Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, September 28, 2010

DLP in a Proxy World

DLP (Data Leakage Protection) has been gaining steam over the last year. DLP was once relegated to organizations that required it for government compliance reasons (like HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, and others), but today many organizations are starting to look at DLP to prevent data theft, accidental data loss, and potentially embarrassing incidents.

It's impossible to implement DLP without bringing the proxy or Secure Web Gateway into the picture. That's because the proxy handles all the outbound web traffic in a typical network architecture. DLP relies on the proxy to determine which outbound traffic needs to be relayed to the DLP device, which inspects it to decide whether the data is sensitive or whether it's okay to send it out of the organization. This conversation between the DLP device and the proxy occurs over the ICAP protocol discussed here. Unlike anti-malware, which inspects inbound web traffic, DLP is primarily interested in outbound traffic, also known as request-mod (REQMOD) in ICAP.
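As an added illustration (not part of the original post), the sketch below frames an outbound HTTP POST as the ICAP REQMOD message a proxy would hand to a DLP server, and maps the server's reply to what the proxy does next. Framing follows RFC 3507; the service URL, host names, and payload are constructed placeholders.

```python
# Added example: ICAP REQMOD framing (RFC 3507). All names and data are constructed.
CRLF = b"\r\n"
ICAP_URL = "icap://dlp.example.internal:1344/reqmod"   # hypothetical DLP service
HTTP_BODY = b"ssn=078-05-1120&name=sample"             # constructed upload body
HTTP_HEAD = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
             b"Content-Length: %d\r\n\r\n" % len(HTTP_BODY))

def build_reqmod(service_url, http_head, http_body):
    """Wrap an outbound HTTP request in an ICAP REQMOD message."""
    if not http_head.endswith(CRLF * 2):
        raise ValueError("HTTP header block must end with a blank line")
    host = service_url.split("/")[2]
    if http_body:
        # req-body offset = byte length of the encapsulated HTTP request headers
        encapsulated = f"req-hdr=0, req-body={len(http_head)}"
        # The body travels chunked: hex size, data, then a zero-length chunk
        chunked = b"%x" % len(http_body) + CRLF + http_body + CRLF + b"0" + CRLF * 2
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_head)}"
        chunked = b""
    icap_head = (
        f"REQMOD {service_url} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"            # lets the server answer 204 "no change needed"
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_head + http_head + chunked

def proxy_action(icap_response):
    """Map the DLP server's ICAP reply to the proxy's handling of the request."""
    head = icap_response.split(CRLF * 2, 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if status == 204:
        return "forward-unmodified"
    if status == 200:
        # In REQMOD, an encapsulated HTTP *response* replaces the request: a block page
        enc = headers.get("encapsulated", "")
        return "block" if enc.startswith("res-hdr") else "forward-modified"
    return "error"  # whether to fail open or closed here is a proxy policy choice

if __name__ == "__main__":
    print(build_reqmod(ICAP_URL, HTTP_HEAD, HTTP_BODY).decode("ascii"))
```

The `Encapsulated` offsets are byte counts into the encapsulated section, so a proxy or DLP integration that computes them from character counts or from the wrong header block will produce messages the ICAP server rejects or misparses.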

DLP of course isn't limited to the proxy and outbound web traffic. There's also outbound email traffic, IM traffic, other outbound network traffic and physical device security, typically implemented as a client on PCs and laptops. There's also Network Discovery to determine what and where sensitive information is stored on the network. Each organization is going to differ in which of these pieces of DLP is more important, but it's important to recognize that a complete DLP solution requires a bit of thought, and implementing and integrating with multiple existing services, including the web proxy.
