Data leakage prevention

Nowadays many people work from home instead of the office, and almost everyone has a smartphone, which makes it easy to read work-related email or even join a meeting while taking the dog out for a walk. Or perhaps an employee connects to your network using their own device. How do you keep your data secure? Can you always trust your employees to delete the data once they have finished reading it, or to have a secure PIN or biometrics set up? Probably not…

The basic idea of Data Leakage Prevention (also called Data Loss Prevention) is to detect and stop the unauthorized storage and distribution of sensitive data. It does this by monitoring your file systems and network traffic for data that has been classified as sensitive, and intervening when that data is stored or sent somewhere it should not go.

Data Leakage Prevention is different from Intrusion Detection/Response Systems: Data Leakage Prevention monitors your outgoing flows, while Intrusion Detection/Response Systems monitor the incoming flows.

Data Leakage Prevention is an additional measure and should be used alongside the other measures you take to secure your data. That is why Data Leakage Prevention is normally set up once a certain level of security maturity has been reached.

How

There are many Data Leakage Prevention systems available. In the Related links section below you can find a list from Gartner. Each system has its own pros and cons, and you should pick the one that suits your business and IT setup. If your organization is committed to Microsoft, you probably want to use the Microsoft 365 DLP solution; if your IT runs in Amazon AWS or Google Cloud, those platforms offer Data Leakage Prevention solutions as well.

Whatever solution you use, there are certain steps you must always take:

  • Classify your data accordingly.
    Data Leakage Prevention does not work if it does not know which data is important to you. Most systems add a label to the metadata of a file that states its classification. Some systems can classify your data automatically by looking for certain data specifics, such as PII or credit card data.
  • Set up rules
    Now that you have classified your data, the Data Leakage Prevention system can detect how the data is used. But you need to set up rules that determine what is acceptable to you. If you do not want your data to be shared with any Dropbox account, you need to tell the system so.
  • Set up actions
    Whenever a rule is triggered you might want to report it to your security team, or even block the connection and prevent the user from sharing files with a certain website. These actions need to be set up within the system so it can take these steps automatically for you.
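
To make the three steps concrete, here is an added example (not code from the original page or from any DLP product) of a minimal policy engine in Python. Step 1 classifies a file from a label already in its metadata or, failing that, from data specifics found in its content (payment card numbers confirmed with a Luhn check, e-mail addresses); step 2 is a rule table that maps a classification and a destination channel to an action; step 3 applies the first matching action. The label names, channel names, rules and sample files are all constructed assumptions. The second sample file, an annual report still carrying a stale "confidential" label, shows the misclassification problem described under Risks below.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ---- Step 1: classify ------------------------------------------------------
# Constructed detectors for two "data specifics": payment card numbers and
# e-mail addresses. A card candidate is only accepted if its Luhn checksum
# holds, so order numbers or phone numbers are not mislabelled.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits in candidate (separators ignored)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(content: str, label: Optional[str] = None) -> str:
    """Return the classification of a file.

    A label already present in the file's metadata wins; otherwise the
    content is scanned for sensitive data specifics. The labels are the
    constructed set public < internal < confidential.
    """
    if label:
        return label
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(content)):
        return "confidential"
    if EMAIL_RE.search(content):
        return "internal"
    return "public"


# ---- Step 2: rules ---------------------------------------------------------
@dataclass(frozen=True)
class Rule:
    name: str
    labels: frozenset      # classifications the rule applies to
    channels: frozenset    # destinations, as constructed channel names
    action: str            # step 3: "block" or "alert"


# Constructed ruleset. Blocking rules come first: the first match decides.
RULES = (
    Rule("confidential-to-personal-cloud", frozenset({"confidential"}),
         frozenset({"dropbox.com"}), "block"),
    Rule("confidential-to-public-web", frozenset({"confidential"}),
         frozenset({"www-publish"}), "block"),
    Rule("non-public-to-external-mail", frozenset({"internal", "confidential"}),
         frozenset({"smtp-external"}), "alert"),
)


# ---- Step 3: actions -------------------------------------------------------
@dataclass
class Event:
    user: str
    filename: str
    content: str
    channel: str
    label: Optional[str] = None   # label found in the file's metadata, if any


def evaluate(event: Event, rules=RULES) -> dict:
    """Classify the file, match the rules, and return the action to take."""
    label = classify(event.content, event.label)
    for rule in rules:
        if label in rule.labels and event.channel in rule.channels:
            return {"file": event.filename, "label": label,
                    "action": rule.action, "rule": rule.name}
    return {"file": event.filename, "label": label, "action": "allow", "rule": None}


# Constructed sample events. The annual report carries a stale "confidential"
# metadata label although its content is public, so publishing it is blocked.
SAMPLE_EVENTS = [
    Event("alice", "customers.csv",
          "name,card\nJ. Doe,4111 1111 1111 1111", "dropbox.com"),
    Event("bob", "annual-report.pdf",
          "Our revenue grew this year.", "www-publish", label="confidential"),
    Event("carol", "notes.txt",
          "Follow up with j.doe@example.com", "smtp-external"),
    Event("dave", "blog-draft.md",
          "Order 1234567890123456 shipped today.", "www-publish"),
]


def run_demo(events=SAMPLE_EVENTS) -> list:
    """Evaluate every sample event and return the decisions in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for d in run_demo():
        print(f"{d['file']:<20} {d['label']:<13} {d['action']:<6} {d['rule']}")
```

Running the module prints one decision per sample file: the customer export is blocked on its way to a personal cloud account, the mis-labelled annual report is blocked from publication, the notes with an e-mail address raise an alert on external mail, and the blog draft is allowed because its 16-digit order number fails the Luhn check and is not treated as a card number. Rule order matters: a real product evaluates rules in a defined priority, and putting blocking rules ahead of alerting rules here mirrors that.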

Risks

The main risk when using Data Leakage Prevention is having your data incorrectly classified. If you need to publish your annual report on your website but its classification is still set to confidential, you will probably trigger an alert, and the system might even prevent you from publishing it. When a document has a lower classification than it actually requires, that is also a problem, because the rules for the higher classification will not be applied to it.

A second risk is that your rules and actions are too strict, preventing your organization from participating in new developments. Your security team should be an enabler, not a disabler.

Example Control Ruleset

When the following controls are in place, you should be compliant for this topic:

  • Data is correctly classified
  • Sensitive data is being protected using Data Leakage Prevention systems
  • Rules and actions are set up within the Data Leakage Prevention system according to the classification policy

Related links

Microsoft Azure DLP
DLP at Amazon AWS
DLP on Google Cloud
Gartner on DLP (Reviews & ratings)