One size doesn't fit all

I was talking with a student recently who was has a management directive to implement DLP in his network.  We talked about some quick wins that can move you towards DLP success.  One such idea is using group policy to restrict CD/DVD burning.  Another is preventing the use of removable media (USB).  The student pointed out tons of reasons that this wouldn't work for his entire organization.  I proceeded to explain that's what a well engineered group policy hierarchy is for.  However, I'm not naive.  I understand that a hierarchy engineered before DLP might not meet all of the granular DLP requirements.  For instance, one person in an OU may need to perform data transfers but the OU implements a no override policy (for some other setting).  The student then proceeded to explain how these GPO settings could be circumvented anyway if an attacker (or insider) elevated privileges on the endpoint (arguing that they were therefore ineffective).  Of course he's right - they can be implemented.  But is he missing the point?

In DLP, as in security, one size doesn't fit all.  Just because you can't implement a control everywhere in your network doesn't mean it can't add protection in those areas where it makes sense.  Maybe restricting USB use globally can't work, but restricting it in the HR department can.  For these solutions, I say don't let perfect stand in the way of good enough (or even better).  Evaluate whether a quick win can provide added security today and implement it where it will work.  This can provide some stopgap protection even as you search for a better solution that can:

1. Cover all (or a larger percentage) of the network
2. Cover the nodes not protected by some other control

I like to analogize this to the use of a bulletproof vest.  Police wear bulletproof vests when on patrol.  In fact, policy makers (supervisors, chiefs, etc.) usually force them to be worn.  They force their use even though it is well known that they don't cover the entire body.  Not only that, but the don't even cover all of the critical areas (groin, head, etc.).  To make matters worse, for the areas they do cover, some large caliber and specialty bullets cut right through them!  And yet, we would question the judgement of a police chief who said "because this solution isn't perfect and doesn't protect our officers from all potential bullet hits, we refuse to invest the time and money to implement it."  Why do we treat our network security controls any differently?