Data Loss Prevention — Policies and Best Practices

by Russell Smith, 08.07.2019, Data Security

With the ever-increasing amount of data that companies collect from customers and the changing threat landscape, it’s important to make sure that personally identifiable information (PII) is safeguarded so that it doesn’t end up in the wrong hands. Data breaches are hitting the headlines more frequently and can result in major reputational damage and large fines from data commissioners and regulatory bodies.

According to IT security company Protenus, healthcare data breaches in the first half of 2019 were already double the total for all of 2018. Other high-profile breaches in 2019 include Flipboard, where unauthorized access to databases containing user information occurred, and First American Corporation, which leaked mortgage deal documents including bank account numbers, tax records, social security numbers, and driving license images.

While many breaches occur through hacked databases or websites, employees can also accidentally leak information by forwarding emails and/or attachments to people outside the company, or to colleagues who are not authorized to view the information. Ransomware attacks are also increasing, and companies can lose access to data permanently if the right steps are not taken to protect it. Some organizations, like law firms, should take special care to ensure that client and case information is not leaked or viewed by unauthorized employees.

Classify Data

Before you can protect data, you need to understand what data you have, where it is located, and how it is stored. It makes little sense to encrypt or otherwise protect data that isn't sensitive. Identify data that contains PII or intellectual property (IP) that might be a target for hackers or create a problem if accidentally leaked. A good place to start is with a regulatory code that is relevant to your industry. For instance, if you accept credit card data, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS); if you are in health care in the U.S., the Health Insurance Portability and Accountability Act (HIPAA) applies. Regulations can help you get started with understanding exactly what data should be designated as sensitive.
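Classification engines, whether in a DLP product or in Windows Server FCI, do essentially what the following script does: scan content for patterns such as card numbers and U.S. social security numbers, validate the hits to cut false positives, and derive a label from what was found. This is an added example written for this article, not code from any product mentioned here; the sample text, the `Finding` record, the label names and the line-based scanner are all assumptions made for illustration. The card check applies the Luhn checksum and the SSN check applies the structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000), so a 16-digit ticket number or a placeholder SSN is not flagged. Findings are stored masked, because a DLP log full of complete card numbers would itself be a PCI DSS problem.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input for this example (not real customer data).
SAMPLE_TEXT = """\
Invoice 2019-0042 for order 4111111111111111 (paid by card)
Employee SSN on file: 123-45-6789
Reference number 1234567890123456 is an internal ticket id, not a card
Test SSN 000-12-3456 is invalid and should not be flagged
"""

# 13-16 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# U.S. SSN in the conventional AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str     # "credit_card" or "ssn" (labels assumed for this example)
    masked: str   # the value with all but the last four digits replaced by '*'


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding can be logged without storing the PII itself."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return validated, masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, "credit_card", mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_ok(*m.groups()):
                findings.append(Finding(line_no, "ssn", mask("".join(m.groups()))))
    return findings


def classify(text: str) -> str:
    """Derive a sensitivity label (names assumed here) from the kinds of PII found."""
    kinds = {f.kind for f in scan_text(text)}
    if "ssn" in kinds:
        return "Highly Confidential"
    if "credit_card" in kinds:
        return "Confidential"
    return "General"


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print("label:", classify(SAMPLE_TEXT))
```

Run as-is, the script reports the card on line 1 and the SSN on line 2, skips the Luhn-invalid ticket number and the 000-area SSN, and labels the sample "Highly Confidential". In practice you would feed it file contents from a share or mailbox export and write the masked findings to an inventory; the same validation step is what separates a useful classifier from one that buries analysts in false positives.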

The Data Loss Prevention (DLP) solution you choose to implement will also play a part in how data is classified. When choosing a solution, it’s important to understand how it classifies data and whether the process is manual, automatic, or a combination of both. There are many DLP solutions on the market, including Microsoft Azure Information Protection (AIP) and Symantec Data Loss Prevention. Microsoft’s solution works with data stored in Azure, Office 365, and Windows, and protection stays with documents as they are shared. Documents originating in other systems, like Dropbox, can be protected using Microsoft Cloud App Security.

Set Up Policies

Once your sensitive data is classified, set up policies in your chosen DLP solution to determine what users can do with the data. Some points to consider when designing DLP policies include preventing unauthorized personnel from viewing or modifying data; protecting data when it is stored, in transit, and shared; separating personal and corporate data; and designing policies that make it easy for employees to work with DLP.

When designing policies, make sure that data is protected in its three main states: at rest, in motion, and in use. Data at rest refers to data stored on disk or backup media. In motion describes data travelling across a network, like your company intranet or the public Internet. And data in use is data being viewed or processed in an application, like when it is opened in Word or when it is being processed by a backend database.

Microsoft has several DLP technologies that work together, and they can help you build your DLP policies. Windows Information Protection (WIP) helps protect data that has a sensitivity label and separates personal and business data on Windows devices, making it easy to remotely wipe corporate data without touching a user’s personal files. WIP encrypts data using the Encrypting File System (EFS) but doesn’t protect data if it leaves a Windows device.

Azure Information Protection is a cloud-based solution for classifying and protecting documents and emails by applying labels. It is a superset of Active Directory Rights Management Services (AD RMS) and Office 365 RMS, and it protects content moved between devices and cloud services. Finally, Windows Server File Classification Infrastructure (FCI) scans server files to determine whether they contain sensitive data, and can take automatic action according to rules you define, like protecting data using Azure RMS.

Device Protection

To provide complete protection, it is best practice to enable full-drive encryption on endpoints and servers storing sensitive data, so they are protected against physical theft. Full-drive encryption defends against offline attacks on a lost or stolen device, such as removing the drive and reading it from another machine. It does not help if an attacker compromises credentials and simply logs in as a genuine user, and DLP policies cannot stop that either, so encryption needs to be paired with strong authentication. Windows has a built-in full-drive encryption feature called BitLocker, and it should be enabled on all devices that handle sensitive data, ideally with the TPM plus a pre-boot PIN, and with recovery keys escrowed (for example in Active Directory) so that a lost key does not become a data loss of its own.

Ransomware often takes hold via compromised endpoints. It's important to make sure that you have current backups of all data, with at least one copy kept offsite or offline where ransomware that encrypts network shares cannot reach it. Patching Windows and applications is critical for reducing the chance that ransomware can exploit known vulnerabilities to infect devices and spread from one to another. Removing administrative rights from end users and restricting use of privileged Active Directory accounts also significantly reduces the chances of malware infection.

Data Loss Prevention can be complex to deploy if you are looking at a complete solution. But some simple steps, like educating users, patching servers and applications, and following basic security best practices, go a long way to helping reduce the chances of sensitive data getting into the wrong hands.

How LepideAuditor Can Help You

If you would like to see how Lepide can help you prevent data loss, come and take a look at our award-winning data security platform, LepideAuditor. Our solution will enable you to locate and classify your sensitive data, monitor access rights and analyze user behavior to help you spot a data breach before it manifests. Schedule a demo today to see how LepideAuditor can help secure your data.
