Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor and protect data in use, data in motion, and data at rest through deep content inspection, contextual security analysis of transaction and with a centralized management framework. Systems are designed to detect and prevent unauthorized use and transmission of confidential information.
Also, instead of „Data loss prevention” are used the following terms:
- Data Leak Prevention (DLP);
- Data Loss Prevention (DLP);
- Data Leakage Protection (DLP);
- Information Protection and Control (IPC);
- Information Leak Prevention (ILP);
- Information Leak Protection (ILP);
- Information Leak Detection and Prevention (ILDP);
- Content Monitoring and Filtering (CMF);
- Extrusion Prevention System (EPS);
Most Data Loss Prevention solutions include a suite of technologies that facilitates three key objectives:
- Locate and catalog sensitive information stored throughout the enterprise;
- Monitor and control the movement of sensitive information across enterprise networks;
- Monitor and control the movement of sensitive information on end-user systems;
These objectives are associated with three primary „states” of information: data in use, data in motion, and data at rest. Each of these three states of data is addressed by a specific set of technologies provided by Data Loss Prevention solutions:
- Data in use
Primarily refers to monitoring data movement stemming from actions taken by end users on their workstations, whether that would entail copying data to a thumb drive, sending information to a printer, or even cutting and pasting between applications. Data Loss Prevention solutions typically accomplish this through the use of a software program known as an agent, which is ideally controlled by the same central management capabilities of the overall Data Loss Prevention solution. Implementing rule sets on an end user system has inherent limitations, the most significant being that the end-user system must be able to process the rule sets applied. Depending on the number and complexity of the rules being enforced, it may be necessary to implement only a portion of the entire rule set, which can leave significant gaps in the overall solution.
- Data in motion
To monitor data movement on enterprise networks, Data Loss Prevention solutions use specific network appliances or embedded technology to selectively capture and analyze network traffic. When files are sent across a network they are typically broken into packets. To inspect the information being sent across the network the Data Loss Prevention solution must be able to: passively monitor the network traffic, recognize the correct data streams to capture, assemble the collected packets, reconstruct the files carried in the data stream, and then perform the same analysis that is done on the data at rest to determine whether any portion of the file contents is restricted by its rule set.
- Data at rest
A basic function of Data Loss Prevention solutions is the ability to identify and log where specific types of information are stored throughout the enterprise. This means that the Data Loss Prevention solution must have the ability to seek out and identify specific file types (such as spreadsheets and word processing documents) whether they are on file servers, storage area networks or even end-point systems. Once found, the Data Loss Prevention solution must be able to open these files and scan their content to determine whether specific pieces of information are present, such as credit card or social security numbers.
To be considered a full Data loss prevention solution, the capability to address the three states of information must exist and be integrated by a centralized management function. The range of services available in the management console varies between products but many, if not most, have the following functions in common:
- Policy creation and management — Policies (rule sets) dictate the actions taken by the various DLP components.
- Directory services integration — Integration with directory services allows the DLP console to map a network address
to a named end user.
- Work-flow management — Most full DLP solutions provide the capacity to configure incident handling, allowing the central management system to route specific incidents to the appropriate parties based on violation type, severity, user and other such criteria.
- Backup and restore — Backup and restore features allow for preservation of policies and other configuration settings.
- Reporting — A reporting function may be internal or may leverage external reporting tools.
As with any set of security controls, the implementation of Data loss prevention should support business objectives and provide a tangible benefit to the business. The following list highlights some of the most direct benefits of a wellimplemented Data loss prevention solution:
- Protect critical business data and intellectual property
- Improve compliance
- Reduce data breach risk
- Enhance training and awareness
- Improve business processes
- Optimize disk space and network bandwidth
- Detect rogue/malicious software
While Data loss prevention solutions can go far in helping an enterprise gain greater insight over and control of sensitive data, stakeholders need to be apprised of limitations and gaps in Data loss prevention solutions. Understanding these limitations is the first step in the development of strategies and policies to help compensate for the limitations of the technology. Some of the most significant limitations common among Data loss prevention solutions are:
- Encryption — Data loss prevention solutions can only inspect encrypted information that they can first decrypt. To do this, Data loss prevention agents, network appliances and crawlers must have access to, and be able to utilize, the appropriate decryption keys. If users have the ability to use personal encryption packages where keys are not managed by the enterprise and provided to the Data loss prevention solution, the files cannot be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption solutions that are not centrally managed, and users should be educated that anything that cannot be decrypted for inspection will ultimately be blocked.
