Understanding Data Loss Prevention (DLP)

Understanding Data Loss Prevention (DLP)
By

Preventing data loss is a best practice approach to avoiding potential breach, damage, or loss of confidential, private, or proprietary information.

It applies most importantly to preventing movement of sensitive data outside an organization’s secure perimeter. Data loss prevention (DLP), also known as data leak or simply leak protection, describes systems and technologies designed to detect potential data breaches, or attempts to move data outside an organization’s secure storage and systems, and beyond its control. The prevention aspect comes into play as such systems monitor, detect, and then block access to or transmission of sensitive or proprietary data and information.

In general, data loss prevention systems provide three distinct types of protection:

  • In-use protection applies when sensitive data is in use by applications or for service delivery, and generally depends on various types of user authentication to establish identity for those requesting access to the data, along with access control systems that permit or deny such requests depending on user identity, job role, and security policy governing such data. In addition, such data is likely to remain encrypted at all times, so that attempts to access paging files, memory snapshots, or temporary working files will yield no plaintext data of any kind.
  • In-motion protection applies when sensitive data is in transit on a network of any kind, and generally depends on sufficiently strong encryption tools and technologies to mitigate the risk of eavesdropping, and to significantly lower the probability of a successful decryption attack. The more valuable (or regulated) the data, the stronger such encryption is likely to be.
  • At-rest protection applies to data as it resides on some kind of persistent storage medium. This usually involves access controls to limit access to programs and users with a legitimate need to know, access monitoring to track and log all access to such information, and strong encryption to protect against theft or attack against the physical media where such data is stored.

The overall idea behind DLP is to watch for unauthorized attempts to access sensitive data and information, and to take all possible measure to block or prevent its egress at the organization’s perimeter. There are numerous technologies and systems involved, not all of which may be labeled “DLP,” but all of which are equally important.

MORE: Preventing Data Breaches: New Tools And Technologies
MORE: A Guide To Security Information And Event Management (SIEM) Tools

Important DLP Technologies

The tools and technologies used for DLP fall into four broad categories, as follows:

  • Standard Security Measures: DLP is no substitute for a complete and well-designed information security infrastructure, including firewalls, intrusion detection or prevention systems, anti-malware software, and vulnerability or threat management systems that scan for, prioritize, and track patches and fixes for critical and important elements in need of migitation. DLP does often figure into a class of systems known as Unified Threat Management (UTM), where it generally cooperates with a full battery of standard security measures.
  • Advanced security measures: Depending on the level of risk involved, organizations may choose to employ various advanced security measures to obtain the benefits of the extra protection and monitoring such measures can provide. These include heuristics and analytical tools that detect and react to abnormal patterns of system behavior, especially where access to sensitive data is concerned, highly granular data integrity controls (e.g. TripWire), network traffic and protocol analyzers, honeypots or honeynets to lure in attackers, and additional checks on user identity while accessing sensitive data (such as keyboard dynamics, which associate keystroke patterns with specific user identities, and can thus detect impersonation attempts, even when account and password information may be compromised).
  • Specific DLP solutions: Such systems detect and block attempts to copy or transmit sensitive data, either intentionally or accidentally. This is particularly important when individuals with authorized access attempt to exceed the bounds of their authorized access and usage profiles.

For DLP to work properly, it must operate in an information processing environment in which a well-defined security policy is at work, where regular audits are undertaken to ensure that policy design and policy implementation match up closely, and that outright attacks, data loss and leakage, and other important threats to security, confidentiality and privacy are properly addressed.

Evaluating DLP Tools

Numerous encryption and data leakage prevention products are available to provide protection against such threats. Here’s a laundry list of key features and functions that buyers should insist upon when evaluating and choosing such products for commercial and professional use:

  • Fingerprinting of document files and document file sources, so that any and all copies of data can be uniquely identified. This might include a watermark (or rather, digital mark) associated with the identity of a user account that accessed specific data.
  • Multiple inspection modes, both proxy and flow-based, to look for sensitive data in motion on organizational networks, or at their network boundaries or perimeters.
  •  Enhanced pattern matching capabilities to permit sensitive data to be easily and correctly identified as such, even when encrypted.
  • Ability to monitor a wide range of Internet, e-mail, and instant messaging protocols for sensitive data (this kind of pattern-matching capability is critical for detecting and blocking data in motion, particularly at the organization’s perimeter). This depends on intelligent pattern matching that can search content in a wide variety of forms (including social security or credit card numbers). Properly implemented, DLP can block sensitive information on its way into a network, or on its way out.
  • Centralized controls for DLP information, which may then be used to specify document file fingerprints, document file sources, inspection modes, pattern matching, and logging and archiving behavior.
  • General archiving capabilities also permit any and all sensitive information or content to be recorded and archived, according to a broad range of parameters (file fingerprints, file sources, inspection modes, patterns matched, protocols used, and so forth). Such systems can even save complete Web pages, email messages, or files for later inspection and analysis.

As best information security practicesdictate, the best DLP systems monitor all traffic, log (and perhaps even record) any traffic of potential interest or impact, and define mechanisms to block ingress of unwanted or suspect sensitive data, and prevent leakage of valuable sensitive, proprietary or confidential data.

This must occur in an environment with a well-defined (and regularly audited) security policy, where sensitive data has been identified and classified. That makes it much easier to segregate and flag sensitive, confidential, or proprietary data, and make sure all accesses are monitored and logged, and DLP solutions brought into play for extra protection.

MORE: 5 Security Best Practices Ever IT Pro Needs To Know
MORE: A Guide to Physical Data Center Security Solutions

Data Loss Prevention Certifications

There are more than 100 active and ongoing credentials in this broad field of data loss prevention currently available to IT professionals interested in acquiring these skills. Not all of them address DLP directly or explicitly, however. And while there is no credential that focuses exclusively on this aspect of information security, the following well-known certifications include coverage of this subject matter in their exam objectives or associated common body of knowledge that candidates for such credentials must master.

  • EC-Council Certified Ethical Hacker (CEH)
  • ISACA Certified Information Systems Auditor (CISA)
  • (ISC)2 Certified Information Systems Security Professional (CISSP)
  • SANS GIAC Certified Incident Handler (GCIH)
  • SANS GIAC Windows Security Administrator (GCWN)
  • DHS Certified in Homeland Security (CHS) Level I-III (and beyond)
  • Symantec Certified Specialist (SCS): Administration of Data Loss Prevention

Of these credentials, the generalist items such as CEH, CISA, CISSP, CHS, and the two SANS GIAC items (GCIH and GCWN) provide varying levels of coverage on the basic principles that govern DLP, and best practices for its application and use within the context of a well-defined security policy. Of these, the CISSP and CISA are the most senior and demanding.

On the other hand, the Cisco and Symantec credentials concentrate more on the details involved with specific platforms and systems from those vendors designed to provide working DLP solutions.

MORE: Best Information Security Certifications
MORE: Best Computer Forensics Certifications
MORE: Best IT Training