ISACA Journal
Volume 1, 2018

Features 

Data Loss Prevention—Next Steps 

Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP 

Around 2007, it became obvious that the information security defenses that were implemented by the government and businesses to prevent data loss were not totally effective. Malware and malicious individuals and organizations were wreaking havoc for many enterprises by capturing their sensitive data. These events became known as data breaches.

To help shore up deficient cyberdefenses, the security industry decided it was time to protect information at the data layer. This effort is now known as data loss prevention or data loss protection, DLP for short. This article is intended to:

  • Identify and understand the data and areas of concern, such as ever-growing, persistent threats
  • Develop an understanding of DLP, along with the associated threats and risk
  • Identify causes of data loss so they can be addressed
  • Examine the capabilities of current and future DLP tools and products
  • Review DLP best practices to identify missing DLP program components
  • Review technology and industry trends to be aware of what is on the horizon
  • Provide recommendations and next steps for vendors, companies and other organizations

For this article, DLP encompasses not only information technology, but also other methods to protect data and prevent loss. This expanded definition is required because management and data owners need to understand that IT does not provide all the solutions.

Areas to Protect

From an IT perspective, there are three areas to protect: data at rest, data in motion and data in use. Before determining the steps missing from an enterprise’s DLP program, it is important to know where its data are located. Figure 1 contains examples of locations where data exist, along with an indication of the functional areas of where to implement or enhance applicable security and privacy controls. Items with an asterisk indicate noncyber/IT locations.

Figure 1—Informational Areas to Protect

Area of Concern

Locations

Functional Areas

Data at Rest
  • Databases
  • Local computers
  • Controlling access ports (e.g., USB drives)
  • Intranet/internal websites
  • Internal directory shares
  • Organizational data and email archives
  • Mobile devices (e.g., laptop at home or in car)
  • CDs and DVDs*
  • Printed/hard-copy reports*
  • Fax machines*
  • Copiers*
  • File cabinets*
  • Mobile device protection (identification and authentication)
  • Network/Internet storage
  • Physical media (storage, data transfer or archive)
  • Disposal and destruction
Data in Motion
  • Email (organization and personal)
  • Web/Internet
  • File transfers
  • Data sharing
  • Social media (e.g., Facebook, Twitter, LinkedIn)
  • Instant messaging (IM)
  • Blogs (Internet and intranet)
  • Website postings
  • Paper mail with sensitive data (e.g., personally identifiable information [PII], driver’s license/ID, Social Security number [SSN])*
  • Perimeter security
  • Network monitoring
  • Internet access control
  • Data collection and exchange
  • Information messaging
  • Remote access—must use virtual private network (VPN)
Data in Use
  • Workstation
  • Server
  • Mobile device/endpoint
  • Privileged user monitoring
  • Access/usage monitoring
  • Data anonymization (i.e., use codes as substitutes)
  • Use of test data
  • Data redaction
  • Export/save controls


Threats and Areas of Risk

There are many types of data. Each type has associated security and privacy threats and risk that can have a severe impact on an enterprise if management, employees and supporting contractors are not aware of them. Addressing the threats and risk factors is critical to protecting data.

Figure 2 breaks down threats and risk factors by data type. Examples of each data type show what documents, repositories and media need to be protected. It is important that everyone in the enterprise understands this so that every person can be part of the solution, not the problem.

Figure 2—Data Types at Risk

Data Types
Examples
Threat(s)
Risk Factor(s)
Intellectual Property
Patent portfolio development and management materials, for example:
  • Invention disclosures
  • Unpublished patent applications
  • Invention presentations
  • Related communications
  • Formulas
  • Competitors
  • Foreign governments
  • Discontent employees
  • Loss of company advantage to competitors
  • Brand damage
Legal Documents
Memos, communications, presentations and notes pertaining to:
  • Litigation
  • Pre-litigation
  • Internal investigations
  • Corporate governance
  • Internal legal presentations
  • Contracts
  • Competitors
  • Litigation
  • Weak posture in a court of law
Strategic Planning
  • Strategic plans
  • Sales plans
  • Research for mergers and acquisitions
  • Unreleased merger or acquisition information
  • Drafts of press releases or other announcements
  • Pending patents
  • New designs
  • Information about purchasing power
  • Competitors
  • Weaker market position to competitors
  • Erosion of shareholder value
Sales Information
  • Price/cost lists
  • Target customer lists
  • Sales volume and projections
  • Revenue potential
  • Discount ratios
  • Business-to-business orders
  • Vendor data
  • Competitors
  • Employee discontent
  • Insider trading
  • Competing companies going after an enterprise’s market with lower prices
  • Regulatory fines or sanctions
Customer Data
  • Customer lists
  • Customer pricing
  • Customer volumes
  • Customer sales quotations
  • Internal spending habits
  • Contact details
  • User preferences
  • Customer profiles
  • Payment statuses
  • Contact history
  • Account balances
  • Purchase or transaction history
  • Payment or contract terms
  • Competitors
  • Loss of customers
  • Competitors leveraging the information against the enterprise
  • Significant cost to notify affected parties
Marketing
  • Marketing and business roadmaps
  • Business plans
  • Business forecasts
  • Competitive data
  • Product designs
  • Competitors
  • Loss of market share
  • Competing companies going after an enterprise’s market with lower prices
Operations
  • Process and procedure advantages
  • Productivity and efficiency strategies
  • Competitors
  • Competitors retooling or changing their processes to be like an enterprise and be more competitive
Finance
  • Pre-earnings releases
  • Bank statements
  • Financial statements
  • Periodic company performance filings
  • Payroll and equity data
  • Competitors
  • Loss of competitive advantage
Human Resources
  • Recruiting lists
  • Organization reporting structure
  • Salaries
  • Job titles and responsibilities
  • Competitors
  • Loss of key talent
  • Internal dissension
Personal
  • Bank or financial account numbers and statements
  • Health records and other personal health information (PHI)
  • Credit card numbers
  • Vehicle registration numbers
  • Associated demographics
  • Preferences
  • Criminals
  • Criminal organizations
  • Employee and family well-being
PII
  • Full names
  • Birthdays
  • Birthplaces
  • Biometric data
  • Social Security numbers (SSNs)
  • National identification numbers
  • Passport numbers
  • Driver’s license numbers
  • Passwords
  • Criminals
  • Criminal organizations
  • Impersonation
  • Fraud
  • Loss of savings
  • Drop in credit standing
Government/Country Data
  • Agency data (e.g., police and border protection)
  • Program design data (e.g., space programs)
  • Citizen data (e.g., criminal investigations)
  • Cyber security program data (e.g., Internet Protocol [IP] addresses, scan results)
  • Network infrastructure sector data (e.g., power companies, toxic data storage)
  • Criminal organizations
  • Foreign countries
  • Insiders
  • Increased risk to citizens
  • Increased risk to the country at large
Information Technology
  • Network diagrams
  • Configuration files (networks, systems, applications and databases)
  • Wireless access keys
  • Encrypted files (.zip, .pdf, .xls)
  • Files with names such as “Passwords”
  • Outlook offline files (PST, MSG)
  • Software source code
  • Spreadsheets with IP addresses
  • Hackers
  • Malware
  • Discontent employees
  • Loss of confidentiality
  • Loss of integrity
  • Loss of data availability
  • Damage to company mission and standing


Causes of Data Loss

Another step necessary to protecting data is understanding the reasons for data loss or theft. Figure 3 lists causes of data loss, broken down by potential area of weakness: people, process and technology. This list can also be viewed as organizational vulnerabilities. Enterprises that have not implemented countermeasures to combat causes and vulnerabilities should do so immediately.

Figure 3

Addressing these potential vulnerabilities will help to reduce the level of risk.

DLP Product Capabilities

Enterprises that have not considered obtaining an automated DLP measure for monitoring and protecting the data in their cyberenvironment need to do so. However, it is important to be aware that vendor offerings and product capabilities vary. Some automated protective measures can be implemented at the network perimeter. Some require new programs to be installed on the computing devices and storage devices. Additionally, not all vendors provide the same product capabilities and features. In some cases, the products can be complicated and may require technical staff to implement and maintain them.

Figure 4 lists examples of capabilities that exist in DLP products. To stay a step ahead of malware and malicious individuals, it is critical to watch for and implement DLP product changes and upgrades. Doing so will improve defenses, reduce the likelihood of data breaches and minimize any impact if one does occur.

Figure 4

Best Practices for DLP Planning and Preparation

When preparing to implement a DLP program in an enterprise, the following best practices are critical to success, and following them will reduce the likelihood of a data breach:1, 2, 3, 4, 5

  • Management approval—Obtain support from top executives, system owners and stakeholders. This includes identifying and involving representatives from all departments to obtain buy-in.
  • Data comprehension—Develop an understanding of the data. To accomplish this:
    • Define the enterprise’s critical and sensitive data elements. Definitions should include exposure condition severity (i.e., low, medium and high).
    • Determine the DLP requirements. This includes understanding where the data originate, the value of the data, where they reside, enterprise obligations for protecting the data, who is accessing them and where the data are going. It is important to be aware that there is strict regulatory legislation coming into force in the European Union (EU) (i.e., the General Data Protection Regulation [GDPR]),6 under which a breach could result in a large fine or cost a portion of an enterprise’s annual revenue, and which may affect enterprises outside of the EU. Other countries have also implemented data protection and privacy legislation that readers may need to become familiar with (e.g., Australia’s Data Privacy Laws7 and the United Kingdom’s Data Protection Act).8 Additionally, in the United States, the state of California has expanded its privacy laws.9
    • Conduct a gap and risk analysis, and then determine the steps necessary to protect the data.
    • Design and/or update the enterprise’s security architecture (hardware and software).
  • Records management—Identify the data owner or custodian who should be responsible for managing the data throughout their life cycle, which includes data in use, in motion and at rest. Records management not only concerns data backups, archives and retention, but also data destruction. This best practice is especially important regarding the types of data discussed in figure 2.
  • Cost-benefit analysis (CBA)—Perform a cost-benefit analysis of the DLP tools under consideration. This will help to understand the cost of ownership of DLP solutions/tools. The analysis should cover both implementation and operational costs.
  • DLP strategy—Define a data protection strategy that can function as a business case. The strategy objectives should cover the following, at a minimum:
    • Prevent the intentional or unintentional disclosure of sensitive data at rest, in use and in motion to unauthorized parties.
    • Maintain adequate security and simultaneously provide data usability.
    • Protect customer data, brand reputation (if applicable) and company secrets.
    • Protect PII, intellectual property and other information as described in figure 2.
    • Reduce the enterprise’s risk and the cost of compliance. Consider government oversight requirements regarding financial, personal and health data.
    • Establish security, privacy and compliance measures.
    • Consider having a security partner to protect web and mobile applications from critical data loss.
  • Risk assessment—Conduct a risk assessment that involves a cross-departmental team that can create meaningful policies and procedures and effective oversight requirements.
  • Policies and processes—Establish DLP egress policies and policy management processes that cover:
    • How to securely send sensitive data to third parties
    • Whether employees may send sensitive data to their home computers and personal email
    • How to handle data that are considered sensitive and that require data protection controls
    • A response plan for data leakage events, which includes how to deal with those who break policy
  • Awareness and training—Establish the enterprise’s awareness and role-based training program. Areas to cover include:
    • Educating business units on business, security and privacy risk
    • Educating staff on what is sensitive and the risk associated with breaking the rules/policies
    • Explaining to everyone the policies on proper use of email, the Internet and security tools (e.g., file encryption)
    • Explaining applicable local, state and federal/country laws
    • Training key staff on personal responsibilities and complying with information security and data protection policies
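
The data comprehension practice above (define sensitive data elements with a low/medium/high severity and find where they reside) can be illustrated with a small data-at-rest discovery scan. The Python below is an added example, not code from the article or from any DLP product; it looks for a few of the indicators listed in figure 2 (SSNs, credit card numbers, files named "Passwords", Outlook PST/MSG files). The severity assigned to each finding, the function names and the sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Severity scale (low/medium/high) is the article's; the mapping of each
# finding to a level is an assumption made for this example.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}
FINDING_SEVERITY = {"ssn": "high", "card_number": "high",
                    "mail_archive": "medium", "name_hint": "medium"}
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits
NAME_HINT_RE = re.compile(r"passwords?", re.IGNORECASE)
MAIL_ARCHIVE_EXT = {".pst", ".msg"}  # Outlook offline files

def luhn_ok(digits):
    """Luhn checksum; discards digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_text(text):
    """Return {finding: count}; matched values are never copied out."""
    ssns = [m for m in SSN_RE.finditer(text)
            if m.group(1) not in ("000", "666") and m.group(1)[0] != "9"
            and m.group(2) != "00" and m.group(3) != "0000"]
    cards = [m for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    found = {"ssn": len(ssns), "card_number": len(cards)}
    return {k: v for k, v in found.items() if v}

def scan_tree(root):
    """Walk root; return (relative_path, severity, findings) per flagged file."""
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = {}
        if path.suffix.lower() in MAIL_ARCHIVE_EXT:
            findings["mail_archive"] = 1  # opaque container: flag, do not parse
        else:
            if NAME_HINT_RE.search(path.stem):
                findings["name_hint"] = 1
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.update(classify_text(text))
        if findings:
            sev = max((FINDING_SEVERITY[f] for f in findings), key=SEVERITY_ORDER.get)
            results.append((path.relative_to(root).as_posix(), sev, findings))
    return results

def demo():
    """Scan a constructed directory share (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("hr", "sales", "it"):
            (root / sub).mkdir()
        (root / "hr/onboarding.txt").write_text("Employee SSN: 123-45-6789\n")
        (root / "sales/orders.csv").write_text(
            "order,ref\n1001,1234 5678 9012 3456\n1002,4111 1111 1111 1111\n")
        (root / "it/Passwords.txt").write_text("see vault\n")
        (root / "it/mailbox.pst").write_bytes(b"\x00constructed\x00")
        (root / "readme.txt").write_text("Cafeteria menu\n")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, sev, findings in demo():
        print(f"{sev:6} {rel} {findings}")
```

The 16-digit order reference in the sample fails the Luhn check and is not reported, which shows why a bare digit pattern is not enough to recognize card numbers.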

Best Practices for DLP Implementation

When implementing a DLP program and/or deploying DLP tools, the best practices listed in figure 5 should be used to minimize vulnerabilities. Not implementing these best practices can cause setbacks and problems.

Figure 5

Other DLP Recommendations

Sometimes, organizational program implementation policies display bad security practices and contribute to vulnerabilities that allow for data loss. Figure 6 presents some of those bad practices and recommendations on how to handle them.

Figure 6—Recommendations to Address Bad Practices

Bad Practice: Implementing data shares (e.g., SharePoint) with no thought for least privilege
Risk/Result: Anyone in the organization can obtain the data and use them for their own gains.
Recommendation: Implement least privilege for every data share.

Bad Practice: Implementing an internal search engine that crawls the entire company network for data with no restrictions
Risk/Result: Everyone in the company can access and distribute the possibly sensitive or private data.
Recommendation: Obtain information about what should not appear in the search engine results and apply appropriate filters.

Bad Practice: Implementing an email data retention policy that is too short just to manage space and associated costs
Risk/Result: Employees and support contractors can lose valuable information about their contacts, supporting documents, deliverables, history, etc. This is an example of internal data loss.
Recommendation: Obtain more storage space. The cloud was designed to scale when needed.

Bad Practice: Having an intranet search engine that does not have accurate filtering or presentation limitations
Risk/Result: Retrieved results will include anything that has one character in common. Sensitive and PII may be part of the retrieval.
Recommendation: Put restrictions on the search. If anything can be part of the results, then the user will obtain many irrelevant links and the search will take longer.

Bad Practice: Not cleaning up the results of a search engine
Risk/Result: The engine will provide a lot of nonapplicable information. Additionally, data storage requirements will continue to grow without end. Aside from polluting the well, search engine performance is affected. In this case, bad data are retained for an unknown period.
Recommendation: Implement a periodic cleanup process so that data management can be employed. This is important because old results will include not only bad, but also corrupted data. Data corruption can contribute to application failure.

Bad Practice: Not following best practices
Risk/Result: The DLP program can fail. Critical data can be lost, resulting in response costs and possibly fines and/or the loss of market position.
Recommendation: Implement DLP best practices as described in this article.


Technology and Industry Trends

Information-security-related organizations (e.g., McAfee, Symantec, RSA, Verizon, Ponemon, Fortinet, Gartner) have begun to study malicious cyberactivities, conduct surveys and report trends. Some experts have predicted the future of DLP technology to help professionals address threats.10 It is critical for an enterprise to stay on top of trends and ahead of those who may try to obtain their data. It is always better to be prepared than to react to the consequences of data loss.

DLP Technology

The following trends in technology can be expected to drive the creation of more and more DLP products:

  • Algorithms—Improved algorithms for recognizing sensitive data such as PII, PHI and nonpublic/private data will become more prominent.
  • Behavior products—New products will be based on automated human behavior identification and management. Some cybersecurity solutions can find internal organizational threats based on behavioral changes within the network.
  • Encryption—Enhanced encryption processes will combine consistently changing algorithms. Multilayer encryption key management technology will be needed to outwit cybercriminals.
  • Data manipulation—At-rest and in-motion security issues will be addressed by shredding, randomizing and placing sensitive data in globally diverse storage locations.
  • Authentication—Entering a password will no longer be the primary way to access data. Instead, access will involve knowing who someone is when they log in. Multiple layers of authentication will be required.

DLP Industry

Malicious intent and product deficiencies are driving some organizations to implement, obtain and improve their DLP products. Predictions about the DLP industry include:

  • Vendor changes—Larger companies will acquire best-in-class cloud DLP companies and integrate the technology into their existing products. Other vendors will expand their own DLP capabilities.
  • DLP professionals—There will be an increase in the need for cybersecurity professionals who can implement DLP policies and tools. Medium and small enterprises will be affected the most if they cannot afford full-time DLP professionals.
  • DLP as a service—To leverage data protection as a service, IT teams can offload the management aspect to vendors so that they can focus on growing the business rather than managing the storage. Small enterprises will gravitate to these managed services.
  • Outsourcing—There will be an increase in the outsourcing of vulnerability and penetration testing to better identify points of weakness in the enterprise architecture and device configurations.
  • Awareness—Enterprises will develop awareness and role-based training programs (if they do not already have them in place) that have greater depth and more content to cover DLP concerns.

Conclusion

The next steps to a successful DLP program are the enterprise’s to decide. They include:

  • Developing an understanding of what data are sensitive and where to find them
  • Being aware of the threats and associated risk of data loss
  • Identifying the causes of data loss (i.e., internal vulnerabilities) to implement measures to prevent them
  • Understanding DLP product differences and selection criteria to better evaluate vendor tools and techniques
  • Determining the best practices to follow when developing and implementing a DLP program
  • Understanding areas of bad data-handling practices that are critical to address now
  • Determining what and where to implement or improve a program (via technology improvements and changes in activities)
  • Identifying information that can be used to develop a data protection awareness training program

As billions of devices are launched into circulation, it will be even easier for those with malicious intent to breach networks. Protecting data-sensitive systems is vital. This article can help enterprises harden their cyber and procedural defenses during preparation, deployment, awareness and training, and planning for the future.

As long as there is human involvement, the areas of concern will continue to evolve. It is essential to maintain vigilance to avoid and eliminate weakness in cyber and work environments.

Endnotes

1 Yamasani, L.; Data Leak Prevention: Best Practices, April 2015, http://m.isaca.org/chapters8/Silicon-Valley/Members/Documents/Monthly%20Meetings/2015%20-%20April%20Meeting%20%20-%20DLP%20-%20Lokesh%20Yamasani.pdf
2 Hall, S.; “Data Loss Prevention (DLP): Keeping Sensitive Data Safe From Leaks,” eSecurity Planet, 10 April 2017, https://www.esecurityplanet.com/network-security/data-loss-prevention-dlp.html
3 Garg, R.; “10 Considerations for Implementing a Data Loss Prevention (DLP) Solution,” Zecurion, 20 January 2017, http://zecurion.com/2017/01/30/10-considerations-for-implementing-a-data-loss-prevention-dlp-solution/
4 Ernst & Young, Data Loss Prevention, October 2011, www.ey.com/Publication/vwLUAssets/EY_Data_Loss_Prevention/$FILE/EY_Data_Loss_Prevention.pdf
5 IDG Enterprise, Five DLP Tips From Security Executives, http://resources.idgenterprise.com/original/AST-0079952_SymantecFINAL.pdf
6 European Commission, “Reform of EU Data Protection Rules,” http://ec.europa.eu/justice/data-protection/reform/index_en.htm
7 Electronic Frontiers Australia, “Data Protection Laws/Privacy Acts,” 21 January 2006, https://www.efa.org.au/Issues/Privacy/privacy.html
8 Legislation.gov.uk, “Data Protection Act 1998,” www.legislation.gov.uk/ukpga/1998/29/contents
9 State of California Department of Justice, “Privacy Enforcement and Protection,” USA, https://oag.ca.gov/privacy
10 Lord, N.; “Experts on the Data Loss Prevention (DLP) Market in 2016 and Beyond,” Digital Guardian, 27 July 2017, https://digitalguardian.com/blog/experts-data-loss-prevention-dlp-market-2016-beyond

Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP, is a senior consultant at Coalfire with more than 18 years of experience in IT security and privacy. Wlosinski has been a speaker on a variety of IT security and privacy topics at US government and professional conferences and meetings, and he has written numerous articles for magazines and newspapers.

 


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.