Traditional defenses are no match for targeted attacks that bypass security controls and steal sensitive data. As IT environments continue to change, organizations need to be more strategic to combat modern threats. They must shift their focus from attempting to secure everything to protecting what matters most: the data itself, no matter where it is stored, used or transmitted.
Data loss prevention (DLP) is a critical part of comprehensive data-centric security. The technology is designed to perform both content inspection and contextual analysis in order to prevent the loss of data. It is often thought of as a way to keep users from uploading sensitive information into email, cloud storage services and unauthorized file transfer platforms.
DLP requires careful planning, including the development of clear and achievable goals and the establishment of proper expectations among executives and business unit leaders. While there are numerous considerations when preparing for a DLP deployment, it is important not to overlook the following eleven factors:
1. Deployment strategy
Organizations are often eager to implement DLP in an effort to better protect intellectual property, enhance compliance efforts, and address the risks associated with cloud, mobility and the Internet of Things (IoT). Without a well-planned deployment strategy, they tend to go all-in and attempt to deploy all facets of a DLP solution — network, discovery, endpoint and cloud — simultaneously.
This hurried approach introduces an overwhelming number of alerts and false positives. Excessive alerts are usually the biggest complaint associated with DLP; they translate into lost hours spent on investigation and money wasted on inaccurate intelligence. Alleviating this issue, and the success of DLP as a whole, depend on a carefully planned deployment. Two strategies can help to ensure success.
- One strategy involves a phased approach that considers which DLP technologies should be deployed first and which organizational business units they should be rolled out to over a period of time.
- The second approach involves using a DLP managed service provider to accelerate the deployment and manage policies more easily. The right provider can help you reduce complexity and up-front costs, meet service level agreements (SLAs), and offer the proper controls to secure the sensitive data they will have access to.
2. Encrypted traffic
The amount of network traffic that is encrypted — according to various studies — ranges between 30 and 80 percent. Even if we assume the low end of that range is accurate, it indicates that nearly one third of an average network is currently encrypted. It is hard for an organization to determine whether a data breach is occurring if it cannot see all of its traffic. Factoring in methods for forwarding encrypted traffic via proxies, application delivery controllers, or dedicated SSL decryption solutions to your DLP appliances for analysis is therefore critical.
3. Alignment with business units
Identifying which content to focus on is key. Standard policies looking for personally identifiable information (PII), protected health information (PHI), credit card numbers and social security numbers are easy to establish. The difficulty lies in defining custom policies that look for internal documents containing sensitive information. Many completed DLP deployments are operated by IT staff alone.
- Collaborating with the organization’s business units enables IT to understand which data is considered sensitive.
- This allows the responsibility for protecting sensitive data to be more easily placed where it belongs — with the data owners, not with IT.
4. Endpoint standardization
Endpoint DLP is generally considered to be the most effective method for preventing data loss, since it can monitor activity that extends beyond Web and email. However, it is also the most frustrating to work with; it can be difficult to fully deploy and tune, and it generates the greatest number of alerts.
- One key reason for this is that many organizations have not standardized their endpoint deployments. They often use various laptop models and do not define and use standard images. This makes it difficult to test DLP for effectiveness and potential conflicts, and to ensure the effective monitoring of hardware, such as removable media.
- It also makes it difficult to devise the specific strategies and policies that individual business units need in order to minimize the impact DLP may have on their day-to-day operations. The growing adoption of Windows 10 provides a great opportunity for enterprises to standardize their endpoint deployments.
5. Cloud and mobile issues
A DLP agent for mobile devices is currently infeasible for several reasons, including a lack of the required CPU and memory resources. Typically, providing DLP on mobile devices requires a backhaul VPN connection to the corporate network, where DLP can monitor activity. However, the growing use of cloud services makes mobile device activity more difficult to monitor, as connections often bypass the VPN and go directly to the cloud service. This is also a concern for laptop users working remotely.
- Monitoring cloud usage for potential data loss requires proper planning and expectations. DLP vendors are slowly introducing tighter API integrations with cloud services such as AWS, Box, Office 365, Google Drive, Salesforce and others.
- They are also integrating with Cloud Access Security Brokers (CASBs) to provide visibility to additional SaaS vendors. But cloud service vendor support and integration levels vary by DLP vendor. Establishing an understanding of which cloud services are being used — both authorized and unauthorized — is key. With this information, organizations can work with DLP vendors to determine what they can realistically support now and in the near future.
- Compensating controls should be leveraged to help monitor and secure sensitive data stored with cloud service providers that are not currently supported by DLP vendors.
6. Integrations with security controls
DLP is most effective as part of an overall data-centric security program and integrates well with other security solutions to enhance its capabilities. Complementary controls include the following:
7. Prioritize and Classify Data
Classifying data means applying tags that enable organizations to monitor and track data use with DLP tools. It’s advisable to use simple and explanatory category tags, such as “regulated data,” “credit card numbers,” or “intellectual property.” The full list of categories will vary across businesses, but categorization is a crucial starting point that sets the tone for the rest of the DLP implementation.
Prioritizing data means identifying and ordering data types based on the severity of impact a loss or leak incident would have. A manufacturer might have design files as a top priority to protect but there will be other types of sensitive data too. DLP implementation should begin with the most sensitive data.
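The content-inspection and classification-tag policies described in sections 3 and 7 can be illustrated with a small scanner. This is an added example, not code from the original article or from any DLP product; the document contents, the "Classification:" header convention and the severity mapping are constructed assumptions. It shows why a "standard" policy is cheap to write but noisy on its own (a 16-digit string is not a card number until it passes the Luhn checksum, and an SSN-shaped string is not an SSN if its area or group number is never issued), and how a custom policy can key off a tag that a business unit applies to its own documents rather than on IT guessing at content.

```python
import re
from dataclasses import dataclass

# Constructed sample documents (not real data): one holding a Luhn-valid test
# card number and an SSN-shaped value, one tagged by its business unit as
# intellectual property, and one with a number that merely looks like a card.
SAMPLE_DOCS = {
    "expense_report.txt": "Reimburse card 4111 1111 1111 1111 for travel. Employee SSN 219-09-9999.",
    "turbine_blade_v3.txt": "Classification: intellectual property\nBlade pitch tolerance at root: 0.15 mm",
    "newsletter.txt": "Order tracking 4111 1111 1111 1112, 16 digits but not a valid card.",
}


@dataclass
class Finding:
    document: str
    policy: str
    severity: str
    evidence: str


# Standard patterns: quick to establish, noisy without validation.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Custom policy (assumed convention): business units tag internal documents
# with a "Classification:" header using the category names from the article.
TAG_RE = re.compile(r"^Classification:\s*(.+)$", re.IGNORECASE | re.MULTILINE)
TAG_SEVERITY = {
    "intellectual property": "high",
    "regulated data": "high",
    "credit card numbers": "high",
}


def luhn_valid(number: str) -> bool:
    """True if the digits in `number` pass the Luhn checksum used by payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def inspect(name: str, text: str) -> list[Finding]:
    """Run the standard and custom policies over one document."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            findings.append(Finding(name, "credit card numbers", "high", m.group()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(name, "regulated data", "high", m.group()))
    for m in TAG_RE.finditer(text):
        tag = m.group(1).strip().lower()
        if tag in TAG_SEVERITY:
            findings.append(Finding(name, tag, TAG_SEVERITY[tag], m.group()))
    return findings


def scan(docs: dict[str, str]) -> list[Finding]:
    """Inspect every document and return all findings in document order."""
    return [f for name, text in docs.items() for f in inspect(name, text)]


if __name__ == "__main__":
    for f in scan(SAMPLE_DOCS):
        print(f"{f.document}: [{f.severity}] {f.policy} <- {f.evidence}")
```

The newsletter produces no alert even though it contains a 16-digit string, which is the kind of validation step that keeps the alert volume discussed in section 1 manageable; the turbine document is caught only because its owners tagged it, which is the point of section 3.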
8. Define Roles and Responsibilities
For data loss prevention to work, you need to clearly define roles and responsibilities, both for the people responsible for implementing the plan and for the users of sensitive data. The principle of least privilege ensures users get access only to the data that is strictly necessary for doing their jobs.
Many DLP solutions come with pre-configured rules based on regulations such as HIPAA or GDPR; however, the information security team should adapt these to their specific organization and create custom policies. Also define who is responsible for responding to alerts and incidents. This step provides structure and clarity to the DLP implementation.
9. Understand the Three Data States
It’s crucial to understand when your different types of sensitive data are most at risk. The risk profile typically depends on the state the data is in: at rest, in use, or in motion. An effective DLP implementation must apply appropriate techniques to data in each of these states.
- Data at rest resides in databases, file systems, or cloud storage. Applying strong cryptographic algorithms to encrypt data at rest can protect it from loss or breach. You can also use policy-based rules to delete, or alert you about, sensitive data at rest if your storage DLP tool finds it on unauthorized servers or in other storage locations.
- For data in motion, network DLP technology inspects network traffic and files moving across or out of the network and takes policy-based actions to protect sensitive content.
- For data in use on endpoint devices like laptops and workstations, endpoint DLP solutions can track user behavior and block certain actions, such as copying sensitive data to USB drives.
It’s important to note that some DLP tools focus on protecting data in only one of the three states (storage, endpoint or network DLP), while others are all-in-one solutions.
10. Prove DLP Value
At the executive level, stakeholders want concrete proof that an initiative or technology is working for an organization, and DLP is no exception.
- Make sure you can provide key performance indicators (KPIs) and reports that clearly display the value of your DLP implementation, particularly when it comes to software.
- Look out for metrics like the number of data loss or breach incidents since implementing a DLP plan, data loss trends over time by severity, and how accurately your DLP solution detects true data loss incidents.
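The metrics named above can be computed directly from the dispositions analysts record when they close alerts. This is an added example, not code from the original article or from any DLP product; the alert records are constructed. It derives per-policy precision (how accurately the solution detects true incidents), a month-by-month trend of confirmed incidents by severity, and a list of policies whose precision is below a tuning threshold, which ties the KPI back to the false-positive problem raised in section 1.

```python
from collections import Counter, defaultdict

# Constructed alert dispositions (not real data). Each tuple is
# (month, policy, severity, disposition) as recorded after investigation.
ALERTS = [
    ("2024-01", "credit card numbers", "high", "true_positive"),
    ("2024-01", "credit card numbers", "high", "false_positive"),
    ("2024-01", "credit card numbers", "high", "false_positive"),
    ("2024-01", "intellectual property", "high", "true_positive"),
    ("2024-02", "credit card numbers", "high", "true_positive"),
    ("2024-02", "credit card numbers", "high", "false_positive"),
    ("2024-02", "regulated data", "medium", "false_positive"),
    ("2024-02", "intellectual property", "high", "true_positive"),
    ("2024-03", "credit card numbers", "high", "true_positive"),
    ("2024-03", "credit card numbers", "high", "false_positive"),
    ("2024-03", "regulated data", "medium", "true_positive"),
]


def precision_by_policy(alerts):
    """Share of alerts per policy that investigation confirmed as real incidents."""
    confirmed, total = Counter(), Counter()
    for _, policy, _, disposition in alerts:
        total[policy] += 1
        if disposition == "true_positive":
            confirmed[policy] += 1
    return {p: round(confirmed[p] / total[p], 2) for p in total}


def confirmed_incidents_by_month(alerts):
    """Confirmed incidents per month broken down by severity, for trend reporting."""
    trend = defaultdict(Counter)
    for month, _, severity, disposition in alerts:
        if disposition == "true_positive":
            trend[month][severity] += 1
    return {m: dict(trend[m]) for m in sorted(trend)}


def noisiest_policies(alerts, threshold=0.5):
    """Policies whose precision falls below `threshold` are candidates for tuning."""
    return sorted(p for p, prec in precision_by_policy(alerts).items() if prec < threshold)


if __name__ == "__main__":
    print("precision:", precision_by_policy(ALERTS))
    print("trend:", confirmed_incidents_by_month(ALERTS))
    print("tune:", noisiest_policies(ALERTS))
```

A policy with low precision is the one to revisit with its business unit first, since every alert it raises costs investigation time whether or not it reflects a real incident.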
11. Establish policies upfront
Engage IT and business staff in the early stages of policy development. This stage of the process should include identifying:
- Data categories that have been singled out
- Steps that need to be implemented to combat malpractice
- Future growth of the DLP strategy
- Steps that need to be taken if there is an abnormal occurrence
Before the DLP strategy is put into practice, it is essential to establish incident management processes and ensure they are practical for every data category.
Successful DLP is not just the use of high-tech tools and strategies — it is a movement that sees data protection as a central tenet of a modern digital organization’s culture.