DLP – Data Loss Prevention : What & How Data Loss is Prevented?

With so many ways and devices to transfer data, it is becoming difficult for companies to track and prevent confidential documents/files from being copied and sent to unwanted destinations. But there are comprehensive DLP solutions in the market that continuously analyze endpoint, network and storage systems to detect confidential data being leaked out. What's more, they can even prevent the transfer of confidential information.

Is it even possible to monitor all the various enterprise systems (including Internet communications, USB drives, NAS boxes, etc.) and identify that certain confidential information is being sent through or stored in them?

The answer, surprisingly, is 'yes'. There are comprehensive DLP (Data Loss Prevention) systems available which can, from a central location, monitor most of the enterprise networks/devices/communications to identify and even prevent data loss. Of course, they are far from being accurate/efficient, but could be sufficient for most cases of accidental or malicious data breaches.

So, what are the sources from which data loss is continuously monitored/prevented by the DLP systems?

Well, think of the common sources through which employees (or guests) can send confidential data from the company – Email, Web-mail, Instant Messengers/ Skype, FTP, USB Pen-drives, DVD disks? Well, the good news is, all these common methods of communications can be monitored. Of course, certain uncommon programs (with uncommon protocols) on the web/ network cannot be monitored, but nevertheless enough progress has been made to cover the common modes of communications.

Employees transferring data is one thing, but what if an employee or a system is not supposed to read/ hold a certain confidential file? Can this be detected?

The answer, again surprisingly, is 'yes'. DLP systems can monitor employee computers/laptops, storage devices, servers, etc., and can either notify the administrator of the presence of a confidential document there or just delete it automatically, if found.

What all can be monitored by using DLP systems?

Most of the common types of files, email and web communications can be monitored. Even a spreadsheet embedded into a Word document or email can be monitored. Even encrypted email/web-page communications can be monitored! To do this, DLP systems reconstruct the whole file/message at the gateway, and then apply the rules/policies to it. As you can guess, there is some processing overhead, but most DLP systems have enough processing power to monitor enterprise-level communications without inducing noticeable latencies/delays.

But one wonders – how is this even possible? Well, there are so many methods used by DLP vendors, but I will just highlight some of them here, for a better understanding of how DLP systems detect/ prevent confidential data from leaking out.

  • Rules. There are certain common types of data (like credit card numbers, social security numbers, etc) that have a common structure (number of digits, checksum, etc). So, rules can be created to scan all the outgoing messages/ communications for such patterns. This is simple, but may not be accurate as even an employee doing some online shopping/ booking flight tickets online might be scrutinized.
  • Databases. If a customer credit card database is available, the above-mentioned rules might be tweaked to monitor not for any credit card number, but only for the credit card numbers of the customers present in the database, to reduce the number of false positives.
  • Pre-configured rules/categories. Credit card numbers are just one type of data that needs to be monitored; there is a lot of other common information that can be leaked out from a company, and most DLP vendors have assimilated and organized these rules as categories in their DLP systems. The administrators can choose which rules (or categories) they want to use in their environment. Of course, they can make their own rules as well.
  • Contextual Analysis. Sometimes, we want to prevent certain communications (like harassment, obscene words, etc.). In these cases, the context of the communication is analyzed to identify such incidents. Similarly, statistical analysis can be done to detect large files (like AutoCAD files) being leaked out of the company.
  • Partial or Complete File Matching. The content of the files can be hashed and compared with the outgoing messages, either fully or partially.
  • Agent/Agent-less monitoring. For monitoring computers, servers, storage systems, etc. where confidential data is not supposed to be stored but still is, either agents can be installed on those devices to search for confidential documents, or DLP systems can send temporary agents to search those systems at regular intervals.
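
The Rules and Databases methods above, as an added example (not taken from any DLP product): a pattern rule with a Luhn checksum flags anything that looks like a card number, and an optional set of salted customer fingerprints narrows the hits to known customer cards. The function names, salt and sample messages are assumptions made for the illustration.

```python
import hashlib
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def fingerprint(digits: str, salt: bytes) -> str:
    """Salted SHA-256, so the scanner does not hold customer numbers in clear."""
    return hashlib.sha256(salt + digits.encode()).hexdigest()

def scan(message: str, customer_fps=None, salt=b""):
    """Return (rule_hits, database_hits) for one outgoing message."""
    rule_hits, db_hits = [], []
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # right length, wrong checksum: booking ref, order id, ...
        rule_hits.append(digits)
        if customer_fps is not None and fingerprint(digits, salt) in customer_fps:
            db_hits.append(digits)
    return rule_hits, db_hits

# Constructed sample data: well-known test card numbers, not real accounts.
SALT = b"constructed-demo-salt"
CUSTOMER_FPS = {fingerprint("4111111111111111", SALT)}
SHOPPING = "Booking ref 1234567890123456, paid with 5555 5555 5555 4444."
LEAK = "Export attached: customer card 4111-1111-1111-1111, exp 12/30."

if __name__ == "__main__":
    for msg in (SHOPPING, LEAK):
        print(scan(msg, CUSTOMER_FPS, SALT))
```

The shopping message still trips the plain rule (the employee's own card passes the checksum) but produces no database hit, which is the false-positive reduction the Databases method describes.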

A Gateway level hardware appliance / server is used by Data Loss Prevention (DLP) systems. Some vendors use separate devices for End point DLP/ Network DLP/ Monitoring-Reporting etc. If multiple branches are present, one appliance (minimum) at each location would be required.

There are Comprehensive DLP Systems which can provide a centralized policy creation, monitoring/ reporting interface through a GUI based analysis tool for the DLP system as a whole, including multiple branches/ locations. Individual versions (that scan email only/ network devices only, etc) are also available.

False positives are the biggest problem with DLP systems. For example, a number in an email message that closely resembles a credit card number might be identified as a data breach. Another issue is the sheer size and diversity of Web-based systems (which use different protocols), which makes it almost impossible to scan each and every web-based system used by the employees to communicate. Also, unless a data breach actually happens, it's difficult to quantify the losses, and hence the value offered by the DLP systems to an organization.



One Comment

  1. for comprehensive DLP – look at the reverse content-aware firewall
