If you would like to read the other parts in this article series please go to:
- Developing and Assessing your DLP Strategy (Part 1)
- Developing and Assessing your DLP Strategy (Part 3)
- Developing and Assessing your DLP Strategy (Part 4)
A data loss and data leakage prevention strategy is a must for any organization that creates, uses, stores, moves or accesses any type of data that is sensitive, confidential or falls under regulatory privacy protection mandates. In Part 1 of this article, we provided a high level overview of what DLP is, some of the possible consequences of data loss or leakage, and the essential elements of an effective DLP strategy.
Policies, Programs, Practices and People
Your data loss and data leakage prevention strategy will revolve around four major components (all of which just happen to start with a P, which makes it a little easier to remember):
- Policies. Before you can implement a system for enforcement of data loss and data leakage prevention, you have to determine what to enforce. Some organizations look first at DLP software solutions, but I put policies as the first step because unless you know specifically what you want to accomplish with your DLP solution, it’s difficult to evaluate the different packages and know which one(s) can best handle your needs.
- Programs. Data loss and data leakage prevention software can take many forms. Some vendors attempt to provide an all-in-one turn-key solution. DLP can also be accomplished by the implementation of different solutions at different layers – network edge, server, endpoints – and a comprehensive DLP strategy is likely to include a number of solutions working together.
- Practices. Best practices can make or break the effectiveness of your DLP solution. This refers to how your DLP solution is architected, configured and managed.
- People. The human factor is always present in any security-related issue, and data loss/data leakage prevention is no exception. The people involved include your end users who legitimately have access to your data; unauthorized users who intend to access your data (both insiders and outside attackers); you and the other network administrators and security professionals who are tasked with protecting that data; and your organization’s managers, executives and perhaps directors, who make decisions that impact your DLP strategy.
Now we’ll look at each of the above components in more detail.
Policies: The Foundation of your DLP Strategy
The creation of your DLP policies is a two-part process: deciding the rules that will govern the detection of sensitive information, and implementing the controls that protect it once it is detected.
For example, you might want to identify the following types of information as sensitive/personal information, the privacy of which must be protected (by law, if you operate in certain regulated industries):
- Social security numbers
- Driver’s license numbers
- State and national ID card numbers
- Passport numbers
- Health services/medical account numbers
- Credit and debit card numbers
- Voter registration numbers
- Employer Taxpayer identification numbers
- DEA numbers
- Bank account numbers
- IP addresses
These are just a few of the types of numerical information that constitute sensitive personal data, the transmission of which outside your network you might logically want to restrict or at least monitor. But how do you identify these and differentiate them from other, non-sensitive strings of numbers?
That’s where DLP software comes in.
Programs: To Detect and Protect
A good DLP solution will include software that can check for patterns indicating that the types of information for which you’ve set up monitoring have been detected. It will be usable in either of two modes:
- Monitor and alert mode. The software will scan for sensitive data that is in danger of being exposed and will notify you.
- Enforcement mode. The software will apply rules that you specify to block or remove sensitive data that is being sent or shared in violation of the policies you have set.
But first things first: how does the software detect the sensitive information?
It can look for patterns in numerical information. For instance, U.S. social security numbers are always in the format XXX-XX-XXXX. The software will also be programmed to look for particular number sequences. For example, credit card numbers for a particular bank/card type will all start with the same sequence of numbers. The software will also be on the lookout for certain key words that indicate sensitive information is involved, such as “account number,” “driver’s license” or “income tax.”
The software can identify sensitive information in a couple of different ways. The rules for detecting well-defined information types such as social security or credit card numbers are relatively simple. It’s more difficult to identify, for example, a particular type of company document that you want to protect, such as the company’s financial statement. Here the software would evaluate the entire document and look for a group of pattern types instead of just one.
Good DLP software will allow you to customize the built-in sensitive information types so that it can, for example, detect email that includes your company’s own numbering scheme for personnel information or customer accounts. This allows you to apply policies that are specific to your organization or to a particular set of regulatory rules as well as those pertaining to information that is universally considered sensitive. Depending on the DLP software, writing your own policy templates may or may not require some programming skill.
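To make the detection mechanics concrete, here is an added Python example (not code from the article or from any DLP product) that applies the techniques just described: a format pattern for social security numbers, an issuer prefix plus checksum for card numbers, keyword proximity to raise confidence, and a hypothetical custom pattern (ACME-nnnnn) standing in for an organization’s own numbering scheme. It also shows the difference between the monitor-and-alert and enforcement modes described above; the sample message and the keyword list are constructed for the demonstration.

```python
import re

# Constructed sample message (not from the article) mixing real-looking values
# with decoys so the filters can be seen rejecting false positives.
SAMPLE = ("Hi, the customer's account number is ACME-48213 and her SSN is "
          "123-45-6789. Card on file: 4111 1111 1111 1111. Ticket 999-99-9999 "
          "is a decoy. Call 555-12-3456 about nothing.")

# Keywords whose nearby presence raises confidence, as the article describes.
KEYWORDS = ("account number", "ssn", "social security", "card", "driver's license")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")      # XXX-XX-XXXX format
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # 13-16 digits, spaces/dashes
CUSTOM_RE = re.compile(r"\bACME-\d{5}\b")   # hypothetical in-house customer ID scheme

def ssn_plausible(area, group, serial):
    """Reject numbers that are never issued: area 000, 666 or 900-999, zero group/serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def luhn_ok(digits):
    """Luhn checksum, the standard sanity check for payment card numbers."""
    total, parity = 0, len(digits) % 2
    for i, d in enumerate(int(c) for c in digits):
        if i % 2 == parity:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def confidence(text, m, window=40):
    """'high' when a keyword sits within `window` characters of the match."""
    ctx = text[max(0, m.start() - window): m.end() + window].lower()
    return "high" if any(k in ctx for k in KEYWORDS) else "medium"

def scan(text):
    """Monitor mode: return (kind, value, confidence) for every detection."""
    found = [("ssn", m.group(0), confidence(text, m))
             for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Pattern + issuer prefix (Visa begins with 4) + Luhn keeps noise down.
        if digits.startswith("4") and luhn_ok(digits):
            found.append(("card", m.group(0), confidence(text, m)))
    found += [("custom_id", m.group(0), "high") for m in CUSTOM_RE.finditer(text)]
    return found

def enforce(text):
    """Enforcement mode: redact every finding instead of merely reporting it."""
    for _, value, _ in scan(text):
        text = text.replace(value, "[REDACTED]")
    return text
```

Running `scan(SAMPLE)` reports the SSN, the card and the custom ID as high-confidence findings and the isolated 555-12-3456 as medium, while the 999-99-9999 decoy is dropped by the plausibility check; `enforce(SAMPLE)` redacts everything `scan` reports.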
Your DLP software should be able to scan and inventory all of the different types of data in the different locations that we discussed in Part 1 of this series. If your organization stores some or all of its data in the cloud, your DLP solution must be able to detect and protect sensitive information both on local systems and in the cloud. Two of the most common points of data loss or leakage are web sites and email.
Part of what makes DLP (and security in general) difficult is that employees today, thanks to BYOD and cloud services, enjoy a very fluid online environment in which work and personal lives are intertwined. Many employees use their personal email accounts in addition to their official corporate accounts when sending work-related messages to colleagues. These are often web mail accounts such as Gmail, Hotmail/Outlook.com or Yahoo Mail, which can further complicate your DLP efforts.
Your DLP software should be able to detect sensitive data sent via SMTP, HTTP, HTTPS, NNTP, FTP, IM, and so forth, as well as custom protocols (identified by port). Good DLP software will be able to block messages containing sensitive data and/or remove sensitive data from web sites. It should also be configurable to notify the offending users of the policy violations and that their data has been blocked/removed.
Of course, in today’s litigious business world, detecting and protecting is not enough. Your DLP software must also be able to provide you with documentation of the actions that it takes. Logging and reporting are increasingly important features in all security-related software. You need to be able to generate reports in various formats so that you can review incidents and remediate risks based on analytics.
Finally, your DLP software should integrate with your other security solutions for optimum protection and performance. For example, it needs to be able to integrate with your backup software to scan backups for sensitive data, with your endpoint protection software, your mobile device management software and so forth. Your DLP solution should either be capable itself of forcing encryption on designated types of data or integrate with your encryption software.
In this, the second part of our multi-part series of articles on developing and assessing an effective DLP strategy for your organization, we focused on two of the four important elements that make up such a strategy: policies and programs. In the next installment of the series, Part 3, we will pick up where we left off and address the last two elements: practices and people.