How to lock down your data with data loss prevention systems
Most of the highly publicized data breaches involve credit card or bank account numbers, but other sensitive data is also at risk, including Social Security numbers, medical records, personal information like your mother’s maiden name, and more. Sensitive data can also be trade secrets or any other type of intellectual property that, if stolen, could damage a company’s ability to compete in the marketplace.
Enterprise companies are responding to this threat by choosing specialized data loss prevention (DLP) solutions that use policy rules to detect, classify, manage, and protect confidential and critical information. Complete DLP solutions integrate deeply into an organization’s network, file storage, SharePoint, databases, and endpoint PCs, and they offer incredibly detailed reporting and tight security controls, but only when implemented and configured correctly.
Interestingly enough, the biggest challenges to most DLP deployments involve integrating business processes, not technology. To understand the underlying problems organizations often face with DLP implementations, we must examine the three questions every DLP solution must answer.
- What kind of data needs protecting?
- Where is the data located?
- What should we do when we find the data outside of approved locations?
Each of the above questions should be answered before technical installation for any DLP system begins, regardless of vendor. Successful DLP implementations occur when organizations adopt the correct business procedures and policies that fully support the solution, and ease the challenges DLP engineers face.
What kind of data needs protecting?
Sensitive data falls under a broad umbrella, but most DLP systems can define data points either through policy templates that contain definitions based on regulatory rules, or through manually entered samples of the data, such as keywords or entire documents. The challenges most organizations experience in this area involve the accuracy of those definitions, and being thorough enough to determine all types of sensitive data and where it’s located.
Creating accurate data descriptors that match sensitive information often requires input from the data owners and department managers. Although it sounds impossible, an accurate sensitive data definition can be accomplished by permitting DLP engineers to interview IT directors and business unit managers. Accurate input and classification, as well as honest communication, bridge the gap between technical DLP discovery controls and real business needs, and help solve the problem of unstructured data.
Where is the data located?
DLP solutions inspect files and data in three major categories: data at rest on file shares, SharePoint, databases, and even flash drives; data in motion, traveling on networks and endpoints; and data in use, while it is being handled in applications, held in memory (as with copy and paste), or accessed during browsing.
Combing through the data raises a difficult challenge for DLP engineers: identifying all relevant locations where sensitive data may reside, and how employees modify and transfer files to varying locations. The good news is that most DLP solutions offer some data discovery features capable of scanning file and database stores to identify where sensitive data exists.
Still, most DLP implementations operate for a period of time detecting data in motion in order to build a profile of how employees handle and process information. This process creates incident reports that identify locations outside of expected areas where users store sensitive data.
What to do when we find the data outside of approved locations?
The incident reports generated by DLP systems contain details of each violation of policy at a given location. For example, each time an employee copies a file containing sensitive information to a flash drive without encryption, the DLP system creates an incident that captures the employee's name, the filename, and the location to which the file was copied. Incident alerts can even be configured to notify the employee's manager each time a violation occurs.
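The descriptor matching and incident reporting described above, as an added sketch that is not from the original article or any DLP product. The patterns, the approved share path, the rule that an encrypted copy is acceptable, and the sample copy events are all constructed assumptions; the Luhn checksum shows one way a descriptor's accuracy is improved so that arbitrary 16-digit values do not raise incidents.

```python
import re
from dataclasses import dataclass

# Constructed descriptors and policy (assumptions, not a vendor template).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
APPROVED_PREFIXES = ("\\\\fileserver\\finance\\",)  # hypothetical approved share

@dataclass
class Incident:
    user: str
    filename: str
    location: str
    rules: tuple

def luhn_ok(number: str) -> bool:
    """Checksum that separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> tuple:
    """Return the names of the data descriptors that match the text."""
    rules = []
    cards = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    if any(luhn_ok(c) for c in cards):
        rules.append("credit_card")
    if SSN_RE.search(text):
        rules.append("ssn")
    return tuple(rules)

def evaluate(event: dict):
    """Create an incident only for sensitive data outside approved locations."""
    rules = classify(event["content"])
    approved = event["dest"].startswith(APPROVED_PREFIXES) or event["encrypted"]
    if rules and not approved:
        return Incident(event["user"], event["filename"], event["dest"], rules)
    return None

# Constructed file-copy events (sample data, not real records).
EVENTS = [
    {"user": "alice", "filename": "customers.csv", "dest": "E:\\", "encrypted": False,
     "content": "Jane Roe, 4111 1111 1111 1111, SSN 123-45-6789"},
    {"user": "bob", "filename": "orders.txt", "dest": "E:\\", "encrypted": False,
     "content": "order id 1234 5678 9012 3456"},
    {"user": "carol", "filename": "billing.csv", "dest": "\\\\fileserver\\finance\\q3\\",
     "encrypted": False, "content": "card 4111-1111-1111-1111"},
]
INCIDENTS = [inc for inc in map(evaluate, EVENTS) if inc]
```

Only the first event produces an incident: the second contains a 16-digit order ID that fails the checksum, and the third lands on the approved share.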
Often, the challenge presented by an incident report is not what data was improperly moved or stored, but how to handle the incident information. In a perfect world, organizations would have established policies and procedures to discipline employees who violate their policies. However, the vast majority of companies have inadequate internal policies to correctly process employee violations when they mishandle sensitive data.
DLP professional services can assist companies in developing the proper procedures to complement the technology solution. However, company officials must identify the individuals in charge of responding to incident reports, and leverage the technical DLP controls to match business procedures.
Developing best practices for DLP
DLP solutions greatly reduce overall risk of data exposure, but only when engineered and implemented correctly. These solutions are powerful tools that can help manage data, but they are very hands-on systems that require managers to take action on the relevant incident information presented to them.
At its core, DLP classifies data and reports the improper handling of sensitive information. But employees often lack proper training on how to securely manage and move information resources. Through DLP, companies can determine how employees use and handle sensitive information after discovering and examining actual data usage.
DLP systems help organizations understand how their sensitive data is stored. However, that is only one piece of the puzzle, and senior management must conduct employee training on how to properly move and store information. Finally, organizations should assign appropriate personnel to incident handling roles that best take advantage of the data reports a DLP system presents.