Data Loss Prevention (DLP) involves a set of technologies and processes used to discover, monitor and control sensitive data. Organizations use DLP to prevent data breaches and comply with regulations such as GDPR, HIPAA, PCI DSS, and others. DLP tools allow security staff and network administrators to set business rules, also known as policies, that determine what counts as sensitive, while also providing insight into how content is used within an enterprise. The basic elements of our DLP solution include centralized management, policy creation, and an enforcement workflow dedicated to the monitoring and protection of data.
Why do I need DLP?
Data loss or exfiltration is bad for business. It degrades confidence in your brand and can result in financial losses from losing customers, lawsuits, regulatory non-compliance fines, and exposure of intellectual property. Here are some other cases that drive the need for DLP:
1. Compliance with industry and government regulations
Many private- and public-sector organizations, including healthcare, government, and financial services are required by law to safeguard sensitive personal data. Regulations include:
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- PCI DSS (Payment Card Industry Data Security Standard)
- CCPA (California Consumer Privacy Act)
- PIPEDA (Personal Information Protection and Electronic Documents Act)
Common to all these regulations is the requirement that sensitive data be stored securely and kept away from unauthorized users. Companies must have DLP strategies and tools in place to prevent unintentional or malicious access to, and exfiltration from, data sources.
2. Protecting proprietary information
While some hackers steal information just to see if they can, most do it for the financial benefit of selling or exposing that information. Today, many ransomware attackers not only encrypt a victim’s data and demand money for unlocking it, but also exfiltrate some of it and demand payment for not releasing it to the public.
Data loss prevention strategies help keep intellectual property safe, not only from outside attacks and exfiltration, but also from unintentional data leaks caused by employees. Careless sharing of confidential data and information over unsecured public cloud accounts can cause just as much damage as malicious acts of data theft.
How does DLP work?
Data Loss Prevention (DLP) encompasses a set of practices and tools meant to prevent data leakage, also known as data exfiltration, by intentional or unintentional misuse. The practices and tools include encryption, detection, preventative measures, and machine learning to assess user risk scores. DLP solutions use data classification labels and tags, content inspection techniques and contextual analysis to identify sensitive content and analyze actions related to the use of that content. They then monitor data activity and evaluate the appropriateness of attempted actions against a predefined DLP policy that details acceptable uses.
The best data loss prevention strategies combine several approaches to cover all potential breach vectors. Essentially, DLP's primary job is to identify the sensitive data that needs protecting and then prevent its loss. Identifying sensitive data can be tricky, because data exists in several different states in your infrastructure:
- Data in use: Data that a user is currently interacting with. DLP systems that protect data in use monitor and flag unauthorized activities such as screen capture, copy/paste, and printing of sensitive data.
- Data in motion: Data being transmitted over a network, whether an internal, trusted one or the public internet.
- Data at rest: Data stored in a database, on a filesystem, or in some kind of backup storage infrastructure.
Data loss prevention best practices
1. Educate employees
A best practice for preventing data loss starts with training employees about the do’s and don’ts for handling your organization’s valuable data. Employee training should include safe practices for transferring, viewing, and storing data. For maximum effect, training should be sponsored at the executive level and should be repeated regularly to reinforce and update best-practice behavior.
2. Establish data handling policies
Best-practice data handling policies include:
- Where data can be stored
- How data is to be transferred
- Who can view certain types of data
- What types of data you are allowed to store
- How long customer data may be retained
Since these policies drive all other data handling behaviors and assessments, they should be established early on. Policies should also be updated regularly to reflect changes in the organization, its industry, and in regulations. Once data handling policies are in place you can move onto more technical remedies to ensure data remains where it ought to be.
3. Create a data classification system
DLP policies need a data classification system as their foundation. This taxonomy provides a shared vocabulary for discussing the protection needed by different types of data. Common classifications include personally identifiable information (PII), financial information, public data, intellectual property (IP), and many others. A distinct set of protection controls can then be established for each classification.
4. Monitor sensitive data
Successful data protection requires the ability to monitor your sensitive data. DLP solutions typically include capabilities for monitoring all aspects of data access, use and storage, including:
- User access
- Device access
- Application access
- Threat types
- Geographical locations
- Access times
- Data context
As part of the monitoring process, DLP software sends alerts to security professionals when data is used, moved, deleted or altered in an unauthorized manner.
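The mechanics described in "How does DLP work?" (content inspection, classification labels, policy evaluation across data in use and data in motion) and in this section (monitoring user, device, application, location and time context, then alerting or blocking) can be shown together in a small policy engine. The following is an added example written for this page; it is not Lookout's or any vendor's code. The regexes, the Luhn check, the role and clearance tables, the sanctioned-app list and every sample event are constructed for the illustration.

```python
"""Toy DLP policy engine: content inspection, classification and decision.

Added illustration of the mechanics described in the text; it is not
Lookout's (or any vendor's) code. Labels, roles, app lists, the clearance
table and every sample event below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Content inspection --------------------------------------------------
# Candidate payment card numbers: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs (order numbers, IDs) that merely
    look like card numbers, which cuts false positives from the regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the classification labels found in a piece of content."""
    labels: set[str] = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        labels.add("PII")
    if "CONFIDENTIAL" in text.upper():  # explicit tag, e.g. a document header
        labels.add("IP")
    return labels


# --- Policy (all tables constructed) ----------------------------------------
SANCTIONED_APPS = {"sharepoint", "salesforce", "corp-mail"}
ROLES = {"alice": "finance", "bob": "engineering", "mallory": "engineering"}
# Which roles are cleared to handle each classification.
CLEARANCE = {"PCI": {"finance"}, "PII": {"finance", "hr"},
             "IP": {"engineering", "finance", "hr"}}


@dataclass
class Event:
    user: str
    device: str    # "managed" or "unmanaged"
    app: str       # destination application
    action: str    # "upload", "email", "copy", "print" or "read"
    location: str  # country code where the session originates
    hour: int      # local hour of day, 0-23
    content: str   # the data being acted upon


def evaluate(ev: Event) -> tuple[str, list[str]]:
    """Decide allow / alert / block for one event and say why."""
    labels = classify(ev.content)
    if not labels:
        return "allow", []
    reasons = []
    role = ROLES.get(ev.user, "unknown")
    # Authorization: identity and classification are checked on every action.
    for label in sorted(labels):
        if role not in CLEARANCE.get(label, set()):
            reasons.append(f"{ev.user} ({role}) is not cleared for {label}")
    # Data in motion: sensitive content may only leave to sanctioned apps.
    if ev.action in ("upload", "email") and ev.app not in SANCTIONED_APPS:
        reasons.append(f"data in motion to unsanctioned app {ev.app}")
    # Data in use: no copy/print of sensitive content from unmanaged devices.
    if ev.action in ("copy", "print") and ev.device != "managed":
        reasons.append(f"data in use ({ev.action}) on unmanaged device")
    if reasons:
        return "block", reasons
    # Context anomalies alone raise an alert rather than blocking a cleared user.
    if ev.location != "US" or not 7 <= ev.hour <= 19:
        return "alert", [f"unusual context: {ev.location} at {ev.hour:02d}:00"]
    return "allow", []


SAMPLE_EVENTS = [  # constructed
    Event("alice", "managed", "sharepoint", "upload", "US", 10,
          "Card 4111 1111 1111 1111 expires 12/27"),
    Event("bob", "managed", "dropbox", "upload", "US", 11,
          "Customer list: jane@example.com, john@example.com"),
    Event("mallory", "unmanaged", "corp-mail", "copy", "US", 14,
          "CONFIDENTIAL design notes"),
    Event("alice", "managed", "sharepoint", "read", "RO", 3,
          "SSN 123-45-6789"),
    Event("bob", "managed", "dropbox", "upload", "US", 12,
          "Order 1234567890123456 shipped"),  # fails Luhn: not a card number
]


def run_sample() -> list[tuple[str, list[str]]]:
    return [evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, (decision, reasons) in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{decision:5} {ev.user}/{ev.action}->{ev.app}: "
              f"{'; '.join(reasons) or 'ok'}")
```

Two design points worth noticing: the last sample event carries a 16-digit run that the regex alone would flag, and only the Luhn check keeps it from generating a false alert; and the fourth event is allowed on content and authorization grounds but still produces an alert because of its context (foreign location, 03:00), which is the "alert on unusual use" behaviour described above rather than a block.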
5. Implement DLP that accommodates Shadow IT
It can be complicated enough to protect data used by your organization's known inventory of sanctioned apps; on top of that, you also need to account for data accessed by shadow IT: the growing trove of software-as-a-service (SaaS) apps that employees adopt, often without approval from the IT department.
Under most SaaS models, the SaaS provider is responsible for the apps themselves, but the customer remains responsible for the data those apps handle. Users, who are focused on achieving business objectives, are not in a position to protect data from attacks that may come through compromised SaaS apps. It is up to you to prevent data leakage and misuse. DLP software can discover shadow IT and prevent users from accessing data through, or moving data to, these apps until you can bring them into the fold of secure IT operations.
6. Establish different levels of authorization and access
This best practice goes hand-in-hand with data classification, as the combination of the two lets you grant data access only to those who have clearance for a given classification. Your DLP software should also incorporate zero trust data protection policies that verify user identity and device status on every access, rather than trusting a user because of an earlier login.
7. Adopt complementary DLP companion tools
An effective DLP strategy relies on an ecosystem of tools that work together to provide insights, plans of action, and active protection of data. These tools include secure web gateways (SWG), cloud access security brokers (CASB) and email security.
As a core element of the Lookout Cloud Security platform, Lookout provides an integrated, cloud native advanced DLP engine to identify sensitive data based on policy - helping organizations to prevent data exfiltration and to meet security and compliance requirements, such as GDPR, PCI DSS, HIPAA, and CCPA.
The Lookout cloud DLP engine, when combined with our context-based Policy Engine, Data Classification integration and EDRM capabilities, provides the highest level of data security for cloud apps - spanning SaaS, IaaS deployed apps and even customer on-premise apps as well as email platforms such as Gmail and Microsoft Exchange Online.
The Lookout Security platform can also integrate with a customer’s existing on-premise EDLP platforms such as Symantec and Forcepoint, to leverage existing DLP policies and protect existing investments. Lookout also supports a dual mode, where both Lookout Cloud DLP and customers’ on-premise EDLP can be combined for maximum flexibility and data protection.
With data centricity in mind, we have built-in technologies that most other security companies don’t have. These include data loss prevention (DLP), exact data match (EDM), optical character recognition (OCR) and enterprise digital rights management (E-DRM).
Having these native functionalities, we can restrict access to data with varying degrees of granularity. For example, in addition to enabling or disabling downloading, we can take specific action on the data itself, such as redacting keywords, adding watermarking and applying encryption.
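Of the technologies listed above, exact data match (EDM) and keyword redaction are the two whose mechanics are easiest to show in code. The following is an added example of the generic EDM technique, not Lookout's implementation: authoritative records are indexed as keyed hashes of normalized field values (so the scanning tier never holds the plaintext table), free text is scanned by hashing candidate tokens and looking them up, a row is flagged only when several of its fields appear together, and matched values are then redacted in place. The customer table, the index key, the punctuation set and the sample messages are all constructed for the illustration.

```python
"""Exact data match (EDM) with redaction.

Added illustration of the generic EDM technique, not Lookout's implementation.
The customer table, the index key and the sample messages are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re

INDEX_KEY = b"constructed-secret-rotate-me"  # in practice kept out of the scanning tier
PUNCT = ".,;:()\"'"


def normalize(value: str) -> str:
    """Canonical form so 'Jane Doe' / 'jane  doe' and '123-45-6789' / '123456789' collide."""
    return re.sub(r"[^a-z0-9@]", "", value.lower())


def fingerprint(value: str) -> str:
    """Keyed hash of the normalized value: the index never stores plaintext."""
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records: list[dict[str, str]]) -> dict[str, set[tuple[int, str]]]:
    """fingerprint -> {(row, column)}, built once from the authoritative table."""
    index: dict[str, set[tuple[int, str]]] = {}
    for row, rec in enumerate(records):
        for col, val in rec.items():
            index.setdefault(fingerprint(val), set()).add((row, col))
    return index


def scan(text: str, index, min_fields: int = 2) -> dict[int, dict[str, tuple[int, int]]]:
    """Find table rows of which at least min_fields values occur in text.
    Returns {row: {column: (start, end)}} with character offsets of each hit."""
    tokens = [(m.start(), m.end()) for m in re.finditer(r"\S+", text)]
    hits: dict[int, dict[str, tuple[int, int]]] = {}
    for i in range(len(tokens)):
        for width in (1, 2, 3):            # multi-word values such as names
            if i + width > len(tokens):
                break
            start, end = tokens[i][0], tokens[i + width - 1][1]
            raw = text[start:end]
            core = raw.strip(PUNCT)
            if not core:
                continue
            left = len(raw) - len(raw.lstrip(PUNCT))
            right = len(raw) - len(raw.rstrip(PUNCT))
            for row, col in index.get(fingerprint(core), ()):
                hits.setdefault(row, {})[col] = (start + left, end - right)
    # Requiring several fields from the same row suppresses hits on common names.
    return {row: cols for row, cols in hits.items() if len(cols) >= min_fields}


def redact(text: str, hits) -> str:
    """Replace each matched value with a marker naming only its column."""
    spans = sorted(((s, e, col) for cols in hits.values()
                    for col, (s, e) in cols.items()), reverse=True)
    for s, e, col in spans:               # right to left keeps earlier offsets valid
        text = text[:s] + f"[{col} REDACTED]" + text[e:]
    return text


def scan_and_redact(text: str, index, min_fields: int = 2) -> tuple[set[int], str]:
    hits = scan(text, index, min_fields)
    return set(hits), redact(text, hits)


CUSTOMERS = [  # constructed authoritative records
    {"name": "Jane Doe", "email": "jane.doe@example.com", "ssn": "123-45-6789"},
    {"name": "John Roe", "email": "john.roe@example.com", "ssn": "987-65-4321"},
]
SAMPLES = [  # constructed outbound messages
    "Please update Jane Doe (SSN 123456789, jane.doe@example.com) in the CRM.",
    "Meeting with John Roe tomorrow",                    # one field only: not flagged
    "Random SSN-looking 111-22-3333 not in our table",   # pattern match fires, EDM does not
]

if __name__ == "__main__":
    idx = build_index(CUSTOMERS)
    for msg in SAMPLES:
        rows, out = scan_and_redact(msg, idx)
        print(f"rows={sorted(rows)} -> {out}")
```

The third sample is the point of EDM: a regex-based PII detector would flag any SSN-shaped string, whereas EDM only fires on values that actually exist in your records, so the decision can be more aggressive (block, redact) with fewer false positives. The `min_fields` threshold is the usual knob for the opposite problem, a common name appearing on its own.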
We also have advanced key management with bring-your-own-key (BYOK) abilities, enabling organizations to be in full control of their sensitive data across all cloud and SaaS applications.