the DLP complex does not “close” the potentially dangerous channels that are detected, you should take additional technical protection measures or choose a DLP solution with more comprehensive coverage. It is important to understand that DLP is a proven, effective leak prevention method, but it cannot replace all modern data protection tools.

  • Implementation

Tuning the program to the individual requirements of a particular enterprise is based on the control of confidential information:

  • in accordance with the features of special documentation adopted by the company;
  • in accordance with the features of standard documentation common to all organizations in the industry;
  • using rules aimed at identifying incidents (atypical actions of employees).

Three-step control helps to identify deliberate theft and unauthorized transfer of information.

  • Check

The DLP complex is part of the enterprise information security system and does not replace it. The efficiency of a DLP solution is directly related to the correct operation of each element. Therefore, before the "factory" configuration is changed for the particular needs of the company, detailed monitoring and analysis are carried out. At this stage, it is convenient to calculate the human resources required to ensure the stable operation of the DLP program.

  • Adjustment

After analyzing the information collected during the test operation of the DLP solution, reconfiguration begins. This step includes clarifying existing rules and establishing new ones; changing the tactics of ensuring the security of information processes; staffing the team that works with the DLP system; and technical improvement of the program (often with the participation of the developer).

Modern DLP complexes solve a large number of problems. However, the potential of DLP is fully realized only through a cyclical process in which analysis of the results of the system's operation is followed by refinement of the DLP settings.