Data loss prevention
Data loss prevention definition
Data loss prevention (DLP) is a set of products, strategies, technologies, and techniques that ensure end users do not transmit critical or sensitive data outside an organization. DLP also refers to data loss prevention software and other data loss prevention tools that assist network administrators in managing the transfer of data by end users.
Whether it is sent through messaging, email, file transfers, or some other way, information can end up in unauthorized locations. Data loss prevention includes solutions that monitor for, detect, and prevent the unauthorized flow of sensitive data to ensure organizations remain compliant with regulations and maintain customer trust.
Data loss prevention strategies protect organizations against both data leakage and data loss. In a data loss event, something like a ransomware attack causes critical data to be lost. Data leakage is more likely to occur as sensitive information moves between an organization’s critical records systems, for example. Data loss prevention focuses on preventing both types of illicit data transfer outside organizational boundaries.
What is data loss prevention?
Data loss prevention is a package of processes and tools designed to see that critical information is not accessed, misused, or lost by unauthorized users. Data loss prevention software, typically informed by regulatory compliance such as the General Data Protection Regulations (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-DSS), classifies data as regulated, confidential, or business critical and then defines policy violations defined by the organization itself and applicable guidance. Should it identify a violation, this kind of DLP data loss prevention software then enforces remediation, typically with protective actions such as encryption and alerts.
Data loss prevention (DLP) tools and software filter data streams on networks, control and monitor endpoint activities, and monitor data in the cloud. In this way, various DLP tools protect data in use, data in motion, and data at rest. Data loss prevention programs also feature reporting, which aids both in identifying anomalies and problems for forensic response and in meeting audit and routine compliance requirements.
There is a wide array of data loss prevention (DLP) solutions available today. This is primarily because of the many ways confidential data may exist. Information lives in many locations, such as databases, flash drives, file servers, mobile devices, PCs, physical servers, point-of-sale devices (POS), and virtual servers. Various network access points for data to move through also exist, including VPNs and wireless, so there are many ways to take on the issues of data leakage and loss.
What should data loss prevention include?
Data loss prevention (DLP) is essential everywhere data resides. Data in use, data in motion, and data at rest are all important focal points for a DLP strategy.
Some data loss prevention technologies secure data in use: data that an endpoint or application is actively processing. These protections typically involve authenticating users and controlling resource access.
Other data loss prevention technology ensures confidential data in transit across a network is not routed via insecure channels or outside the organization. Email security, home to so much commercial communication, is an important part of securing data in transit, as is encryption.
Data at rest is also at risk, and data loss prevention technologies safeguard data in the cloud and other storage mediums. Data loss prevention tools can control authorized users, manage who stores and accesses data, encrypt the disk, and track access to sensitive information.
Components of a comprehensive data loss solution include identifying and securing various kinds of data and detecting issues, allowing you to:
- Identify the sensitive data that needs protection either manually using metadata and rules, or automatically using machine learning techniques or tools.
- Secure endpoints using endpoint-based agents to control data transfer between external parties, users, and groups of users.
- Secure data in use by deploying DLP data loss prevention tools that monitor and warn of unauthorized activities and unintentional violations.
- Secure data in motion with network edge technology that analyzes traffic based on a coordinated security policy and data loss prevention policy to detect sensitive data violations.
- Secure data at rest with encryption, access control, and data retention policies.
- Detect data leaks by monitoring for anomalous or suspicious data transfers.
Three common causes of data leaks are: insider threats, attackers, and negligent/unintentional data exposure.
Insider threats encompass attacks by malicious insiders who abuse their permissions, moving sensitive data outside the organization.
Many cyber attacks target sensitive data and use techniques such as code injection, malware, or phishing to penetrate the security perimeter and gain access. In addition, attackers can target sensitive data via compromised privileged insider accounts.
Negligent or unintentional data exposure can cause data leakage. For example, leaks might occur if employees fail to restrict access according to organizational policies, provide open internet access to data, or lose sensitive information in public.
Organizations typically use data loss prevention policies to:
- Ensure compliance and protect sensitive data about people, such as Personally Identifiable Information (PII) or the broader definition of Personal Data, defined by the GDPR and CCPA
- Protect an organization’s critical intellectual property (IP) on the corporate network
- Achieve data visibility at the enterprise level
- Secure Bring Your Own Device (BYOD) environments
- Secure data and prevent data breaches on remote cloud storage systems
Use cases for data loss prevention
Data loss prevention providers solve several common pain points: ensure compliance and protect personal data, protect intellectual property, and achieve data visibility.
Compliance for personally identifiable information
If your organization gathers and stores protected health information (PHI), personally identifiable information (PII) or other personal data, or payment card information (PCI), you are probably subject to compliance regulations for critical data. For example, HIPAA regulates PHI, and the GDPR covers the personal data of EU residents; both require some level of sensitive customer data protection.
Data loss prevention system software identifies, categorizes, and tags sensitive data so that it can monitor context, such as events and activities around the data. Data loss prevention products also report pursuant to regulatory requirements, making compliance audits easier to manage should they arise.
