DLP: Data Loss Prevention
Companies tend to be very careful about keeping their confidential information, since their business continuity and their very existence often depend on it. To protect this valuable resource, they usually apply multiple tools to try and prevent outsiders or unauthorized people from accessing it.
However, sometimes data breaches are caused by the company’s own employees, either intentionally as they seek to damage the organization’s image or sell the data on the market or accidentally due to carelessness or unsafe use of technologies.
One way to mitigate this risk is by implementing roles or permissions so that each user can only access the resources they need to do their job. However, the vast majority of information security controls do not cover actions aimed at monitoring the copying of data to external devices such as USB or hard drives, its uploading to cloud services or sending using messaging applications.
To avoid such actions, companies that want to protect themselves against data breaches implement a solution called DLP (Data Loss Prevention).
What is DLP and How Does It Work?
Data Loss Prevention (DLP) is a system that consists of three main steps: identifying where data is stored in the organization’s mobile devices, cloud services, or facilities, monitoring how the data is used by employees inside and outside the corporate network, and, finally, protecting it against being stolen or lost.
DLP solutions can identify, monitor, and protect sensitive data in any location: at the workplace, on the go, or in the cloud, by extending visibility and control to all channels where a data breach can occur.
DLP identifies and protects the organization’s confidential information by:
- Scanning data in transit, in use, and at rest
- Identifying data to be protected
- Taking corrective actions: alerting, requesting, quarantining, blocking, encrypting
- Providing reports for compliance, auditing, forensic analysis, and incident response
The purpose of DLP is to actively prevent data breaches originating within the organization itself, which is why such solutions tend to incorporate artificial intelligence that allows them to learn about the types of confidential documents used and what users do with them to become increasingly effective in preventing data breaches.
DLP systems monitor the corporate network to prevent data breaches before they occur. Once a possibility of a breach has been identified, the user is notified that their actions violate the company’s confidentiality or security policies. These actions help raise awareness among people within the organization.
The resources monitored by a DLP system are not limited to the company’s internal network as these tools can extend control to mobile devices as well. In addition, they are capable of checking which corporate emails have been accessed and can identify and stop the transmission of the organization’s sensitive data to cloud storage services or social networks.
Other noteworthy features of these solutions are:
- The created policies can be applied in different ways: to a network segment, gateway, user group, etc. Each company can choose the method that best suits their needs.
- Administration is centralized in these solutions, providing a simpler and more flexible management.
- They are capable of inspecting multiple file types and protocols, whether the information transmitted is encrypted or not.
- They can apply visible or invisible watermarks to files, so that the person responsible can be identified in the event of a breach.
Given the variety of data within an organization, DLP solutions generally classify data based on its state to determine how it can be protected These data states are:
- Data at rest refers to data stored on any medium with which no user is interacting at a given time. Protection is applied to the devices where the data resides so that it cannot be copied, moved, or deleted, unless the rules expressly permit it.
- Data in transit is data moving through any medium. Data in transit is most commonly found in any corporate network.
- Data in use is data being accessed or manipulated by a user or software. This means that the data is in volatile memory, such as RAM, or that some application or process is interacting with it. For example, data on a USB device is “at rest” unless it is accessed for reading. Once the data is accessed for reading, its state changes from “at rest” to “in use”.
Types of DLP Solutions
There are different types of DLP solutions, each with its own specific purpose, but all with the same goal: to prevent data loss. These types include:
Network Data Loss Prevention solutions are available as software or hardware and installed at the data exit points of the corporate network. Once installed, the solution monitors, tracks, and reports all the network traffic data.
This DLP type is perfect for monitoring all content passing through the organization’s ports and protocols as it provides important reports that help ensure information security, such as: what data is being used, who accesses it, and where it goes. The collected information is saved in a database that is easy to manage.
Storage Data Loss Prevention solutions are systems that provide visibility of the confidential files stored and shared by those who have access to the corporate network, allowing you to identify sensitive points to prevent data breaches.
This is generally a good solution to control data stored in a cloud as it can identify what data is stored and shared, as well as how much of this information is considered confidential and may be at risk of a breach.
End-Station or Endpoint Data Loss Prevention solutions are those installed on all workstations and devices used by the company employees to monitor and prevent sensitive data from being distributed via removable media, sharing applications, or transmission.
With the increasing use of external storage devices such as USB flash drives or portable hard drives, security risks due to accidental or intentional data leakage are high. To mitigate them, this type of solution can be used to prevent data loss via removable devices.
Implementing a DLP Solution
Consulting before you deploy a DLP solution is an essential step which can be considered part of the process. To properly implement a DLP, you must perform at least two preliminary steps that complement each other: classify information and assign roles and responsibilities.
No DLP solution will be able to apply a data breach prevention policy unless it has been provided with a classification based on the organization’s needs.
There are solutions that can identify information in critical assets such as databases. However, the patterns to look for may not be standard ones, so the corporate rules need to define what the DLP solution should find to apply filters.
An incorrect configuration in this case can lead to two possible failure modes: the technology will block legitimate actions, affecting the company’s performance, or fail to prevent a data breach, making the implemented DLP useless.
Information does not necessarily need to be classified by technical staff. This must be performed by personnel with knowledge of the business who can translate business terms into technical ones to implement appropriate solutions.
Assigning and Documenting Roles and Responsibilities:
Information classification will not be of much use unless the roles and responsibilities are well defined, at least to determine which personnel can manipulate the data.
The rules must be followed by all users, and the DLP solution should function according to the needs defined for each role within the organization. In other words, the DLP solution will enforce the rules defined for each role, acting according to the business needs.
The people defining the roles in an organization do not need technical knowledge of the systems, but each manager or director must know what responsibilities and rights their subordinates have and how they must interact with the data they handle.
Due to the complexity of organizations, to successfully implement a DPL solution, a team is usually created whose task is to identify the company’s critical information, understand its global vision, assess risks in different areas, and transform this knowledge of the environment into technical needs and projects to prevent data breaches in a corporate environment.
Threat intelligence can help companies move from a reactive to a proactive approach to security. With real-time context and insight into the threat landscape, you can get ahead of attackers and disrupt their agenda, thus limiting the impact and cost of attacks.