- Graphics — Data loss prevention solutions cannot intelligently interpret graphics files. Short of blocking or manually inspecting all such information, a significant gap will exist in an enterprise’s control of its information. Sensitive information scanned into a graphics file, or intellectual property that exists in a graphics format, such as design documents, would fall into this category. Enteprises that have significant IP in a graphics format should develop strong policies that govern the use and dissemination of this information. While Data loss prevention solutions cannot intelligently read the contents of a graphics file, they can identify specific file types, their source and destination. This capability, combined with well-defined traffic analysis, can flag uncharacteristic movement of this type of information and provide some level of control.
- Third-party service providers — When an enterprise sends its sensitive information to a trusted third party, it is inherently trusting that the service provider mirrors the same level of control over information leaks since the enterprise’s Data loss prevention solutions rarely extend to the service provider’s network. A robust third-party management program that incorporates effective contract language and a supporting audit program can help mitigate this risk.
- Mobile devices — With the advent of mobile computing devices, such as smart phones, invariably there are communication channels that are not easily monitored or controlled. Short message service (SMS) is the communication protocol that allows text messaging and is a key example. Another consideration is the ability of many of these devices to utilize Wi-Fi or even to become a Wi-Fi hotspot themselves. Both cases allow for out-of-band communication that cannot be monitored by most enterprises. Finally, the ability of many of these devices to capture and store digital photographs and audio information presents yet another potential gap. While some progress is being made in this area, the significant limitations of processing power and centralized management remain a challenge. Again, this situation is best addressed by the development of strong policies and supporting user education to compel appropriate use of these devices.
- Multilingual support — A few Data loss prevention solutions support multiple languages, but virtually all management consoles support only English. It is also true that for each additional language and character set the system must support, processing requirements and time windows for analysis increase. Until such time that vendors recognize sufficient market demand to address this gap, there is little recourse but to seek other methods to control information leaks in languages other than English. Multinational enterprises must carefully consider this potential gap when evaluating and deploying a Data loss prevention solution.
These points are not intended to discourage the adoption of Data loss prevention technology. The only recourse for most enterprises is the adoption of behavioral policies and physical security controls that complement the suite of technology controls that is available today, such as:
- Solution lock-in — At this time there is no portability of rule sets across various Data loss prevention platforms, which means that changing from one vendor to another or integration with an acquired organization’s solution can require significant work to replicate a complex rule set in a different product.
- Limited client OS support — Many Data loss prevention solutions do not provide end-point Data loss prevention agents for operating systems such as Linux and Mac because their use as clients in the enterprise is much less common. This does, however, leave a potentially significant gap for enterprises that have a number of these clients. This risk can only be addressed by behavior-oriented policies or requires the use of customized solutions that are typically not integrated with the enterprise Data loss prevention platform.
- Cross-application support — Data loss prevention functions can also be limited by application types. A Data loss prevention agent that can monitor the data manipulations of one application may not be able to do so for another application on the same system. Enterprises must ensure that all applications that can manipulate sensitive data are identified and must verify that the Data loss prevention solution supports them. In cases where nonsupported applications exist, other actions may be required through policy, or if feasible, through removal of the application in question.
Assurance professionals have the task of ensuring that the Data loss prevention solution is properly deployed, managed and governed. This involves having a clear understanding of the risks as well as ongoing monitoring of four key areas:
- Enterprise strategy and governance — Review the data protection strategy to examine whether it is in line with the business objectives and risks. Pay attention to indirect risks where confidential information may be abused by competitors. Assess whether there are checkpoints to keep data strategy aligned with changing business objectives. Verify whether a clear governance framework is in place to orchestrate actions across people, process and technology. Verify whether all applicable regulations, legislation, and privacy laws are considered.
- People — Verify whether appropriate stakeholders are engaged during and after Data loss prevention implementation. Key stakeholders include:
- Legal, privacy, corporate security, information security
- IT engineering and operations
- HR and employee representatives
- Key business line representatives
- Executive management
- Business process — Review business processes with access to confidential information and determine whether that access is required to perform each process. Identifying the need for access to confidential information from business processes is one of the strongest methods of protecting such data. In addition, appropriate processes for monitoring, detecting, qualifying, handling and closing data leakage incidents should exist.
- Technology — Review the specific technology that has been deployed and determine whether it is installed as designed. For example, determine whether it covers all egress points and devices critical to the enterprise. This should include business partner egress points and devices with access to sensitive information. In addition, ensure that it covers all of the required elements of the technology in use at the enterprise. Finally, periodic reviews of logs and event handling processes ensure that the solution is being utilized in an appropriate and optimized manner.