Network DLP
Also referred to as gateway-based systems. These are usually dedicated hardware/software platforms, typically installed at the organisation's internet connection, that analyse network traffic to search for unauthorized information transmissions. They have the advantage that they are simple to install and provide a relatively low cost of ownership. Because decoding network traffic at high speed is extremely complex and difficult (transmitted objects are broken into small parts, often encoded, and then mixed with other traffic), network-based systems typically integrate with or include technologies to discover information 'at rest' while it is stored in file systems and databases. Discovering sensitive data at rest is far simpler and less time critical, thereby allowing greater levels of accuracy. Taking 'signatures' of data identified at rest, and then looking for those signatures as data passes over the network boundary, is a technique favored by virtually all network DLP vendors to improve accuracy and to identify sensitive data that would otherwise be missed.
Host-based DLP systems
Such systems run on end-user workstations or servers in the organisation. Like network-based systems, host-based systems can address internal as well as external communications, and can therefore be used to control information flow between groups or types of users (e.g. 'Chinese walls'). They can also control email and instant messaging communications before they are stored in the corporate archive, so that a blocked communication (i.e. one which was never sent, and is therefore not subject to retention rules) will not be identified in a subsequent legal discovery situation.
Host-based systems have the advantage that they can monitor and control access to physical devices (such as mobile devices with data storage capabilities) and in some cases can access information before it has been encrypted. Some host-based systems can also provide application controls to block attempted transmissions of confidential information, and provide immediate feedback to the user. They have the disadvantage that they need to be installed on every workstation in the network, and cannot be used on mobile devices or where they cannot practically be installed (for example on a workstation in an internet café).
Some intrusion prevention systems utilise "pattern matching" rules, while others utilise "exact copies" of sensitive data and/or text in order to determine when a potential breach is occurring.
The Ten Commandments of DLP
As Data Loss Prevention (DLP) emerges as one of today’s hottest technologies, it remains among the least understood.
Organisations continue to invest in tools and processes that make information available and portable. This availability risks leaking confidential data into the public domain and potentially the hands of competitors.
The vast majority of data leaks are the result of good employees making mistakes - an email sent to the wrong person or an upload of the wrong document. Data loss is as pervasive and complex as the business itself. Fortunately, with the right technology, the solution is far less complex. To address the problem effectively, however, organizations must implement a data loss prevention solution that addresses ten key requirements.
1. Thou shall accurately identify data
Whether it's credit card numbers (CCNs), social security numbers (SSNs), source code, or business plans, the key to an effective DLP solution is its ability to identify all forms of confidential data accurately. Many solutions come with built-in policy templates covering a broad array of data types, but few offer fingerprinting, the most accurate form of data identification. Accurate data identification reduces false positives and negatives, simplifies workflow, requires fewer management resources (i.e., lowers cost of ownership), and provides a solid platform for automated enforcement.
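Added example (not code from the original article or from any vendor's product) of the signature technique described in the Network DLP section and the fingerprinting named here: a document found at rest is reduced to hashes of overlapping five-word shingles, and an outbound payload is scored by how many of its shingles hit that registry, so a partial excerpt is caught while a message that merely mentions the same customer is not. The document text, shingle size and threshold are constructed for the example.

```python
import hashlib
import re
from typing import Set

# Constructed sample: a document that discovery at rest has flagged as confidential.
CONFIDENTIAL_DOC = (
    "Project Falcon pricing proposal. The unit price offered to Acme "
    "Holdings is 412.50 per licence with a 30 percent volume discount "
    "above 5000 seats, valid until the end of the third quarter."
)
SHINGLE_SIZE = 5  # words per shingle; a hypothetical tuning value


def tokenize(text: str) -> list:
    """Lower-case alphanumeric tokens, so punctuation, case and line breaks
    introduced in transit do not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = SHINGLE_SIZE) -> Set[str]:
    """Signatures for a piece of data: the hashes of every k-word shingle.
    Only these hashes are held at the gateway, never the confidential text."""
    words = tokenize(text)
    shingles = (" ".join(words[i:i + k]) for i in range(len(words) - k + 1))
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles}


def match_ratio(payload: str, registry: Set[str], k: int = SHINGLE_SIZE) -> float:
    """Fraction of the payload's shingles whose signature is registered.
    A payload shorter than one shingle cannot match and scores 0.0."""
    shingles = fingerprint(payload, k)
    if not shingles:
        return 0.0
    return len(shingles & registry) / len(shingles)


def is_leak(payload: str, registry: Set[str], threshold: float = 0.3) -> bool:
    """Flag an outbound payload when enough of it matches registered data."""
    return match_ratio(payload, registry) >= threshold


if __name__ == "__main__":
    registry = fingerprint(CONFIDENTIAL_DOC)
    excerpt = "FYI, unit price offered to Acme Holdings is 412.50 per licence, let's keep it quiet"
    benign = "Acme Holdings signed the NDA yesterday, lunch at 12:30?"
    print(round(match_ratio(excerpt, registry), 3), is_leak(excerpt, registry))
    print(round(match_ratio(benign, registry), 3), is_leak(benign, registry))
```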
2. Thou shall address data in three states: data at rest, data in use, and data in motion
Data can be stored, used, and exchanged in many places and ways. A DLP solution must provide the necessary coverage to identify, monitor, and protect the data regardless of where the data is and how the data is being used. A DLP solution must be able to discover where users store confidential data (data at rest), and monitor and protect how data is used (data in use) and transmitted over the Web, email, and other business communication channels (data in motion).
3. Thou shall provide content and context analysis
Employees will have varying needs and rights to store and use different types of data. An employee in human resources, for example, may have permission to access and use confidential employee information whereas a salesperson would be prohibited. That salesperson, however, may be authorized to send customer information (not employee information) to SalesForce.com. A DLP solution must discern both the content (the data) - including metadata - that is being stored, used, or transmitted, and the context (the user and destination): who is using it, how they are using it, and where it is sent. Having integrated content and context awareness provides the necessary visibility to secure data without inhibiting business.
4. Thou shall include an advanced policy framework
The four key variables used to design a business intelligent policy are:
a) What data was sent, used, or stored
b) Who sent, used, or stored the data
c) Where data was sent, used, or stored
d) How data was sent, used, or stored
An effective DLP framework will marry these variables together in a policy so that you can manage who and what go where and how, or in the case of data at rest, who stores what, where, and how. A mature solution, for example, can prohibit financial consultants from posting confidential information over HTTP to blogs and chat Web sites, but allow those employees to post non-confidential data to those same sites. With an advanced policy framework, administrators can identify bad business processes, secure good business processes, and remediate violations.
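Added example (not from the original article or any product) of the content-plus-context evaluation described in commandments 3 and 4: card numbers are identified with a Luhn check so that look-alike order numbers do not raise false positives, and the who/what/where/how policy table encodes the financial-consultant rule from the paragraph above. Group names, labels and destinations are constructed.

```python
import re
from typing import List, Set, Tuple

# Content analysis: what the data is. Label names are constructed for this example.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13 to 16 digits, optional separators


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a digit run that fails it is a reference number, not a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the content labels found in the text."""
    labels = set()
    for m in CCN_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            labels.add("confidential:ccn")
    if re.search(r"\bCONFIDENTIAL\b", text):
        labels.add("confidential:marked")
    return labels


# Context policy: (who, what, where, how, action). "*" matches anything, a label
# prefix such as "confidential" matches every "confidential:*" label, first match wins.
POLICY: List[Tuple[str, str, str, str, str]] = [
    ("finance-consultants", "confidential", "blog", "http", "block"),
    ("finance-consultants", "confidential", "chat", "http", "block"),
    ("*", "*", "*", "*", "allow"),
]


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or value == pattern or value.startswith(pattern + ":")


def decide(user_group: str, text: str, destination: str, channel: str) -> Tuple[str, Set[str]]:
    """Combine content labels with the who/where/how context; return (action, labels)."""
    labels = classify(text) or {"public"}
    for who, what, where, how, action in POLICY:
        if (_matches(who, user_group) and any(_matches(what, lbl) for lbl in labels)
                and _matches(where, destination) and _matches(how, channel)):
            return action, labels
    return "block", labels  # no rule matched: fail closed
```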
5. Thou shall include robust workflow and reporting
Data loss prevention is a business problem, not an IT problem. The burden, however, falls on IT. The technology in place must offer robust workflow and reporting with full automation. DLP solutions provide visibility into business communications and processes. Administrators and policy makers can use this visibility to design controls and automated workflow, and to pre-assign specific types of incidents to specific personnel. For example, HIPAA-related incidents may automatically route to human resources while patent violations go to legal. Likewise, weekly and monthly reports can be created and distributed automatically, putting the onus of day-to-day incident management and reporting on the people who own and use the data: the business units.
6. Thou shall be manageable
To be effective, a solution must be easy to deploy and manage. A mature DLP solution comes preloaded with wizards and hundreds of policy templates. It will be relatively easy to deploy and train on, and include clear documentation. It will also offer Web-based administration with role-based access control (RBAC), so multiple users can log on to the system concurrently and yet have different views depending on their role in the organization. Finally, it will offer centralized management of all product modules across a distributed environment, without having to purchase and deploy a separate management system.
7. Thou shall be scalable
A DLP solution must meet the demands of a growing enterprise. DLP solutions will include features such as high availability, load balancing, and archiving. Data loss prevention technologies must be able to perform continued deep content inspection amidst spikes in traffic, and consolidate events on the network and endpoint across a distributed organization. Finally, the solution must have a flexible architecture so that it can meet the constraints of a non-standard deployment.
8. Thou shall integrate with a wide range of technologies
Organizations today use many integrated security and networking tools. A DLP solution must leverage and extend these tools, including directory services, mail, web filtering, proxy, SIEM, ticketing, and encryption. Integration creates efficiencies and eases system management. A DLP technology, for example, should be able to manage policies by users in directory services, automatically route mail to an encryption gateway, and create tickets within support desk systems.
9. Thou shall be from a viable vendor
The DLP market has consolidated. Security vendors have acquired the most mature and comprehensive solutions leaving behind a few remaining startups faced with a challenging economy. It’s important that the solution purchased be from a reputable vendor with a strong cash flow and balance sheet. In addition to financial strength, the vendor should be technologically strong and be able to demonstrate a history of and roadmap for investment in DLP technology, validated by customer acquisition and references.
10. Thou shall offer a reasonable cost of ownership
A DLP solution must provide a reasonable return on investment and cost of ownership. This can sometimes be difficult to quantify since DLP technology is a risk management tool. When evaluating DLP, management must fully weigh the cost of the solution, not just acquisition and deployment costs, against a quantified risk. A full cost analysis will include costs of ongoing management, maintenance, and remediation, as well as the impact on other systems and processes that may require attention to support the solution’s operational readiness. For more information on the return on investment of DLP technology, contact Sales at KL on sales@klltd.co.uk.
DLP technology offers many benefits to organisations. A DLP solution reports on and ensures regulatory compliance, protects an organisation’s crown jewels, secures a competitive advantage, and safeguards brand and reputation. The key to unlocking the power of data loss prevention is to make sure that the solution in place can address all of the organisation’s requirements, both now and in the future. Many technologies have “data loss prevention” affixed to their marketing materials. Few of them, however, address the ten commandments of DLP and are capable of solving the problem of data loss.