The typical organization stores data in multiple locations, including hard drives, virtual servers, physical servers, flash drives, and databases. There are equally many ways to move this data, including through VPNs, wirelines, and wireless. This modern reality begs the question of whether it is possible to protect sensitive data.
What is Data Loss Prevention (DLP) Anyway?
Data loss prevention (DLP) refers to a combination of software, techniques, strategies, and processes to prevent the loss, misuse, or unauthorized access and transmission of sensitive data.
More commonly, DLP is used to refer to software and other technologies that protect sensitive data. This protection may include filtering data streams, controlling endpoint activities, and monitoring data stored in the cloud.
Organizations implement data loss prevention for many crucial reasons, including:
Data Privacy Obligations: Today, every organization that collects, stores, and uses sensitive customer data is accountable for safeguarding this data. Regulations such as GDPR, HIPPA, and PCI-DSS enforce compliance with the set-out data protection measures. Companies wanting to avoid hefty fines and other penalties implement DLP to guarantee compliance with regulators.
Cyber Security Threats: Many organizations face increasing internal and external threats to sensitive data. Corporate espionage and malicious attacks are on the rise, forcing organizations to take a security-first approach in handling data. Data loss prevention helps to identify sensitive data and protect it from internal and external attacks.
Data Visibility: It is hard to track the movement of data within an organization. DLP offers a 360-degree view of how data moves through the various networks, endpoints, and the cloud. This visibility helps identify how each employee interacts with data.
Bring Your Own Device (BYOD) Policies: BYOD helps increase workforce mobility, cut down the cost of business-owned devices, and increase efficiency and productivity. However, these devices pose a security threat, including employees unwittingly sharing sensitive information via their personal laptops, mobiles, or tablets. DLP brings these devices to the fold, securing all data leaving the organization regardless of the device.
How Data Loss Prevention Works
Data loss prevention is a simple concept with two main objectives. The first objective is to identify sensitive data that needs protection. The second objective is to protect sensitive data from loss.
However, there are technical details that go into accomplishing these two seemingly simple objectives.
Identifying Sensitive Data
Data exists in different states within any given infrastructure. These states include:
Data in use: Refers to data that’s actively making its way through the IT infrastructure, such as in RAM, CPU registers, or cache memory. This includes data in the process of being generated, updated, amended, viewed, or erased.
Data in motion: Refers to data being moved or transferred from one place to another via a network. An example of data in motion is downloading files from a web browser to a local app. Data in motion is also referred to as data in flight or data in transit.
Data at rest: Refers to data collected in one place, such as databases, data lakes, file systems, or the cloud.
DLP solutions deploy agent programs to comb through data in different states and locations. During this process, the software can identify sensitive data using various techniques such as rule-based matching. In this case, the agents use familiar patterns to locate sensitive information matching specific rules.
For example, nine-digit numbers may indicate to the program that the file contains social security numbers, while 16-digit numbers may indicate credit card numbers.
Other techniques that DLP solutions use to find sensitive data include:
- Exact file matching
- Database fingerprinting
- Partial document matching
- Statistical analysis
Protecting the Sensitive Data
Once the DLP solution finds the sensitive data, it takes active measures to protect the information. To this end, the DLP software monitors data to identify violations.
It is first necessary to come up with DLP policies and procedures. The policies and procedures essentially tell your software what to do when it identifies a security breach or violation.
In the event of a violation, the solution implements security controls, such as blocking data transfer, cutting off network access, popping up a warning, or sending an alert to the network administrator.
Let’s take a look at a few real-world examples of how data loss protection works.
Example #1: Omni American Bank
The Omni American Bank is based in Ft. Worth, Texas, has been in business for more than 60 years. The bank has a customer base of more than 86,000 and holds more than $1 billion in assets.
The bank already had several data security solutions in place, including a URL filter and content filtering. The bank’s Chief Information Officer noted that the organization needed more visibility into data in addition to boosting data security.
The solution was simple. The bank’s CIO looked to Websense, a leading DLP software provider. As a result, network administrations now have a full view of where the data is stored, where it is going, and every touch-point in-between.
Administrators know precisely who is using the data and for what purpose. This visibility allows administrators to control to whom employees can send information and who can view the information.
One challenge that administrators face is securing data coming into the organization. Omni American Bank’s DLP system blocks employees from replying directly to emails containing sensitive information.
For example, a customer might send an email containing their social security number. The standard procedure is to create a new email so that it doesn’t include sensitive information. If a rep hits the “reply” button, the software blocks the outgoing message and sends an alert to the information security department.
Additional benefits that Omni American Bank enjoys from its DLP solution include:
- Securing all data points, including USBs and CDs
- Comprehensive reporting and documentation for its compliance programs
- Identifying potential data leaks quickly
- Centrally managed data security
Example #2 – US Department of Veteran Affairs
In 2006, a data analyst working for the Department of Veteran Affairs had his laptop and external hard drive stolen during a home burglary. Home invasions are hardly unusual, But this particular one has a twist. The hardware contained personal information belonging to 26.5 million US military veterans and military personnel.
This personal information included social security numbers, names, birthdates, and other personally identifiable information (PII). After a much-publicized nationwide search and a $50,000 reward, the FBI retrieved the laptop. Thankfully, the thieves had not accessed the information.
