Data Loss Prevention (DLP)
Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
- aka egress monitoring
- automates the discovery and classification of data types and enforces rules so that data is not viewed or transferred without a proper authorization
- serves as a key mechanism to ensure compliance with regulations
- e.g., GDPR, HIPAA, PCI DSS
- significantly mitigates the risk of data loss
- prevent unauthorized sharing or dissemination of sensitive information
- often enforced using email gateways and security policies on endpoint protection tools
- can be:
- host-based
- network-based
- vendors
- Trellix
- Symantec/Broadcom
- Digital Garden
- now Fortra
- Microsoft
DLP Goals
- Security Control
- used as a control in a layered defense strategy
- designed to mitigate inadvertent release or malicious disclosure of information
- Policy Enforcement
- enforce policies by alerting users when attempting to perform an action that would violate policy
- e.g.,
- encrypting data as it leaves organization or storage point
- requiring decryption and authentication to access data
- Enhanced Monitoring
- can set DLP tool to provide log streams to the organization’s monitoring suite
- Regulatory Compliance
- Specific types and kinds of data can be identified by DLP tools
- dissemination of data can be controlled in order to adhere to regulatory mandates
DLP Policy
A DLP policy is a policy detailing DLP efforts.
- essential for monitoring and controlling the content used in communication platforms like email
- scans emails and attachments for certain types of sensitive information defined by the organization’s DLP policies
- e.g., credit card numbers, social security numbers, proprietary information, or any sensitive or confidential data
- can take several actions based on predefined rules:
- blocking the email
- alerting the sender or administrator
- or automatically encrypting it before transmission
- scans emails and attachments for certain types of sensitive information defined by the organization’s DLP policies
Supporting DLP Policies
- password policy
- is a policy detailing password complexity and password expiration requirements known as password aging
- acceptable use policy (AUP)
- is a policy detailing the valid, or acceptable, use of network resources
- BYOD policy
- is a policy detailing if and how BYOD connects to network resources
- remote access policy (RAP)
- is a policy detailing if and how network resources are remotely accessed
- onboarding policy
- is a policy detailing how a new employee accesses network resources
- offboarding policy
- is a policy detailing the removal of network resource access for a resigning or resigned employee
- retention policy
- is a policy detailing archiving processes for data and sensitive documentation
- credential policy
- is a policy detailing processes for identity and authentication, or credentials, management
Components
- Policy server
- configure classification, confidentiality, and privacy rules and policies
- log incidents
- and compile reports
- Endpoint agents
- enforce policy on client computers
- even when they are not connected to the network
- enforce policy on client computers
- Network agents
- scan communications at network borders and interface with web and messaging servers to enforce policy
How it Works
- DLP agents scan content in
- structured formats
- e.g., database with a formal access control model
- or unstructured formats
- e.g., email or word processing documents
- structured formats
- Data transformation is applied to unstructured data to render it in a consistent, scannable format for policy enforcement
- transfer of content can be blocked if it does not conform to a predefined policy
- can extend the protection mechanisms to cloud storage services
- using either
- a proxy to mediate access
- or the cloud service provider’s API to perform scanning and policy enforcement
- using either
- use:
- pattern matching
- watermarking
Remediation
- Remediation
- is the action the DLP software takes when it detects a policy violation
- typical actions:
- Alert only
- copying is allowed
- management system records an incident and may alert an administrator
- Block
- user is prevented from copying the original file but retains access to it
- user may or may not be alerted to the policy violation
- will be logged as an incident by the management engine
- Quarantine
- access to the original file is denied to the user
- might be accomplished by
- encrypting the file in place
- or by moving it to a quarantine area in the file system
- Tombstone
- original file is quarantined and replaced with one describing the policy violation and how the user can release it again
- Alert only
- when protecting a communications channel
- may use client-side or server-side mechanisms
- e.g.,
- prevent the attaching of files before it is sent
- scan the email attachments and message contents, then strip out data or stop transmission
Example
Scenario Description Blocking use of external media Preventing sensitive data from being copied to external drives and USB flash storage. Print blocking Preventing the printing of sensitive information or controlled documents. This is particularly important in the healthcare industry. Remote Desktop Protocol (RDP) blocking RDP allows for data to be copied and pasted from the session. DLP can be configured to monitor and block this when sensitive data is detected. Clipboard privacy controls Limiting access to the clipboard and preventing sensitive data from being placed on the clipboard for use elsewhere. Restricted Virtual Desktop Infrastructure (VDI) implementation Incorporating DLP features within the underlying VDI infrastructure to protect all virtual desktops and govern how data is used and shared in the environment. Data classification blocking Using metadata or other mechanisms to tag data with its classification in order to limit how it can be accessed and used.