Maybe you’ve been appointed as the new Data Protection Officer. Maybe you’re part of the technical team planning data protection. If you’re somewhat new to data protection or data protection technology, this article may help you plan your data loss prevention program.
What is Data Loss Prevention (DLP)?
Data loss means information leakage: whether intentional, accidental, the result of a security breach or due to any other cause, your information gets out of your company to an unwanted destination. Because of GDPR, we all started to look after the personal information of the people our organization interacts with. But besides personal information there is other confidential information we don’t want to lose, such as financial information, intellectual property, competitive information and more.
A data loss prevention program should watch over people, processes and systems and reduce the leakage of company information to a minimum. From a more technical perspective, a few concepts are useful to understand: data classification (categorizing the data within your organization), data states (how data flows around the company), the risks of data loss for each, and how a DLP solution should address them. Each vendor provides a set of functionalities for each category and state, and some controls/actions to stop the potential leakage. On top of technical measures, organizational measures should also be taken in order to minimize data loss.
Encrypting everything in a company is unrealistic. Splitting data into categories, like confidential information, public information and project-specific information, is the foundation of defining a data protection program, and it’s the starting point when planning how information within the organization should be handled and protected. After you define the categories and the sensitivity levels for each, your DLP systems can be configured to recognize in real time the type of data they discover and, once discovered, apply the controls required by your information security policy. For example, if you decide credit card information is confidential and should only be accessible by your finance department, then a file containing credit card data will be encrypted and only the finance roles in the company will be able to read it.
How a DLP solution can recognize your data category:
- Rule-based: some sets of data will always respect a rule or a pattern. For example, a credit card number or a national identification number should follow a certain pattern (for example, a Romanian CNP, the national identification number, must have 13 digits, the first one can be 1-6, the next 6 digits can only have a date format YYMMDD, etc.). Once this rule is matched, the data can fall into a specific category.
- Context: who created the data (a user or an application) or where the data is stored (for example, all salary files may be handled by one application, so we can name that storage location).
- Database fingerprinting: matching different field combinations, like a name or credit card number, to data that was loaded from a database.
- File matching: computes the hash of a file (a calculated code, much smaller than the file itself, that can match one file) and monitors if any other file matches that hash.
- Data at rest: data that sits somewhere in the company, like all the records kept in a database or all the documents sitting on a drive or in some shared folder.
- Data in motion (in transit): information that moves across the enterprise networks.
- Data in use: data being handled by your end users.
For data at rest, a DLP discovery agent should be used to seek and find files sitting around the organization, inspect file content and act if a security policy is violated (encrypt, alert, block, etc.). When information is flowing around, it is data in motion, and a DLP gateway is used: when data travels from point A to point B, the DLP gateway checks the type of the information and whether it respects your policies. For the last state, data in use (data handled by your end users during their daily activities), a DLP agent gets installed on the user’s endpoint (laptop, mobile phone, etc.). When data moves from the user’s laptop to another place (a USB stick or a printer) and it is sensitive and should not leave the company, the agent can block or report this action, preventing the data loss.
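The following added example, which is not from the original article or from any DLP product, combines the rule-based and file-matching methods listed above in the kind of content inspection a data-at-rest discovery agent performs. It goes beyond the CNP rules quoted in the text by also checking the control digit, and applies a Luhn check to card numbers; the category labels, file paths and sample values are constructed for illustration.

```python
import hashlib
import re
from datetime import date

CNP_WEIGHTS = "279146358279"  # control-digit weights (beyond the rules quoted in the text)
CENTURY = {"1": 1900, "2": 1900, "3": 1800, "4": 1800, "5": 2000, "6": 2000}

def is_cnp(s):
    """13 digits, first digit 1-6, a real YYMMDD date, and a valid control digit."""
    if not re.fullmatch(r"[1-6]\d{12}", s):
        return False
    try:
        date(CENTURY[s[0]] + int(s[1:3]), int(s[3:5]), int(s[5:7]))
    except ValueError:
        return False  # e.g. month 45: matches the digit pattern but is not a date
    control = sum(int(d) * int(w) for d, w in zip(s, CNP_WEIGHTS)) % 11
    return int(s[12]) == (1 if control == 10 else control)

def is_card(s):
    """Luhn check, so arbitrary 16-digit numbers (order ids, etc.) are not flagged."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(s)):
        d = d * 2 if i % 2 else d
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content, known_hashes):
    """Return the set of (hypothetical) category labels for one file's bytes."""
    labels = set()
    # File matching: only an exact byte-for-byte copy produces the same hash.
    if hashlib.sha256(content).hexdigest() in known_hashes:
        labels.add("known-confidential-file")
    text = content.decode("utf-8", errors="ignore")
    if any(is_cnp(m) for m in re.findall(r"(?<!\d)\d{13}(?!\d)", text)):
        labels.add("personal-data")
    if any(is_card(m) for m in re.findall(r"(?<!\d)\d{16}(?!\d)", text)):
        labels.add("finance-confidential")
    return labels

# Constructed sample files; the CNP and card number are test values, not real data.
PRICING = b"Q3 pricing model - internal only"
KNOWN = {hashlib.sha256(PRICING).hexdigest()}
FILES = {
    "hr/contract.txt": b"Employee CNP: 1800101400016",
    "sales/order.txt": b"Paid with card 4111111111111111, order 1234567890123",
    "tmp/copy.bin": PRICING,
    "notes/todo.txt": b"Call supplier, ref 1800101400017",
}

def scan(files=FILES):
    return {path: classify(data, KNOWN) for path, data in files.items()}
```

The validation steps matter for false positives: the 13-digit order number and the supplier reference both match the digit pattern but fail the date or control-digit check, so they are not labelled as personal data.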
Planning a DLP program
Understand your business
I often see customers delegating the DLP program solely to the technical team (or the technical guy). It is true that this will involve technical knowledge, but your DLP strategy won’t work unless you understand how the people in your organization work, and the technical team alone may miss many important aspects. A DLP program’s purpose is to allow business as usual, without any information leakage. If you miss the first part and you focus only on the data leakage part, you’re missing the point.
I’ve met several customers where, because of the nature of the sales activities, more than 50% of their customer data was received by WhatsApp, personal email addresses or Facebook before getting into the company’s systems. Some may say it’s not company data before it gets into the company. Most of you will know this is not something to ignore. When you read in the news about a set of sensitive customer information leaked out of salespeople’s personal phones, your company will be affected, and you should consider adjusting the process, as pre-sales activities are still under your brand.
Understand what sensitive data you handle in the organization and how it flows throughout your environment, including people, processes and systems. Only then will you know what to look for in your DLP program and your next DLP tool. The DPO, technical owners and business line owners should team up at this point; otherwise, important points can be missed.
DLP should not block your users from doing their job; otherwise they will use it as an excuse for poor results and they will find workarounds to move data around, which completely cancels all your DLP efforts. Don’t forget, some data may get to your users before getting into your systems.
Before looking into DLP solutions, think about the compatibility required by the applications and systems that will use them. Also consider old systems and personal devices, whose performance may be impacted by the technology you choose.
Also, don’t forget to consider the impact of a potential crash. If you’ve done the DPIA required by GDPR, you may want to extend this to all your sensitive information and evaluate what the impact would be if your DLP stopped for one day.
Involving the business when defining impact is crucial. You understanding their requirements and they understanding the impact of a potential data loss is key to rolling out an effective DLP program in your organization. Data leakage estimated from the technical team’s perspective may hugely underestimate the potential business loss, counting brand, trust and profit.
Ok, we’ve established you need to understand the company and team up with business owners. That will help you in your planning phase. Next on the list is researching DLP technology, choosing the best solutions and implementing them.
You will only be able to do your research once you understand the data categories in the company and the data flow.
Some solutions are not called DLP, but DLP functionality integrated into technology you have already implemented can play a key role in your data protection program. Make sure you do an inventory of existing technology in the company, such as encryption solutions, mobile device and application management, data classification and discovery tools, secure email gateways, firewalls, intrusion detection/prevention systems.
Ask vendors for product demonstrations and include the main business scenarios you have sketched. Don’t settle for reading online product reviews and price comparisons. One hour invested in a solution demo can bring more value than individual research, which you can reduce to cover the essential concepts you should understand. Instead, use this time in planning and get a clear understanding of what you need covered by a DLP solution.
Once you end up with a short list, plan a pilot! Don’t rush this phase. It may cost you more time and money to unblock or configure incomplete or complex technology than to spot potential blockers or incompatibilities with your use cases during a pilot phase.
Stay away from lengthy and complex implementations and keep in mind that, with the dynamics of technology today, business needs and the technology used might change faster than your deployment!
Once you’ve selected your technology, plan the deployment together with your business team. Start small, document well and communicate often.
- Define roles and responsibilities. Define who is responsible, who is accountable, who needs to be consulted and who needs to be informed. A DLP system restricts what data goes out of your company. It can block certain activities, but it can also inspect files.
- Communicate your data classification to your employees and make sure they understand how data is categorized in the company. Involve them in your data protection program by raising awareness and clearly explaining in your communication what’s in it for them.
It may be their personal information you are looking after, customer data is their customers’ data, intellectual property can mean the protection of their work and talent, and the perception of trust you protect for the organization is part of their professional brand as well. Stay away from the big brother or blocker role by positioning the data protection program as a team effort for a safe work environment.
- Start with monitoring functionalities for a while. Don’t start blocking or encrypting data. Choose a small group of pilot users and slowly expand by adding groups, adjusting continuously based on feedback.
- Document every step and keep employees aware of any changes that may impact their daily tasks. Don’t let them get blocked, and provide fast support, in order to avoid their workarounds. Respect their skills, which may not be technical, and respect their deadlines and their commitments to their partners/customers. Team up with them and you’ll have fewer documents flying around on personal Dropbox accounts, WhatsApp or any other easier way to send out information when needed.
Some good reads about Data Loss Prevention: