What is Data Loss Prevention (DLP)? Tips and Best Practices

What is Data Loss Prevention (DLP)? A Definition

In summary, data loss prevention, or DLP, is a set of policies, practices, and solutions that combine to prevent sensitive data from escaping the organization’s internal data stores. DLP strategies and solutions focus on both protecting data from outside interference and internal threats.

DLP technologies often use rules to discover and classify sensitive data, so that administrators can identify areas of risk. Extra layers of protection can then be applied to those areas. DLP technologies often have methods of automatically detecting anomalous or unwanted behavior and triggering automated responses to shut down threats.

Organizations often adopt data loss prevention solutions because they struggle to manage the sheer volume of internal data natively. Most governments and industries will also have regulations that make adopting a data loss prevention solution a necessity.

Why You Need a Data Loss Prevention Solution

We all know that data leakage can be damaging for both the reputation and bottom line of any organization. We also know that if we do not have sufficient security measures in place, then a data loss incident is likely.

Even though we are well aware of these dangers and data protection has become a hot topic, many of us are still not fully convinced of the need for data loss prevention solutions.

So, here are 9 reasons why data loss prevention solutions are a necessity.

1. You don’t know who’s accessing your most sensitive data

You will not get a 360-degree view of the data location, flow, and usage across your enterprise if you’re relying on native auditing. Once you have a thorough understanding of this data, you can choose what data to protect, set the appropriate policies and define the cost.

You can use third-party, off-the-shelf, solutions to monitor data access. This way you will be better able to protect and control sensitive data.

2. Your company does not have a plan to deal with insider threats

If your company does not have a plan to deal with insider threats, unintentional confidential data disclosure or data leakage by internal employees is a serious threat.

As part of your data loss prevention plan, you must be tracking who logs on to your file servers and protect files that contain sensitive information.

3. You are concerned about the effect data breaches could have on your business

This one probably applies more to C-level executives than anyone else. In recent years, data breaches have been making headlines. Organizations worldwide are concerned about the state of their enterprises because of the data breach incidents.

If you can detect breaches early, you can contain the damage of a data leak. Real-time alerts can inform you of the data breaches as soon as they happen.

4. You are not sure how you will meet compliance regulations

There are global compliance requirements that require organizations in both the public and private sectors to safeguard sensitive information.

Compliance requirements such as SOX, HIPAA, PCI, GLBA, and others have to be met, otherwise heavy penalties can be applied. Many data loss prevention solutions will come with compliance-ready reports built in to speed up this process.

5. You are concerned about wide adoption of BYOD

Many organizations allow BYOD (bring your own device) which supports social networking, instant messaging, and other Web 2.0 applications. Data loss prevention programs prevent the exposure of confidential information across these unsecured communication lines.

Mobile phones and tablets are difficult to defend from attackers; they also require regular patch updates. As the security of these devices mainly falls on the shoulders of the user, they are vulnerable to theft, poor maintenance, and personal misuse.

6. You want to protect your confidential data in the cloud

Many enterprises are choosing to move their confidential data to applications to the cloud. You want to secure the points where data enters and leaves your organization. You should be able to prioritize data, recognize sensitive information that is flowing to the cloud and encrypt it to prevent information leaks.

7. You want to improve corporate governance

Data leak prevention capabilities will improve overall corporate governance in general, and information governance in particular. Having a thorough and efficient data leak prevention capability can improve organizational policies and processes, promote compliance and give way to more comprehensive information governance.

8. You want a competitive advantage

If you can identify sensitive data and protect it from loss or misuse, you are in a better position to compete with others. If you fail to protect confidential data, it can irreparably damage your company’s brand, unnerve your investors, lower share prices and cause financial losses. If you have a data loss prevention plan, you can protect valuable trade secrets, vital intelligence and prevent data loss that leads to negative publicity.

