Thursday, January 24, 2008

DLP and eDiscovery

DLP lends itself well to eDiscovery. The biggest obstacle today is the machine learning needed to make discovering documents from vast repositories straightforward. With email the situation is the same, but the discovery process is more mature, as emails have been sought by litigants for a while now.

DLP would also facilitate a broader eDiscovery search than is possible without it. If DLP is deployed for network traffic (Data in Motion, DIM), across repositories (Data at Rest, DAR) and on endpoints, it would be possible to search for any relevant document across the entire organization.

For DIM, with most DLP vendors you would only have a record of the incidents caught, so an archive of all traffic is not maintained. The most notable exception is the DIM product Reconnex provides: they capture all traffic and store it. This enables eDiscovery on all captured traffic, not just the traffic that caused incidents.

For DAR, most DLP vendors scan the information in a central system, which moves the information over your network and can drive network utilization higher than desired. With DAR, a new scan is needed whenever the rules are changed, as most DAR vendors do not make use of archived and indexed material. Tablus, now part of RSA/EMC, uses a notably different process, as most of their information is scanned locally instead of being transported across the network.
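To illustrate the indexed approach contrasted above, the following is an added example (not code from the original post or from any vendor it names) of a DAR scanner that reads each file once into a local index and then evaluates both a DLP rule set and a later eDiscovery query against that index, so a rule change costs no second pass over the files; the repository contents and rule patterns are constructed for the demonstration.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample repository (path -> file bytes), standing in for a file share.
REPO: Dict[str, bytes] = {
    "hr/offer_letter.txt": b"Offer for J. Doe, SSN 123-45-6789, start date 2008-02-01.",
    "eng/design_notes.txt": b"Internal architecture notes for the DIM capture service.",
    "legal/contract_draft.txt": b"CONFIDENTIAL settlement terms between ACME and Contoso.",
}


class LocalIndex:
    """Reads each file once into a local index of (content hash, extracted text)."""

    def __init__(self, repo: Dict[str, bytes]) -> None:
        self.repo = repo
        self.reads = 0  # file reads performed: the network/disk cost being avoided
        self.entries: Dict[str, Tuple[str, str]] = {}

    def build(self) -> int:
        """Initial scan: exactly one read per file. Returns the number indexed."""
        for path, data in self.repo.items():
            self.reads += 1
            digest = hashlib.sha256(data).hexdigest()
            self.entries[path] = (digest, data.decode("utf-8", errors="replace"))
        return len(self.entries)

    def evaluate(self, rules: Dict[str, str]) -> List[Tuple[str, str, str]]:
        """Apply named regex rules to the indexed text only; performs no file reads."""
        hits = []
        for path, (digest, text) in self.entries.items():
            for name, pattern in rules.items():
                if re.search(pattern, text):
                    hits.append((name, path, digest))
        return hits


# Hypothetical rule sets: the DLP policy in force, then a later eDiscovery request.
DLP_RULES = {"us_ssn": r"\b\d{3}-\d{2}-\d{4}\b"}
EDISCOVERY_RULES = {"contoso_matter": r"\bContoso\b"}


def demo() -> Tuple[int, int, int]:
    """Returns (DLP hits, eDiscovery hits, file reads caused by the new rule set)."""
    idx = LocalIndex(REPO)
    idx.build()
    dlp_hits = idx.evaluate(DLP_RULES)
    reads_after_build = idx.reads
    ediscovery_hits = idx.evaluate(EDISCOVERY_RULES)  # new rules, no rescan needed
    return len(dlp_hits), len(ediscovery_hits), idx.reads - reads_after_build  # -> (1, 1, 0)
```

The content hash stored per entry is what lets a real deployment re-read only files that changed between scans, rather than the whole repository.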

For endpoints, it is clearly an advantage to do the scanning locally if you have a large number of desktops/laptops deployed, unless you can use a targeted process to choose which systems to scan. However, each time you do a targeted scan, you increase the number of man hours needed for the process.

With DLP and eDiscovery, it is important to have good retention policies and to actually enforce the remediation policies. As anyone is aware, merely relying on policies without enforcement does not effectively address the risks posed by storing unneeded information. It is my belief that DLP systems and general search systems will be increasingly used for discovery purposes, and the dredging capabilities enabled by such systems can turn out to be very costly for organizations that do not enforce their retention policies.

Good risk management should drive the adoption of DLP in the organization, and it should pinpoint the areas in which the highest return on the investment can be found.
