Ask HN: Can anyone recommend good DLP platform?

1 points by edkvmn ↗ HN
We are a Saas provider and are going through compliance process, DLP came up as a gap(Data Loss Prevention). I have looked online and it is really hard to understand what those platforms do. I have read Googles white-paper and also their enterprise offering for DLP, but it only covers drive and email. if anyone has experience with platform that cover other endpoints and also shed some light into pricing, that will be greatly appreciated.

3 comments

[ 1.7 ms ] story [ 15.5 ms ] thread
The universal reply of "it depends" is appropriate here. The definition of "good" will depend upon your requirements and threat model, since there's not one best band-aid for all situations

Some DLP are driven from the client side, and have deep integration with things like Microsoft Office, or Office 365, or (as you said) G-docs and Drive, others are designed to identify leaky buckets, exposed databases, data found in places that it shouldn't be, that kind of thing

The reason why the requirements especially matter in this discussion is that a lot of those products work via proxy to allow alleged prevention of loss, and other products work by detection. If the prevention proxy goes down or is misconfigured, that's a business impeding event and will be "pager goes off." The detection approach means no one is blocked if something goes wrong, but will naturally have a lag between "someone saves something they shouldn't" and any potential leak happening

So, it depends on the kinds of risk your business is willing to tolerate and the kinds of leaks you're trying to prevent or detect

Thank you for your reply. Your point about requirements is spot on. I guess that is the problem, requirements change pretty quickly for us, within few months and that makes commuting to a platform a bit more challenging.
I mean, surely your business requirements change but not the threat model against your business leaking data, right? If you're using cloud storage, and it was misconfigured to be open to the public, on a scale of "annoying" to "company ending event," which end of the spectrum is it? If you're processing PII in documents, and someone shares the document with too wide of an audience, or exfiltrates all the customer records to their home Gmail address, is that annoying, or company ending?

Further, do you currently have any incident response processes in place? Because for a non-trivial portion of the DLP space, including Google's offering, they're most likely just going to alert you about it. If you don't already have the organizational muscle memory to ingest and prioritize alerts, adding a DLP product is just going to fill up someone's inbox, or worse: Jira dashboard

I'm not being critical or "you must be this tall to ride this ride" type thing, as much as trying to help you think through what a vendor's requirement list should look like for the kinds of risks you're driving down. In my job, finding the right set of questions is much harder than answering them once we know what we're trying to know. I would guess it's similar in a lot of situations, about the unknown unknowns etc