Why Data Loss Prevention Matters: Principles, Risks, and Cloud Challenges

Regardless of how it might have occurred, data leaks can have catastrophic consequences


In this article, I explain the principles, challenges, and consequences of Data Loss Prevention (DLP).

What is Data Loss Prevention?

Data Loss Prevention, or DLP as it is often referred to, is a set of policies and technologies that are collectively designed to prevent an organization’s sensitive data from being leaked.

How does data leakage occur?

Data leakage can occur either intentionally or unintentionally. Unintentional leakage might occur when a user shares sensitive data through an insecure channel, such as email, consumer-grade cloud storage, or portable media.

Of course, data leakage can also be malicious in nature. Some ransomware, for example, is designed to exfiltrate an organization’s most sensitive data and intellectual property. Upon doing so, the attacker may threaten to expose this data unless a ransom is paid. Malicious data leakage does not always stem from ransomware or a cybersecurity incident. It may also occur as a result of insider threats. A disgruntled user might deliberately exfiltrate sensitive information in an effort to steal the organization’s customers or its intellectual property.

The consequences of data leakage

Regardless of how it might have occurred, data leaks can have catastrophic consequences. At the very least, data leaks may cause reputational damage, where customers and partners lose trust in the organization and its ability to keep data secure.

If an organization operates within a regulated industry, then a data breach will almost always be accompanied by a hefty fine. Regulations such as GDPR, HIPAA, and PCI-DSS impose severe financial penalties in response to policy violations. This holds true whether the policy violation is a result of malicious insiders, malware, cyberattacks, or end user behavior.

The core principles of Data Loss Prevention

Although Data Loss Prevention can take various forms, most DLP solutions are built around three core principles.

The core principles of data loss prevention (Image Credit: Brien Posey/Petri.com)

1. Data identification and classification

The first step in protecting an organization’s data is to identify and classify the data. This usually means taking the time to inventory all data and then tagging data as public, internal, confidential, or highly sensitive. The data classification process usually involves using data discovery tools that are designed to scan file servers, databases, endpoints, cloud storage, and cloud applications in an effort to locate and classify data.

The data discovery process often automates the data classification process for structured and unstructured data. If automation is used, the tool can perform metadata analysis to detect patterns that could point to the presence of Personally Identifiable Information (PII). This often means looking for alphanumeric strings that match the patterns used by data types such as driver’s license numbers, credit card numbers, or social security numbers.

2. Data monitoring

Data monitoring is the second pillar of DLP. Monitoring involves tracking the access to and movement of sensitive data in real time. Monitoring often involves various use cases. For example, an organization might monitor endpoints as a way of observing how end users copy, transfer, or access data from their devices. This is sometimes referred to as endpoint DLP, and it protects data access and data transfers from laptops, mobile devices, and other endpoint systems.

Organizations usually also implement monitoring at the network level (network DLP), allowing them to track data in motion and making it easier to spot attempted data exfiltration and data access.

Since most organizations have a heavy cloud presence, monitoring also takes place in the cloud (cloud DLP) to keep an eye on cloud data and cloud applications, including custom applications running in Infrastructure as a Service (IaaS) clouds, as well as Software-as-a-Service (SaaS) applications.

3. Data protection

Data protection is the third pillar of DLP. It is not enough to identify and monitor sensitive and confidential data. An organization must take steps to actively protect the data. Information protection becomes especially important if the organization is subject to regulatory compliance mandates such as HIPAA, GDPR, PCI-DSS or other data privacy laws, because policy violations carry serious consequences. So, organizations must take care to ensure that their security policies are being carefully followed.

Data protection is a form of risk management

Data protection is a form of risk management that involves determining where vulnerabilities could potentially exist and then putting controls in place to prevent those vulnerabilities from being exploited.

As an example, most organizations take advantage of encryption to protect data at rest and data in motion. Similarly, security teams use other security measures, such as firewalls or Intrusion Prevention Systems (IPS), to protect access to critical data.

Many organizations have adopted zero trust as a philosophy for protecting their data. Zero trust is based on the idea that nothing on a network should be inherently trusted. Identities must be verified at the time when data access is attempted. Additionally, organizations often practice least user access, meaning that access controls are implemented in a way that causes users to receive access to the information that they need in order to function, but nothing more. Access control permissions are intentionally restrictive.

Lifecycle policies focus on data retention

Another way that organizations often protect their critical data is by implementing lifecycle policies as a part of their DLP strategy. Whereas DLP largely focuses on preventing accidental or deliberate data exposure, lifecycle policies focus on data retention. These types of policies ensure that data containing PII is retained for the period of time required by law.

In many cases, lifecycle policies purge data that is no longer legally required to be retained. The idea is that the organization will not have to worry about leakage or unauthorized access to the data since the data has been purged and no longer exists.

DLP implementation challenges

Although there are many excellent DLP tools available from Microsoft and other vendors, DLP is not without its challenges. One of the primary challenges in creating a DLP policy is identifying all of the data in use throughout the organization. After all, most organizations have data on premises, in the cloud, or even in multi-cloud environments.

Data residing in the cloud might exist in cloud storage or it could reside in SaaS applications. Simply put, locating and classifying data becomes more difficult when the data is spread across many data repositories. An organization’s approach to cloud security must be flexible enough to work regardless of where data actually resides.

Balancing security with usability

Another challenge is balancing security with usability. Most security solutions excel at helping an organization to lock down its IT infrastructure. However, when security measures become excessive, IT resources become less usable. So, security platforms must be configured in a way that protects data, without making life overly difficult for users.

Compatibility and DLP

Compatibility can pose another challenge. An organization might discover that its DLP systems are not fully compatible with the rest of its IT resources, thereby making it difficult to fully protect all of the organization’s data.

Insider threats

Finally, the implementation of a data loss prevention solution can be hampered by insider threats. An insider may bypass DLP controls.

What is data loss prevention (DLP)?

Data loss prevention (DLP) is a set of security tools and processes designed to identify and prevent the unauthorized sharing, transfer, or loss of sensitive data. DLP solutions monitor data across endpoints, networks, and cloud services to help protect information such as personal data, financial records, and intellectual property.

Why is data loss prevention important?

DLP is important because it helps organizations safeguard sensitive information, maintain regulatory compliance, and reduce the risk of data breaches. By preventing accidental leaks and malicious exfiltration, DLP helps avoid financial loss, legal penalties, and reputational damage.

How does data loss prevention work?

Data loss prevention works by monitoring data in use, in motion, and at rest, and comparing it against predefined security policies. When sensitive data handling violates these policies, DLP tools can block the action, alert security teams, or apply protective controls to prevent exposure.