Understanding Data Loss Prevention

Preventing data loss is a best practice approach to avoiding potential breach, damage, or loss of confidential, private, or proprietary information.

It applies most importantly to preventing the movement of sensitive data outside an organization’s secure perimeter. Data loss prevention (DLP), also known as data leak protection or simply leak protection, describes systems and technologies designed to detect potential data breaches, or attempts to move data outside an organization’s secure storage and systems and beyond its control. The prevention aspect comes into play as such systems monitor, detect, and then block access to or transmission of sensitive or proprietary data and information.

In general, data loss prevention systems provide three distinct types of protection:

  • In-use protection applies when sensitive data is in use by applications or for service delivery, and generally depends on various types of user authentication to establish identity for those requesting access to the data, along with access control systems that permit or deny such requests depending on user identity, job role, and security policy governing such data. In addition, such data is likely to remain encrypted at all times, so that attempts to access paging files, memory snapshots, or temporary working files will yield no plaintext data of any kind.
  • In-motion protection applies when sensitive data is in transit on a network of any kind, and generally depends on sufficiently strong encryption tools and technologies to mitigate the risk of eavesdropping, and to significantly lower the probability of a successful decryption attack. The more valuable (or regulated) the data, the stronger such encryption is likely to be.
  • At-rest protection applies to data as it resides on some kind of persistent storage medium. This usually involves access controls to limit access to programs and users with a legitimate need to know, access monitoring to track and log all access to such information, and strong encryption to protect against theft or attack against the physical media where such data is stored.

The overall idea behind DLP is to watch for unauthorized attempts to access sensitive data and information, and to take all possible measures to block or prevent its egress at the organization’s perimeter. There are numerous technologies and systems involved, not all of which may be labeled “DLP,” but all of which are equally important.

Important DLP Technologies

The tools and technologies used for DLP fall into four broad categories, as follows:

  • Standard security measures: DLP is no substitute for a complete and well-designed information security infrastructure, including firewalls, intrusion detection or prevention systems, anti-malware software, and vulnerability or threat management systems that scan for, prioritize, and track patches and fixes for critical and important elements in need of mitigation. DLP does often figure into a class of systems known as Unified Threat Management (UTM), where it generally cooperates with a full battery of standard security measures.
  • Advanced security measures: Depending on the level of risk involved, organizations may choose to employ various advanced security measures to obtain the benefits of the extra protection and monitoring such measures can provide. These include heuristics and analytical tools that detect and react to abnormal patterns of system behavior, especially where access to sensitive data is concerned; highly granular data integrity controls (e.g., Tripwire); network traffic and protocol analyzers; honeypots or honeynets to lure in attackers; and additional checks on user identity while accessing sensitive data (such as keyboard dynamics, which associate keystroke patterns with specific user identities and can thus detect impersonation attempts, even when account and password information may be compromised).
  • Specific DLP solutions: Such systems detect and block attempts to copy or transmit sensitive data, either intentionally or accidentally. This is particularly important when individuals with authorized access attempt to exceed the bounds of their authorized access and usage profiles.
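To make the "detect and block" behavior of a dedicated DLP solution concrete, here is an added example (not code from the article or from any DLP product) of the content-inspection and policy-decision core such a system runs against outbound data. It classifies a message by the sensitive patterns it contains, uses a Luhn checksum to cut false positives on card-number-like digit runs, and then applies a constructed egress policy: sensitive labels may stay inside the perimeter but are blocked when the destination is external. The policy set, the labels, the regular expressions, and the caller-supplied "destination is external" flag are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed policy (assumption): these labels may not leave the perimeter.
POLICY_BLOCK_EXTERNAL = {"PAN", "SSN", "CONFIDENTIAL"}

# Detection patterns (assumptions for this example, not a product's rule set).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # card-number-like digit runs
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN layout
CONF_RE = re.compile(r"\b(confidential|internal only|proprietary)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; filters random digit runs from real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the set of sensitivity labels detected in the text."""
    labels: set[str] = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Only a Luhn-valid run of 13-19 digits is treated as a card number.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PAN")
    if SSN_RE.search(text):
        labels.add("SSN")
    if CONF_RE.search(text):
        labels.add("CONFIDENTIAL")
    return labels


@dataclass
class Decision:
    action: str                                   # "allow" or "block"
    labels: set[str] = field(default_factory=set)  # what was found, for the audit log
    reason: str = ""


def evaluate_egress(text: str, destination_external: bool) -> Decision:
    """Apply the egress policy: sensitive content may not go to external destinations."""
    labels = classify(text)
    if destination_external and labels & POLICY_BLOCK_EXTERNAL:
        return Decision("block", labels, "sensitive content bound for external destination")
    return Decision("allow", labels, "no policy violation")


if __name__ == "__main__":
    # Constructed sample messages; the card and SSN values are test data, not real.
    samples = [
        ("Invoice paid with card 4111 1111 1111 1111, thanks", True),
        ("Ticket ref 4111 1111 1111 1112 closed", True),      # fails Luhn: not a PAN
        ("Payroll note: employee SSN 123-45-6789", False),    # internal: allowed, but logged
        ("Attached: CONFIDENTIAL roadmap", True),
    ]
    for text, external in samples:
        d = evaluate_egress(text, external)
        print(f"{d.action:5} labels={sorted(d.labels)} dest={'ext' if external else 'int'}: {d.reason}")
```

The design point worth noting is the split between classification and policy: `classify` answers "what is in this data?" independently of where it is going, so the same detector can feed in-use monitoring (log the labels), in-motion enforcement (block at the gateway), and at-rest discovery scans, while `evaluate_egress` holds the organization's policy and is the only piece that changes when the policy does. Real products add fingerprinting of known documents and exact-match lookups on top of pattern rules, because regular expressions alone miss renamed or partially quoted data.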

For DLP to work properly, it must operate in an information processing environment in which a well-defined security policy is at work, where regular audits are undertaken to ensure that policy design and policy implementation match up closely, and that outright attacks, data loss and leakage, and other important threats to security, confidentiality and privacy are properly addressed.

Ed Tittel is a 30-year-plus veteran of the computing industry, who’s worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written and blogged for numerous publications, including Tom's Hardware, and is the author of over 140 computing books with a special emphasis on information security, Web markup languages and development tools, and Windows operating systems.
