Data loss prevention and data leakage prevention are terms used interchangeably to describe the controls put in place by an organization to ensure that certain types of data (structured and unstructured) remain under organizational controls, in line with policies, standards, and procedures.
Controls to protect data form the foundation of organizational security and enable the organization to meet regulatory requirements and relevant legislation (e.g., EU data protection directives, U.S. privacy acts, HIPAA, and PCI DSS). DLP technologies and processes play important roles when building those controls. The appropriate implementation and use of DLP will reduce both security and regulatory risks for the organization.
DLP strategy presents a wide and varied set of components and controls that need to be contextually applied by the organization, often requiring changes to the enterprise security architecture. It is for this reason that many organizations do not adopt a “full-blown” DLP strategy across the enterprise.
For hybrid cloud users or those utilizing cloud-based services partially within their organizations, it would be beneficial to ensure that DLP is understood and is appropriately structured across both cloud and non-cloud environments. Failure to do so can result in segmented and non-standardized levels of security, leading to increased risks.
DLP Components
DLP consists of three components:
- Discovery and classification: The majority of cloud-based DLP technologies are predominantly focused on the first stage of a DLP implementation, which is also an ongoing and recurring process. The discovery process usually maps data in cloud storage services and databases and enables classification based on data categories (e.g., regulated data, credit card data, public data).
- Monitoring: Data usage monitoring forms the key function of DLP. Effective DLP strategies monitor the usage of data across locations and platforms while enabling administrators to define one or more usage policies. Monitoring can be executed on gateways, servers, and storage, as well as workstations and endpoint devices. Recently, adoption of external services that deliver DLP “as a service” has increased, along with many cloud-based DLP solutions. The monitoring application should be able to cover most sharing options available to users (e.g., email applications, portable media, internet browsing) and alert on policy violations.
- Enforcement: Many DLP tools provide the capability to interrogate data and compare its location, use, or transmission destination against a set of policies to prevent data loss. If a policy violation is detected, specified relevant enforcement actions can automatically be performed. Enforcement options can include the ability to alert and log, block data transfers or reroute them for additional validation, or encrypt the data prior to leaving the organizational boundaries.
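As an added example (not code from the original text), the following Python sketch walks through the three components against constructed sample objects: regex-based discovery and classification with a Luhn check so that device serials are not misclassified as card data, and a destination-aware enforcement step that picks the strictest action any detected category demands. The object paths, contents, and policy table are all invented for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample objects, as a discovery scan of a cloud bucket might find them
# (paths and contents are invented for this example).
SAMPLE_OBJECTS: Dict[str, str] = {
    "s3://finance/invoices.csv": "Customer 4111111111111111 paid invoice 1001",
    "s3://marketing/brochure.txt": "Public brochure, device serial 1234567890123456",
    "s3://hr/contacts.txt": "Reach the data protection officer at dpo@example.com",
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")      # 14-19 digit card-like numbers
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out serials and random digit runs that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> Set[str]:
    """Discovery/classification step: assign data categories to one object's content."""
    labels: Set[str] = set()
    for match in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            labels.add("pci")
    if EMAIL_RE.search(text):
        labels.add("personal")
    return labels or {"public"}

def scan(objects: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every stored object to its sorted category labels."""
    return {path: sorted(classify(text)) for path, text in objects.items()}

# Constructed enforcement policy: action per data category and transfer destination.
POLICY = {
    "pci":      {"internal_share": "log", "cloud_storage": "encrypt", "external_email": "block"},
    "personal": {"internal_share": "log", "cloud_storage": "encrypt", "external_email": "reroute"},
    "public":   {"internal_share": "allow", "cloud_storage": "allow", "external_email": "allow"},
}
STRICTNESS = ["allow", "log", "encrypt", "reroute", "block"]   # least to most restrictive

def enforce(labels: Set[str], destination: str) -> str:
    """Enforcement step: apply the strictest action any present category demands."""
    return max((POLICY[label][destination] for label in labels), key=STRICTNESS.index)
```

Running `scan(SAMPLE_OBJECTS)` labels the invoice file `pci`, the brochure `public` (its serial fails the Luhn check), and the contacts file `personal`; `enforce` then maps those labels to `block`, `allow`, or `reroute` for an external email destination.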
DLP Architecture
DLP tool implementations typically conform to the following topologies:
- Data in motion (DIM): Sometimes referred to as network-based or gateway DLP. In this topology, the monitoring engine is deployed near the organizational gateway to monitor outgoing protocols such as HTTP/HTTPS/SMTP and FTP. The topology can be a mixture of proxy-based, bridge, network-tapping, or SMTP relays. To scan encrypted HTTPS traffic, appropriate SSL interception or brokering mechanisms must be integrated into the system architecture.
- Data at rest (DAR): Sometimes referred to as storage-based DLP. In this topology, the DLP engine is installed where the data is at rest, usually with one or more storage subsystems and file and application servers. This topology is very effective for data discovery and tracking usage, but may require integration with network- or endpoint-based DLP for policy enforcement.
- Data in use (DIU): Sometimes referred to as client- or endpoint-based DLP. In this topology, the DLP application is installed on users’ workstations and endpoint devices. This topology offers insights into how data is used by users, with the ability to add protection that network DLP may not be able to provide. The challenge with client-based DLP is the complexity, time, and resources required to implement it across all endpoint devices, often across multiple locations and significant numbers of users.
Cloud-based DLP Considerations
Some important considerations for cloud-based DLP include:
- Data in the cloud tends to move and replicate: Whether it is between locations, data centers, backups, or back and forth into the organizations, the replication and movement can present a challenge to any DLP implementation.
- Administrative access for enterprise data in the cloud could be tricky: Make sure you understand how to perform discovery and classification within cloud-based storage.
- DLP technology can affect overall performance: Network or gateway DLP, which scans all traffic for predefined content, might have an effect on network performance. Client-based DLPs scan all workstation access to data; this can have a performance impact on the workstations’ operation. The overall impact must be considered during testing.
Cloud-based DLP: Leading Practices
Start with the data discovery and classification process. These processes are more mature within cloud deployments and deliver value to the data security process.
Cloud DLP policy should address the following:
- What kind of data is permitted to be stored in the cloud?
- Where can the data be stored (jurisdictions)?
- How should data be stored (encryption and storage access consideration)?
- What kind of data access is permitted?
- Which devices and what networks are permitted?
- Which applications are permitted?
- Which tunnels are permitted?
- Under what conditions is data allowed to leave the cloud?
Encryption methods should be carefully examined based on the format of the data. Format-preserving encryption such as digital rights management (DRM) is getting more popular in document storage applications; however, other data types may require vendor-agnostic solutions.
When implementing restrictions or controls to block or quarantine data items, it is essential to create procedures that will prevent business process damage due to false-positive events, but will not hinder legitimate transactions or processes from being performed.
DLP can be an effective tool when planning or assessing potential applications for migration to the cloud. DLP discovery will analyze the data going to the cloud for content, and the DLP detection engine can discover policy violations during data migration.