Preventing an organization's most valuable and critical information from walking out the door is one of the biggest challenges facing IT and security administrators. It's also a pain point that routinely keeps them up at night.
Perhaps most of the time, data loss is unintentional, attributed to employees that unknowingly violate security policy or attempt to get around e-mail based security solutions by using a personal Web-based e-mail, IM or online file sharing application to transmit sensitive documents.
That said, the consequences of lost or stolen data can be disastrous for an organization. Valuable information, such as intellectual property, blueprints and other trade secrets, acquired by a competitor can potentially cost an organization hundreds of thousands or millions in losses. Classified government information that falls into the wrong hands can compromise a nation's safety and security. Exposure of customer data can leave an organization susceptible to law suits, as well as customer attrition and damage to brand and reputation. And data leakage is often red flag that signals other compliance violations costing an organization hefty fines or loss of credit card processing rights.
That's where Data Loss Prevention (DLP) comes into play. DLP is a solution, applied to endpoint, network, data center and e-mail, preventing end users from sending sensitive or valuable information outside of the network.
DLP can also be a valuable tool for IT administrators, enabling them to create, refine and enforce policy, gain finite visibility into data flow, filter data streams on the network and protect information both in transit and at rest.
A robust and respectable DLP solution should be able to define sensitive data, identify and locate where it resides, and then assign and tailor levels of access for various users and groups. Specifically, the solution "tags" certain categories of information - such as credit card numbers or customer account data -- in need of protection based on sets of business security policies.
Perhaps one of the areas where DLP is most useful is in preventing information from walking out of organization is via one of the most widely used mediums: e-mail. While not only a popular threat vector, e-mail provides a ready made tunnel through which cybercriminals and malicious insiders can easily siphon critical information from the network.
A good DLP solution, however, is heralded as a line of defense that's designed to spot e-mails containing coveted data. From there, the DLP solution might move messages containing sensitive information to a secure method of transit - encrypting messages while notifying the senders of a policy violation. It also has the ability to deny the sender the transmission of the e-mail altogether.
Meanwhile, DLP never experienced the same explosive popularity as many other security solutions and technology trends. However, it has no doubt carved its own niche in the security market place. In recent years, the solution has enjoyed a bit of an uptick, thanks in part to increasingly stringent and enforceable compliance regulations now mandatory for most organizations. DLP, in fact, satisfies a wide array of those requirements by giving organizations the ability to discover and preemptively act on data loss, while documenting the process for impending audits.
But it fulfills other niches too, such as tracking and identifying digital assets. Before data can be prevented from exiting on disks, USB drives, or over cloud platforms, organizations first have to know where it is located. That ultimately arms organizations with the knowledge that simultaneously fulfills a multitude of objectives ranging from security strategy to Big Data and asset management projects.
And DLP represents an invaluable tool behind it all.
DLP should be used as a gateway to either move emails with sensitive data to a secure transfer method or deny based on a violation of policy. Leaders in this space have built in libraries for keywords and popular compliance standards. Best practice not only denies or auto encrypts sensitive emails but includes a return email to the sender explaining what policy was violated.