Plugging Data Leaks
Data loss prevention solutions prevent sensitive data from seeping through cracks in security.
IT security systems are designed to prevent malicious outside forces from invading the network. However, these systems generally do little to keep data inside the network. After all, employees, contractors, suppliers, partners and even customers need ready access to data in order to keep the organization running smoothly. The rapid shift to work-from-home and hybrid work models has made remote access to data even more critical.
However, transferring and storing sensitive information outside the secure network perimeter dramatically increases the risk of cyberattack and regulatory compliance violations. What’s more, employees routinely email sensitive data and files without carefully considering the potential ramifications, and there’s a significant threat of malicious insiders stealing or transferring data.
Data loss prevention (DLP) is a set of tools and processes that help reduce the risk of data loss or exposure and protect business processes that are fueled by mission-critical data. It is designed to classify sensitive information and prevent it from being accidentally or maliciously shared in ways that could put the organization at risk.
DLP solutions help companies discover, monitor and manage sensitive data in flight across corporate networks and email systems, at rest in servers, cloud stores, backups and archives, or in use in websites and applications. They also help organizations comply with laws and regulations regarding data privacy and security, and ensure that all users adhere to the established internal policies regarding data protection.
Find It, Protect It
Few organizations know where all of their sensitive data resides on the network, making it difficult to control access to that data and protect it from threats. In light of that, the first step in any DLP strategy is to identify data that needs protection — including both corporate secrets such as financial data and trade secrets and custodial data such as customer and payment card information. Enterprise DLP solutions include discovery components that identify sensitive data in file servers, databases, cloud services and email repositories, as well as endpoints such as desktops, laptops and removable storage.
Once sensitive data is identified, the DLP solution is used to define, manage and enforce policies governing the use and protection of that data. Discovery and policy management functions combine to automatically protect data as it travels across the network and beyond. Based upon these policies, the DLP solution can prevent users from copying sensitive data or downloading it to their personal devices. The DLP solution can also monitor email, instant messaging and collaboration tools for Social Security numbers, credit card numbers and specific keywords and automatically block, encrypt or quarantine those communications.
Administrators can set up alerts when security lapses occur so that steps can be taken to better protect the data. Reporting and analytics tools provide trends that can aid in regulatory compliance and in defining employee training and awareness programs. These strategies pay off — multiple studies have shown that negligent insider data breaches decrease in number and cost due to the positive effect training and awareness programs have on employees’ sensitivity to the protection of personal information.
Precisely defining policies is key to the success of DLP. If IT frequently grants policy exceptions to users, it may indicate that the policies are so strict that users cannot perform their jobs or that users are attempting to work around the policies out of convenience.
There are a number of ways to implement DLP. Enterprise DLP solutions are designed to protect data at every state and on every platform throughout the IT environment. However, these platforms can be difficult to implement, with a high number of false positives if the policies aren’t defined correctly.
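The content-inspection step described earlier (matching card numbers, Social Security numbers and keywords, then choosing block, encrypt or quarantine) and the false-positive problem raised here, as an added example that is not from the article or any vendor's product: a minimal Python classifier whose Luhn and SSN-format checks discard digit runs that merely look like identifiers. The action thresholds, keyword list and sample message are constructed for illustration.

```python
import re

# Policy actions modeled on the article's block/encrypt/quarantine options.
ALLOW, ENCRYPT, QUARANTINE, BLOCK = "allow", "encrypt", "quarantine", "block"

# 13-19 digits, optionally separated by spaces or hyphens (constructed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
KEYWORDS = ("confidential", "internal only")  # constructed sample keyword list

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def classify(message: str) -> dict:
    """Count validated identifiers and policy keywords in one message body."""
    findings = {"card": 0, "ssn": 0, "keyword": 0}
    for m in CARD_RE.finditer(message):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings["card"] += 1
    for m in SSN_RE.finditer(message):
        if valid_ssn(*m.groups()):
            findings["ssn"] += 1
    lower = message.lower()
    findings["keyword"] = sum(lower.count(k) for k in KEYWORDS)
    return findings

def decide(findings: dict) -> str:
    """Map findings to an action; the thresholds are illustrative policy choices."""
    if findings["card"] + findings["ssn"] >= 5:
        return BLOCK        # many identifiers: looks like a bulk export, stop it
    if findings["card"] or findings["ssn"]:
        return QUARANTINE   # a few identifiers: hold the message for review
    if findings["keyword"]:
        return ENCRYPT      # labelled internal but no identifiers: force encryption
    return ALLOW

# Constructed sample message: one valid card and SSN, one invalid of each.
SAMPLE = ("Confidential: customer 123-45-6789 paid with card 4111 1111 1111 1111. "
          "Ticket 000-12-3456 and test card 4111 1111 1111 1112 should not count.")
```

Running `decide(classify(SAMPLE))` yields `quarantine`: the Luhn failure and the unissued 000 area number are dropped rather than counted, which is exactly the kind of false positive a naive digit-pattern rule would raise.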
Best-in-class firewalls and intrusion prevention solutions perform DLP functions as they inspect network traffic. Some of today’s firewalls implement DLP as a cloud-based service, simplifying implementation and management. There are also cloud-based DLP solutions that focus specifically on data stored and shared on cloud platforms.
Because email is the primary source of data leakage, it deserves special attention. Some secure email gateways, which protect against spam, malware and other threats, also perform DLP functions. For organizations that use Microsoft 365, the Security & Compliance Center includes a robust set of DLP capabilities that encompasses not only Microsoft Exchange email but SharePoint Online, OneDrive for Business and Microsoft productivity apps.
Remote work, coupled with increasingly stringent privacy laws and government and industry regulations, has made it imperative that organizations implement policies and tools that mitigate the risk of data leakage. DLP solutions provide a mechanism for classifying sensitive data and preventing it from seeping through cracks in security.