Still, this didn’t stop the people whose information was on the laptop from filing a class-action lawsuit. After a prolonged three-year legal battle, the US Department of Veteran Affairs was forced to pay out $20 million.
The lesson here is plain: Bring-your-own-devices can be a severe security threat if not appropriately addressed. Part of data loss prevention is securing personal devices that employees bring to the workplace.
In this incident, the department’s network administrator or IT service provider might have been able to wipe out the sensitive data or shut down the device remotely had there been a comprehensive DLP policy in place. Better yet, the employee shouldn’t have been able to store such sensitive information on their personal device.
How to Get Started With Data Loss Prevention
Implementing a data loss prevention program is crucial to your organization’s data security. Even so, the process doesn’t have to be complicated. Here’s what you can do to get started with data loss prevention:
Step 1: Analyze and Categorize Data
The obvious place to start when rolling out a data loss prevention plan is data discovery. Data discovery lets you identify the type of data you collect, where it is located, and how it is accessed, used, and shared within the organization.
A data discovery tool automatically finds data in different locations, including on-premise, cloud, and hardware storage. You can then collect all this data in one place, so it’s easy to manage.
Next, perform data classification. This means categorizing the data you collect. This step helps you identify the data that you need to protect and why. Typical data categories include:
- Payment Card Information (PCI)
- Personally Identifiable Information (PII)
- Customer Information
- Public Domain Information
- Customer Information
- Internal-only Information
- Intellectual Property
Once again, you can use a data classification tool to help you in this step. These tools use a variety of methods to identify and categorize different types of data.
Finally, tag the data appropriately so you can track how the data is used.
Step 2: Identify Regulatory Compliance Requirements
With your data neatly categorized and tagged, you can now identify the DLP regulatory compliance requirements relating to your industry. This will help you to set the baseline for your data loss prevention policy and procedures.
For example, if your business processes credit cards, you are bound by the PCI-DSS. Companies in the healthcare industry are required to comply with HIPPA regulations.
Common data protection regulations and standards include:
Remember that regulatory compliance is just a baseline for your data loss protection needs. This step is just to make sure you don’t unknowingly breach your industry’s regulations. Such a breach could result in hefty fines, loss of customer trust, and reputation damage.
You’ll also need to identify other essential data assets to protect, such as intellectual property, growth strategy, financial reports and information, and strategic planning information. Think about the consequences if a specific piece of information were to be leaked. This should help you figure out where to focus your data security.
Step 3: Develop a Data Loss Protection Policy
Your data loss prevention policy sets the framework for how your organization handles sensitive data. This policy also helps create a repeatable process for securing sensitive data. Some of the features of a successful policy include:
- How data is classified
- Critical data to protect
- Clearly defined roles for employees involved in data loss prevention
- Criteria for vetting data loss prevention solutions vendors
- Data loss prevention success metrics
- Behaviors that put sensitive data at risk
Keep your policy simple at the start. Start with the most critical data you want to secure and create your policy around it. You can slowly start to build on your policy when you begin to see success.
Step 4: Choose a Data Loss Prevention Solution
The key to rolling out your data loss prevention policy lies in DLP solutions. These solutions help to automate the process. There are two main types of DLP solutions. The option you choose depends on the nature of your business and your data security needs.
Integrated DLP Solutions: These solutions are generally designed for purposes other than data loss prevention but are adapted to add some DLP functionality. Though not always, integrated DLP solutions tend to focus on a single data security area such as device control software, email security solutions, and secure web gateways.
Enterprise DLP Solutions: Enterprise DLP solutions take a more comprehensive approach to data security. These products cover a wide range of network protocols, including email, HTTP, HTTPS, and FTP traffic. Enterprise DLP is often complex and expensive but offers very effective DLP capabilities. These systems also often replace other management interfaces by providing a unified management console.
While Enterprise DLP solutions are comprehensive and attractive, they aren’t always the obvious choice. For example, many organizations already use multiple security technologies, including firewalls, antivirus software, identity management, secure web, and email gateways, and IT asset management.
Integrated DLP solutions easily integrate with existing technologies. This helps you make the most use of the existing technologies and save costs on more expensive Enterprise solutions.
Important features to consider when choosing your DLP solution include:
- Content analysis helps you to analyze data to find sensitive information.
- Data in its life cycle where the solution can handle data in its various states, including in motion, at rest, and in use.
- Policy management to create and enforce data security policies.
- Admin management offering a central interface where administrators can manage the entire solution.
- Real-time analytics that sends out notifications and analytics for sensitive data in real-time.
Step 5: Automate Your Data Protection Policy
If you picked the right product in the previous step, you can now start rolling out your data protection policy. The best part about DLP technology is it allows you to automate the data loss protection process.
This process involves setting up rules for what employees can’t do with sensitive data. These rules tell your DLP solution what to do when it encounters a violation. The software may revoke sharing, send notifications and alerts, quarantine information, un-sanction an application, or temporarily suspend a user account.
Depending on your industry, you can start with relatively loose restrictions and tighten the restrictions incrementally. You may want to take the opposite approach in a strictly regulated industry such as healthcare. In this case, start with rigid rules and slowly open up access if needed.
Finally, train your team on your data loss prevention policy. It is often said that your data security is only as good as your weakest link. Employees that understand their obligations complement your DLP solution.