What is DLP?
The term DLP stands for Data Loss Prevention, although it is also referred to as Data Leak Prevention.
In a nutshell, DLP covers the identification, monitoring and protection of sensitive data so that it is not transmitted outside set perimeters and is accessed only by authorized entities.
Who should be concerned with DLP?
In an ever-evolving security threat landscape, and with ever-increasing amounts of data collected and stored online, it is imperative to ensure that data is safeguarded against unauthorized access and misuse by malevolent actors. Almost every day we read and hear news about data breaches affecting verticals across the whole spectrum, which often result in substantial losses (monetary and otherwise), lawsuits, fines and penalties imposed by regulatory compliance institutions.
Disgruntled or careless employees can and will steal or leak information by forwarding it outside the allowed perimeter or to recipients who are not authorized to view it.
Numbers speak
According to Techopedia, the year 2006 saw wide adoption of DLP methods and tools after rampant insider threats as well as more stringent state privacy laws.
Fast forward to 2019: in healthcare alone, data breaches doubled compared to 2018. Inform Diagnostics and CompuNet Clinical Laboratories recently announced that data of nearly 25 million patients was compromised during the eight-month breach of American Medical Collection Agency. Another major data breach was sustained by Presbyterian Healthcare Services and resulted in a total of 183K patient health records exposed. Compromised data included names, dates of birth, Social Security numbers, and health plan info!
Identify and classify protected data
Before deciding on a DLP approach, one needs to understand what type of data they have, which regulatory compliance measures they need to abide by, and where the data is stored and/or transmitted. A good starting point is to review your industry-specific regulatory code.
If you are in the healthcare sector, you are likely already familiar with the regulatory code for the data your organization deals with. The most common, and most misunderstood, in the U.S. is HIPAA (Health Insurance Portability and Accountability Act). Among other things, its Privacy Rule provides protections for personal health information (PHI) held by covered entities.
If you process and/or store credit card data, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Familiarity with industry-specific regulations will help you get started with understanding what data should be designated as classified and protected.
Law firms should take special measures to ensure that client-privileged and case information is not viewed by unauthorized users or leaked beyond the firm's secure network.
DLP Tools and Solutions
The DLP solution selected determines how sensitive data is classified. Therefore, it is important to understand how it classifies data and whether the process is automated or manual. As an example, Microsoft Azure Information Protection (AIP) and Symantec Data Loss Prevention work with data stored in Azure, Office 365 E3, and the Windows ecosystem. Data protection stays with documents as they are shared within the environment. Documents originating in other systems, like Box.com, can be protected using Microsoft Cloud App Security.
Email DLP protection
Barracuda offers an Advanced Email Security platform that lets admins set up DLP to prevent data leaks via email. One can choose to encrypt, block or quarantine email traffic containing sensitive data like credit card numbers, Social Security numbers or HIPAA-regulated data.
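As an added example (not Barracuda's or any vendor's code, and not from the original post), here is a small Python content classifier in the spirit of the email DLP rules described above. It detects candidate credit card numbers (validated with the Luhn checksum so random digit runs do not trip the rule), US Social Security numbers and a few HIPAA-style keywords, then maps what it finds to an encrypt, quarantine or block action through a policy table. The policy values, the keyword list and the sample messages are constructed assumptions, not vendor defaults; the same detection step is what a classification scan over stored files runs against file contents.

```python
import re
from typing import Dict, List

# Constructed policy table (an assumption, not any product's default): the action
# a mail gateway takes when a given class of sensitive data is found. The three
# actions are the ones the text names for email DLP.
POLICY: Dict[str, str] = {
    "credit_card": "block",      # cardholder data must not leave in clear text (PCI DSS)
    "ssn": "quarantine",         # hold the message for an admin to review
    "phi_keyword": "encrypt",    # HIPAA-related terms: deliver, but only encrypted
}

# Severity order used when one message triggers more than one rule.
ACTION_RANK = {"deliver": 0, "encrypt": 1, "quarantine": 2, "block": 3}

# 13-16 digit runs with optional spaces or dashes between digits (candidate card numbers).
CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN in the common nnn-nn-nnnn form, excluding values that are never issued
# (000, 666 and 9xx areas; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# A small constructed keyword list standing in for a real PHI dictionary.
PHI_TERMS = ("diagnosis", "patient id", "medical record number", "health plan")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the DLP log itself does not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> Dict[str, List[str]]:
    """Return {label: [masked matches]} for each class of sensitive data found."""
    findings: Dict[str, List[str]] = {}
    for m in CC_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.setdefault("credit_card", []).append(mask(digits))
    for m in SSN_RE.finditer(text):
        findings.setdefault("ssn", []).append(mask(m.group()))
    lowered = text.lower()
    hits = [term for term in PHI_TERMS if term in lowered]
    if hits:
        findings["phi_keyword"] = hits
    return findings


def decide(findings: Dict[str, List[str]]) -> str:
    """Pick the most restrictive action among the policy entries that fired."""
    action = "deliver"
    for label in findings:
        candidate = POLICY.get(label, "deliver")
        if ACTION_RANK[candidate] > ACTION_RANK[action]:
            action = candidate
    return action


def scan_message(subject: str, body: str) -> Dict[str, object]:
    """Classify subject plus body and return the findings with the resulting action."""
    findings = classify(subject + "\n" + body)
    return {"findings": findings, "action": decide(findings)}


if __name__ == "__main__":
    # Constructed sample messages; the card number is a well-known test PAN.
    samples = [
        ("Invoice", "Please charge card 4111 1111 1111 1111, exp 12/26."),
        ("Re: onboarding", "SSN for the new hire is 123-45-6789, health plan enrolment attached."),
        ("Order ref", "Your reference number is 1234 5678 9012 3456."),
        ("Lunch", "Pizza at noon?"),
    ]
    for subject, body in samples:
        print(subject, "->", scan_message(subject, body))
```

Two design points carry over to real deployments: matches are masked before they are logged, so the DLP audit trail does not become a second copy of the sensitive data, and a message that fires several rules gets the most restrictive action rather than the first one encountered.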
Data at rest protection
One of the best practices for protecting sensitive data at rest is to enable full-drive encryption on client computers and servers so the data is protected against physical theft. Full-drive encryption makes the data on a stolen or lost device virtually impossible to read. Windows has a built-in BitLocker feature that provides this, and it should be enabled on all devices holding sensitive data, especially mobile endpoints.
Ransomware often enters via compromised endpoints. It is critical to have a working and tested backup system for critical data, with at least one backup set kept offsite; follow the 3-2-1 rule. Keep Windows security updates and application patches current to make sure ransomware cannot infect vulnerable systems and spread across the network.
Implement and enact policies
Once sensitive and protected data has been identified, the next step is to implement and enforce proper policies. The scope of DLP policies covers preventing unauthorized users from viewing, transferring or modifying data; protecting data in use, at rest and in transit; separating personal and corporate data; and so on. Finding the right balance between designing effective policies and not inhibiting users' work is key.
Microsoft offers several DLP technologies that work cohesively and can aid in designing DLP policies. Windows Information Protection (WIP) helps protect data that has a sensitivity label and separates personal and business data on Windows devices. It allows for remote wiping of business data without affecting the user's personal files. WIP encrypts data using the Encrypting File System (EFS); however, it does not protect data once it leaves a Windows device.
Microsoft’s Azure Information Protection is used for classifying and protecting documents and emails by applying labels. It protects content transferred between devices and cloud services. Windows Server File Classification Infrastructure (FCI) scans server files to identify and determine whether they contain sensitive data, which in turn can trigger an action according to predefined rules.
Although a Data Loss Prevention implementation can be a complex and taxing endeavor, one can get started by taking basic steps to reduce the chances of sensitive data getting into the wrong hands. Steps like user education, security awareness training, a regular patch regimen, enabling file auditing on servers, and enforceable policies and procedures for the company's network usage will go a long way.
Give us a ring if your organization needs assistance with the implementation of Data Loss Prevention. Our solutions enable you to identify and classify your sensitive data, monitor access rights and analyze user behavior to detect a data leak before it becomes a crisis. Prevention is always better than cure.