Data leak prevention (DLP) describes a group of policies and controls that automate the detection and protection of sensitive and classified data. DLP systems not only prevent sensitive data from leaving an organization’s network perimeter; they can also be used to deny entry to unwanted data arriving from outside the organization’s network.
Monitoring large flows of information through an organization’s network is no easy task. However, risk and compliance officers, who are often in charge of this task, must take care not to be so rigid that legitimate content and data required by authorized users are denied. There are cases of emails being denied entry into an organization’s network because of misclassification (false positives) by DLP systems, resulting in the loss of bids and contracts.
DLP systems have policies that implement two significant functions: identification and protection. Let’s look at both.
DLP System Identification
The identification function of a DLP system uses policies to determine the classification of an organization’s data. Organizational data may be classified as restricted, private or public. Data within an organization’s network exists in three states, and each is a point at which identification takes place:
Data in use – data being processed by a computer program or a device.
Data in transit – data leaving or entering an organization’s network boundary.
Data at rest – data stored on file shares (share points), in the cloud or on storage devices.
The scope of DLP identification includes fingerprinting, a technique in which a sample file is uploaded into the DLP system. Once the sample is registered, any data with a similar file type, name or content is matched, and the configured action is taken on it.
DLP System Protection
As soon as the DLP system signals that classified data has been detected according to the set policies, the protection component acts on it, again according to those policies. The most common actions are blocking, encryption and quarantine.
When data is copied from an endpoint, the protection component of a DLP system may apply one of two actions: blocking or encryption. Blocking refers to completely denying a USB device detected on the endpoint; the system will not allow data to be copied to that device. Encryption refers to protecting the data being copied so that only authorized users can decrypt it; the data is encrypted automatically before the copy completes. The encryption policy also renders hard disks removed from endpoints useless without the decryption keys.
DLP systems may also be configured to block access to websites with weak or untrusted certificates, to prevent sensitive data from leaking out of an organization’s network.
Quarantine is a configured policy that holds data leaving or entering an organization’s network in isolation until it is reviewed and approved. For example, an email with an attachment containing an executable file or program entering an organization’s domain may be quarantined until it has been reviewed and approved by the responsible officers.
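The identification and protection stages described above, from fingerprinting a sample through to blocking, encryption and quarantine, can be shown end to end in a small policy engine. The following is an added example written for this article, not code from any DLP product; the classification rules, the policy table, the channel names and the sample documents are all constructed assumptions. Fingerprinting is done here by hashing whitespace-normalised content so that a re-saved copy of a registered sample still matches; the encryption action is only decided on, not performed, since the actual cipher would be supplied by the endpoint agent.

```python
"""Minimal DLP policy engine: identification (fingerprint registry plus content
rules) followed by protection (block / encrypt / quarantine / allow).
Added illustration; rules, policy and samples are constructed, not a product's."""
import hashlib
import re
from dataclasses import dataclass, field


def fingerprint(content: bytes) -> str:
    """Exact-match fingerprint: SHA-256 over whitespace-normalised, lower-cased
    content, so a re-saved copy of a registered sample still matches."""
    normalised = b" ".join(content.split()).lower()
    return hashlib.sha256(normalised).hexdigest()


# Content rules (constructed): the highest matching class wins.
CONTENT_RULES = {
    "restricted": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # 9-digit ID in SSN layout
                   re.compile(r"\bRESTRICTED\b")],
    "private":    [re.compile(r"\bCONFIDENTIAL\b"),
                   re.compile(r"\bsalary\b", re.IGNORECASE)],
}


@dataclass
class FingerprintRegistry:
    """Fingerprints of sample files uploaded to the DLP system, keyed to a class."""
    entries: dict = field(default_factory=dict)

    def register(self, sample: bytes, classification: str) -> None:
        self.entries[fingerprint(sample)] = classification


def classify(content: bytes, registry: FingerprintRegistry) -> str:
    """Identification step: return 'restricted', 'private' or 'public'."""
    known = registry.entries.get(fingerprint(content))
    if known:
        return known
    text = content.decode("utf-8", errors="replace")
    for level in ("restricted", "private"):
        if any(rule.search(text) for rule in CONTENT_RULES[level]):
            return level
    return "public"


# Protection policy (constructed): (classification, channel) -> action.
# Any combination not listed is allowed.
POLICY = {
    ("restricted", "usb_copy"):  "block",
    ("private",    "usb_copy"):  "encrypt",
    ("restricted", "email_out"): "block",
    ("private",    "email_out"): "quarantine",
}

EXECUTABLE_SUFFIXES = (".exe", ".bat", ".cmd", ".ps1")


def decide(classification: str, channel: str, attachments=()) -> str:
    """Protection step: choose block / encrypt / quarantine / allow."""
    # Inbound mail carrying an executable is held for review whatever its class.
    if channel == "email_in" and any(
            name.lower().endswith(EXECUTABLE_SUFFIXES) for name in attachments):
        return "quarantine"
    return POLICY.get((classification, channel), "allow")


class Quarantine:
    """Holds items until a responsible officer approves them."""

    def __init__(self):
        self.held = {}

    def hold(self, item_id: str, payload: bytes) -> None:
        self.held[item_id] = {"payload": payload, "approved_by": None}

    def approve(self, item_id: str, reviewer: str) -> None:
        self.held[item_id]["approved_by"] = reviewer

    def release(self, item_id: str):
        """Return the payload only once it has been approved, otherwise None."""
        entry = self.held.get(item_id)
        if entry is None or entry["approved_by"] is None:
            return None
        return entry["payload"]


def process(item_id, content, channel, registry, quarantine, attachments=()):
    """Run identification then protection; returns (classification, action)."""
    classification = classify(content, registry)
    action = decide(classification, channel, attachments)
    if action == "quarantine":
        quarantine.hold(item_id, content)
    return classification, action


if __name__ == "__main__":
    reg = FingerprintRegistry()
    reg.register(b"Project Falcon bid - RESTRICTED pricing schedule", "restricted")
    q = Quarantine()
    print(process("m1", b"project falcon  bid - restricted pricing schedule", "usb_copy", reg, q))
    print(process("m2", b"Q3 salary review", "email_out", reg, q))
    print(process("m3", b"Lunch menu", "email_in", reg, q, attachments=["setup.exe"]))
```

The registry lookup runs before the content rules, so a registered sample is matched even when its text would not trigger any rule; the quarantine only releases an item once a reviewer has been recorded, which mirrors the review-and-approve step the article describes.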
DLP systems are most commonly implemented in three areas: network, endpoint and discovery.
Network DLP Technology
DLP at the network level covers the monitoring of data leaving and entering the network. It inspects data in transit for sensitive or confidential content attempting to leave the corporate network. Network DLP scans all content passing through the ports and protocols of an organization’s network.
Endpoint DLP Technology
Endpoint DLP extends the policies to cover all servers and workstations located within an organization’s network. An endpoint-based solution can monitor the transfer of data to detachable media on a workstation, such as USB drives and CD-ROMs. Endpoint DLP needs careful implementation, because a user can disable its policies from the BIOS setup without ever having to get past a firewall.
Discovery DLP Technology
Discovery DLP technology implements policies that scan stored data for sensitive elements. When such data is found, it prevents the data from being copied or encrypts it before the copy is made. An example of this kind of sensitive data is email storage files: some DLP systems will not allow email storage files to be backed up onto share points or copied onto external storage devices.
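A discovery scan is a walk over data at rest, so it looks different from the network and endpoint cases above. The script below is an added example for this article, not code from any DLP product: it builds a small constructed file tree in a temporary directory, walks it, flags email storage files by extension and any file carrying a sensitivity marker in its content, and then decides for each finding whether it may be copied to external storage. Which extensions count as email stores, which markers count as sensitive, and the copy policy itself are assumptions made for the example.

```python
"""Discovery DLP scan over data at rest. Added illustration; the file tree,
the email-store extensions, the markers and the copy policy are constructed."""
import os
import tempfile
from pathlib import Path
from typing import Optional

EMAIL_STORE_SUFFIXES = {".pst", ".ost", ".mbox"}          # assumed list
SENSITIVITY_MARKERS = (b"CONFIDENTIAL", b"RESTRICTED")    # assumed markers
MAX_SCAN_BYTES = 1 << 20   # read at most 1 MiB per file; markers sit near the top


def scan_file(path: Path) -> Optional[dict]:
    """Return a finding for one file, or None if nothing sensitive was found."""
    reasons = []
    if path.suffix.lower() in EMAIL_STORE_SUFFIXES:
        reasons.append("email-store")
    try:
        with path.open("rb") as fh:
            head = fh.read(MAX_SCAN_BYTES)
    except OSError:
        # A file the scanner cannot read is reported rather than silently skipped.
        return {"path": str(path), "reasons": ["unreadable"]}
    for marker in SENSITIVITY_MARKERS:
        if marker in head:
            reasons.append("marker:" + marker.decode())
    if not reasons:
        return None
    return {"path": str(path), "reasons": reasons}


def discover(root) -> list:
    """Walk `root` and collect findings in a deterministic order."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = scan_file(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: f["path"])
    return findings


def copy_decision(finding: dict) -> str:
    """Copy-to-external-storage policy (assumed): email stores, RESTRICTED
    content and unreadable files never leave; CONFIDENTIAL content may leave
    only after encryption; everything else is allowed."""
    reasons = finding["reasons"]
    if {"email-store", "marker:RESTRICTED", "unreadable"} & set(reasons):
        return "block"
    if "marker:CONFIDENTIAL" in reasons:
        return "encrypt"
    return "allow"


def build_sample_tree(root: Path) -> None:
    """Write a constructed file tree standing in for a share point."""
    (root / "archive").mkdir()
    (root / "archive" / "old-mail.pst").write_bytes(b"!BDN" + b"\x00" * 64)  # fake store
    (root / "reports").mkdir()
    (root / "reports" / "q3-forecast.txt").write_bytes(b"CONFIDENTIAL - Q3 forecast\n")
    (root / "reports" / "board-pack.txt").write_bytes(b"RESTRICTED board pack\n")
    (root / "public").mkdir()
    (root / "public" / "readme.txt").write_bytes(b"Welcome to the share.\n")


def run_demo() -> dict:
    """Scan the constructed tree; return {relative path: copy decision}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {Path(f["path"]).relative_to(root).as_posix(): copy_decision(f)
                for f in discover(root)}


if __name__ == "__main__":
    for path, decision in run_demo().items():
        print(f"{decision:8} {path}")
```

The public readme produces no finding at all, so only files that matter reach the decision step; reading a bounded prefix of each file keeps a scan of a large share from stalling on a single huge archive.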
DLP technology aims to reduce the amount of data lost in breaches. Despite its advantages, it can be very frustrating when the tools or procedures required to decrypt sensitive data are not readily available. Organizations should focus on the DLP features that matter most to them and that integrate easily into their existing systems.