May 13, 2020

To Allow or Not to Allow: The Policy-Setting Predicament

Ankur Chadda

It’s a philosophical question that security teams have long wrestled with: when should file sharing or data movement be allowed, and when should it be forbidden?

Employees increasingly depend upon quick and effortless file sharing to get their jobs done. As video conferencing tools or other collaboration platforms become increasingly central to people’s ways of working, it’s only natural they’ll want to take advantage of these tools’ full capabilities. However, failing to block any file movements when required can leave organizations dangerously exposed. 

The vast majority of breaches either begin with the download of a malicious file or proceed through the unauthorized transfer of large volumes of data. Beyond dealing with the threat of breaches, many organizations must comply with a growing list of regulations that mandate how Personally Identifiable Information (PII) and Protected Health Information (PHI) must be safeguarded and how its movement and access must be restricted.

For security teams, finding the right balance between permissiveness and control is a lot of work. All too often, it ends up being an exercise in futility.

Traditional static policies are too restrictive 

In the traditional approach to policy enforcement, security teams allow the actions they believe to be the least dangerous in their particular environment or the most common among their users. They block those believed to carry additional risk or be subject to less user demand. 

A team might, for instance, permit files to be transferred via email and USB drives, as well as sent to in-office printers, but block file uploads to cloud-based file sharing platforms, sharing files via unstructured chat conversations, or sending files to a mobile device over a Bluetooth connection.

The problem with this approach is that static policies limit productivity. The result is employee frustration, endless complaints, and efforts to evade restrictions or find unsanctioned workarounds. If an employee needs to upload information to a customer portal, for instance, and the policy blocks it, they are left unable to get their job done.

At the same time, static policy enforcement cannot guarantee consistent protection from all types of risk. If an account were compromised, the attacker could still readily exfiltrate sensitive data via email.

Reactive approaches don’t offer real protection

It’s an all-too-common scenario. Once somewhat restrictive DLP policies are put in place in a production environment, employee complaints abound. As a result, security teams often backpedal, moving to an audit-only mode in which their DLP tools are used solely for the purpose of providing after-the-fact evidence for forensic purposes in case of a breach. 

The difficulty with this approach is obvious: moving to audit-only mode means de-facto acceptance of additional risk. It also means the organization will never experience the principal benefit (data protection in real time) that was hoped for when it invested in the security solution in the first place.

A dynamic approach to policy enforcement is the solution

In reality, “to allow or not to allow?” is the wrong question. Implement a data loss prevention (DLP) solution that takes a dynamic approach to policy enforcement, and teams can make decisions about when and where to permit file sharing—instead of whether to permit it at all. When risk is assessed dynamically, employees can accomplish what they want and need to do in all low-risk situations.

Leverage an intelligent behavior analytics engine that calculates risk by determining which behaviors are typical for each employee. You’ll discover that the vast majority of their activities fall into the “low-risk” category. Only in the rare circumstances in which something is truly risky, such as an authentic case of account compromise, will increasingly stringent controls be applied.
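As an added illustration (not Forcepoint code or any product’s engine), the following Python puts the static channel policy from the earlier section beside a dynamic, risk-scored one. The per-user baselines, the risk weights and thresholds, the channel names and the sample transfers are all constructed for the example; the point it makes is the one in the text: the static policy blocks a legitimate customer-portal upload yet allows a compromised account to exfiltrate over email, while the dynamic policy allows the first and blocks the second because it scores deviation from the user’s own norm.

```python
"""Static allow/block channel policy vs. dynamic, risk-scored policy for a DLP decision.

Added example, not Forcepoint code. All baselines, weights, thresholds and
sample transfers below are constructed values for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# The traditional approach: allow the channels believed to be common/low-risk,
# block the rest, regardless of who is acting or what they are moving.
STATIC_POLICY = {
    "email": "allow", "usb": "allow", "printer": "allow",
    "cloud_upload": "block", "chat": "block", "bluetooth": "block",
}


@dataclass
class Transfer:
    user: str
    channel: str
    mbytes: float
    pii_records: int          # PII/PHI records found by content inspection (constructed)
    new_device: bool = False  # session from a device never seen for this user


@dataclass
class Baseline:
    """What is typical for one user, learned from past activity (constructed here)."""
    channels: dict          # channel -> share of this user's historical transfers
    daily_mbytes: list      # sample of the user's past daily outbound volumes


def static_decision(t: Transfer) -> str:
    """Channel is the only input; unknown channels default to block."""
    return STATIC_POLICY.get(t.channel, "block")


def risk_score(t: Transfer, b: Baseline) -> float:
    """0..100 score combining channel novelty, volume deviation, sensitivity and context."""
    score = 0.0
    # 1. How unusual is this channel for *this* user? (0 if it's their main channel)
    score += 30 * (1 - b.channels.get(t.channel, 0.0))
    # 2. Volume deviation from the user's own daily norm, as a capped z-score
    mu = mean(b.daily_mbytes)
    sd = pstdev(b.daily_mbytes) or 1.0   # avoid divide-by-zero on a constant baseline
    z = (t.mbytes - mu) / sd
    score += 10 * max(0.0, min(z, 4.0))
    # 3. Content sensitivity: saturates at 500 detected records
    score += min(t.pii_records, 500) / 500 * 30
    # 4. Session context that suggests account compromise
    if t.new_device:
        score += 20
    return round(min(score, 100.0), 1)


def dynamic_decision(t: Transfer, b: Baseline) -> tuple:
    """Escalate controls with risk instead of a flat allow/block per channel."""
    s = risk_score(t, b)
    if s < 30:
        return ("allow", s)
    if s < 60:
        return ("allow_with_encryption_and_alert", s)   # friction only when warranted
    return ("block", s)


# --- constructed sample data -------------------------------------------------
ALICE = Baseline({"email": 0.5, "cloud_upload": 0.4, "printer": 0.1}, [20, 25, 30, 22, 28])
BOB = Baseline({"email": 0.7, "printer": 0.3}, [5, 8, 6, 7, 4])

ALICE_PORTAL = Transfer("alice", "cloud_upload", 15, pii_records=0)          # routine portal upload
ALICE_MEDIUM = Transfer("alice", "email", 30, pii_records=100)               # a bit above her norm
BOB_NORMAL = Transfer("bob", "email", 6, pii_records=0)                      # his everyday email
BOB_EXFIL = Transfer("bob", "email", 900, pii_records=2000, new_device=True)  # compromised account


if __name__ == "__main__":
    for t, b in [(ALICE_PORTAL, ALICE), (ALICE_MEDIUM, ALICE), (BOB_NORMAL, BOB), (BOB_EXFIL, BOB)]:
        print(f"{t.user:6} {t.channel:13} static={static_decision(t):6} dynamic={dynamic_decision(t, b)}")
```

Running it shows the two failure modes side by side: Alice’s portal upload is blocked by the static table but scores 18 dynamically and is allowed, while Bob’s 900 MB email from an unseen device is allowed by the static table but scores 99 and is blocked. The middle tier (encrypt and alert) is where most of the “frictionless” gain lives, since it lets ordinary-but-unusual activity proceed while still producing a signal for the security team.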

When context informs decisions about what’s risky and what’s not, security becomes frictionless. The traditional—and false—dichotomy between security and accessibility (and productivity) is erased. Security teams’ jobs become more manageable at the same time employees across the business have broader access to more capabilities when they need them. It’s a win for everyone involved.

Want additional information about how Forcepoint DLP with Dynamic Data Protection helps security teams become more efficient when adopting a human-centric approach to data security? Watch the webcast “Data Security Can’t Be Black or White” to learn how to effectively modernize your data protection strategy.

Ankur Chadda

Ankur serves as Principal Solutions Manager for the company. He brings over 20 years of experience in the technology industry and leads the product marketing efforts for data protection solutions leveraging his UEBA startup experience where he helped global enterprises implement behavior...

