What is Data Loss Prevention?
DLP (Data Loss Prevention) is a group of technologies whose purpose is to ensure data is not lost, misused, disclosed or accessed by unauthorised users. DLP solutions generally classify data, protect confidential information, implement controls, identify data in transit and help prevent users (or customers) from accidentally or maliciously sharing data. Data loss should not always be associated with hackers; data loss can be instigated by staff accidentally and without their knowledge.
When trying to explain what are sometimes quite abstract technical scenarios, I like to use analogies.
Your Data. Your Asset.
Imagine your business as a big warehouse, with several rooms and each room populated with shelves. The warehouse is filled with boxes that contain your corporate data. Some boxes are labelled confidential; others are not. There are thousands if not millions of boxes.
For financial data, you know the room, shelf and box where it is stored. You have a vague idea where the HR and payroll information is. There is another room with a random stack of boxes, but you are not sure what data is contained in them.
Staff enter and leave the warehouse through different entrances, at different times of day, some on foot and others in vehicles. Many are restricted to certain areas, and others are not. There is no register to record access, and the management has a rough idea of who can access the different areas.
This is representative of modern business.
Substitute the warehouse for your IT environment. Substitute boxes for servers or systems, and files for documents or data. The staff represent your users or in some cases, your customers.
Maintaining an inventory of your data, never mind controlling access and identifying theft, is a massive undertaking. This is where DLP comes into the equation. So how does data loss prevention work?
Classification and data inventory is a critical step in DLP. The Data Classification process can be described as a stock take. Every file, folder, user, database or workspace is recorded and logged on a central asset register. In addition to the inventory itself and perhaps more importantly, a list of people or groups of people who can access this information is created.
When someone brings a new box into the warehouse, they are forced to label the box and classify its contents as confidential, high security or for public release. In the ICT world, this is mirrored with Word documents, spreadsheets and e-mails; each is classified and labelled. This label is often stored as meta-data. Permissions and user rights are established and documented.
The purpose of Network DLP is to identify (and potentially block) data in transit.
Imagine someone standing in the warehouse aisle inspecting every box passing by, looking at every document, checking where it has come from and where it is going to. Network DLP also checks whether the person carrying the information has permission, referring to the register created in the previous Classification stage. If they do not have permission, it can inform management or deny access. If the particular box or file is not permitted to leave the warehouse, access is denied.
In an IT environment, a network DLP appliance (or DLP-capable firewall) sits in your network and observes data in transit: people e-mailing files or documents, people using cloud services such as Dropbox or Office 365, staff sending documents by instant messaging or FTP. Network DLP can identify these transfers, even encrypted ones, create an audit trail, alert management and block access if required.
You may be surprised, horrified or amazed at what goes on with your data, where it is stored and who has access to it.
If your business uses a cloud service such as Microsoft Office 365, then there are built-in tools and features that enable the use of DLP in that environment. We discuss the various compliance aspects of Office 365 in another article, but the DLP features are something that every business should utilise.
The most common DLP application that we have implemented in Office 365 is to safeguard sensitive or internal-use documents (e.g. price-lists). In the event a staff member deliberately (or accidentally) e-mails a confidential document out of the organisation, the rules kick in and block this activity – reporting the incident to the administrator. This topic is covered in the following Microsoft article, “Overview of data loss prevention”.
Device DLP is typically installed on the end-user workstations or laptops. The majority of workstations and laptops have USB ports, removable media and support for Bluetooth and Wi-Fi devices. These are all avenues for data loss.
The warehouse has windows, doors and vehicle entrances. Device DLP would lock these doors or optionally control access. It could only allow certain types of boxes to leave the building, at certain times or only to be carried by a select group of individuals. It can also record every attempt to leave with information, record all data that has been sent on and keep a central log of all the boxes moving around the warehouse. If staff are only allowed to take home one box each day, it can enforce that policy.
In an IT environment, Device DLP is an agent installed on every one of your workstations or laptops. It can disable USB, restrict access to specific devices and enforce the use of encryption. If a staff member attempts to plug in a USB key, management is alerted. If a staff member copies your price-lists to an HDD, they are informed. Restricting or outright blocking access to USB may be counterproductive, so having granular control and visibility of permissible activity is a better outcome.
Single pane of glass visibility
With DLP and data classification solutions, it is possible to achieve the following:
- An inventory of every data asset contained in your organisation, its location, who has access and an audit trail relating to access.
- Classification assigns a label or category to every data asset identified during the inventory stage. Data can be classified as confidential, public or top-secret. Users are forced to sort information and any change in classification is recorded. This is typically stored as meta-data alongside the file itself. Classification integrates seamlessly with universal productivity apps such as Word, Outlook, Excel and similar systems such as CRM/Invoicing.
- Policy creation. You can create network and device policies linked to the classifications you defined in the previous step. Confidential information cannot leave the organisation by e-mail or internet. Top-Secret information cannot be copied to USB or the network. Public information is fine and can be sent out.
- Network DLP identifies data in transit, even in encrypted streams. The policies defined earlier control traffic flows. Network DLP functions monitor the traffic moving around your network and can alert you to unusual behaviour or potential breaches. If the solution identifies a price-list being e-mailed, it can first block that network traffic and secondly inform you.
- Device DLP locks down your workstations and laptops. You can outright block removable device access or choose to create detailed policies that allow a level of device usage, albeit subject to stringent controls.
The pièce de résistance is a central console where you can see all of this activity across your organisation: identify potential data leak attempts, identify anomalous activity and identify weaknesses in your permissions structures.
DLP allows you to take control of your data and helps eliminate the risk of data loss.
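The inventory, classification, policy and enforcement steps described above fit together as one decision loop, which is easier to see in code than in the analogy. The following is an added illustration written for this article, not code from the article itself or from any DLP product: a toy policy engine in Python in which the classification label is the meta-data attached to each asset, the asset register records who may access it, a policy table maps each label to the channels it may leave by (mirroring the rules in the list above), unregistered files fall back to content inspection for classification markers, and every decision is written to an audit log that a central console can summarise. The register entries, group memberships, channel names and marker patterns are all constructed for the example. One practical caveat the engine glosses over: a network appliance can only apply these rules to encrypted streams if it terminates the TLS session or is fed the content by an endpoint agent, so check which of the two your product relies on.

```python
"""Toy DLP policy engine (added example; constructed data, not a vendor's API)."""
from dataclasses import dataclass, asdict
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple
import re


class Label(str, Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"
    TOP_SECRET = "top-secret"


# Egress channels each label may use. Assumed mapping that mirrors the article:
# confidential may not leave by e-mail or internet, top-secret may not be copied
# to USB or the network, public may go anywhere.
POLICY: Dict[Label, Set[str]] = {
    Label.PUBLIC: {"email-external", "internet", "usb", "network-share"},
    Label.CONFIDENTIAL: {"usb", "network-share"},
    Label.TOP_SECRET: set(),
}

# Asset register (constructed sample): path -> (label, groups allowed access).
REGISTER: Dict[str, Tuple[Label, Set[str]]] = {
    "finance/price-list-2024.xlsx": (Label.CONFIDENTIAL, {"sales", "finance"}),
    "hr/payroll.csv": (Label.TOP_SECRET, {"hr"}),
    "marketing/brochure.pdf": (Label.PUBLIC, {"everyone"}),
}
# Group membership per user (constructed sample).
GROUPS: Dict[str, Set[str]] = {
    "alice": {"sales", "everyone"},
    "bob": {"hr", "everyone"},
    "carol": {"everyone"},
}
# Markers used to classify an unregistered file by inspecting its content.
MARKERS = [
    (re.compile(r"\bTOP[ -]SECRET\b", re.I), Label.TOP_SECRET),
    (re.compile(r"\b(CONFIDENTIAL|INTERNAL USE ONLY)\b", re.I), Label.CONFIDENTIAL),
]


@dataclass(frozen=True)
class Event:
    user: str
    path: str
    channel: str
    text: str = ""  # file content, only consulted for unregistered assets


@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "block" or "alert"
    reason: str
    label: Optional[str]


AUDIT: List[dict] = []  # the central log every decision is written to


def classify_content(text: str) -> Optional[Label]:
    """Fallback classification by scanning for markers; None if nothing is found."""
    for pattern, label in MARKERS:
        if pattern.search(text):
            return label
    return None


def evaluate(event: Event) -> Decision:
    """Apply the register, access rights and channel policy to one transfer event."""
    if event.path in REGISTER:
        label, allowed = REGISTER[event.path]
        if not (GROUPS.get(event.user, set()) & allowed):
            decision = Decision("block", "user has no access to asset", label.value)
        elif event.channel not in POLICY[label]:
            decision = Decision("block", f"{label.value} data may not leave via {event.channel}", label.value)
        else:
            decision = Decision("allow", "permitted by policy", label.value)
    else:
        # The "random stack of boxes": not in the register, so inspect the content.
        found = classify_content(event.text)
        if found is None:
            decision = Decision("alert", "unregistered and unclassified asset", None)
        elif event.channel not in POLICY[found]:
            decision = Decision("block", f"content marked {found.value}; {event.channel} not permitted", found.value)
        else:
            decision = Decision("alert", f"unregistered asset classified {found.value} by content", found.value)
    AUDIT.append({**asdict(event), **asdict(decision)})
    return decision


def console_summary() -> Dict[str, int]:
    """Single-pane view: number of decisions per action across the audit log."""
    counts: Dict[str, int] = {}
    for record in AUDIT:
        counts[record["action"]] = counts.get(record["action"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in (Event("alice", "finance/price-list-2024.xlsx", "email-external"),
               Event("carol", "misc/notes.txt", "usb", "CONFIDENTIAL draft")):
        print(ev.user, ev.path, ev.channel, "->", evaluate(ev))
    print(console_summary())
```

The two `block` reasons are deliberately distinct: "no access" points at a weakness in the permissions structure, while "may not leave via" points at a policy hit, which is the split a console needs in order to separate anomalous access from attempted exfiltration.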
Industry Specific Solutions
DLP has applications across a range of industries, often driven by regulatory requirements or data protection law.
- Healthcare – HIPAA, HITECH, NHS, Data Protection
- Financial Services – FCA, PCI-DSS, Isle of Man FSA, Basel III
- Manufacturing – ISO 27001
- Government – PAS 555, NIST, BSI
- EU Data Protection Act
Speak to us about data loss prevention
If you are interested in learning more about our range of Data Loss Prevention Solutions, our team will be happy to discuss your requirements, your business, concerns and goals.