Beyond DLP: Embracing a Multi-Layered Strategy for Personal Data Security
Data, especially personal data, drives the digital world. It is essential for everything from financial transactions and property registration to job applications and accessing government services. This data is also used when we enter government buildings, check into hotels or travel by planes, trains, buses and cruise ships.
While digital systems continuously gather and use personal data to enhance user experience, there is a significant issue. The alarming frequency of data breaches indicates that the methods used to collect, store, process and use personal data often lack adequate security measures.
Why do more security tools and enhanced protection measures not always result in fewer and less severe data breaches? Can we tackle the issue of data leaks just through technical solutions?
The Role and Limits of DLP
Solutions like data loss prevention (DLP), which are specifically designed to prevent data leaks, play an important role—but they are not the only necessary component in a robust data protection strategy.
Putting all your trust in just one method to control data movement can be as risky as a soccer team relying solely on a skilled goalkeeper: no matter how good the goalkeeper is, eventually he might slip up. A more effective approach is a team effort, where the goalkeeper and defenders work together. By stopping the opposing team from getting close to the goal, the defenders reduce the pressure on the goalkeeper. When the defenders perform well, the goalkeeper faces less strain, but if they falter, the goalkeeper bears an overwhelming burden, often leading to defeat.
In information security, the role of defenders is taken up by various solutions that block attackers from accessing data in applications or databases, downloading it, packaging it into files and transferring it to a computer with access to information transmission channels. Sometimes, these systems enhance the capabilities of DLP solutions, but they are frequently set up independently, collectively creating a comprehensive data protection ecosystem.
When protecting personal data, DLP systems’ most powerful analytical tools – content analysis and digital fingerprints – are often ineffective. This is because database downloads usually contain structured data, such as names, dates and numbers. In such cases, content analysis struggles in vain to find anything substantial, and digital fingerprints from large databases become outdated faster than they can be updated. Consequently, these methods tend to produce many false positives. As a result, most DLP customers employ these tools for monitoring rather than actively blocking data movement, which helps identify and investigate leaks but does not prevent them.
A Comprehensive Security Approach
DLP systems identify personal data by analyzing its structure, as each type typically follows a specific format. Take, for example, various personal identifiers like social security numbers, tax IDs, passport numbers, diplomas, driver’s licenses or credit cards. These are not just random strings of characters. They are composed of a specific number of letters and digits that convey important details like the place of issuance, registration region, type of payment system or bank name.
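The following is an added example, not code from the article or from any DLP product. It contrasts a format-only rule for payment card numbers with the same rule plus a checksum, run over a constructed database export. The Luhn checksum is not mentioned in the article, and the function names and sample rows are assumptions made for illustration.

```python
import re

# Format-only rule: 16 digits, optionally grouped in fours by spaces or hyphens.
CARD_FORMAT = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the alert itself does not copy the identifier."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_export(rows):
    """Return (row_no, masked_value, verdict) for every format match in the rows."""
    findings = []
    for row_no, row in enumerate(rows, start=1):
        for match in CARD_FORMAT.finditer(row):
            digits = re.sub(r"\D", "", match.group())
            verdict = "likely_card" if luhn_valid(digits) else "format_only"
            findings.append((row_no, mask(digits), verdict))
    return findings

# Constructed sample export: two public test card numbers, two look-alike IDs.
SAMPLE_EXPORT = [
    "1001,Alice Example,4111 1111 1111 1111,2024-03-01",
    "1002,Bob Example,order 2024030112345679,2024-03-01",
    "1003,Carol Example,5500-0000-0000-0004,2024-03-02",
    "1004,Dan Example,tracking 1234567812345678,2024-03-02",
]

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

About one in ten random 16-digit strings passes the Luhn check, so checksum validation reduces false positives on structured exports rather than eliminating them.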
However, relying solely on DLP tools for data protection has limits. A comprehensive understanding of the entire business process is essential to deciding whether to permit data to leave the corporate information system. Taking that context into account makes for a more rounded and effective data protection strategy.
For example, consider a situation where a bank’s data loss prevention system detects a letter detailing account transactions, which falls under bank secrecy. If this letter responds to a client’s request, matches the client’s address on file, and contains their personal information, then it is a valid operation. If these conditions are not met, it is considered unauthorized. The challenge arises because the DLP system does not have access to the bank’s CRM, client correspondence, or other internal systems, so it cannot make a fully informed decision and its assessment may be incomplete. The most likely action in such cases is to let the letter through but mark it for monitoring because it carries sensitive bank information. As a result, corporate data may still leave the information system.
DLP systems do offer numerous valuable functions, such as identifying and classifying sensitive data across networks and devices, tracking data movement and usage in real time, detecting user actions and screen photos through AI-enhanced video cameras, and evaluating data context for more precise classification and control. However, effectively combating data leaks also requires a range of additional tools beyond DLP’s capabilities. This comprehensive security approach includes the following:
• IdM (Identity Management) – controlling access to company resources that hold and process data.
• PAM (Privileged Access Management) – managing access to privileged accounts.
• DBF (Database Firewall) – overseeing queries to databases and the handling of data within database management systems and applications.
• Masking – responding to data requests not with complete information but with deliberately altered or masked data.
• DCAP (Data-Centric Audit and Protection) – examining the contents of files, their access rights and related operations.
When a comprehensive data protection ecosystem is in place, attackers face numerous hurdles before successfully transferring data outside the information system. They would need to access the data either through applications or directly from the database management system, download it, save it to a file and then transfer this file to a computer equipped with communication channels, such as an email account capable of sending messages to external addresses.
The attack can be thwarted at any point in this process: Access to data can be denied or restricted, uploads can be blocked or limited, masked data instead of actual data can be uploaded, or the movement of files can be prohibited.
This layered defense strategy effectively disrupts and impedes potential data breaches at multiple stages.
This multi-layered approach to personal data protection is equally effective against both internal attackers and external hackers who have infiltrated the network. This uniformity is crucial, as it eliminates the need for separate layers of defense against internal and external threats. Statistics indicate that many data leaks are caused by insiders, whether intentionally or through negligence.
Human Factors and Process Optimization
Fighting data breaches is not just about technical solutions. Companies must critically assess their digital business processes to ensure they are necessary and secure. Let’s take, for example, an employee requesting a database download. If it is for research, could they instead request an analytics report, not raw data? If it is to evaluate something, why not ask for a direct scoring result, like a simple yes/no or a percentage? And for sending holiday greetings to clients, why not use a template that automatically fills in names and addresses? By making these changes, not only is security enhanced by reducing the circulation of downloadable files, but business processes also become more streamlined and efficient.
The human factor plays a crucial role in data security, as many internal incidents stem from negligence rather than malice. In cases of external hacker attacks, there is often an unwitting internal accomplice – someone who failed to update software, opened a phishing email, executed a suspicious program, clicked on a risky link, incorrectly configured the IT system or used a weak password.
Therefore, regularly training employees, fostering a corporate culture that emphasizes adherence to security protocols, and conducting regular drills and tests are essential components in preventing data leaks. These practices help create an environment where following security rules becomes second nature to the workforce, significantly reducing the risk of breaches.
Tools designed to prevent data leaks must align with a company’s level of digital maturity and its existing systems for collecting, storing and processing personal data. As a company progresses to higher levels of digital sophistication, more complex and costly strategies become necessary to protect data effectively.
There are no easy “buy and forget” solutions in combating data breaches. Despite the appeal of such straightforward approaches, the complexity of data security demands continuous attention and adaptation far beyond the capabilities of any single, set-and-forget tool.
Final Thoughts
As digitalization progresses, we will see an ever-increasing amount of data being collected and used on a broader scale. Services will become more adaptable and systems more intricate. The convenience offered by digital services often comes at the cost of our privacy. It falls on both the customers and the designers of digital systems to prioritize security in their design. The best path forward is collaboration among those who build digital systems, industry experts, government regulators and the creators of information security tools.