The term data loss prevention or DLP is used throughout the information security industry to mean any technology that can stop users from sending sensitive information outside the corporate network. It can take many forms and can include locking down USB ports on PCs, stopping emails from leaving the company and preventing documents from moving outside of your firewall. DLP can mean many things to different people.
While DLP can enhance your information security by changing employee behavior, it does so by limiting activities, and it depends on creating adequate policies. It acts to restrict data use, not enable it. Business users legitimately need to share and use information, and preventing that can cause problems.
DLP has two main functions: monitoring and blocking. Many organizations only monitor activity to understand usage patterns. Once they start blocking the movement of information, there are typically a lot of exceptions because people need to get their jobs done. If you are only monitoring data access and movement, you are not protecting the data: you become aware of a problem only after the data has left your organization and already gotten into the wrong hands. If you throttle blocking back to the point where it is primarily monitoring, you are in the same situation.
DLP depends on policies to govern the movement of information. A lot of companies will monitor, and potentially block, personally identifiable information (PII), personal health information (PHI), Social Security numbers, PCI data and any other data that is governed by regulations. You can easily write policies to catch this information, but what about all the trade secrets and intellectual property (IP) that really drive your business?
DLP is a great way to discover and monitor confidential data, but its policies may not catch all compliance data and most likely won't protect the sensitive IP you create every day.
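To make the monitor-versus-block distinction and the policy gap above concrete, here is a small pattern-based DLP policy check added for this post (it is not code from the original article or from any DLP product). It classifies outbound text against two regulated-data policies, a Social Security number pattern and a Luhn-validated payment card number, and then applies either a monitor or a block mode; the sample messages are constructed, and the final one shows how unstructured IP sails through because no pattern matches it.

```python
import re

# Constructed sample outbound messages (not taken from the original post).
SAMPLES = {
    "pci": "Customer card 4111 1111 1111 1111 expires 12/27, please process.",
    "pii": "Applicant SSN is 123-45-6789, W-2 attached.",
    "ip":  "Attached: next-gen battery electrolyte formula, do not forward.",
}

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-number candidate: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the set of policy labels that fire on the text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("PII_SSN")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PCI_PAN")
    return labels


def decide(text: str, mode: str) -> tuple[str, set[str]]:
    """mode is 'monitor' (record hits, always allow) or 'block' (deny on any hit)."""
    labels = classify(text)
    if labels and mode == "block":
        return "BLOCK", labels
    return "ALLOW", labels


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, decide(text, "monitor"), decide(text, "block"))
```

In monitor mode every message is allowed and the hits are merely recorded, and in either mode the trade-secret message is allowed because nothing in it matches a policy, which is exactly the gap the post describes.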
By adding context-aware data protection to DLP, you can ensure that only authorized people can access sensitive information, no matter where it is. By encrypting the data and attaching persistent security policies to it, you extend DLP beyond monitoring. If information does leave your network, it is still protected and still under your control. If an unauthorized person tries to open it, the protected data appears as useless bits. Such a policy can even deny access to authorized people who are on the wrong device or in the wrong location.
Today data is everywhere and continues to grow. I could access a file on my mobile device, move it to the cloud, copy it onto my PC and then move it into a document repository. Keeping up by managing and monitoring every location and every device is almost impossible. It’s like playing whack-a-mole. You plug one hole and another appears.
You need to expand your thinking on how you protect your data by locking it down at the moment you create it. This gives you visibility and control through its entire lifecycle.
Photo credit Ambuj Saxena