What is data loss prevention?
Whether it is sent through messaging, email, file transfers, or some other way, information can end up in unauthorized locations. Data loss prevention (DLP) includes solutions that monitor for, detect, and prevent the unauthorized flow of sensitive data to ensure organizations remain compliant with regulations and maintain customer trust. DLP ensures users do not transmit critical or sensitive data outside an organization, and may also refer to software and other tools to assist administrators in managing the transfer of data.
Data loss prevention strategies protect organizations against both data leakage and data loss. In a typical loss event, a ransomware attack, accidental deletion, or similar scenario causes critical data to be lost. DLP focuses on preventing both types of illicit data transfer outside organizational boundaries. Tools and software filter data on networks, control and monitor endpoint activities, and monitor data in the cloud. In this way, data in use, motion, and at rest can remain safe and protected.
There are a wide variety of solutions available today. This is necessary due to the many ways confidential data may exist. As information lives in many locations — databases, file servers, mobile devices, PCs, and more — the various network access points for data to move through exacerbate the issues of data leakage and loss.
Evaluating an ideal DLP solution
Some technologies secure data in use, or that which is actively being processed. These protections typically involve authenticating users and controlling resource access. Other data loss prevention technology ensures confidential data in transit across a network is not routed via insecure channels or outside the organization. Email security, home to so much commercial communication, is an important part of securing data in transit, as is encryption. Data at rest is also at risk, and common approaches safeguard data in the cloud or via another storage medium.
DLP tools can control authorized users, manage who stores and accesses data, encrypt the disk, and track access to sensitive information. An ideal DLP solution should allow your organization to:
- Identify sensitive data needing protection either manually using metadata and rules, or automatically using machine learning techniques or tools.
- Secure endpoints to control data transfer internally and externally.
- Secure data in use — monitoring and warning of unauthorized activities and unintentional violations.
- Secure data in motion by analyzing traffic and automatically detecting potential violations.
- Secure data at rest with encryption, access control, and strong retention policies.
- Monitor for anomalous or suspicious data transfers.
Accounting for common types of data loss
The most common causes of data leaks are: insider threats, attackers, and negligent/unintentional data exposure.
- Insider threats — Attacks by malicious insiders who abuse their permissions, moving sensitive data outside the organization.
- Cyber attacks — Using techniques such as code injection, malware, or phishing to penetrate enterprise security; attackers may often target sensitive data via compromised privileged insider accounts.
- Negligent or unintentional data exposure — Leaks resulting from employee failure to restrict access, providing open internet access to data, or distributing sensitive information to the public.
DLP use cases
Organizations typically use data loss prevention policies to:
- Protect sensitive data about people, such as Personally Identifiable Information (PII), and maintain compliance with regulations such as GDPR or CCPA.
- Protect critical intellectual property (IP).
- Achieve data visibility at the enterprise level.
- Secure Bring Your Own Device (BYOD) environments.
- Secure data and prevent data breaches on remote cloud storage systems.
Key tips for implementing effective DLP
Prioritize data so that your DLP implementation strategy starts with the information that is most sensitive or valuable if lost or stolen. Classify data based on context, such as the user who created the data, where the data is stored, or the source application. This allows for tracking through classification tags. Content inspection for regular expressions, such as credit card information or keywords, often runs according to protocols for PCI, PII, and other regulatory standards.
Understand which data is at risk and when by assessing risk at each point of data distribution. As information travels between customers, partners, and user devices along the supply chain, it is typically at greatest risk while in use on endpoints. Monitor data in motion for a look at how users deploy data and which behavior places data at risk to determine the scope of the data loss prevention strategy.
Provide guidance and training continuously to reduce the risk of negligent data loss by insiders. In addition to blocking risky activities, advanced data loss prevention products educate employees of risky and potentially violative data use.
Strategies and tools
Fundamental information security tools can protect against data loss and data leakage to some extent. However, especially for larger businesses, designated solutions may be best to safeguard your data. These tools are specifically designed to prevent attempts to transmit or copy sensitive data to unauthorized locations, whether intentional or not.
- Network-based solutions are installed at the perimeter of enterprise networks to protect data in motion. Their analysis engines monitor network traffic including email, IM, SSL traffic, social media interactions, and web 2.0 applications, to detect violations of set information disclosure policies, such as the sending of sensitive data.
- Data center or storage-based solutions protect data at rest within the company’s data center infrastructure, such as databases, file servers, and collaboration tools like SharePoint. These data loss prevention tools locate confidential data and help users determine whether it’s secure.
- Endpoint-based solutions monitor devices such as laptops, Point-of-Sale (POS), smart phones, and tablets for all data transferring actions such as printing, downloading, copying, or transferring to CD/DVD, social media, USB, or webmail. These data loss prevention tools may be configured to actively block specific activities, or configured only for passive monitoring.
- Content-aware tools reduce the risk of accidental exposure of sensitive data outside authorized channels. These tools help prevent data leaks by monitoring, blocking, and remediating based on company policies that classify content.
Explore your DLP options with Druva
Druva offers DLP features that enable IT admins to maintain secure control over sensitive data on endpoint devices, and respond to potential data loss events quickly if devices are lost or stolen. The Druva team has implemented many of such features, from remote wipe to encryption and more, into its impressive and award-winning cyber resilience portfolio.
Visit the cyber resilience page of the Druva website to learn more about how we provide a comprehensive approach to keeping your data resilient and compliant — combining air-gapped architecture, sensitive data governance, eDiscovery, and ransomware defense and recovery.