The term data loss prevention or DLP is used throughout the information security industry to mean any technology that can stop users from sending sensitive information outside the corporate network. It can take many forms and can include locking down USB ports on PCs, stopping emails from leaving the company, and preventing documents from moving outside of your firewall. DLP can mean many things to different people.
While DLP can enhance your information security by changing employee behavior, it does so by limiting activities and is dependent on creating adequate policies. It acts to restrict data use, not enable it. Business users need to legitimately share and use information and preventing that can cause problems.
DLP has two main functions: monitoring and blocking. Many organizations only monitor activity to understand usage patterns. Once they start blocking the movement of information, there are typically a lot of exceptions because people need to get their jobs done. If you are only monitoring data access and movement, you are not protecting the data: you only become aware of a problem after the data has left your organization and already gotten into the wrong hands. If you throttle blocking back to the point where it is primarily monitoring, you have the same situation.
What are some of DLP’s challenges?
DLP’s ability to scan, detect data patterns, and enforce appropriate actions using contextual awareness reduces the risk of losing sensitive data. It depends on policies to govern the movement of information, and those policies can become complex to manage. A lot of companies will monitor and potentially block personally identifiable information (PII), personal health information (PHI), social security numbers, PCI data, and any data that is governed by regulations. You can easily write policies to block this information, but what about all the trade secrets and intellectual property (IP) that really drive your business?
The problem is that most businesses need to share sensitive data with outside people. DLP provides no protection when users legitimately have to send confidential information to a business partner or customer, because it cannot protect information once it is outside the organization’s perimeter. This has become more of an issue with remote work becoming the norm for many businesses.
Considering most data leaks originate from trusted insiders who have or had access to sensitive documents, organizations must complement and empower the existing security infrastructure with a zero-trust data security solution that protects data in use persistently.
Add zero-trust data security
By adding context-aware data protection to DLP, you ensure that only authorized people can access sensitive information no matter where it is. The three key areas to consider are:
- Encryption – by encrypting the data with centralized security policies, you can extend the monitoring capabilities of DLP. If the information does leave your network, it is always protected and under your control. If an unauthorized person tries to access that information, the protected data will appear as useless bits. This policy can even apply to authorized people who are on the wrong device, or in the wrong place.
- Control use of the data – apply a persistent security policy that travels with the data and controls what a user can do with it when they open a file. By limiting editing, copy & paste, or printing, you prevent the data from being passed on to the wrong people. This can extend to immediately revoking access to files once shared, regardless of location or device.
- Monitor and validate use – continuously validating user access to sensitive data is critical since people’s roles change and the data may not be relevant if the person changes jobs or leaves your organization. This ensures you only grant access to sensitive data if and when a user needs it.
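As an added example, not code from the article or from any product it describes, the following Python models the three areas above: a protected file carries its own policy, the viewer evaluates that policy against the user's current role, device and location on every open, and a revocation after sharing takes effect immediately. All names, fields and sample values are assumptions made for illustration.

```python
"""Constructed example of a persistent, context-aware policy that travels
with a protected file and is re-evaluated every time the file is opened."""
from dataclasses import dataclass

ACTIONS = {"view", "edit", "copy", "print"}

@dataclass(frozen=True)
class Policy:
    """Policy bound to the encrypted file; enforced by the viewer at open time."""
    doc_id: str
    actions_by_role: dict          # role -> set of permitted actions
    require_managed_device: bool = True
    allowed_countries: frozenset = frozenset({"US"})

@dataclass(frozen=True)
class Context:
    """What the enforcement point knows about the request right now."""
    user: str
    role: str                      # looked up at access time, not at share time
    device_managed: bool
    country: str

def evaluate(policy, ctx, revoked):
    """Return the actions ctx may perform on the document (possibly none).

    Revocation wins over everything else; each later condition narrows access.
    Because this runs on every open, a role change or revocation made after the
    file was shared applies immediately, wherever the copy now lives.
    """
    if (policy.doc_id, ctx.user) in revoked:
        return set()                       # access withdrawn after sharing
    if policy.require_managed_device and not ctx.device_managed:
        return set()                       # right person, wrong device
    if ctx.country not in policy.allowed_countries:
        return set()                       # right person, wrong place
    return set(policy.actions_by_role.get(ctx.role, ())) & ACTIONS

# Constructed sample: a contract shared with a partner who may only read it.
CONTRACT = Policy(
    doc_id="doc-001",
    actions_by_role={"finance": {"view", "edit", "print"}, "partner": {"view"}},
    allowed_countries=frozenset({"US", "DE"}),
)
REVOKED = set()                            # (doc_id, user) pairs

if __name__ == "__main__":
    alice = Context("alice", "finance", device_managed=True, country="US")
    bob = Context("bob", "partner", device_managed=True, country="DE")
    print(evaluate(CONTRACT, alice, REVOKED))   # {'view', 'edit', 'print'}
    print(evaluate(CONTRACT, bob, REVOKED))     # {'view'}
    REVOKED.add(("doc-001", "bob"))             # partnership ends
    print(evaluate(CONTRACT, bob, REVOKED))     # set()
```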
Today data is everywhere and continues to grow. I could access a file on my mobile device, move it to the cloud, copy it onto my PC, and then move it into a document repository. Keeping up by managing and monitoring every location and every device is almost impossible. It’s like playing whack-a-mole. You plug one hole and another appears.
You need to expand your thinking on how you protect your data: lock it at the moment you create it and continuously validate user access. This gives you visibility and control through the data's entire lifecycle.