A dummies guide to Data Loss Prevention (DLP)

What is DLP (Data Loss Prevention)?

DLP (Data Loss Prevention) is a group of technologies whose purpose is to ensure data is not lost, misused, disclosed or accessed by unauthorised users. DLP solutions generally classify data, protect confidential information, implement controls, identify data in transit and help prevent users (or customers) from accidentally or maliciously sharing data.

When trying to explain what are sometimes quite abstract technical scenarios, I like to use analogies.

Your Data. Your Asset.

Imagine your business as a big warehouse, with several rooms and each room populated with shelves. The warehouse is filled with boxes that contain your corporate data. Some boxes are labelled confidential, others are not. There are literally thousands if not millions of boxes.

For financial data, you know the room, shelf and box where it is stored. You have a vague idea where the HR and payroll information is. There is another room with a random stack of boxes, but you are not sure what information is contained in them.

Staff enter and leave the warehouse through different entrances, at different times of day, some on foot and others in vehicles.  Many are restricted to certain areas, others are not. There is no register to record access, and the management have a rough idea of who can access the different areas.

This is representative of a modern business.

Substitute the warehouse for your IT environment. Substitute boxes for servers or systems, and files for documents or data. The staff represent your users or in some cases, your customers.

To maintain an inventory of your data, never mind control access and identify theft is a massive undertaking. This is where DLP comes into the equation. So how does data loss prevention work?

Classification

Classification and data inventory is a key step in DLP. The Data Classification process can be described as some kind of stock take. Every file, folder, user, database or workspace is recorded and logged on a central asset register. In addition to the inventory itself and perhaps more importantly, a list of people or groups of people who can access this information is created.

When someone brings a new box into the warehouse, they are forced to label the box and classify its contents as confidential, high security or for public release. In the ICT world, this is mirrored with word documents, spreadsheets and e-mails; each is classified and labelled. This is often known as meta-data. Permissions and user-rights are established and documented.

Network DLP

The purpose of Network DLP is to identify (and potentially block) data in transmit.

Imagine someone standing in the warehouse aisle inspecting every box passing by, looking at every document, checking where they are from and where they are going to. Network DLP also checks to see if the person who is carrying the information has permission, they refer to the register created in the previous Classification stage for reference. If they do not have permission, they can inform management or deny access. If the particular box or file is not permitted to be removed from the warehouse, access is denied.

In an IT environment, a network DLP appliance sits in your network and observes data in transit. People e-mailing files or documents, people using Cloud services such as Dropbox or Office 365, staff sending documents using instant messaging or FTP transfers. Network DLP can identify these transfers, even encrypted ones, create an audit trail, alert management and block access if required.

You may be surprised / horrified / amazed what goes on with your data, where it is stored and who has access to it

Device DLP

Device DLP is typically installed on the end-user workstations or laptops. The majority of workstations and laptops have USB ports, removable media and support for Bluetooth and WIFI devices. These are all avenues for data loss.

The warehouse has windows, doors and vehicle entrances. Device DLP would lock these doors or optionally control access. It could only allow certain types of boxes to leave the building, at certain times or only to be carried by a select group of individuals. It can also record every attempt to leave with information, record all information that has been carried on and keep a central log of all the boxes moving around the warehouse. If staff are only allowed to take home one box each day, it can enforce that policy.

In an IT environment, Device DLP is an agent installed on each and every one of your workstations or laptops. It can disable USB, restrict access to certain devices and enforce the use of encryption. If a staff member attempts to plugin a USB key, the management are alerted. If a staff member copies your price-lists to a HDD, they are alerted. Restricting or outright blocking access to USB may be counterproductive, so having granular control and visibility of permissible activity is a better outcome.

Single pane of glass visibility

With DLP and data classification solutions it is possible to achieve the following:

  • An inventory of every data asset contained in your organisation, its location, who has access and an audit trail relating to access.
  • Classification assigns a label or category to every data asset identified during the inventory stage. Data can be classified as confidential, public or top-secret. Users are forced to classify information and any change in classification is recorded. This is typically stored as meta-data alongside the file itself. Classification integrates seamlessly with common productivity apps such as Word, Outlook, Excel and similar systems such as CRM/Invoicing.
  • Policy creation. You can create network and device policies linked to the classifications you defined in the previous step. Confidential information cannot leave the organisation by e-mail or internet. Top-Secret information cannot be copied to USB or the network. Public information is fine and can be sent out.
  • Network DLP identifies data in transit, even in encrypted streams. The policies defined earlier control traffic flows. The network DLP functions identify traffic whizzing around your network and can alert you of anomalous behaviour or potential breaches. If the solution identifies a price-list being e-mailed, it can first block that network traffic and secondly alert you.
  • Device DLP locks down your workstations and laptops. You can outright block removable device access or choose to create detailed policies that allow a level of device usage, albeit subject to stringent controls.

The piece de resistance is a central console where you can see all of this activity across your organisation. Identify potential data leak attempts. Identify anomalous activity. Identify weaknesses in your permissions structures.

DLP allows you to take control of your data and help eliminate the risk of data loss.

Industry Specific Solutions

DLP has applications across a range of industries. Often driven by regulatory requirements or data protection law.

  • Healthcare – HIPAA, HITECH, NHS, Data Protection
  • Financial Services – FCA, PCI-DSS, Isle of Man FSC, Basel III
  • Manufacturing – ISO 27001
  • Government – PAS 555, NIST, BSI
  • EU Data Protection Act

Speak to us about DLP

If you are interested in learning more about our range of Data Loss Prevention Solutions, our team will be happy to discuss your requirements, your business, concerns and goals. Call +44 1624 640400 or e-mail sales@mtg.im

Related Posts