- What is DLP?
- How does Data Loss Prevention software work?
- Types of Data Loss Prevention solutions
- Why implement Data Loss Prevention solution? 3 reasons
- 1. Compliance
- 2. Better treatment of the company’s assets
- 3. Data visibility
- How to create a successful DLP policy: a six-stage guide
- 6 Metrics to Evaluate the Effectiveness of DLP Solutions
- 1. Data classification success rate
- 2. Percentage of policy exceptions
- 3. Percentage of false positives
- 4. Percentage of fingerprinted databases
- 5. Alert response time
- 6. State and amount of unmanaged devices
- In conclusion
The constant turnaround of information in the age of big data and cloud computing has led to a significant increase in software vulnerability.
In the past couple of years, the number of data breaches and data loss incidents has increased exponentially. According to Bleeping Computer report, there were over 12 thousand confirmed data breaches in 2018, a staggering 424% increase from 2017.
Most of the breaches involved exposure of user's personal data and disclosure of business-related documents.
Data breaches and data loss are natural things when you have many people working with information in numerous data analytics, data mining, machine learning operations, accounting, customer support, etc. The tool that avoids this from happening is data loss prevention software.
In this article, we will explain what Data Loss Prevention Software is, and talk about the best practices of its implementation.
Data Loss Prevention (aka DLP) is a set of policies and software applications. Its goal is to monitor the information in the system and prevent the possibility of losing or breaching data for various reasons.
Image source: ShiftLeft Blog
There are three types of data that require special handling:
- Intellectual Property - source code, design documents, process documentation;
- Corporate Data - legal and financial documents, strategic planning documents, employee information
- Customer Data - personal data like name, address, phone number, location, preferences, social security numbers, credit cards, medical records, financial statements, and so on.
Read also: Importance of Data Security & Privacy
Overall, the main focus of data loss prevention software is:
- Keeping data safe in use, in motion and at rest
- Monitoring endpoint data movement
- Vulnerability prevention, i.e., the disclosure of sensitive information (either intentionally or by accident)
Besides, DLP software helps to identify the source of the insider’s leak in the event of the data breach.
- Providing security measures and fixing weak points in the data processing pipeline - i.e., providing encryption for sensitive data and performing routine backups.
A DLP solution is all about identifying the sensitive data, managing its access, and taking measures in keeping it safe.
It revolves around monitoring and analysis tools that:
- determine whether a particular data operation is legitimate or threatening to the company’s assets;
- take proper measures to keep data secure.
Data Loss Prevention operation revolves around two concepts:
- Content awareness - the information and its role in business operation;
- Contextual analysis - i.e., the medium of the content and its internal presentation coupled with the intentions of using data;
Action-wise, data loss prevention practices revolve around the following methodologies:
- Encryption - used for basic safeguarding of sensitive data in storage and transit;
- Cryptographic hashing - used for anonymization of personally identifiable data;
- Data fingerprinting to identify and track data in the system (usually for reading, hashing, and storing activities);
- Routine backups of information - used to keep versions of sensitive data intact, especially in cases of unauthorized or accidental changes, movement, or erasure.
DLP software's modus operandi is broken down into four key components:
- Above every type of data-related operation stands the system’s policy. It defines what kind of data is sensitive and what users can do with it. Most importantly, the policy describes the course of action regarding data loss protection (for example, encrypting sensitive data or sending a notification to admin).
- Management component is an interface for the system’s policy. It is an initial set of regulations to keep things in check. It includes monitoring:
- what data is currently used and its state of access;
- who is using which information;
- where the data is going in the process.
- Identification component uses the system’s policy to find sensitive data and assess its state in the system. It is also used to identify the user and his level of access.
- Protection component is the one that takes action. It is a set of DLP tools designed to safeguard the sensitive information from unauthorized access and prevents its loss via the creation of backups. Usually, it is either reporting on something or providing different levels of access and encryption to the sensitive data.
There are three major types of Data Loss Prevention software. It is important to note that these DLP tools are used interchangeably for various purposes.
Image source: phoenixNAP
- Network DLP - the type of DLP solution where the solution integrates with all of the data points of the Network. This type of DLP is commonly used in corporate networks as a precautionary measure, due to the high volume of various data operations.
- Network DLP monitors the state of data in the Network and keeps an extensive log on its movement and transformations. In a way, it is a kind of fail-safe option that avoids both routine chances of data loss and diligent malice.
- Storage DLP - this type of DLP software is for data lakes on cloud storages. Its primary focus is on keeping the confidentiality and safety of data in the data warehouse.
- The process includes monitoring of the sensitive data in the storage and managing its access configuration accordingly. In a way, it is a kind of surveillance service with alarm.
- Endpoint DLP - this type of DLP solution is designed to monitor data sharing from point to point i.e., device, storage, or account. For example, you are sharing a market research report with a business analyst. This action is documented in the system's log.
- For example, if you share this document with somebody outside the system, it is automatically blocked, and you need to enable its access outside manually.
- In addition to sharing, endpoint DLP also keeps an eye on clipboards and even physical devices. While physical storage is not as popular now - it is still used here and there. However, physical devices can break, and this may lead to a data loss.
- Endpoint DLP is similar to Network DLP. It monitors where the data goes and what happens to it, but unlike Network DLP, it is workstation-based. Thus, it handles only one source of data operations.
The vulnerability of data on cloud storage is a fact of life, and you have to deal with it. Many unfortunate things can happen to it without proper DLP security. For example:
- Unauthorized access data breach;
- Data Loss - i.e., irreversible change, movement or erasure of sensitive information;
- Storage misconfiguration - exposure of the confidential data on the outside.
