The definitive guide to developing and deploying data loss prevention strategy, from tips for quick wins to DLP software and tools.
Data Loss Prevention (DLP) has always been a concern for businesses. In earlier days, the focus was on protecting physical documents; theft meant breaching physical perimeters or stealing documents from couriers. While these tactics continue today, the growth of the Internet has increased both the magnitude and the likelihood of data theft. In short, the proliferation of data and communication channels has made the criminal’s job easier.

DLP has a reputation for being an enormous, multi-year undertaking, yet it need not be. A DLP program can be a manageable process if organizations take a progressive approach. In the words of Gartner Research VP Anton Chuvakin: “Deployment of a DLP tool should go from one tactical success to another (a "quick-wins" approach) to avoid outright failure due to complexity and organizational politics.”

A 7 Step Framework for Developing and Deploying Data Loss Prevention Strategy

There are a number of fundamental activities that must occur when initiating a data loss prevention program. This framework provides general guidelines that your DLP strategy should follow. These requirements can also be used to help choose the right DLP solution for your organization.

1. Prioritize data
2. Categorize (classify) the data
3. Understand when data is at risk
4. Monitor all data movement. Not all data movement represents data loss. However, many actions can increase the risk of data loss. Organizations should monitor all data movement to gain visibility into what is happening to their sensitive data and to determine the scope of the issues that their DLP strategy must address.
5. Communicate and develop controls
6. Train employees and provide continuous guidance
7. Roll out

Of course, data loss prevention is an ongoing process, not a single set of steps. By starting with a focused effort to secure a subset of your most critical data, DLP is simpler to implement and manage. A successful pilot will also provide lessons for expanding the program. Over time, a larger percentage of your sensitive information will be included, with minimal disruption to business processes.

5 Myths that are Killing your DLP Strategy

Although the need for data loss prevention has gained visibility among security and compliance communities in recent years, many organizations are still reluctant to adopt DLP programs. Often, this hesitation is based on a misunderstanding of the technology. The following are, in my opinion, the top 5 myths that detract from effective DLP strategy development.

Myth #1 – DLP is not for the faint of heart

For example, pick a data category that is particularly sensitive, such as design documents. These are easy to identify, as they are created by a fixed set of applications (e.g. CAD applications) and have a defined user group that requires access rights. Include business process owners in the discussion to ensure their understanding and buy-in. As discussed in the data loss prevention framework, you can add another data category once the pilot DLP program is running smoothly.

Myth #2 – My network will choke

Fortunately, inspecting each data packet as it travels on the network isn’t necessary. Instead, data can be classified as it is created or modified on the endpoint (using contextual classification, content inspection, user classification, or some combination thereof). Once classified, a persistent classification tag is added to the data. Intelligent endpoint agents can read these tags and enforce usage rules based on data classification, user type, the requested action, and other contextual aspects of data activity. This results in better visibility and control, without network latency.

Myth #3 – DLP won’t work outside my network

DLP applied at the data level can automatically prevent sensitive data from leaving your network. It can also force any data that does leave to be encrypted (and decrypted only by devices you manage) or be transferred to approved devices.

Myth #4 – Content analysis is required, and complicated

Contextual awareness offers a simpler way to classify data automatically, accelerating DLP adoption while preserving the privacy of employee communications. Rather than examining the data content, it associates a classification with the application(s) used to create the data (e.g. financial or design software), the users creating the data (e.g. a member of the legal team), the storage location of the data (e.g. a finance folder on a drive), and other pre-defined characteristics.

Myth #5 – DLP will interfere with legitimate use of data and affect productivity

Additional DLP Resources

Want to learn more about data loss prevention? Here are some of our favorite DLP resources:
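The tag-based endpoint enforcement described under Myth #2, the data-level controls under Myth #3 and the contextual classification under Myth #4, carried through as an added example (not code from the original article or from any DLP product): a file is tagged from its creating application, owning group and storage location without reading its content, the tag stays with the file, and an endpoint agent decides each requested action from the tag, the user's group and where the data is going, logging every decision so the organization can see the scope of its data movement (framework step 4). The rule tables, the destination names, the `corp.example` mail domain and the sample events are all constructed for this example.

```python
"""Contextual DLP classification and tag-based endpoint enforcement (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class Level(IntEnum):          # ordered so max() picks the most restrictive tag
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


class Verdict(str, Enum):
    ALLOW = "allow"
    ENCRYPT = "encrypt"        # may leave only encrypted, for a managed device
    BLOCK = "block"


@dataclass(frozen=True)
class FileContext:
    path: str
    created_by_app: str        # process that wrote the file, e.g. a CAD tool
    owner_group: str           # directory group of the user who created it


@dataclass(frozen=True)
class PersistentTag:
    level: Level
    owner_group: str           # group entitled to the confidential data it owns


@dataclass(frozen=True)
class Request:
    user_group: str
    operation: str             # "open", "copy", "send"
    destination: str           # "local", "device:managed", "device:unmanaged",
                               # "mail:<domain>", "web:<host>"


# Constructed contextual rules: no content inspection, only metadata.
APP_LEVELS = {"solidworks": Level.CONFIDENTIAL, "autocad": Level.CONFIDENTIAL}
GROUP_LEVELS = {"finance": Level.CONFIDENTIAL, "legal": Level.CONFIDENTIAL}
PATH_LEVELS = {"/shares/finance/": Level.CONFIDENTIAL, "/shares/public/": Level.PUBLIC}
CORP_MAIL_DOMAIN = "corp.example"   # constructed placeholder domain


def classify(ctx: FileContext) -> PersistentTag:
    """Tag from context; the most restrictive matching rule wins, INTERNAL if none match."""
    hits = []
    if ctx.created_by_app.lower() in APP_LEVELS:
        hits.append(APP_LEVELS[ctx.created_by_app.lower()])
    if ctx.owner_group.lower() in GROUP_LEVELS:
        hits.append(GROUP_LEVELS[ctx.owner_group.lower()])
    hits += [lvl for prefix, lvl in PATH_LEVELS.items() if ctx.path.startswith(prefix)]
    return PersistentTag(max(hits, default=Level.INTERNAL), ctx.owner_group)


def leaves_network(destination: str) -> bool:
    return destination not in ("local", f"mail:{CORP_MAIL_DOMAIN}")


def evaluate(tag: PersistentTag, req: Request) -> Verdict:
    """Endpoint rule: tag + user group + action context -> verdict."""
    if tag.level == Level.PUBLIC:
        return Verdict.ALLOW
    if tag.level == Level.CONFIDENTIAL and req.user_group != tag.owner_group:
        return Verdict.BLOCK   # confidential data stays within the group that owns it
    if tag.level == Level.INTERNAL or not leaves_network(req.destination):
        return Verdict.ALLOW
    # Confidential data leaving the network: encrypted to a managed device, or not at all.
    return Verdict.ENCRYPT if req.destination == "device:managed" else Verdict.BLOCK


@dataclass
class EndpointAgent:
    """Classifies on access, enforces, and records every movement for visibility."""
    events: list = field(default_factory=list)

    def handle(self, ctx: FileContext, req: Request) -> Verdict:
        tag = classify(ctx)
        verdict = evaluate(tag, req)
        self.events.append({"path": ctx.path, "level": tag.level.name,
                            "user_group": req.user_group, "operation": req.operation,
                            "destination": req.destination, "verdict": verdict.value})
        return verdict

    def summary(self) -> Counter:
        """Counts per (level, verdict): the scope a DLP rollout has to address."""
        return Counter((e["level"], e["verdict"]) for e in self.events)


def demo() -> EndpointAgent:
    """Constructed sample of data movement on one endpoint."""
    agent = EndpointAgent()
    design = FileContext("/home/ana/bracket.sldprt", "SolidWorks", "engineering")
    budget = FileContext("/shares/finance/q3.xlsx", "Excel", "finance")
    flyer = FileContext("/shares/public/flyer.pdf", "Word", "marketing")
    agent.handle(design, Request("engineering", "open", "local"))                 # allow
    agent.handle(design, Request("engineering", "copy", "device:managed"))        # encrypt
    agent.handle(design, Request("engineering", "send", "web:share.example"))     # block
    agent.handle(design, Request("sales", "open", "local"))                       # block
    agent.handle(budget, Request("finance", "send", f"mail:{CORP_MAIL_DOMAIN}"))  # allow
    agent.handle(flyer, Request("sales", "send", "web:share.example"))            # allow
    return agent


if __name__ == "__main__":
    agent = demo()
    for event in agent.events:
        print(event)
    print(dict(agent.summary()))
```

The classifier never opens the file: a design document is recognised because a CAD application wrote it, a spreadsheet because it lives under the finance share, which is the contextual approach Myth #4 describes. The verdict table is deliberately small; in a real rollout the `summary()` counts gathered during the monitoring phase are what tell you which rules to add next.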