This can be a very difficult question, and one that has created many products and solutions (inside and outside of IT; think insurance). Other than the people, the most critical asset most organizations have is their information. If it were not for that information we wouldn’t need all of the switches, routers, servers, and storage. If we aren’t protecting the data we value most as a starting point, then what are we doing?
DLP (Data Loss Prevention) has been one of the dirtiest words of the last ten years. In security circles it may even be considered worse than cloud. What made the term so unpalatable is that it somewhat implies that without these solutions branded Data Loss/Leakage Prevention we are losing and leaking data, and that these solutions are the silver bullet, the be-all and end-all. Obviously marketing gone wild. There is definitely some merit in it, though: applied correctly alongside other technologies, DLP can provide a fantastic last line of defense, a role that used to belong to endpoint anti-virus.
If the attack traffic got through the firewall and then the Network Intrusion Prevention System, then hopefully the endpoint anti-virus software would pick it up. But what happens when it doesn’t? What happens when the system has been compromised and goes undetected for a while? This is where the data starts to get pulled out of the network, or exfiltrated.
Assuming there is a compromise, let’s delve into our solutions that make up a DLP strategy and provide some examples of when each of them is used. Ideally you’ll find which of these following solutions fit best in your environment today.
Network DLP – There are various forms of Network DLP. The idea is to monitor and protect data at the egress points of the network. Network DLP solutions are very good at monitoring for structured data such as credit card numbers, social insurance numbers, and social security numbers. They can also monitor for things like invoice numbers or CAD drawings that you only want to go to certain places. No agent is required on the endpoints, so if a guest or partner manages to get access to data they will still not be able to send it out of the network. For organizations that tightly restrict egress traffic on the firewall to permit outgoing email and web traffic only, you may be able to leverage existing infrastructure to get these results, since many Web Security Gateways and Mail Security Gateways have had DLP features added to them. If egress traffic is not closely restricted and/or your gateway solutions do not have DLP functionality, then a dedicated Network DLP solution is going to be the best fit for you. Network DLP can be the easiest first step in a DLP program.
Host DLP – Host DLP works in a very similar way to Network DLP. It monitors for data of a given type being moved through a given channel (email, web upload, removable media) and blocks the move as policy requires. The real value in deploying an endpoint agent is on mobile devices. When your corporate laptops leave the physical network and move to a coffee shop, none of the restrictions in place for Network DLP apply. It is even more important to monitor mobile devices for data loss, since they will often connect to far less trustworthy network access points that do not offer the layered network protection of your corporate network.
Full Disk Encryption – Full Disk Encryption has been around for quite a while now and has matured a lot. We fold this solution into a DLP strategy and focus primarily on the mobile devices. Once a corporate laptop leaves the facility (on purpose or stolen) it is at far greater risk of being lost or stolen. An intruder who does not know the Operating System credentials can simply remove the disk, plug it into another computer, and view the files as easily as if they had plugged in a USB key. With Full Disk Encryption the entire disk stays encrypted until the user enters their credentials at boot. Administrators can use unique credentials just for this purpose or integrate other systems such as Active Directory or Two-Factor Authentication. If an intruder removes the disk and plugs it into a new system they will not be able to read the contents, regardless of what the files contain.
Fully Encrypted USB Keys – There are a couple of benefits to using Fully Encrypted USB Keys. The first is that any data copied from any computer to the key is encrypted at all times, so if someone finds or steals a key they will not be able to access the data until they authenticate. The other main benefit is that with Host DLP you can restrict writes to USB so that they only succeed when the user plugs in an approved type of Fully Encrypted USB key. You may allow users to copy pictures or music files from the PC to any key, but when it comes to Health Care records or CAD drawings they must use an encrypted key.
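As an added illustration (not a Softchoice product or code from the original post) of the two decisions described above, the Network DLP inspector matching structured data such as card and social security numbers at the egress point, and the Host DLP rule that lets media go to any USB key but labelled data only to an encrypted one: the regexes, file extensions, and verdict functions below are constructed for this example, and the Luhn check is included because a bare digit-run regex alone would flag far too many invoice and order numbers.

```python
import os
import re

# Constructed patterns for the structured data named in the post; a
# real product ships far richer rules (IBAN, card brands, custom IDs).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout only
# Constructed: file types the post says must only go to an encrypted key.
SENSITIVE_EXT = {".dwg", ".dxf"}                    # CAD drawings


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):   # double every second digit from the right
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str, filename: str = "") -> set:
    """Labels a DLP inspector would attach to a message, upload or file."""
    labels = set()
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("credit_card")
    if SSN_RE.search(text):
        labels.add("ssn")
    if os.path.splitext(filename)[1].lower() in SENSITIVE_EXT:
        labels.add("cad")
    return labels


def egress_verdict(text: str, filename: str = "") -> str:
    """Network DLP at the gateway: labelled content may not leave the network."""
    return "block" if classify(text, filename) else "allow"


def usb_write_verdict(filename: str, text: str, key_encrypted: bool) -> str:
    """Host DLP on the endpoint: unlabelled files (pictures, music) go to any
    key; labelled data is written only when the key is an encrypted one."""
    if not classify(text, filename):
        return "allow"
    return "allow" if key_encrypted else "block"
```

In a real deployment the gateway verdict would also feed an alert, since a blocked card number leaving the network is often the first visible sign of the undetected compromise the post describes.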
Contact your Softchoice representative and we can help you answer the question ‘What data do we need to protect?’. Our Data Loss Prevention Assessment services can help do just that.