It might not seem necessary to have an area of cybersecurity called Data Loss Prevention (DLP). Isn’t all security about protecting data? Yes, but to keep from losing your most sensitive and valuable data, you need to take an organized, coherent approach to the work. That’s what DLP is about. DLP involves detecting and preventing loss or leakage of your data. It combines people, process, and technologies to achieve that goal.
DLP overlaps with many different areas of IT operations, cybersecurity, and compliance. The core purpose of DLP is the same, however, no matter how complex a DLP deployment may be. DLP is about protecting your data from loss, which might mean breach, exfiltration, or malicious encryption.
There are some who view DLP as simply a product. Many capable DLP solutions exist, and most programs will adopt one, but the tool is not the program. As Gartner put it, “Data loss prevention technology is most effective when supported by business-inclusive processes, rather than as a ‘set and forget’ technology platform.”
Another factor to bear in mind is that data loss is not just a risk posed by cyberattacks. Indeed, some truly damaging data loss incidents have occurred by accident, caused by careless or poorly thought-out data management practices. The goal is to operate a business without losing corporate data.
DLP encompasses several functional areas. These include data security and related countermeasures, e.g., encryption, data resiliency processes like backup, and data governance. To make DLP work, it’s necessary to engage in four core activities:
Identifying your data: You can only protect data if you know what it is and where it is. Your organization has its own data landscape that contains a wide range of data in various formats and at differing levels of sensitivity. Effective DLP proceeds from an awareness of what constitutes your sensitive data and where it’s stored.
Protecting your data: This occurs through the application of data loss prevention controls and countermeasures like data encryption and access controls, as well as through data backup and restoration capabilities.
Preventing accidental data loss: Your people can lose data, sometimes with surprising ease and often by complete accident. Mistakes run the gamut from oversharing of data to password sharing and unauthorized storage of data on public cloud platforms.
Governing your data: Keeping data safe from loss requires data governance policies that cover the data lifecycle (e.g., retention and deletion), rules for storage of sensitive data, and so forth.
How is DLP different from data security? The two spheres of work overlap, but they are distinct from one another. Data security comprises the controls, practices, and technologies that protect data from breach and unauthorized access. Individual data security controls do not take the whole-estate view that DLP does: an encryption setting or an access control list neither inventories nor classifies data, and it does nothing about a user who emails a spreadsheet to the wrong recipient.
DLP has a broader outlook. A DLP solution protects sensitive data from breaches, leakage, and unauthorized access through unified policy definition and management, and it may centralize control of data security countermeasures in a single policy set. Additionally, a DLP solution typically monitors user behavior around data access and flags problematic patterns, such as an employee sharing far more files outside the organization than usual. That could be a simple error, or it could be evidence of an attack, for example a compromised account. Because the DLP tool cannot tell which on its own, it usually feeds such alerts to the security operations center (SOC) team and its toolsets for investigation. Its detection and enforcement processes are automated to a great extent.
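One way to implement the behavioral monitoring just described, as an added example that is not code from this article or from any DLP product: per-user counts of external shares are compared with that user's own baseline over prior days, with an absolute floor so that a single stray share does not alert. The audit-log format, the corporate domain corp.example, the five-share floor and the 3x multiplier are assumptions, and the log lines are constructed for illustration.

```python
"""Flag users whose volume of external file sharing spikes against their own
baseline. Added example, not code from the article or any DLP product. The
log format, the internal domain and the thresholds are assumptions."""
from datetime import date

INTERNAL_DOMAIN = "corp.example"  # assumption: the organization's own domain

# Constructed audit log (assumed format): timestamp user action file recipient_domain
SAMPLE_LOG = """\
2024-05-06T09:12:01Z alice share roadmap.docx corp.example
2024-05-06T10:40:12Z alice share nda-draft.pdf partner.example.net
2024-05-07T08:03:55Z alice share budget.xlsx mail.corp.example
2024-05-07T11:15:09Z alice share sow.pdf partner.example.net
2024-05-08T09:45:31Z alice share notes.txt partner.example.net
2024-05-08T13:02:44Z bob share deck.pptx corp.example
2024-05-08T13:05:10Z bob download deck.pptx corp.example
2024-05-09T07:58:02Z alice share customers-2023.csv webmail.example.org
2024-05-09T07:58:40Z alice share pricing.xlsx webmail.example.org
2024-05-09T07:59:15Z alice share contracts.zip webmail.example.org
2024-05-09T08:01:02Z alice share pipeline.csv webmail.example.org
2024-05-09T08:02:30Z alice share board-deck.pptx webmail.example.org
2024-05-09T08:03:11Z alice share salaries.xlsx webmail.example.org
2024-05-09T10:00:00Z carol share design-v2.fig filedrop.example.org
2024-05-09T10:00:30Z carol share design-v3.fig filedrop.example.org
2024-05-09T10:01:00Z carol share assets.zip filedrop.example.org
2024-05-09T10:01:30Z carol share brand.pdf filedrop.example.org
2024-05-09T10:02:00Z carol share fonts.zip filedrop.example.org
2024-05-09T12:00:00Z bob share deck.pptx corp.example
"""


def is_internal(domain, internal_domain):
    """True for the corporate domain itself and any of its subdomains."""
    domain = domain.lower()
    return domain == internal_domain or domain.endswith("." + internal_domain)


def parse_share_events(log_text):
    """Keep only 'share' actions; downloads and other actions are ignored here."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, filename, domain = line.split()
        if action != "share":
            continue
        events.append({"day": date.fromisoformat(ts[:10]), "user": user,
                       "file": filename, "domain": domain})
    return events


def external_shares_per_user_day(events, internal_domain):
    """Return ({user: {day: external_share_count}}, sorted list of all days seen).
    All days in the log are returned so that days with zero shares count toward
    a user's baseline instead of being silently skipped."""
    counts, all_days = {}, set()
    for e in events:
        all_days.add(e["day"])
        if not is_internal(e["domain"], internal_domain):
            per_day = counts.setdefault(e["user"], {})
            per_day[e["day"]] = per_day.get(e["day"], 0) + 1
    return counts, sorted(all_days)


def find_sharing_spikes(counts, all_days, min_count=5, multiplier=3.0):
    """Alert on (user, day) where external shares reach the absolute floor and
    exceed multiplier x the user's mean over all prior days. A user with no
    history has a baseline of zero and is judged on the floor alone."""
    alerts = []
    for user, per_day in sorted(counts.items()):
        for day in all_days:
            today = per_day.get(day, 0)
            if today < min_count:
                continue
            prior = [per_day.get(d, 0) for d in all_days if d < day]
            baseline = sum(prior) / len(prior) if prior else 0.0
            if today > multiplier * baseline:
                alerts.append({"user": user, "day": day, "count": today,
                               "baseline": round(baseline, 2)})
    return alerts


def run_example():
    events = parse_share_events(SAMPLE_LOG)
    counts, all_days = external_shares_per_user_day(events, INTERNAL_DOMAIN)
    return find_sharing_spikes(counts, all_days)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed log, alice is flagged on 2024-05-09 (six external shares against a baseline of one per day) and carol is flagged on her first day because she has no history and clears the floor; bob only shares internally and never appears. In practice the alert is the start of an investigation, not a verdict: the SOC still has to establish whether alice is leaving, was phished, or is simply onboarding a new partner.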
Three types of DLP predominate:
Network DLP: Network DLP secures data while it is in transit. Data in motion is exposed both to interception and to being sent, deliberately or by accident, outside the organization, so network DLP inspects traffic at the points where data leaves the environment, such as email gateways, web proxies, and file transfer services, matches the content against policy, and can block, quarantine, or simply flag a suspicious transfer. A practical caveat: it can only inspect what it can read, so encrypted channels must either be terminated at the inspection point or be covered by endpoint or cloud DLP instead.
Storage/Cloud DLP: This type of DLP protects data at rest. It discovers and classifies data wherever it is stored, then enforces policy on it through access controls, encryption, quarantine, or deletion of copies that should not exist. It applies to data stored on-premises, in public and private clouds, and in hybrid or multi-cloud environments, and the scan frequently turns up forgotten copies of sensitive data, such as a database export sitting in a shared folder, that nobody was protecting.
Endpoint DLP: Endpoint DLP enforces policy on the devices (such as smartphones, laptops and servers) where users actually handle data. An agent on the device can see channels that network DLP cannot, including USB and other removable storage, printing, and clipboard and screenshot actions, and it keeps working when the device is off the corporate network. It also enforces device-level controls that support DLP, e.g., strong authentication, access controls, and disk encryption.
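Content inspection is the mechanism behind the identification and classification activity and behind both network and storage DLP: the same detector runs over a file at rest or a message in transit, and the resulting label drives the policy decision. The following is an added example, not code from this article or from any product; the detection patterns, the three-level label scheme, the policy table and the sample documents are all assumptions constructed for illustration.

```python
"""Classify content by the sensitive data it contains, then apply a transfer
policy to the label. Added example, not code from the article or any DLP
product. The patterns, labels, policy table and sample documents are assumptions."""
import re

# Detectors (assumptions; real products ship large, tuned pattern libraries).
# SSN: three groups, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13 to 19 digits with optional space or dash separators; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MARKERS = ("confidential", "internal only", "do not distribute")


def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the alert itself does not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text):
    """Return {'label': 'public'|'confidential'|'restricted', 'findings': [...]}."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    lowered = text.lower()
    for marker in MARKERS:
        if marker in lowered:
            findings.append(("marker", marker))
    if any(kind in ("ssn", "card") for kind, _ in findings):
        label = "restricted"
    elif findings:
        label = "confidential"
    else:
        label = "public"
    return {"label": label, "findings": findings}


# Policy table (assumption): action when content with a label crosses a boundary.
# Key is (label, destination_is_external).
POLICY = {
    ("public", False): "allow", ("public", True): "allow",
    ("confidential", False): "allow", ("confidential", True): "alert",
    ("restricted", False): "alert", ("restricted", True): "block",
}


def decide_transfer(label, external):
    return POLICY[(label, bool(external))]


# Constructed sample documents; the SSN and card values are test-style values.
SAMPLES = {
    "press-release.txt": "Acme launches a new product line; contact press@acme.example.",
    "hr-onboarding.txt": "CONFIDENTIAL - internal only. New hire SSN 219-09-9999 for payroll.",
    "expense-report.txt": "Paid with corporate card 4111 1111 1111 1111 on 2024-05-09.",
    "shipping-log.txt": "Order 1234 5678 9012 3456 shipped on 2024-05-09.",
}


def evaluate(samples, external):
    """Map each document name to (label, decision) for a transfer to the given side."""
    results = {}
    for name, text in samples.items():
        label = classify(text)["label"]
        results[name] = (label, decide_transfer(label, external))
    return results


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text), decide_transfer(classify(text)["label"], external=True))
```

The Luhn check is what keeps the shipping log out of the restricted bucket: "1234 5678 9012 3456" matches the card pattern but fails the checksum, while the expense report's card number passes. Without such checks, order and tracking numbers trip the rule, harmless transfers get blocked, and the rule is eventually switched off. Masking the matched value in the findings keeps the alert record from becoming a second copy of the sensitive data.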
Why should you pursue DLP? For one thing, data loss incidents keep growing in scale. In 2024, for example, a data broker disclosed a breach that reportedly exposed social security numbers for a large share of the population of the USA. Major brands, ranging from Yahoo to Alibaba, LinkedIn, and Marriott, have been similarly affected. These incidents damage reputations and can prove very costly to remediate. They may also get you in trouble with regulatory authorities.
DLP may not be named in the regulations that deal with data security and privacy, but it can be a big part of getting, and remaining, compliant. Rules like GDPR and CCPA require reasonable controls to keep consumers' personal data from leaking, with penalties when a breach results from their absence. HIPAA similarly penalizes lapses in safeguards that lead to a breach of protected health information (PHI).
What does it take to get to success with DLP? It’s a mature enough area of security that IT and security professionals have embraced a body of best practices that facilitate DLP adoption and effective execution. In addition to standard best practices for any IT or security project, such as documenting processes and procedures and defining requirements, highlights of DLP best practices include:
Identifying and then classifying your sensitive data: Of all your data, what needs the most protection from loss? Unstructured data like documents and emails should be included in this thought process. A good DLP solution will enable you to label the highest priority data for loss prevention measures.
Finding and securing the weakest points in your IT estate: Attackers are skilled at finding ways into your network and data storage infrastructure, and in some cases your people are the weakest link. Access controls are critical because they limit each employee to the data they actually need to do their job, so a mistaken or compromised account can reach only a fraction of the estate.
Backing up data, including data in the cloud: Backup should be a key element of a DLP program, and it must cover data that already lives in SaaS and cloud platforms, which the providers generally do not back up on your behalf. Cloud-hosted backups give you geographic diversity and the ability to recover downed systems quickly. Keep at least one copy immutable and isolated from production credentials, or ransomware that reaches the primary data will encrypt the backups too.
Training and educating employees and other users of data, such as contractors: Given the potential for users to create data loss by mistake, training is essential in achieving good DLP outcomes.
Being consistent with cyber hygiene: Keeping your networks and systems secure is part of DLP, even if it’s not officially in the DLP program. Practices like patch management, password rotation, and multi-factor authentication (MFA), among many others, help keep bad actors away from your data.
Establishing success metrics: If you can track your DLP progress with quantifiable measurements, you will be able to explain how the program is working to executives and other stakeholders. For instance, you can track how many data loss incidents you have experienced in a given time period, how long it took to detect them and then to respond and remediate, and what fraction of DLP alerts turned out to be false positives, since noisy rules get tuned down or ignored. Ideally, these metrics will improve as DLP is implemented.
It's also a good idea to be clear about roles and responsibilities. Someone needs to own DLP and understand what is expected of them. At the level of controls, separation of duties (SOD) may be a suitable way to prevent situations where a single user can create data loss exposure, either deliberately or by accident, for example by being able both to export a customer database and to approve that export.
Some wonder if they need both Endpoint Detection and Response (EDR) and DLP. The reasoning seems to be that an effective EDR solution will block hackers from entering the network, detect attacks, and prevent them from succeeding. Or, EDR will alert security teams that they have a security incident to handle.
However, EDR has a different purpose from DLP: it detects and responds to malicious activity on endpoints, such as suspicious processes, persistence, and lateral movement, not to the movement of sensitive data. Both are needed. DLP takes on the bigger assignment of categorizing and prioritizing data for protection, and it seeks to establish and enforce unified policies across endpoints, the network, storage, and the cloud. Policy enforcement may involve EDR and DLP working in tandem, for instance when a DLP alert about unusual exfiltration leads to the host being isolated through EDR.
An effective DLP strategy consists of three steps:
Identification of sensitive data: A DLP solution may discover sensitive data across the organization, though other data classification tools, such as those provided by Rubrik, can augment the process.
Protection: This step involves the definition and implementation of controls that encrypt data and prevent unauthorized access.
Monitoring and response: This step completes the DLP picture, with continuous monitoring and swift action to contain detected threats.
There are a number of good DLP solutions on the market that will help you prevent data leakage and unauthorized access to your organization’s data. However, it’s optimal to think through what you already have that can drive data loss prevention outcomes before you get an actual DLP platform.
Existing control capabilities in applications, databases, and networks could realize some of the same policy goals as a DLP solution. Backup and recovery solutions may also be able to assume a role in DLP by ensuring data availability even after a breach or ransomware attack.
Additionally, each organization will necessarily have its own distinctive DLP strategy. Company size and industry inform DLP; a small healthcare business will have a different DLP profile than a large industrial corporation. Every organization has its own data protection priorities. For a drug company, intellectual property is the ultimate data asset to protect, whereas a financial firm must safeguard transaction data, and so forth.