
Understanding Data Loss Prevention

Data is crucial to organisations and needs to be kept safe. However, data leakage happens every day. It affects important data such as patient or customer personal records, payment details, intellectual property (such as source code and design specifications), price lists, trade secrets and anything else that gives a competitor or a criminal an advantage, or whose loss damages an organisation's reputation to the point of losing customers. This is why information and data need to be monitored and protected.

This is also why strict laws on protecting data, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Data Protection Act 1998 (DPA), the General Data Protection Regulation (GDPR) and Gramm-Leach-Bliley, have been introduced.

 

Due to the regulations mentioned above, organisations need to ensure preventative measures have been implemented against data loss. Protecting against data loss is a process and technical solutions are part of the process.

One of the first steps is to assess and analyse the data currently held on behalf of an organisation. This can be in privately owned data centres, public data centres, cloud services, on endpoint devices and in other locations. A successful assessment of the current data helps provide an understanding of how to protect it, whether by using technical controls, by implementing processes and procedures or, more than likely, by a combination of both.

To assess data thoroughly and to understand what would be required from a data loss strategy, the following are some key elements that should be followed:

- Understand the organisation's data
- Understand what type of data it is that needs protecting
- Know where the data is located and how it is transmitted and shared
- Analyse whether the data is supposed to be there
- Determine whether this data should be encrypted, by analysing the sensitivity of the data and based on the organisation's security policies
- Assess who has access to the data
- Determine who should have access to this data
- Determine if it would affect their job role if they didn't have access to it
- Assess if they can copy this data to their desktop or a USB stick
- Assess if they can open it with certain applications
- Assess if this data can be posted to a social website or attached to personal or corporate emails
- Assess if a user should have full rights to a document
- Understand how the data is transmitted internally within an organisation and externally out of the organisation
- Assess how the data is protected while it moves through the different hops, for example by encryption software or a DRM/IRM solution
- Identify what existing technologies are already in place to aid in data protection. For example, if the organisation uses web and email security technologies, it is likely those solutions will have data loss prevention capabilities that can be used as part of the overall data loss prevention measures

After the organisation's data has been assessed thoroughly, policies and procedures need to be created for it. These are instructions to employees on how to handle the data. It is important to define clear and thoroughly written policies, such as an acceptable usage handling policy, including the consequences for anyone who does not follow them.

After the policies are created, employees need to be made aware of them, and training should be provided on the importance of DLP. This is in fact one of the most critical parts of the process. Data loss occurs over 90 percent of the time due to employee errors. Some data loss cannot be avoided without employee education.

For example, if an employee could not send, copy or paste customer details to someone else, the employee may choose to physically write them on a piece of paper or take a picture of them. This is a simple example, but a technical enforcement solution cannot block it, and therefore employee education as well as strict processes and procedures are crucial to the overall data loss prevention strategy.

 

Technical DLP Solution

A well planned and designed technical solution does play a big part and can protect an organisation from many data breaches. A technical solution can help educate employees and prevent loss of data.

Four leading data loss prevention solutions on the market are as follows:

- RSA DLP
- Websense Data Security
- Symantec's Vontu DLP
- McAfee's DLP solution

A DLP solution concentrates on three main areas, as detailed below:

- Data at rest or in storage (on file servers, database servers, etc.)
- Data in motion (data travelling across the network, such as when sending emails and posting data on the web)
- Data on the endpoints or in use (data on laptops, desktops or IoT devices)

 

It's important that the company has a plan to define what is important to it. This is one of the main processes within DLP. A financial company may want to be compliant with PCI DSS, whereas a private health clinic may want to be in line with HIPAA. These may be the key areas upon which these two organisations build their DLP solution, along with other areas that they find important, valuable and confidential for their line of work.

If budget is tight, which is usually the case, or if an organisation finds it difficult to come to terms with the importance of investing in a DLP solution, vendors tend to sell parts of a DLP solution that are focused on specific jobs. For example, Websense provides a software product called Data Discover that scans the network for confidential data, a separate DLP product for endpoint systems known as Data Endpoint, and another point product known as Data Protect that protects certain types of data from leaving the organisation, amongst other DLP products. Finally, Websense offers an all-in-one DLP solution called Data Security Suite that combines all of these DLP products. This is very much the kind of variation major DLP vendors provide to organisations that are only interested in securing a particular part of their data.

When investing in a technical DLP solution, it is important to understand the solution's capabilities, such as the protocols it supports or, from a network discovery perspective, what type of services the solution will scan for, such as web servers, SMTP servers, database servers, and so on.

 

Some pointers on DLP

A discover utility should be able to scan the whole network and not just Windows platforms. A solution may leave a file marker where confidential information resided, while quarantining the original file. The marker would inform the user about data protection policies and how they can regain access to the file.

An endpoint solution should prevent sensitive data from being copied to removable devices even when off the network, via an agent installed on the local machine. Endpoint prevention should block files from being copied to removable media or transferred over email, IM (Instant Messaging) or FTP. Endpoint agents should provide local detection for policies when the laptop is offline. The solution should be able to block users copying to removable disk and should ask a user to justify why they need to send this data. This is good learning practice both for administrators, on why users need to send such data, and for end users, making them aware of the sensitivity of the data.

Data security policies should be defined using a policy builder within the centralised management platform. A user should be able to create a policy from scratch or use a policy template from a package of defined templates to meet different types of needs. A user should be able to write the policy once and enforce it across all defined data models.

Storage areas (data at rest) would need to be scanned and so scanned targets would need to be defined within the central interface.

The most important data should be protected first, followed by monitoring and testing, and fine tuning where necessary.

To go a step further, a technical control which proves to be very powerful is the integration of IRM/DRM solutions. If employees are allowed to take documents off site such as Microsoft Office and PDF documents, a DRM/IRM policy will keep the document tightly controlled depending on the privileges assigned.

 

A common example of sensitive data being protected by DLP controls:


Step 1 – A user defines a data security policy, defining detection rules and response rules.

Once a policy is defined and active, network monitoring tools and/or network prevention tools are able to inspect data and match it against the defined policies. If network monitoring inspects data and finds a match, it will report an incident.

Step 2 – An employee sends confidential data such as an attached diagram (Intellectual property, source code, payment details, etc).

Step 3 – Network prevention is able to block the email or any other type of data from leaving. The policy it hits will consist of defined detection rules and response rules. A response rule specifies how to respond to a detected incident, e.g., block the email and send a notification to management. It may block the transmission, or tag it for redirection or downstream processing.

Step 4 – The system can optionally send the employee a notification, referred to as a sender notification, which provides real-time security education on the organisation's data security policy. Sender notifications should contain links to corporate policies, FAQs and further assistance.

The incident will be logged and can later be used for reporting purposes. The notification can be customised to include variable data that was captured with the incident, for example, the subject and violations or the recipient's email.
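Steps 1 to 4 above, as a minimal sketch added here (it is not code from any DLP product named on this page): a policy pairs a detection rule with response rules, and an outbound email is inspected against it. The card-number detection rule, the message layout, all names and the intranet URL are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that cannot be payment card numbers."""
    total = 0
    for i, d in enumerate(map(int, reversed(digits))):
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Detection rule: Luhn-valid card number candidates found in the text."""
    found = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [digits for digits in found if luhn_ok(digits)]

@dataclass
class Policy:
    name: str
    detect: Callable[[str], list]  # detection rule
    responses: tuple               # response rules: "block", "notify_sender"

def inspect_email(msg: dict, policies: list, incident_log: list) -> dict:
    """Match an outbound message against each policy, log incidents, return the verdict."""
    verdict = {"deliver": True, "sender_notification": None}
    text = "\n".join([msg["subject"], msg["body"], *msg["attachments"].values()])
    for policy in policies:
        matches = policy.detect(text)
        if not matches:
            continue
        # Log metadata only; matched values are never copied into the incident store.
        incident_log.append({"policy": policy.name, "sender": msg["from"], "recipients": msg["to"],
                             "subject": msg["subject"], "violations": len(matches)})
        if "block" in policy.responses:
            verdict["deliver"] = False
        if "notify_sender" in policy.responses:
            verdict["sender_notification"] = (f"'{msg['subject']}' matched policy "
                f"'{policy.name}' ({len(matches)} violation(s)); see https://intranet.example/dlp")
    return verdict

# Constructed sample data; 4111 1111 1111 1111 is a well-known test number, not a real card.
PCI_POLICY = Policy("Cardholder data", find_card_numbers, ("block", "notify_sender"))
LEAK = {"from": "alice@corp.example", "to": ["bob@partner.example"], "subject": "Customer list",
        "body": "See attached.", "attachments": {"cust.csv": "J Smith,4111 1111 1111 1111,12/27"}}
CLEAN = {"from": "alice@corp.example", "to": ["carol@partner.example"], "subject": "Invoice",
         "body": "Reference 1234 5678 9012 3456 as discussed.", "attachments": {}}
```

Calling inspect_email(LEAK, [PCI_POLICY], log) blocks the message and records one incident, while CLEAN is delivered because its 16-digit reference fails the Luhn check, which is the kind of tuning that keeps false positives down.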

 

Maintenance of DLP processes

DLP processes need to be tuned as things change: processes change, companies shrink and grow, employees take on more or fewer responsibilities, new servers and desktops are introduced, new technologies that process this data are implemented and data moves to new locations such as cloud services. It is therefore important to monitor and maintain the overall DLP policies, processes and procedures.

 

Conclusion

A DLP process needs a lot of thought and planning. A technical solution gives far more control over sensitive data; however, a point to consider is that DLP will never be perfect. At the end of the day, if a user wants a piece of data they can see on their screen, they can copy the whole thing onto a piece of paper or take an image of the screen with a camera, so there is no perfect remedy.

Nevertheless, a DLP solution still provides a huge amount of control over and visibility of information, and brings other advantages such as user training and awareness, the ability to see where sensitive data resides within the network, help in meeting regulatory requirements and more. Be aware that although the DLP solution plays a big part in DLP, it should only be seen as a subset of the overall DLP strategy and is an investment that needs to be maintained.