Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission.
Adoption of DLP is being driven by insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.
Here is how to initiate a successful DLP deployment:
Not all data is equally critical. Every organization has its own definition of critical data. The first step is to decide which data would cause the biggest problem if it were stolen. DLP should start with the most valuable or sensitive data that is likely to be targeted by attackers.
Classify the data
A simple, scalable approach is to classify data by context. This means associating a classification with the source application, the data store or the user who created the data. Applying persistent classification tags to the data allows organizations to track its use. Content inspection is also useful. It examines the data itself for patterns matched by regular expressions, such as Social Security and credit card numbers, or for keywords (for example “confidential”). Content inspection engines often come with pre-configured rules for PCI, PII and other standards.
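As an added illustration of the content-inspection step (example code, not from the original article or any DLP product), the following scanner applies a small rule pack for Social Security numbers, payment card numbers and a keyword, with a Luhn checksum on card hits so that arbitrary 16-digit runs such as tracking numbers do not trigger a PCI finding. The rule names, tags and sample messages are constructed for this example.

```python
import re

# Constructed rule pack, in the spirit of the pre-configured PCI/PII rules the text mentions.
RULES = {
    # SSN: area not 000/666/9xx, group not 00, serial not 0000
    "PII.SSN": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or hyphens
    "PCI.CardNumber": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "Keyword.Confidential": re.compile(r"\bconfidential\b", re.IGNORECASE),
}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def inspect(text: str) -> list:
    """Return (tag, matched_text) findings; card-number hits must also pass Luhn."""
    findings = []
    for tag, pattern in RULES.items():
        for m in pattern.finditer(text):
            if tag == "PCI.CardNumber" and not luhn_valid(re.sub(r"[ -]", "", m.group(0))):
                continue        # looks like a card number but fails the checksum
            findings.append((tag, m.group(0)))
    return findings

def classify(text: str) -> str:
    """Map findings to a persistent classification tag for the DLP policy engine."""
    families = {tag.split(".")[0] for tag, _ in inspect(text)}
    if families & {"PCI", "PII"}:
        return "RESTRICTED"
    if "Keyword" in families:
        return "CONFIDENTIAL"
    return "PUBLIC"

# Constructed sample messages (4111 1111 1111 1111 is a well-known test card number).
SAMPLE_RISKY = "Please charge card 4111 1111 1111 1111 for John, SSN 123-45-6789. Marked CONFIDENTIAL."
SAMPLE_BENIGN = "Shipment tracking 1234567890123456 arrives Monday."

if __name__ == "__main__":
    for msg in (SAMPLE_RISKY, SAMPLE_BENIGN):
        print(classify(msg), inspect(msg))
```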
Understand when data is at risk
There are different risks associated with data distributed to user devices or shared with partners, customers and the supply chain. In these cases, the data is often at highest risk at the moment it is in use on endpoints. Examples include attaching data to an email or moving it to a removable storage device. A robust DLP program must account for the mobility of data and when data is at risk.
Monitor data in motion
It is important to understand how data is used and to identify behavior that puts data at risk. Organizations need to monitor data in motion to gain visibility into what’s happening to their sensitive data and to determine the scope of the issues that their DLP strategy should address.
Communicate and develop controls
The next step is to work with business line managers to understand why the risky data movement observed during monitoring is happening and to create controls for reducing data risk. At the beginning of a DLP program, data usage controls may be simple. Controls can target common behaviors that most line managers would agree are risky. As the DLP program matures, organizations can develop more granular, fine-tuned controls to reduce specific risks.
Train employees and provide continuous guidance
Once an organization understands when data is moved, user training can reduce the risk of accidental data loss by insiders. Employees often don’t recognize that their actions can result in data loss and will do better when educated. Advanced DLP solutions offer user prompting to inform employees of data use that may violate company policy or increase risk. This is in addition to controls to outright block risky data activity.
Some organizations will repeat these steps with an expanded data set or extend data identification and classification to enable fine-tuned data controls. By initially focusing on securing a subset of the most critical data, DLP is simpler to implement and manage. A successful pilot program will also provide options for expanding the program. Over time, a larger percentage of sensitive information will be included, with minimal disruption to business processes.