Protect intellectual property
If your organization relies on mission critical intellectual property, such as trade secrets that might jeopardize the brand and company financial health if lost or stolen, data loss prevention solutions are crucial. Data loss prevention tools classify intellectual property based on context in both structured and unstructured forms. You can protect against unwanted exfiltration of this data with the right controls and policies in place.
Data isn’t useful without insight and the ability to act. If your business needs to achieve greater visibility into data movement, you can see and track your data on networks, at endpoints, and on the cloud using a comprehensive enterprise data loss prevention solution. This offers increased visibility into how individual users and data interact within your organization.
Benefits of data loss prevention
There are many benefits of data loss prevention features:
Well-enforced data loss prevention policies supported by the latest data loss prevention technology enable monitoring data usage and location.
DLP may help prevent theft or accidental disclosure by employees and other authorized users with access to sensitive information. All browsing, corporate communications, and related activities by internal employees should be monitored, and risky or non-productive activities should be blocked.
Enterprise data loss prevention can help prevent loss of credibility, reputation, and revenue, and protect against lawsuits.
Enterprise data loss prevention technologies help offset the added risk of data loss presented by BYOD and locating enterprises and data in the cloud.
Data loss prevention software supports capture of security events as needed to prove employee misconduct or conduct forensic analysis.
Data loss prevention technology encrypts confidential data automatically.
Ways to prevent data loss
- Identify your main data protection goal. Whether you are trying to gain more data visibility, protect your intellectual property, or meet regulatory compliance needs will determine the most appropriate data loss protection deployment architecture.
- Classify your organization’s structured and unstructured data sets so the data loss prevention policy can clarify which data is sensitive.
- Maintain a solid security policy that includes regular audits, and security incident documentation and remediation.
- Clearly define the roles and responsibilities within the organizational data loss prevention program to develop accountability.
- Clearly describe the initial approach and set goals that are measurable. Focus your use cases to ensure your initial rollout plan is not overly complex.
- Keep the data loss prevention policy manageable by either focusing on one specific type of data, or by focusing on identifying and classifying sensitive data automatically to limit egress.
- Carefully document how data loss prevention features perform to ensure their consistent application, to help employees and the system generate better records, and to provide a smoother training process for new team members.
- Define data loss prevention key performance indicators (KPIs) and other measures of success and monitor them closely. This helps to improve the data loss prevention framework over time and demonstrate its business value.
How to implement data loss prevention
Prioritize data so that your data loss prevention implementation strategy starts with the information that is most sensitive or valuable if it is lost or stolen.
Classify the data based on context, such as the user who created the data, where the data is stored, or the source application. This also allows for data tracking through use of persistent classification tags. Content inspection for regular expressions, such as credit card information or keywords, often runs according to protocols for PCI, PII, and other regulatory standards.
Understand which data is at risk, when, by assessing risk at each point of data distribution. As information travels between customers, partners, and user devices along the supply chain, it is typically at greatest risk while in use on endpoints.
Monitor data in motion to comprehend how users deploy data and which behavior places data at risk to determine the scope of the data loss prevention strategy.
Provide guidance and training continuously to reduce the risk of negligent data loss by insiders. In addition to blocking risky activities, advanced data loss prevention products educate employees of risky and potentially violative data use.
Strategies and tools for data loss prevention
Fundamental information security tools can protect against data loss and data leakage to some extent. For example, a firewall can stop unauthorized parties from accessing systems that store sensitive data. Antivirus and anti-malware software and intrusion detection systems (IDS) can also protect systems from attackers.
More mature or advanced security measures for detecting irregular data access may also be appropriate for some organizations, including data integrity controls, honeypots, network traffic analyzers, security machine learning, and user identity checks or activity-based verification.
However, especially for larger businesses, designated data loss prevention solutions may be best to safeguard your data. These tools are specifically designed to prevent attempts to transmit or copy sensitive data to unauthorized locations, whether intentional or not.
Network-based data loss prevention solutions are installed at the perimeter of enterprise networks to protect data in motion. Their analysis engines monitor network traffic including email, instant messaging, SSL traffic, social media interactions, and web 2.0 applications, to detect violations of set information disclosure policies, such as the sending of sensitive data.
Datacenter or storage-based data loss prevention solutions protect data at rest within the company’s data center infrastructure, such as databases, file servers, and collaboration tools like SharePoint. These data loss prevention tools locate confidential data and help users determine whether it’s secure.
End-point based data loss prevention solutions monitor devices such as laptops, Point-of-Sale (POS), smart phones, and tablets for all data transferring actions such as printing, downloading, copying, or transferring to CD/DVD, social media, USB, or webmail. These data loss prevention tools may be configured to actively block specific activities, or configured only for passive monitoring.
Content-aware data loss prevention tools reduce the risk of accidental exposure of sensitive data outside authorized channels. These tools help prevent data leaks by monitoring, blocking, and remediating based on company policies that classify content.
Does Druva offer data loss prevention?
Druva offers data loss prevention (DLP) features to enable IT admins maintain secure control over sensitive data on endpoint devices, and respond to potential data loss events quickly if endpoint devices are lost or stolen. Learn more about Druva’s cloud data loss prevention features from remote wipe to encryption and more here.