If you would like to read the other parts in this article series please go to:
- Developing and Assessing your DLP Strategy (Part 2)
- Developing and Assessing your DLP Strategy (Part 3)
- Developing and Assessing your DLP Strategy (Part 4)
As IT security professionals, we spend a great deal of time worrying about how to secure the infrastructure, operating system and applications, but when it comes right down to it, in the end it’s all about the data. An OS or app can be reinstalled and will be good as new – albeit with administrative overhead and possible temporary loss of productivity – but lost data may be irreplaceable and in some cases its loss or exposure can have severe ramifications for your business.
That’s why DLP (Data Loss Prevention or Data Loss Protection, depending on the source) has turned into a whole security subset of its own. Of course, DLP ties into other security areas such as regulatory compliance and protection of trade secrets. In this multi-part article, we will discuss how your organization can develop an effective DLP strategy and/or how to assess your existing policy for holes that might need to be plugged.
The challenge of developing an effective DLP policy
Developing an effective DLP policy with broad coverage is especially challenging because data comes in so many different forms: word processing documents, spreadsheets, email communications, database entries, XML files, chat logs, proprietary formats created by custom line of business applications, and even graphics files. Then there are multiple methods by which that data can be lost, including but not limited to the following:
- Hack attacks from outside the local network
- Physical access to the local network by outsiders through social networking
- Deliberate insider data theft (corporate espionage, disgruntled employees, contractors, etc.)
- “Hacking the cloud” (if you store your data there)
- Interception of data in transit between one network and another or one endpoint and another
- Physical loss or theft of mobile devices
- Accidental leakage from inside the local network by authorized persons
- Insecure remote access/telecommuter practices, employees taking work home, etc.
All of these variables make it particularly important that your DLP strategy be multi-layered and that it be reassessed frequently to ensure that methods of loss haven’t been overlooked or new ones introduced by changes to your network infrastructure and configuration (for example, a move to the cloud). Effective DLP is unlikely to be accomplished by a single turn-key solution, but will require a combination of security mechanisms to protect data in various locations and at various stages of creation, use, transit and storage.
DLLP: data loss and leakage
In fact, the most comprehensive strategy might be more accurately referred to as DLLP, or Data Loss and Leakage Prevention. Many IT professionals lump data loss and data leakage into the same basket, and they are related but there is a key difference. Data loss is what it sounds like: the data is either destroyed or taken away and you no longer have access to it. Data leakage is more insidious (and thus it can be more difficult to detect): the data is exposed or disclosed to persons who are not authorized to have access to it, but it is still left intact in its original location.
Thieves who only want to utilize the information in the data (for example, to use personal credit card information of your customers for identity theft or use information regarding your company’s trade secrets to sell to your competitors) would typically steal copies of the data and leave the originals alone so that you would not immediately be alerted to the fact that there had been a breach.
On the other hand, attackers who want to disrupt your business and cause you lost productivity in order to allow the competition to get ahead, or who want to get back at you over some grievance (such as a dissatisfied customer or a disgruntled employee or ex-employee) would more typically tend to destroy the data completely or copy it for themselves and then remove the original files from their location.
However, the common terminology is DLP and so, for the purposes of this document, we will use that verbiage to refer to both data loss prevention and data leakage prevention.
The consequences of data loss or leakage
You might think, given the statements above, that creating an effective data loss prevention strategy is a lot of work – and you would be right. However, it’s worth it, because the consequences of data loss can range from annoying to catastrophic. The damage is multiplied if you deal with particularly sensitive information and/or if you operate in a regulated industry.
In some fields, such as healthcare, data loss could literally be a life or death matter, and in others, such as military defense, the national security of an entire country could hang in the balance. For most organizations, the consequences of data loss won’t be quite as dire as this, but could still have a profound effect on the company’s bottom line and even its very continued existence. Consequences of the loss or unauthorized exposure of data could include:
- Down time and loss of productivity
- Damage to the company’s public reputation
- Loss of clients or customers and thus loss of market share
- Loss of faith in the business by investors, resulting in decreased market value
- Loss of status/reputation within your industry
- Loss of certifications, licenses, ratings, etc.
- Civil lawsuits resulting in monetary judgments and/or injunctions
- Fines or other penalties for compliance failure or violation of statutes or administrative regulations
- Decreased revenues leading to financial instability and even bankruptcy
That is a pretty serious list to contemplate. We all know that an ounce of prevention is worth a pound of cure and in the case of data loss, there may be no cure.
Elements of an effective DLP strategy
Now that we understand both the consequences of data loss or leakage and some of the most common ways by which data is lost or leaked to unauthorized persons, we can start to formulate a strategy for prevention. We can start with determining where the data that needs to be protected is located, keeping in mind that data moves and also that copies of the same data may (should) be in at least two different places.
Basically, we need to look at protecting data in the following locations/situations:
- Data that resides on endpoint devices. This includes data that is created or residing temporarily or permanently on workstations or servers within the local network as well as that which is created or residing on computers, tablets or smart phones of mobile workers.
- Data in storage (also called data at rest). This includes data that is stored on file servers, network attached storage systems, storage area networks, USB sticks, flash memory cards, optical discs, magnetic tape and other media, including backup copies of data and temporary files that hold data from various applications.
- Data in transit (also called data in motion). This includes data that is in the process of being sent, copied or moved over the local network or across the Internet.
Intrusion and Extrusion Prevention
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) have long been a part of the enterprise security defense in depth matrix, and part of a DLP strategy involves keeping unauthorized persons out of the local network. However, DLP is actually more focused on the prevention of extrusion, that is, data going out of the network, and so while IDS/IPS is aimed primarily at filtering inbound traffic, DLP aims at filtering outbound traffic. The goal of DLP is to prevent anything from leaving the network that could, in the wrong hands, be detrimental to the organization.
Extrusion prevention isn’t easy in today’s network environment that encompasses Bring Your Own Device (BYOD), easy peer-to-peer file sharing, free web mail, IM/chat programs that support file sharing, a proliferation of readily available and easy to use cloud-based storage services and other means of transferring files across the Internet, along with cheap and almost universally compatible physical storage devices that can be easily plugged in via USB, writable optical drives, tiny and easy to conceal/smuggle out flash memory cards, and so forth.
An important part of an effective DLP strategy includes the classification of data to allow you to accurately identify the sensitivity level of data and the impact of loss or disclosure of each data set. The FIPS-199 federal government publication can serve as a guideline for the development of a data classification scheme. This document bases the impact classifications on the three FISMA (Federal Information Security Management Act) security objectives: confidentiality, integrity and availability. Thus potential impact from a security breach could result in:
- Unauthorized disclosure of information (loss of confidentiality)
- Unauthorized change or destruction of information (loss of integrity)
- Disruption of access or use of information (loss of availability)
After you have determined a classification for each piece of data, you can use tagging to embed that classification into the metadata and tools can be used to enforce security measures that are based on the data classification.
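The following is an added example, not code from the article, that ties together the two preceding ideas: a FIPS-199 style categorisation of an information type against the three FISMA objectives (the overall category is the highest impact of the three, the "high water mark" rule FIPS-199 uses), embedding that category as a tag in the document's metadata, and an outbound (extrusion) filter that reads the tag to decide whether a transfer to a given destination zone is allowed. The `x-dlp-*` metadata keys, the three destination zones, the policy table and the sample documents are all constructed for illustration; an untagged document is treated as HIGH so that a missing tag fails closed rather than bypassing the filter.

```python
# Added example (not from the article): FIPS-199 style categorisation, metadata
# tagging, and a tag-driven outbound transfer check. Sample documents, zone
# names and the 'x-dlp-*' metadata keys are constructed for this illustration.
import json
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Tuple


class Impact(IntEnum):
    """FIPS-199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """Impact of a breach against each FISMA objective for one information type."""
    confidentiality: Impact   # unauthorized disclosure
    integrity: Impact         # unauthorized change or destruction
    availability: Impact      # disruption of access or use

    def overall(self) -> Impact:
        # FIPS-199 high-water mark: the category of the information type is the
        # highest impact across the three objectives.
        return max(self.confidentiality, self.integrity, self.availability)

    def label(self) -> str:
        # FIPS-199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}
        return "SC={{(confidentiality,{}),(integrity,{}),(availability,{})}}".format(
            self.confidentiality.name, self.integrity.name, self.availability.name)


def tag_document(doc: dict, category: SecurityCategory) -> dict:
    """Return a copy of doc with the classification embedded in its metadata block.

    The 'x-dlp-*' keys are a constructed convention for this example; real tooling
    would write the equivalent into file properties or a sidecar record.
    """
    tagged = dict(doc)
    meta = dict(doc.get("metadata", {}))
    meta["x-dlp-category"] = category.label()
    meta["x-dlp-confidentiality"] = category.confidentiality.name
    meta["x-dlp-overall"] = category.overall().name
    tagged["metadata"] = meta
    return tagged


# Constructed outbound policy: destination zones each confidentiality level may
# reach. Extrusion filtering keys on confidentiality because that is the
# objective an outbound transfer threatens.
OUTBOUND_POLICY: Dict[str, set] = {
    "LOW": {"internal", "partner", "internet"},
    "MODERATE": {"internal", "partner"},
    "HIGH": {"internal"},
}


def outbound_decision(doc: dict, destination_zone: str) -> Tuple[bool, str]:
    """Decide whether a tagged document may leave for destination_zone.

    Untagged documents default to HIGH (fail closed) so a missing tag cannot be
    used to slip past the filter.
    """
    level = doc.get("metadata", {}).get("x-dlp-confidentiality", "HIGH")
    if destination_zone in OUTBOUND_POLICY.get(level, set()):
        return True, "allow: {} confidentiality permitted to {}".format(level, destination_zone)
    return False, "block: {} confidentiality not permitted to {}".format(level, destination_zone)


# Constructed sample documents standing in for real files.
SAMPLE_DOCS = {
    "customer_cards.csv": (
        {"name": "customer_cards.csv", "metadata": {"owner": "billing"}},
        SecurityCategory(Impact.HIGH, Impact.MODERATE, Impact.LOW),
    ),
    "lunch_menu.txt": (
        {"name": "lunch_menu.txt", "metadata": {}},
        SecurityCategory(Impact.LOW, Impact.LOW, Impact.LOW),
    ),
}


def run_demo() -> dict:
    """Tag each sample document and evaluate it against every destination zone."""
    results = {}
    for name, (doc, category) in SAMPLE_DOCS.items():
        tagged = tag_document(doc, category)
        results[name] = {
            "tag": tagged["metadata"]["x-dlp-category"],
            "overall": tagged["metadata"]["x-dlp-overall"],
            "decisions": {zone: outbound_decision(tagged, zone)[0]
                          for zone in ("internal", "partner", "internet")},
        }
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script tags the constructed card-data file as HIGH confidentiality (so it may only move within the internal zone) and the menu as LOW (allowed everywhere); the same decision function applied to a document with no tag at all blocks the internet transfer, which is the behaviour you want from an outbound filter when the tagging step has been skipped.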
A data loss and data leakage prevention strategy is a must for any organization that creates, uses, stores, moves or accesses any type of data that is sensitive, confidential or falls under regulatory privacy protection mandates. In Part 1 of this article, we’ve provided a high level overview of what DLP is, some of the possible consequences of data loss or leakage, and the essential elements of an effective DLP strategy. In subsequent installments, we will delve more deeply into the intricacies of DLP, characteristics of good DLP software solutions, and how to implement your DLP plan.