According to the 2021 Insider Threat Report by Cybersecurity Insiders, 98% of all organizations are vulnerable to insider threats. It is believed that in recent years insider threats are responsible for around 60% of all compromised systems and data lost.
It is not just the occasional malicious insider that puts the company in jeopardy; far more often it is the complacent user: the everyday, unintentional mishandling of critical, corporate, regulated, and sensitive information by many employees, and the serious mistakes they make without realizing it.
This week, we introduce another layer of the cybersecurity concept that addresses insider threats and protects corporate information: Data Loss Prevention (DLP).
What Is It and How Does It Work?
Data Loss Prevention (DLP) is the practice of detecting and preventing the loss or unauthorized exfiltration of data in any form. The goal is to protect your organization from potential financial and reputational losses by preventing unauthorized exfiltration of business-sensitive and regulated information, as well as ensuring compliance with existing data regulations.
There are different ways to implement DLP in your organization, depending on the type of devices (e.g., desktop vs. mobile), ownership model (e.g., corporate-owned vs. personal), and usage (e.g., business only).
On Desktop Computers
With desktop computers, everything happens at the filesystem level, i.e., DLP deals with documents and their content. If sensitive information will be handled and will reside on desktop computers, it is recommended to use a proper DLP solution: a software agent performs inventory, detection, and reporting, usually working in combination with an EPP/EDR agent that ultimately applies mitigations as dictated by the
The solution will first categorize discovered documents that match the company-defined policies, such as documents that contain corporate information (e.g., company name, address, VAT number) or regulated information (e.g., social security number, healthcare information). This is the first step to determine which documents are sensitive and need to be watched closely.
Then it will detect and prevent data exfiltration, which can happen in different ways: uploading a document to an external and/or non-authorized website, sending an email that contains sensitive information in the body or as an attachment, or copying files to removable media (e.g., a USB drive) or over the network to another computer. All of these are innocent, daily actions taken by any employee working with a computer, whatever his or her role in the organization, but they can have huge consequences if they end up compromising sensitive information.
Finally, it will report back to the security administrator by email and/or using a dedicated Critical Event Management (CEM) solution.
It is important to mention that, unlike other products, DLP software will technically “read” emails and a document’s content, not just the name, header, or hash, seeking sensitive or regulated data in them for inventory. Also, in the case of exfiltration, a copy of the document is usually placed into an evidence vault so that the information can be retrieved and reviewed to estimate the impact. That vault could be in the cloud, hosted and managed by the vendor, or possibly on-site, inside the customer infrastructure, to ensure no data leaves the premises to end up at a third-party provider; this is something that must be confirmed with the vendor before going forward with any solution.
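The three desktop steps above (classify content against company-defined patterns, check the transfer channel, report with an evidence copy) as an added Python example; this is not code from the post or from any vendor product, and the company terms, SSN pattern and trusted destinations are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed policy: identifiers the (hypothetical) company treats as corporate,
# plus a US-SSN-shaped pattern standing in for regulated personal data.
CORPORATE_TERMS = ["Example Corp", "VAT EX123456789"]
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Destinations inside the organization boundary (constructed).
TRUSTED = {"mail": {"example.com"}, "upload": {"intranet.example.com"}}


@dataclass
class Classification:
    labels: set = field(default_factory=set)
    hits: list = field(default_factory=list)

    @property
    def sensitive(self) -> bool:
        return bool(self.labels)


def classify(text: str) -> Classification:
    """Inventory step: read the body itself, not just a filename or hash."""
    c = Classification()
    for term in CORPORATE_TERMS:
        if term in text:
            c.labels.add("corporate")
            c.hits.append(term)
    for m in SSN_RE.finditer(text):
        c.labels.add("regulated-pii")
        c.hits.append(m.group())
    return c


def check_transfer(text: str, channel: str, destination: str) -> dict:
    """Detection step: block sensitive content leaving via an untrusted
    destination and build the event that would be sent to the administrator."""
    c = classify(text)
    if not c.sensitive:
        return {"action": "allow", "labels": [], "hits": [], "evidence": None}
    if channel == "mail":
        trusted = destination.rsplit("@", 1)[-1].lower() in TRUSTED["mail"]
    elif channel == "upload":
        trusted = destination.lower() in TRUSTED["upload"]
    else:  # "usb", "network-copy": the data always leaves the endpoint
        trusted = False
    action = "allow" if trusted else "block"
    # Evidence copy retained only when something was actually stopped.
    return {"action": action, "labels": sorted(c.labels), "hits": c.hits,
            "evidence": text if action == "block" else None}
```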
Another alternative to protect corporate data is to leverage virtualization, thereby avoiding any data being handled or residing on the desktop computer, whether corporate-owned or personal. The concept is to allow employees to handle corporate data from any type of device, from anywhere, within a secure container, ensuring that information can neither leave nor enter the internal infrastructure. No corporate data is ever delivered to the employee device itself; only graphics are sent to the device as an encrypted pixel stream, using specific protocols. This can be used on any type of device anywhere, whether corporate or employee owned.
On Mobile Devices
Because data on mobile devices is handled differently, detection and prevention are not done at the filesystem level but at the mobile application level instead, ensuring sensitive corporate data cannot be shared or sent outside of the defined boundaries. This includes copying information from a managed, approved work app to an unmanaged personal app (e.g., using typical copy/paste), sending an email with sensitive content from a work email account to an external address, or the other way around, and accessing corporate information from a personal app.
As always with security, it is not about turning it all on or off but finding the right balance between security and usability to ensure user acceptance. A typical use case is either to allow or deny access to work contacts from the unmanaged phone app (BYOD) or to personal apps (BYOD/COPE), to provide caller ID and contacts sync features.
With COBO deployments, since the device is fully managed already and only authorized, managed apps can be deployed, DLP should focus on preventing exfiltration from within the app itself, for example, using an authorized, managed email app to send an email with information and/or documents to an external email address, outside of the organization boundaries.
With BYOD or COPE deployments, DLP should additionally control data flow between apps, ensuring that only data exchanges between work and personal apps required by employees to perform specific business tasks are specifically allowed.
In all cases, this requires the use of containerized mobile apps that include embedded DLP features that can be enabled accordingly and enforced using policies deployed with a UEM solution.
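The COBO/BYOD/COPE rules above as an added Python policy evaluator (not code from the post or from any UEM product): work-to-personal flows are denied unless they are on a per-model allow-list of required business exchanges, and the app names and allow-list entries are constructed to match the contacts-sync example.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class App:
    name: str
    managed: bool  # True = lives in the work container


@dataclass(frozen=True)
class Flow:
    src: App
    dst: App
    action: str  # "paste", "share", "contacts-sync", "mail-external"


# Constructed allow-list of the only work -> personal exchanges the business
# requires: caller ID for BYOD, plus personal-contacts mirroring for COPE.
REQUIRED_EXCHANGES = {
    "BYOD": {("Work Contacts", "Phone", "contacts-sync")},
    "COPE": {("Work Contacts", "Phone", "contacts-sync"),
             ("Work Contacts", "Personal Contacts", "contacts-sync")},
    "COBO": set(),
}


def evaluate(mode: str, flow: Flow) -> Tuple[str, str]:
    """Return (decision, reason) for one data movement under a deployment model.
    Rule order matters: the most restrictive checks run first."""
    if mode not in REQUIRED_EXCHANGES:
        raise ValueError(f"unknown deployment model: {mode}")
    if mode == "COBO" and not (flow.src.managed and flow.dst.managed):
        return "deny", "COBO: unmanaged apps are not deployed on the device"
    if flow.action == "mail-external" and flow.src.managed:
        return "deny", "work data sent outside the organization boundary"
    if flow.src.managed and not flow.dst.managed:
        key = (flow.src.name, flow.dst.name, flow.action)
        if key in REQUIRED_EXCHANGES[mode]:
            return "allow", "required business exchange on the allow-list"
        return "deny", "work-to-personal flow not on the allow-list"
    # work -> work, or purely personal traffic: no corporate data crosses out
    return "allow", "no corporate data leaves the work container"
```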
It’s always a good idea to periodically reassess your critical infrastructure and see where you can improve and strengthen your security. With your new knowledge of DLP, you can consider how this might be implemented in your environment and further improve the chances of keeping your infrastructure safe and sound.
For more comprehensive information about security posture, please review our recent post regarding cybersecurity products. Please feel free to contact the team at ISEC7, and we can help you navigate the options available to you to help strengthen and protect your infrastructure.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group