Data Loss and Data Leakage aren’t new subjects in our industry. But as often happens with a “hot topic” there is so much noise that it is nearly impossible to know what constitutes a full solution vs. marketing solution vs. very limited partial solution. Such is perhaps the case with DLP and DLL.
First, let’s start with what DLP and DLL are:
- DLP stands for Data Loss Prevention. It refers to the malicious taking or deleting of data that is either critical to the business (e.g., intellectual property, board meeting notes, etc.) or governed by a compliance regime such as PCI, HIPAA, GDPR or another regulatory requirement.
- DLL stands for Data Loss Leakage. It refers to the loss of data through negligence or through non-malicious means (e.g., sending medical data to a patient with a social security number in the document but not encrypting the email, when sensitive data transmission should be encrypted).
Too many companies today will say they have a DLP solution when all they do is limited in-line blocking of very specific structured traffic formats while the traffic is in motion. This limited functionality is often sold as a solution for stopping credit cards and social security numbers specifically from leaving the organization over the internet (think CASB providers, WAFs, firewalls, secure web gateways, endpoint security providers, etc.). Having said that, most organizations should use these point solutions to solve tactical problems and/or to get a head start on a broader, more complete DLP/DLL solution.
6 Steps to Implement an Effective DLP Program
The reality is that most organizations need a far more robust answer to data leakage and loss problems than they have today. When exploring DLP solutions, there are six distinct steps that should be considered:
- Discovery and Analysis – On the surface this sounds simple, but it’s not. This is a very specialized area if you are going to do it right. The systems need to crawl your data stores and end devices and analyze the data beyond the basics (going beyond credit card numbers and social security numbers). Discovery and analysis should also be able to review unstructured data (including things like faxes, photographs, etc.).
- Classification/Categorization – Not all data is created equal, so to speak. In order to better protect the organization and the data at the right levels, we need to classify the different data types and their risk profiles. Some high-level examples might be client PII, PCI, company financials, company intellectual property, etc.
- Monitoring – The data must be monitored to understand how it is used. This will enable an assessment of any policies and mitigating controls you select to help you in your DLP journey and take into account the unique way your company needs to legitimately use the data. For example, while a hospital can’t share patient data with just anyone, there are times it does need to share data on patients with outside groups… thus we might create a policy that says when transferring data off site it must use an encrypted secure FTP or an encrypted email system that uses a one-time random password. (Most organizations don’t require this, but the ones that have compliance obligations around this would need the correct policy in place.)
- Policy Creation – Once we understand where the data is, our company’s compliance requirements, how the data is used and the risk to the organization, we can create the correct data use and protection policy. This policy should be realistic and take into account that most data loss is through negligence. Don’t assume anything is too obvious to have a policy in place; this is a point where many DLP programs fail. It’s also vital here, as with most other well-meaning technology initiatives, to receive leadership buy-in for your DLP program.
- Policy Roll Out – Once you’ve established your policies and received leadership buy-in, the policy needs to be rolled out, along with the associated technology to act as enforcement points and compensating controls to support said policy. Yes, we need to use technology in each phase of this project, but the enforcement tools and the architecture for DLP in your environment are somewhat constrained until you have finished the first three phases outlined above.
- Educate – Policy and controls can’t be effective without education. The things we can do with technology today would be mind-blowing to our forebears, but in the end our employees are still human and thus fallible. People make mistakes and nefarious actors steal things. In the end, all we can do is make people as aware and educated as possible. Even the best policy and systems without training will fail.
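To make the Discovery, Classification and Policy steps above concrete, here is a small added example (written for this article, not Verinext's code or any product's engine). It crawls a constructed in-memory "data store", detects card numbers and social security numbers going beyond a bare pattern match (card candidates must pass a Luhn check, SSN candidates must satisfy the SSA's structural rules, so order references and placeholder values are not mislabelled), tags each document with a classification label and risk tier, and then evaluates the hospital-style transfer policy from the Monitoring step. The sample documents, the keyword list used for intellectual property, the label-to-risk mapping and the channel names are all assumptions chosen for illustration.

```python
"""
Added DLP example: discovery -> classification -> policy evaluation
over a constructed sample data store. Not a product's own code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample "data store" (path -> content). All values are test data.
SAMPLE_STORE = {
    "finance/q3_forecast.txt": "Q3 revenue forecast: 12.4M. Board-only draft.",
    "support/ticket_1042.txt": "Customer card 4111 1111 1111 1111 exp 12/27 declined.",
    "hr/onboarding.txt": "New hire SSN 123-45-6789, start date 2024-03-01.",
    "ops/order_log.txt": "Order ref 1234567890123456 shipped.",  # 16 digits, fails Luhn
    "hr/template.txt": "Enter SSN as 000-12-3456 (placeholder).",  # invalid SSN area
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # 13-19 digits, spaces/hyphens allowed
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
IP_KEYWORDS = ("board-only", "confidential", "forecast")  # assumed markers for IP

# Assumed classification -> risk tier mapping.
LABEL_RISK = {"PCI": "high", "PII": "high", "IP": "medium"}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900-999, group and serial non-zero."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    path: str
    labels: set = field(default_factory=set)
    risk: str = "low"


def classify(path: str, text: str) -> Finding:
    """Discovery + classification for one document."""
    f = Finding(path)
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            f.labels.add("PCI")
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            f.labels.add("PII")
    if any(k in text.lower() for k in IP_KEYWORDS):
        f.labels.add("IP")
    for label in f.labels:  # risk tier is the highest of the labels found
        if RISK_ORDER[LABEL_RISK[label]] > RISK_ORDER[f.risk]:
            f.risk = LABEL_RISK[label]
    return f


def discover(store: dict) -> dict:
    """Crawl every document in the store; returns path -> Finding."""
    return {path: classify(path, text) for path, text in store.items()}


def transfer_allowed(finding: Finding, channel: str) -> bool:
    """Policy from the hospital example: regulated data (PCI/PII) may leave the
    site only over an encrypted channel. Channel names are assumed."""
    if not finding.labels & {"PCI", "PII"}:
        return True
    return channel in ("sftp", "encrypted_email")


if __name__ == "__main__":
    findings = discover(SAMPLE_STORE)
    for path, f in findings.items():
        print(f"{path:26} labels={sorted(f.labels) or '-'} risk={f.risk}")
    for channel in ("plain_email", "sftp"):
        ok = transfer_allowed(findings["hr/onboarding.txt"], channel)
        print(f"hr/onboarding.txt via {channel}: {'allow' if ok else 'block'}")
```

Run as-is to see which documents are tagged and which transfers the policy would block. The two validation steps are the practical difference between "pattern matching" and "analysis": the order reference in ops/order_log.txt and the placeholder SSN in hr/template.txt are exactly the kind of false positives that erode trust in a DLP rollout.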
In closing, please remember that a data leakage/loss program truly fits the mantra of being a journey, not a destination. It is important that your DLP program is constantly reviewed and updated to accommodate both internal and external factors that may affect your policy, enforcement and technology effectiveness. The very best horse-drawn carriage is still obsolete when compared with a combustion-driven car.
Verinext is proud to offer a full-lifecycle approach to DLP, from tactical solutions and policy creation to building out a full DLP solution that includes lifecycle management, education, health checks and policy updating. Learn more about Verinext solutions for secure enterprises here, then contact us to explore next steps.