Data loss prevention (DLP) is a broad term that refers to a collection of techniques designed to prevent sensitive data either falling into the wrong hands or being corrupted in some way. Such techniques include controlling and monitoring access to sensitive data, and any devices/networks that store the data.
While firewalls, IDPS and anti-virus solutions are useful for analysing and restricting inbound network traffic, DLP is more focused on what is happening within the network perimeter, including any outbound network traffic. This will also include the loss of data via portable storage devices, mobile devices, as well physical copies of documents containing sensitive data. With remote working becoming an increasingly popular trend, it has never been so important to have a Data Loss Prevention policy in place.
Below are 5 tips to help you design an effective policy:
1. Discover and classify sensitive data
DLP starts with some basic housekeeping. There are number of solutions available that can automatically discover and classify a wide range of data types such as PII, PHI and PCI. Some will even encrypt certain types of information as they are found. Naturally, it’s a good idea to delete any data you don’t need before going any further.
2. Use role-based access control (RBAC)
Once you know where your sensitive data resides, you can assign access controls in a more organized manner. Create a list of roles and their access rights, then go through a list of employees and assign them to these roles. Roles could include admin, billing, sales, technical support, and so on. They could also be based on other factors such as competency, responsibility and the number of years an employee has worked for the company. Be careful not to create too many roles as that would defeat the object of RBAC. Make sure that you conduct periodic audits of these roles and adhere to the “principal of least privilege” at all times.
3. Encrypt everything you can
All sensitive data both at rest and in transit should be encrypted. Most companies that encrypt sensitive data will put all of their sensitive files in an encrypted container. There are third-party tools such as BitLocker which can do this automatically. Windows Server provides a feature called Encrypting File System (EFS), which can encrypt all data stored on an NTFS-formatted partition, which is available to all users by default. There are also number of DLP solutions which can automatically encrypt sensitive data as it leaves the network.
4. Use an automated patch management tool
Unpatched software is one of the greatest causes of data loss. However, the process of manually patching thousands of systems would be an impossible job. There are number of solutions available that can automate the process. Your patch management solution should scan for updates on a daily or weekly basis. All patches will need to be tested in a controlled environment before they are rolled-out, and all production servers will need to be configured according to a standardized set of rules, as defined by the test server.
5. Monitor access to sensitive data
You need to know exactly who has access to what data, and when. You will be better off using an automated Data Security Platform like LepideAuditor, as they provide real-time alerts and detailed reports for changes, which can be used to meet regulatory compliance mandates. Additionally, some offer threshold alerting which can be used to detect and respond to events that match a pre-defined threshold condition, as well as anomaly spotting to detect potentially dangerous user behavior.