Developing and Assessing your DLP Strategy (Part 3)

If you would like to read the other parts in this article series please go to:

Introduction

A data loss and data leakage prevention strategy is a must for any organization that creates, uses, stores, moves or accesses any type of data that is sensitive, confidential or falls under regulatory privacy protection mandates. In Part 1 of this multi-article series, we provided a high level overview of what DLP is, some of the possible consequences of data loss or leakage, and the essential elements of an effective DLP strategy.

In Part 2, we started to delve more deeply into the intricacies of DLP and the characteristics of good DLP software solutions, discussing two of the four important elements: policies and programs.

DLP best practices

In Part 2, we talked about how you need to identify and categorize the types of sensitive data that you want to protect, and how software monitoring and alerting can detect sensitive data that is at risk and notify you, and/or technologically enforce the data protection rules that you set up. But it’s not enough to just configure monitoring and then “set it and forget it”. Data loss and leakage protection is an ongoing process and it’s important to ensure that it’s properly implemented to begin with and that it adapts as your data protection needs grow and change.

Basic Guidelines

Some guidelines to follow in implementing a DLP solution include:

  • If you fall under regulatory compliance mandates, identify the governing bodies, statutes and/or industry rules that are applicable to ensure that your DLP strategy will comply with their requirements regarding protection of sensitive data.
  • Identify and categorize sensitive data that needs protecting prior to choosing and deploying your DLP solution, as this will aid you in making the selection and determining the best deployment strategy. In particular, determine the file types and formats in which the data is stored so you can ensure that the DLP solution you select supports those formats.
  • Ensure that your comprehensive solution will cover sensitive data at all stages: data at rest, data in transit and data in use.
  • Create a test environment to allow you to evaluate the effectiveness of your solution and detect problems, identify false positives, etc. This will make it possible to test and fine tune your policies and procedures without disrupting the business process.
  • Educate data owners, data stewards and data custodians as well as all of those who will access or manipulate the data and include your compliance team, human resources and business units that are impacted by the data.
  • Ensure that you have safeguards against “data drift,” the unintentional and/or unauthorized moving or copying of sensitive data to unprotected devices or locations: via email, through BYOD devices and telecommuter access, onto removable media, and even through data backup mechanisms that copy data to locations without strong controls.
  • Regularly update risk profiles.
  • Establish a procedure for documenting DLP incidents.

Your DLP solution should be “content aware” – that is, according to Gartner’s definition, it should enable you to apply policy dynamically based on the content and context at the time of an operation.

DLP tools

DLP solutions can consist of a number of different tools such as data discovery tools, network tools, monitoring tools, reporting tools, etc.

Data discovery is a very important element of data loss and leakage prevention because you can’t protect the sensitive information if you don’t know which information is sensitive and where it is located – and that means all copies, not just the primary copy. One thing that a good data discovery tool can do is find unencrypted data and then carry out your policies by automatically encrypting the data, removing it, notifying the data owner and/or stakeholders, or taking any other action that you specify. In addition to detecting unencrypted individual files, it can find those shares/folders that are not encrypted and move the data to a location that has better access controls or encrypt the data in its current location.

Remember that data discovery is not just a one-time process. You can set your DLP tools to continuously scan for sensitive data, you can do it at pre-determined intervals such as daily, weekly or monthly, or you can perform data scanning on demand, for example in preparation for or as part of a security audit or in response to a known or suspected change in the data status.
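As an added illustration of the discovery step described above (this is example code written for this article, not any DLP product’s engine), the scanner below walks a directory tree, classifies files by content using illustrative regex rules plus a Luhn check to suppress card-number false positives, and groups identical files by content hash so that every copy of a sensitive file, such as one that drifted into a backup share, is reported, not just the primary. The sample tree, the rule patterns and the category names are constructed assumptions; the 4111… card number is the well-known Visa test PAN.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Illustrative detection rules (not a vendor rule set); the Luhn test cuts card false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):  # double every second digit from the right
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of sensitive-data categories found in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card")
    if SSN_RE.search(text):
        found.add("ssn")
    return found

def discover(root: str) -> dict:
    """Walk root; report sensitive files and group copies by content hash."""
    findings, by_hash = {}, {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        cats = classify(data.decode("utf-8", errors="ignore"))
        if cats:
            findings[str(path)] = cats
            by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(str(path))
    duplicates = {h: p for h, p in by_hash.items() if len(p) > 1}
    return {"findings": findings, "duplicates": duplicates}

def build_sample_tree() -> str:
    """Constructed sample data: the well-known 4111... Visa test PAN and a made-up SSN."""
    root = Path(tempfile.mkdtemp())
    card = "Customer card: 4111 1111 1111 1111\n"
    for rel in ("finance/cards.txt", "backup/cards_copy.txt"):  # backup share holds a copy
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(card)
    (root / "hr_notes.txt").write_text("Employee SSN 123-45-6789 on file\nOrder 4111111111111112\n")
    return str(root)
```

Calling discover(build_sample_tree()) reports three sensitive files and one duplicate group (the finance file and its backup copy); the order number fails the Luhn check and is not flagged.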

Whereas discovery tools are focused more on data within the organization’s network, network tools can be used to identify sensitive data that is about to leave the network and ensure that it is encrypted while in transit. Remember that different encryption technologies are used to encrypt data at rest vs. data in transit; in the latter case you want to encrypt not just the data itself but the channel over which it is transmitted.

Monitoring tools can log who accesses (or attempts to access) data that has been classified as sensitive, and can record any changes that are made to the data itself, to its metadata, permissions, and so forth. Monitoring tools can detect when sensitive data is copied, moved or deleted, as well.

Reporting tools take the information that is collected by the monitoring tools and put it into a usable, easily understandable format for administrators, auditors and managers. Reporting features can generate incident reports when DLP policy violations are detected and allow you to set alerts to automatically email or otherwise notify admins of the situation so that you can remedy it as quickly as possible.

DLP reporting should be configurable so that you can view lists of incidents over a specified time period and see detailed or summary information about each of the incidents in order to better detect patterns and trends. You should be able to sort and view incidents in different ways, such as chronologically, by severity, by incident type, etc. To enable you to better perform risk assessment, you should be able to see which policies were violated most frequently over a specified period, which users generated the most incidents, the locations from which and to which sensitive data was most often leaked, and so forth.
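To make the reporting requirements above concrete, here is an added example (written for this article, not taken from any DLP product) that builds the kind of summary just described from a constructed JSON-lines incident log: it restricts the view to a chosen period, ranks incidents by policy, user and destination, orders them by severity, and computes a simple per-policy trend by comparing the second half of the period with the first. The log contents and the field names (ts, policy, user, severity, src, dst) are assumptions, not a vendor’s schema.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed incident log (JSON lines). Field names are assumptions, not a vendor schema.
INCIDENT_LOG = """\
{"ts": "2024-03-04T09:12:00", "policy": "PCI-PAN", "user": "alice", "severity": "high", "src": "finance-share", "dst": "gmail.com"}
{"ts": "2024-03-05T14:03:00", "policy": "PCI-PAN", "user": "bob", "severity": "high", "src": "laptop-bob", "dst": "usb"}
{"ts": "2024-03-06T10:41:00", "policy": "PII-SSN", "user": "alice", "severity": "medium", "src": "hr-share", "dst": "dropbox.com"}
{"ts": "2024-03-12T08:20:00", "policy": "PCI-PAN", "user": "alice", "severity": "high", "src": "finance-share", "dst": "gmail.com"}
{"ts": "2024-03-13T16:55:00", "policy": "PCI-PAN", "user": "carol", "severity": "low", "src": "laptop-carol", "dst": "gmail.com"}
{"ts": "2024-03-14T11:30:00", "policy": "PCI-PAN", "user": "alice", "severity": "high", "src": "finance-share", "dst": "usb"}
{"ts": "2024-02-20T11:30:00", "policy": "PII-SSN", "user": "dave", "severity": "medium", "src": "hr-share", "dst": "usb"}
"""
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

def load_incidents(text: str) -> list:
    """Parse JSON-lines incidents, converting the timestamp to a datetime."""
    incidents = [json.loads(line) for line in text.splitlines() if line.strip()]
    for inc in incidents:
        inc["ts"] = datetime.fromisoformat(inc["ts"])
    return incidents

def summarize(incidents: list, start: str, end: str) -> dict:
    """Summary for the period [start, end): counts by policy, user and destination,
    incidents ordered by severity, and a per-policy trend (second half minus first half)."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    window = [i for i in incidents if s <= i["ts"] < e]
    mid = s + (e - s) / 2
    first = Counter(i["policy"] for i in window if i["ts"] < mid)
    second = Counter(i["policy"] for i in window if i["ts"] >= mid)
    return {
        "count": len(window),
        "by_policy": Counter(i["policy"] for i in window).most_common(),
        "by_user": Counter(i["user"] for i in window).most_common(),
        "by_destination": Counter(i["dst"] for i in window).most_common(),
        "by_severity": sorted(window, key=lambda i: (-SEVERITY_RANK[i["severity"]], i["ts"])),
        "trend": {p: second[p] - first[p] for p in set(first) | set(second)},
    }

if __name__ == "__main__":
    report = summarize(load_incidents(INCIDENT_LOG), "2024-03-04", "2024-03-18")
    for key in ("count", "by_policy", "by_user", "by_destination", "trend"):
        print(key, report[key])
```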

DLP best practices in a “mobile first, cloud first” era

Microsoft’s Satya Nadella has defined the company’s vision for the next years as “mobile first, cloud first.” Of course, this is the prevailing philosophy throughout the IT industry, not just at Microsoft. Mobility and the cloud bring heretofore unheard-of convenience for users but they complicate the lives of those charged with maintaining security. Data loss and leakage prevention in a mobile + cloud world has many inherent challenges, not the least of which is the shift of focus from protecting just the network to protecting the endpoints.

The biggest challenge is how to protect the data without unduly restricting what users can do. In the past, IT often took a “scorched earth” approach to security, locking down everything and allowing users as little leeway as possible on the premise that it’s better to be safe than sorry. In today’s BYOD, telecommuting, team-oriented business environment, that’s no longer desirable or even possible. Security has to be minimally intrusive while still protecting what needs to be protected.

Today’s DLP solutions must be able to protect data according to corporate policies even when that data is on devices that are outside of the corporate network. In practice this means the devices themselves must be managed. Endpoint DLP relies not on just one technology but a combination: host-based firewalls, anti-malware software, encryption, rights management, content-aware USB/removable media controls, and so forth.

Of course, there are practical/technological problems with implementing endpoint DLP on mobile and off-premises devices. Encryption and content analysis-based software can be resource-intensive, which means there might be an unacceptable performance hit on low-end devices. Thus endpoint DLP, to be effective, must be implemented in conjunction with, not in place of, network-based DLP solutions. Both network and endpoint DLP solutions also should be fully integrated with your infrastructure. A multi-phased rollout is best, as it allows you to gradually introduce employees to the changes and get feedback to make modifications as the deployment proceeds.

Summary

Here in Part 3 of our series of articles on how to go about developing an effective data loss and leakage prevention strategy, we took a look at the third element that impacts planning for DLP: practices. In the fourth and final installment in this series, we will focus on the last and in many ways the most important element: people.