9. You want to maintain forensic records of security events

A full-fledged data loss prevention solution allows you to capture and archive change events for auditing and forensic analysis. You can take backups of key infrastructure and keep them for data restoration and as evidence for security analysis.

Data Loss Prevention Best Practices and Policies

Classify Data

Before you can protect data, you need to understand what data you have, where it is located, and how it is stored. It makes little sense to encrypt or otherwise protect data that isn’t sensitive.

Identify data that contains PII or intellectual property (IP) that might be a target for hackers or create a problem if accidentally leaked. A good place to start is with a regulatory code that is relevant to your industry. For instance, if you accept credit card data, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS); or if you are in health care in the U.S., the Health Insurance Portability and Accountability Act (HIPAA). Regulations can help you get started with understanding exactly what data should be designated as classified.

The Data Loss Prevention (DLP) solution you choose to implement will also play a part in how data is classified. When choosing a solution, it’s important to understand how it classifies data and whether the process is manual, automatic, or a combination of both. There are many DLP solutions on the market, including Microsoft Azure Information Protection (AIP) and Symantec Data Loss Prevention. Microsoft’s solution works with data stored in Azure, Office 365, and Windows, and protection stays with documents as they are shared. Documents originating in other systems, like Dropbox, can be protected using Microsoft Cloud App Security.

Set Up Policies

Once your sensitive data is classified, set up policies in your chosen DLP solution to determine what users can do with the data. Some points to consider when designing DLP policies include preventing unauthorized personnel from viewing or modifying data; protecting data when it is stored, in transit, and shared; separating personal and corporate data; and designing policies that make it easy for employees to work with DLP.

When designing policies, make sure that data is protected in its three main states: at rest, in motion, and in use. Data at rest refers to when it is stored on disk or backup medium. In motion describes when data is traveling across a network, like your company’s intranet or the public Internet. And data in use is when it is being viewed or processed in an application, like when it is opened in Word or when it is being processed by a backend database.

Microsoft has several DLP technologies that work together, and they can help you build your DLP policies. Windows Information Protection (WIP) helps protect data that has a sensitivity label and separates personal and business data on Windows devices, making it easy to remotely wipe corporate data without touching a user’s personal files. WIP encrypts data using the Encrypting File System (EFS) but doesn’t protect data if it leaves a Windows device.

Azure Information Protection is a cloud-based solution for classifying and protecting documents and emails by applying labels. It is a superset of Active Directory Rights Management System (RMS) and Office 365 RMS, and it protects content moved between devices and cloud services. Finally, Windows Server File Classification Infrastructure (FCI) scans server files to determine whether they contain sensitive data and can take automatic action according to rules you define, like protecting data using Azure RMS.

Device Protection

To provide complete protection, it is best practice to enable full-drive encryption on endpoints and servers storing sensitive data, so they are protected against physical theft. DLP can’t protect you against physical theft if a hacker is able to compromise credentials and log in as a genuine user on a stolen device. Full-drive encryption makes it almost impossible for a hacker to compromise data on a device. Windows has a built-in full-drive encryption feature called BitLocker and it should be enabled on all devices that handle sensitive data.

Ransomware often takes hold via compromised endpoints. It’s important to make sure that you have current backups of all data, with at least one kept offsite. Patching Windows and applications is critical for making sure ransomware can’t infect devices and spread from one to another. Removing administrative rights from end users and restricting the use of privileged Active Directory accounts also significantly reduces the chances of malware infection.

Data Loss Prevention can be complex to deploy if you are looking at a complete solution. But some simple steps, like educating users, patching servers and applications, and following basic security best practices, go a long way to helping reduce the chances of sensitive data getting into the wrong hands.

How Lepide Can Help You Implement Data Loss Prevention

If you would like to see how Lepide can help you prevent data loss, come and take a look at our award-winning Lepide Data Security Platform. Our solution will enable you to locate and classify your sensitive data, monitor access rights and analyze user behavior to help you spot a data breach before it manifests. Schedule a demo today to see how Lepide can help secure your data.