Understanding Data Loss Prevention Strategies
Data loss is becoming an issue of increasing concern for data-driven enterprises of all sizes. When a major data breach occurs, it can cost businesses millions of dollars. More importantly, it can sever the bonds of trust between a brand and its target market, sparking a mass exodus to competing products and services. In compliance-focused enterprises, it can lead to millions in fines and increased regulatory overhead even when all procedures were followed closely.
When the average person thinks of data loss, they probably think of hackers disrupting businesses as part of an international criminal network. While outside agents do drive millions in cybercrime losses every year, information security professionals understand that the outside threat is not the only one. Authorized individuals working within the corporate network can “lose” sensitive data or disseminate it unintentionally to others. Data loss prevention (DLP) is a method to ensure users do not send critical information outside of the protected network while DLP strategies can help provide protection to an organization’s own sensitive data.
Managing Internal and External Stakeholders
A data loss prevention strategy can help an organization focus on internal threats from the accidental and intentional activity by authorized individuals. There are many situations where an enterprise should be especially alert to data loss threats:
- Workforce Reduction: During a workforce reduction, stakeholders whose loyalty to the enterprise is tenuous may have access to a wide range of data resources, including sensitive intellectual property.
- Vendor Partnerships: Outside vendors may have access to identifiable customer data in the course of executing their duties. Even if they have no intention of misusing the data, they could be storing it improperly.
- Third-Party Software: Many companies use a range of software for planning purposes. The weak link in this chain is frequently the free, personal email addresses team members might use on services like Google or Yahoo because these services are accessed out of the secure company network and situations of weak passwords and non-secure networks leave data security gaps.
- Ambiguous Resources: In many cases, important data can become “lost” in the daily operations of complex enterprises. In such situations, securing key assets becomes impossible until they are identified and rediscovered.
Paradigms and Practices in Data Loss Prevention
Information security professionals have a wide range of tools at their disposal when it comes to establishing a DLP strategy. As with any security protocol, it’s important to quantify risk and know what investment will offset it adequately without undercutting the value of the assets being protected. Luckily, many DLP approaches can be both cost-efficient and effective if implemented correctly.
The choice of DLP strategy is primarily a choice of architecture. Vendors may provide many options that could work within the context of an organization’s existing systems, but the choice of which one is appropriate will hinge on a variety of factors:
- Is there an in-house team that can manage the DLP or should it be a managed service?
- Is the enterprise fully fluent in cloud applications or does it prefer on-site hardware?
- What solutions are most suitable for the size, scope, and geography of the enterprise?
- Which stakeholders need to be briefed or trained to secure return on investment from the new system?
- Whose buy-in is needed in order to procure and implement the most suitable system?
DLP solutions can be broken down into the following:
Software-based solutions typically require a subscription to cover the enterprise’s endpoints and the management server. As the number of endpoints expands, the system becomes more expensive. Before a software solution can be implemented, the enterprise must have the necessary hardware, operating system, and virtualization. Although these tools provide a great deal of control, they may not be as scalable as cloud-based solutions for growing enterprises.
Hardware-based solutions focus on the use of DLP appliances to encrypt and monitor certain sensitive transmissions, particularly email. A hardware-based solution can be ideal for a smaller network where stakeholders typically log in using standardized, on-site terminals. A common setup for hardware-based DLP includes at least one Mail Transfer Agent (MTA), a management server, and a database server, all of which are maintained “in-house”.
DLP can be provided as a service from a number of cloud-focused vendors. As with many cloud applications, this requires no investment for hardware. Web Cache Communication Protocol is used to direct corporate endpoint users to the DLP provider’s cloud network. Alternately, a PAC file can be installed on each endpoint so all traffic is automatically redirected. Cloud-based DLP can be the easiest type of system to implement and scale.
Managing the DLP Strategy
In most enterprises, key stakeholders from IT, human resources, legal, and any internal auditing team will typically be involved in DLP implementation. Many non-technical stakeholders may have some reservations about the data capture capabilities of DLP tools – it is up to the information security professional to communicate the value, in terms of avoided liability and greater compliance, that DLP can offer.
As part of the implementation, it will be necessary to develop an internal infrastructure to manage the solution. Most solutions are not managed completely by the vendor, and it’ll be necessary to devote internal expertise to maintenance and monitoring. A responsibility assignment matrix, also called a RACI chart (Responsible, Accountable, Consulted, Informed) can be used to assign responsibilities to internal experts. This will reduce duplication of effort and ensure that stakeholders do not have conflicting mandates. For example, the security team should have the capacity to develop DLP policies, but implementing them should fall to the IT or support team.
Since DLP systems discover and catalog all of the events related to the most sensitive data on the system, there will inevitably be some degree of stratification in who can access DLP event logs. Ensure that appropriate stakeholders can address individual DLP events without actually seeing the contents of those events. If this distinction is not implemented throughout the system, it will be easy to create the very type of data breach situation that DLP aims to prevent.
Data loss prevention represents a crucial internal control that will be valuable to growing enterprises, global brands, and any company that follows strict compliance standards. When implementing, organizations should take the needed time to carefully select the proper solution, as well as document processes. True security is achieved only when policies and procedures are fully aligned with the technical capabilities of the system. Equally important to the success of the DLP strategy is for the information security team to guide this process, with both the technical and human elements in mind.
As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their places of work and their communities.
At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Information Security & Assurance, have made our comprehensive curriculum available to more students than ever before.
Norwich University has been designated as a Center for Academic Excellence in Cyber Defense Education by the National Security Agency and Department of Homeland Security. Through your program, you can choose from the five unique concentrations that are uniquely designed to provide an in-depth examination of policies, procedures, and overall structure of an information assurance program.