Over the last several posts, we’ve been discussing the need for a modern security strategy that protects the “identity perimeter” with special emphasis on securing privileged accounts. We also explained how user and entity behavior analytics can break the cyberattack chain by identifying and mitigating insider threats and compromised user credentials.
These tools and techniques play an essential role in keeping hackers out of the enterprise IT infrastructure. However, they are not effective at protecting sensitive data that travels outside corporate boundaries. Data breaches often occur when users share data with the wrong person or store it in an insecure manner.
Data loss prevention (DLP) solutions can reduce the risk of data loss or exposure by helping companies discover, monitor and manage sensitive data in flight across networks, at rest in storage, or in use on devices. These solutions also facilitate compliance with government and industry regulations, and ensure that all users adhere to internal policies regarding data protection.
Few organizations know where all of their sensitive data resides, and that lack of visibility is a contributing factor in many data loss incidents. As a result, the first step in preventing data loss is to identify data that needs protection — including both corporate secrets such as financial data and trade secrets and custodial data such as customer and payment card information.
Comprehensive DLP solutions include discovery components that identify sensitive data in file shares, databases and email, as well as endpoints and removable storage. Once sensitive data is identified, the DLP solution serves as a centralized platform for setting, managing and enforcing policies governing the protection of that data.
Discovery and policy management functions combine to automatically protect data as it travels across the network and beyond. DLP solutions can also prevent unauthorized users from downloading or copying data onto an endpoint and inspect communications to ensure that confidential data is not transmitted via email, instant messaging or social networking sites.
Notification mechanisms alert organizations to security lapses so that sensitive data may be transferred to a more secure location. Reporting and analytics tools aid in regulatory compliance and in targeting employee training and awareness programs.
Microsoft offers several tools to aid data loss prevention:
- Azure Information Protection can automatically classify data and provide recommendations for manual classification. Users can apply sensitivity labels according to business policies and specify actions such as encryption or visual marking of the document. Users can also monitor access to shared files and revoke access if unexpected activity is detected. The solution provides IT teams with a rich set of logging and reporting tools for monitoring, analysis and regulatory compliance.
- The Office 365 Data Loss Prevention service uses deep content analysis to identify sensitive data in sources such as Exchange Online, SharePoint Online, OneDrive for Business and Office productivity software. Users create DLP policies based on the location of the information and action to be performed. The system includes predefined rules for common compliance requirements around the world and advanced features for organization-specific needs.
- Windows Information Protection protects against accidental data leaks across all Windows 10 devices without impacting the user experience. It ensures that only authorized users can access sensitive data and prevents the leakage of content from corporate documents through copy and paste functions. Because it integrates seamlessly into the platform, users can access protected information with their preferred apps.
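The discovery, policy and notification stages described above, and the location-plus-action policy model the Office 365 DLP bullet describes, can be made concrete with a small content-inspection engine. The following is an added illustration written for this post; it is not code from Microsoft or from any of the products named here. The file paths, the `example.com` internal domain and the document contents are constructed sample data, and the rules in `POLICY` are hypothetical. It detects payment card numbers with a Luhn checksum (so an unrelated 16-digit order number is not flagged), tags trade-secret documents by keyword, builds an inventory of where sensitive data lives, and then decides whether a transfer to a given recipient is allowed, audited or blocked. Alerts are redacted so the notification itself does not leak the card number.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus: hypothetical paths and contents, not real files.
SAMPLE_DOCUMENTS = {
    r"\\fileshare\finance\q3-invoices.txt":
        "Customer paid with card 4111 1111 1111 1111 on 2023-09-14.",
    r"\\fileshare\hr\onboarding.txt":
        "Welcome aboard! Parking passes are available at reception.",
    r"\\fileshare\eng\roadmap.txt":
        "CONFIDENTIAL - Trade Secret: compression ratio targets for next release.",
    r"C:\Users\alice\Desktop\notes.txt":
        "Reference number 1234 5678 9012 3456 is an order id, not a card.",
}

# 13-16 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
TRADE_SECRET_PATTERN = re.compile(r"\btrade secret\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list[str]:
    """Content inspection: return the sensitivity labels that apply to text."""
    labels = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            labels.append("Payment Card Data")
            break
    if TRADE_SECRET_PATTERN.search(text):
        labels.append("Trade Secret")
    return labels


def discover(documents: dict[str, str]) -> dict[str, list[str]]:
    """Discovery: inventory which files hold sensitive data, and of what kind."""
    return {path: labels for path, text in documents.items()
            if (labels := classify(text))}


@dataclass(frozen=True)
class Rule:
    label: str    # sensitivity label the rule applies to
    scope: str    # "external" (recipient outside the org) or "any"
    action: str   # "block" or "audit"
    notify: bool  # raise an alert for the security team


# Hypothetical policy: card data may not leave the organisation;
# trade-secret documents are always audited, wherever they go.
POLICY = [
    Rule("Payment Card Data", scope="external", action="block", notify=True),
    Rule("Trade Secret", scope="any", action="audit", notify=True),
]

INTERNAL_DOMAINS = {"example.com"}  # constructed for the example


def redact_pans(text: str) -> str:
    """Keep only the last four digits so the alert does not leak the number."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_PATTERN.sub(mask, text)


def evaluate_transfer(text: str, recipient: str) -> dict:
    """Policy enforcement for a message or upload addressed to recipient."""
    labels = classify(text)
    external = recipient.split("@")[-1].lower() not in INTERNAL_DOMAINS
    decision = {"labels": labels, "action": "allow", "alerts": []}
    for rule in POLICY:
        if rule.label not in labels:
            continue
        if rule.scope == "external" and not external:
            continue
        if rule.action == "block":
            decision["action"] = "block"
        elif decision["action"] == "allow":
            decision["action"] = "audit"
        if rule.notify:
            decision["alerts"].append(
                f"{rule.label} -> {recipient}: {redact_pans(text)}")
    return decision


if __name__ == "__main__":
    for path, labels in discover(SAMPLE_DOCUMENTS).items():
        print(f"{path}: {', '.join(labels)}")
    invoice = SAMPLE_DOCUMENTS[r"\\fileshare\finance\q3-invoices.txt"]
    print(evaluate_transfer(invoice, "partner@external.example"))
```

Running it lists the two files that actually hold sensitive data (the finance invoice and the engineering roadmap; the order number on the desktop fails the Luhn check and is ignored), then blocks the invoice going to an external address while the same file sent internally is allowed. The checksum step matters in practice: a DLP rule that matches digit patterns alone produces a stream of false positives that trains users and analysts to ignore the alerts.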
The AdaptivEdge security team can help you select and implement the right DLP solution to meet your organization’s requirements. Contact us to discuss how DLP might fit into your cybersecurity strategy.
Written and composed by one of our Senior Managing Partners, Stephen Soper