We are living in a time where sensitive information flows seamlessly through organizations and out to employees across the country and around the globe. The amount of data shared among employees from business to business and that is stored within corporate servers, workstations, and in cloud-based solutions continues to grow exponentially every day. And with that exponential growth comes increased opportunities for theft, accidental disclosure of sensitive information, and a huge potential for data loss.
Unfortunately, this data often winds up in the hands of unintended recipients who utilize the data for their own profit. Data loss is a serious problem for all organizations, regardless of their size. Losing data means losing time and money. It costs both to restore or recover essential business information, and it can cost even more in terms of value, such as the reputation of the company, disruption of the day-to-day business, loss of productivity, or even worse, profits.
An organization can minimize the potential for data loss by understanding what it is. Data loss, also known as data leakage, is the intentional or unintentional loss or destruction of sensitive information, or the unauthorized movement of sensitive data. The types of data that are most commonly affected are Personally Identifiable Information (PII), such as social security numbers and credit card numbers, and electronic Protected Health Information (ePHI), including medical records.
On average, data loss is mostly connected to our normal mode of operations, the way we save, store, and handle data. Here are the top 10 most common causes of data loss:
- Human error
- Viruses and malware
- Hard drive damage
- Power outages
- Computer theft
- Liquid damage
- Disasters
- Software corruption
- Hard drive formatting
- Hackers and malicious insiders
I won’t go into detail on the causes here, but for an understanding of how human error factors into data loss, I invite you to access the Clearwater CyberIntelligence Institute® bulletin Analyzing Careless Users, An Often Overlooked Threat.
Centered on Three Main Elements
Data loss prevention can come in a form of a strategy or a technological tool, and to ensure maximum protection of a company’s data, it will often consist of both. Regardless of how you choose to address your data loss, the focus should be centered around three main elements: data security, access control, and data protection.
Element #1: Data Security
Data security focuses on putting into practice the procedures and the technology that’s needed to protect your organization’s data, and it’s the process of protecting files, databases and accounts on a network through the implementation of controls, applications and techniques. You achieve data security through four main ways: data auditing, log reviews, activity reviews, taking a look at who accessed the data, when and where it was accessed, and reporting on those changes to your data. The second way is through real-time and learning through information protection systems. You have data risk assessments performed that helps you to identify overexposed sensitive data in any areas of vulnerabilities. And lastly, data minimization. Too much data can be a huge liability.
Element #2: Access Control
In every breach or for every loss of data incident, what is the first thing that is investigated? It is the access controls, right? That’s because access control is a selective restriction of access to your organization’s data. It consists of three main components: identification, authentication, and authorization. It’s a method of guaranteeing that users are who they say they are and that they have the appropriate access to your company’s data. An access control policy is a critical component of information security and organizations must determine the appropriate access control model to adopt based on the type and the sensitivity of data they’re processing and storing.
There are four main types of access control systems:
- Discretionary access control, allowing access to resources based on the identity of the users or the groups
- Role-based access control, which is exactly how it sounds; access is determined based on your organizational role
- Mandatory access control, which allows a system administrator to strictly control access to all information
- Attribute-based access control where a user will have their access determined based on a set of pre-defined attributes
Element #3: Data Protection
Data protection is safeguarding and making data available under all circumstances. Some of the key principles of data protection are implementing policies, training and testing, data privacy, operational backups of your data, and technology. One of the core elements of data protection is having formalized and adopted policies. They ensure data security as well as data protection. To ensure data protection, every organization should have an acceptable use policy, an acceptable data security plan, and I strongly recommend a data loss prevention (DLP) policy. A DLP policy defines how data can be shared within and outside of your organization, and it will help to ensure the data is managed uniformly across the enterprise.
The term data protection also describes the operational backup of data. Backup and recovery describes the process of creating and storing copies of data that can be used in the event of a data loss. A back-up policy outlining your back-up schedule, the assets that were backed up, recovery, and recovery testing are key to ensuring the protection of critical information. Data protection is also provided through deploying and configuring your technology such as hardening of your devices, encryption, security information and event management systems, or SIEMS, and through the deployment of data loss prevention systems.
Three Types of DLP Tools
Data loss prevention (DLP) tools are designed to monitor and protect three types of data – data in use, data in motion, and data at rest. There are three different types of DLPs – network DLP, endpoint DLP, and storage DLP. They each provide protection against mistakes that can lead to data leakage, intentional misuse by insiders, as well as external attacks on a company’s information infrastructure.
Network DLP
A network DLP is integrated with data points on the corporate network either through software or a hardware platform. Once installed, this solution monitors, traces, and reports all data in transit on the network. It is often referred to as data-in-motion protection. It is the ideal type of DLP to scan all content passing through your organization’s ports and protocols.
A network DLP is mostly commonly installed as software. This software will monitor internal network traffic and the outflow of information looking for indicators of data breaches, and it uses business rules to classify and protect sensitive information from accidental deletion or from being maliciously shared outside the organization.
Endpoint DLP
Although most organizations start with a network DLP to gain the broadest coverage as quickly as possible, loss of sensitive data isn’t a problem limited to the network or stored repositories. There are many remote users who utilize portable storage, and the endpoint is not only a significant repository for sensitive information, it’s where users spend most of their time accessing your organization’s data. An endpoint DLP consists of endpoint clients and software that are installed on endpoint machines, and they can be a complement to your overall network DLP. They provide complete discovery, monitoring, and protection for the data in use across multiple platforms to include email, cloud apps, network protocols, external storage, virtual desktops, and servers.
One of the main benefits of an endpoint DLP is that it is not dependent on a company’s network to function. Its policies can be applied at the computer level, and they will continue to protect sensitive information whether an employee is in the office or working remotely. Even if the device that’s storing or processing the data is off of the corporate network, it will still be functioning as it should. Some additional advantages are that they can see processes such as cut, paste, burn, and can protect sensitive data from being burned from a CD, DVD, or being saved to a USB device. Endpoint DLP can provide a wide range of responses, including local and remote file quarantining, policy-based encryption, and digital rights for files transferred to a USB.
Storage DLP
Storage DLP allows for scanning of any file type, expression patterns, and unstructured data that’s stored in any location and owned by anyone. It can trigger a policy-based alarm for unusual events, such as when someone accesses sensitive data for the first time or downloads a confidential file or downloads a unusual number of files in a short period of time. Storage DLP works by controlling information that employees retain and share and alerts organizational leaders if their information can easily be obtained by outsiders. It’s very useful for monitoring data stored in the cloud.
Sensitive data is moving to the cloud at a rapid pace, but many organizations lack policy controls for the type of data that is stored in cloud services. The average organization uses 1,427 cloud services[1]. And employees often introduce new ones without knowledge or consent of the IT department. According to McAfee, 21% of documents uploaded to file-sharing services contain sensitive information such as PII, ePHI, payment card data, or even intellectual property. This creates concerns with cloud compliance, but a Cloud DLP can help to ensure that sensitive data does not make its way into the cloud without first being encrypted, and then it’s only sent to authorized cloud applications. A Cloud DLP can give the power to scan, discover, classify, and report on data from virtually anywhere. Another major benefit is that a Cloud DLP can provide protection for email, software-as-a-service, and information-as-a-service applications.
In Summary
Having full control of your environment, as well as an understanding of the different types of DLPs and their applications, are first steps taken in order to implement a solution that can help you to avoid data loss across your IT ecosystem. The ultimate choice of a DLP solution should focus on the needs of your business and your management requirements, including transparency, performance, compatibility, and availability.
If you have questions or need assistance with developing your DLP strategy, reach out to the Clearwater team at info@clearwatercompliance.com.