(Just in case, we have an entire article dedicated to that).
There are three main reasons why the implementation of DLP software is critical for moving forward and expanding the business operation.
Different government standards and regulations broadly cover the requirements for safety and confidentiality of sensitive data regarding users and business processes (to name a few - GDPR, HIPAA, SOX, PCI DSS).
In one way or another, they regulate the treatment of personally identifiable and other types of sensitive data.
Implementation of a data loss prevention policy is one of the critical steps for compliance. In addition, the regulations map out the extent of control you have over data and give direction for more efficient data management.
Disclosure or loss of confidential data leads to lawsuits, reputation and credibility damages and, ultimately, loss of revenue.
A company’s assets what keep the engine rolling. Such valuable data requires strict monitoring of who is using and why. A data loss prevention policy covers the treatment of information such as:
- trade secrets;
- strategic proprietary information;
- customer lists and personally identifiable data;
- business strategies.
The loss or breach of this data can cause a lot of problems for the company. Just ask Facebook.
DLP security policy clearly states types of access for sensitive data and describes courses of action, in any case.
The foundation of an effective data loss prevention policy is in understanding what kind of sensitive data is in the system, its location, and who is using it for what purposes.
This process involves constant asset audit, which gives a better grasp of your data.
1. Identify which data requires protection;
- Evaluate possible risk factors (for example, the risk of a breach through email communication or exploits in the API framework);
- Assess the vulnerability of different assets (for example, customer lists, legal documents, marketing analytics, and so on).
- Select a priority scale for the protection of different types of data - which types represent what risk to the business operation. For example:
- The app user database is an operational asset always in use, and it requires encryption both in transit and storage.
- Competitor’s research data requires specified access and storage encryption.
2. The documentation of the DLP policy should be as thorough as possible. Everything needs to be written down to keep everybody on the same page. Being thorough provides full clarity of the proceedings and enables full compliance with standards.
- Enforce a Data Loss Prevention policy at the organizational level.
- Keep stakeholders and users aware of DLP policy and its importance.
3. Optimize data management and identify what type of data is unnecessary for business operation. If this type of data is not needed, then it should be removed, and thus, the breach or loss is impossible.
4. Establish transparent metrics (more on that later). Things which can measure the effectiveness of a DLP security policy:
- Percentage of false positives during monitoring;
- The number of security incidents;
- Response time to an emergency.
5. Describe the scope of access of each type of user in the system (heads of departments get more access than junior specialists).
6. Automate the procedure with specialized software. The more workflow is automated, the easier it is to control.
- DLP tools like McAfee DLP use machine learning anomaly detection and behavioral analytics to maintain the precision of DLP management.
- Each user group has its own set of behavioral patterns. This layout allows to quickly identify the intent of the particular data operation and neutralize suspicious activity without sustaining any damage.
Image source: netskope
Data Loss Prevention is a complex operation with many moving parts. Once implemented, it needs constant optimization and enhancement in order to serve its purpose well.
The best way of keeping a DLP solution in shape is to implement tangible metrics of its effectiveness.
Let’s look at them more closely.
The first step in implementing a Data Loss Prevention solution is data classification. This process identifies and differentiates types of sensitive information and describes its context. It is the backbone of every DLP tool.
Data classification is often performed in a semi-automated mode when the basic groundwork is done by the algorithm and then validated by the operator. The percentage of erroneous classifications can show how much of the sensitive information is left behind by the monitoring tool.
A System Data Loss Prevention policy contains a list of the do's and don'ts regarding the use of data throughout the company. It also includes certain types of exceptions from the rules. It can create one-off permission for a specific employee (for example, marketing getting access to project documentation to prepare a case study) or providing wider access to a third party via API (like Facebook for vendors or advertisers).
Monitoring of the number of exceptions gives you an understanding of how much of the DLP security policy is really used. It is a good way of optimizing the weak points.
Each monitoring system gets its own share of false positives and false negatives. The root of this issue is in the Data Loss Prevention monitoring routines. Some things are less defined or unmentioned, and this causes all sorts of false alarms.
The percentage of such events compared with the number of real alerts is a good measure for the effectiveness of the DLP tool. Helps to identify real data issues.
Digital fingerprinting is a method of data leakage prevention used to keep an eye on who is using what kind of data for what purpose.
As a metric, it is a good way of understanding the integrity of information and classifying the scope of access.
This helps in identifying tampering and tracing the possible source of a leak.
This metric takes into consideration how much time it takes to fix an issue from its emergence to its solution.
It helps to optimize the workflow and figure out the most effective routines of responding to alerts.
The risk of unmanaged devices is in the lack of control over them. They create uncertainty because you can’t enforce data loss protection policies.
Such devices are data endpoints (employee workstations or smartphones), cloud storages, and removable storages (USB sticks et al.) - basically any departure point for information.
The goal of this metric is to monitor the number, type, and storage size of devices outside the company’s system infrastructure.
Just like the DLP security policy exceptions, this figure must be kept at a minimum in order to avoid incidents of the breach.
In this day and age, the implementation of a Data Loss Prevention solution is a necessary step in keeping your company’s data safe and under complete control.
With the dangers of data loss and breaches growing, a fine-tuned DLP security policy is one of the foolproof mechanisms that help you to avoid sustaining financial and reputational damages from intentional malicious threats, system malfunctions, and unintentional human errors.
Do you want to protect your data?