
Use a data loss prevention solution

Written by Cyberangels
Updated over 2 years ago

What is data loss prevention?


Data loss prevention (DLP) is a set of practices (and products) that ensure that an organisation's sensitive or critical data remains available to authorised users and is not shared with unauthorised users. With many companies building their entire business model around the collection and analysis of data, it is increasingly necessary to implement a rigorous defence of that data to match its growing value.

What is the purpose of data loss prevention?

Use cases of data loss prevention:

  • Protecting personally identifiable information and ensuring legal compliance. Many organisations have huge databases full of potentially sensitive information about their customers and business contacts, ranging from email addresses to medical and financial records, which could cause damage if they fall into the wrong hands. You have to make sure that data remains secure, not only because it is the right thing to do, but also because a number of laws require you to do so.

  • Protecting intellectual property. Your organisation almost certainly has intellectual property and trade secrets that you want to keep out of the hands of competitors. Data loss prevention aims to prevent data from being stolen through corporate espionage or inadvertently exposed online.

  • Gaining visibility into your data. Part of the process of securing data involves understanding where data resides in your infrastructure and how it 'moves'. In the era of public and hybrid clouds, this can be a complex task, and DLP tools have the added benefit of providing insight into your data infrastructure.

DLP can be reduced to a simple pair of directives: identify sensitive data that needs to be protected and then prevent its loss. The task of identifying sensitive data can be complicated, as data can exist in different states in your infrastructure:

  • Data in use: active data in RAM, cache memory or CPU registers

  • Data in motion: data that is being transmitted over a network, whether internally on a private network or externally across the public Internet

  • Data at rest: data stored in a database, on a filesystem or in some kind of backup storage infrastructure

In each case, DLP solutions deploy agents that search through the data. These agents use a variety of techniques to recognise sensitive data, or data that is otherwise worth protecting, including:

  • Rule-based matching or regular expressions: agents use known patterns to find data that meets specific rules, e.g. a 16-digit number is treated as a candidate credit card number and a 9-digit number as a candidate social security number. A bare pattern also matches order numbers, tracking IDs and other innocuous values, so this is usually only a first step that marks documents for later analysis (for instance, checking a candidate card number against the Luhn checksum before raising an alert)

  • Database fingerprinting or exact data matching: agents search for exact matches against a supplied structured data set (typically customer or employee records), usually comparing hashes of the values rather than the raw values themselves

  • Exact file matching: agents search for documents based on their hashes, rather than their content

  • Partial document matching: agents search for files that partially match a previously fingerprinted document. For example, different versions of a form filled in by different users will share the same 'skeleton', which can be used to fingerprint the file

  • Statistical analysis: some DLP solutions use machine learning or Bayesian analysis to try to identify sensitive data. You will need a large volume of data to train the system, and it may still produce false positives and false negatives
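As an added example (not code from the original article or from any DLP product), the script below implements three of the techniques listed above over a constructed sample document: rule-based matching with regular expressions, followed by a Luhn check and an SSN structure check to discard the false positives a bare pattern produces; exact data matching against hashed known values; and exact file matching against a hash of the whole document. The sample text, the "known" records and the blocked-file list are all made up for the demonstration, and plain SHA-256 stands in for the keyed hashing a real product would use.

```python
"""Toy DLP content scanner (added example, not from the original article).

Demonstrates, on constructed data:
  * rule-based matching: regexes find 16-digit and 9-digit candidates, then
    a Luhn check / SSN structure check rejects values a bare pattern flags;
  * exact data matching: candidates are compared against hashes of a known
    sensitive data set, so the scanner never stores the raw values;
  * exact file matching: the whole document is compared by SHA-256 hash.
"""
import hashlib
import re

# Candidate patterns: 16 digits with optional single space/dash separators,
# and a 9-digit number in the 3-2-4 SSN layout (dashes optional).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out most random
    16-digit strings (order numbers, tracking IDs) that the regex matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_structure_ok(area: str, group: str, serial: str) -> bool:
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
    so 9-digit numbers with those parts cannot be SSNs."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return group != "00" and serial != "0000"


def fingerprint(value: str) -> str:
    """Hash a value so the scanner holds no raw secrets. Real exact-data-
    matching products use keyed/salted hashes; plain SHA-256 is used here."""
    return hashlib.sha256(value.encode()).hexdigest()


def scan_document(text: str, known_value_hashes: set, blocked_file_hashes: set) -> dict:
    """Apply rule-based, exact-data and exact-file matching to one document."""
    findings = {"cards": [], "ssns": [], "exact_data": [], "exact_file": False}

    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):                      # drop non-card 16-digit values
            findings["cards"].append(digits)
            if fingerprint(digits) in known_value_hashes:
                findings["exact_data"].append(digits)

    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if ssn_structure_ok(area, group, serial):
            ssn = f"{area}-{group}-{serial}"
            findings["ssns"].append(ssn)
            if fingerprint(ssn) in known_value_hashes:
                findings["exact_data"].append(ssn)

    # Exact file matching: compare the whole document's hash, not its content.
    findings["exact_file"] = fingerprint(text) in blocked_file_hashes
    return findings


# Constructed sample data for the demonstration (no real records).
KNOWN_CUSTOMER_RECORDS = {fingerprint("4111111111111111"), fingerprint("123-45-6789")}
BLOCKED_FILES = {fingerprint("CONFIDENTIAL board minutes, do not distribute")}

SAMPLE_TEXT = """\
Order 1234567890123456 shipped to the customer.
Card on file: 4111 1111 1111 1111 (exp 12/29).
Employee SSN 123-45-6789; placeholder 000-12-3456; ticket 987654321.
"""


def demo() -> dict:
    """Scan the constructed sample document against the constructed lists."""
    return scan_document(SAMPLE_TEXT, KNOWN_CUSTOMER_RECORDS, BLOCKED_FILES)


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running the scan on the sample text shows why the validation steps matter: the order number and the ticket number are both regex candidates but are rejected by the Luhn and SSN structure checks, while the card number and the employee SSN survive and are then confirmed against the hashed record set. A 9-digit number that happens to have a valid-looking structure would still be flagged, which is why rule-based matching only marks documents for further analysis.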

There are a number of DLP solutions available commercially, such as Symantec Data Loss Prevention: if you are unable to implement one of these solutions yourself, contact your IT consultant or contact our support.
