What is data loss prevention? -- An introduction to DLP

Most network security products focus on keeping the bad guys -- Trojans, viruses and hackers -- outside of the network, but data loss prevention (DLP) keeps the good stuff -- sensitive enterprise data -- in. With more business data leaks tainting the reputations of companies like TJX and Hannaford, it's important not only to keep your information secure but to keep it from getting into the wrong hands.

We chatted with enterprise security analyst Eric Ogren, founder of the Ogren Group, about the basics of DLP and how it differs from the network security products you may already have in place.

Marketers use various terms when they refer to DLP. Some examples I've seen are information leak prevention (ILP), content monitoring and filtering (CMF) and extrusion prevention system. Is there a difference among any of those terms?

Eric Ogren: I would say DLP [data loss prevention] is the industry-wide term. Usually where some of the other [terms come in] might be a company trying to differentiate themselves. Reconnex would talk about intellectual property prevention or extrusion prevention, for instance, but that's just marketers trying to be different.

So there's no difference between data loss prevention and data leakage prevention?

Ogren: Nope, not at all.

How does DLP fit in terms of network security, and how does [DLP] mesh in with what already [exists]?

Ogren: Five years ago, everything in security used to be [based on] trying to keep the bad people out…. But now the problem that enterprises are really trying to grapple with is how to protect their confidential data -- whether it's customer data from PCI, like charge card data, or it's health records or just intellectual property -- and that's a huge problem. It's a big business problem because as it gets out, businesses have to disclose the breach, and they have to track it down, and then it just gets nasty [chuckles] – "nasty" being my technical term.

So there's a big demand to help businesses make sure that their data stays secure in the data center and that as it moves around their network, there are controls in place to make sure it doesn't escape in an unauthorised manner.

In a nutshell, that's the whole deal with DLP -- just to protect the crown jewels [/corporate data], so to speak.

How is that different from Network Access Control (NAC)? Is there a difference or similarity between NAC and DLP?

Ogren: Yes. All the other stuff, like network access control, is more geared toward keeping malicious code out of the network. It's more oriented toward: "Is your antivirus installed? Do you have all the right patches in place?" It comes much more from an operational integrity issue than from a data leak issue.

The characteristics of DLP are almost like a backward firewall. Where a firewall looks at data coming into the network and says, "Do I want to allow this?" DLP looks at data flowing out of your network and says, "Is this data something I care about? Is it confidential?"

In the network, it actually looks at the data packets and data flow. Instead of … looking for attacks, it finds [traffic] that's actually confidential data and then makes a decision on whether or not to allow that to go forward.

What other ways does information leak from the network besides email? Does DLP track these as well?

Ogren: There's lots of ways. The three big ways are email -- where you send something out, usually it's to a business partner, but sometimes mistakes happen and it doesn't go to that person. The second way is on your laptop, or a USB drive -- so you've actually made a local copy of it, and [y]our laptop gets stolen or somebody's got something on a memory stick, and that's got a lot of data on it. The third way is through a piece of malicious code -- as with the Hannaford incident -- that sits there and just sends automatically. This is spyware; it steals data and sends it out over the Internet.

That's pretty much it. The challenge with DLP is [figuring out] … how to look at everything in the network. Also, once the data gets to a laptop -- which you usually have to do for an employee -- or desktop, how do you make sure that it gets cleaned up from that endpoint so that it doesn't sit on a local drive or sit on a removable drive?

Some vendors describe DLP as being broken up into three essential parts: network endpoint security, endpoint protection, and the discovery. What is the most important component of DLP?

Ogren: I think data discovery is the most important. Because I find that if IT knows what is there, they can do a reasonably good job of either putting technology in place or of educating the user. Much of the time, IT doesn't really know what or where all the sensitive data is, from a security standpoint. So just being able to say, "There's confidential data in this database or around this file share or SharePoint," is useful information for the security [team] to have, because then they can put controls in place so that only authorised people can access it. Then those authorised people are educated as to what their responsibilities are...

The reason I think discovery is the most important is that if security knows where the confidential data is, then they can put a little bit extra vigilance into making sure that the access control policies are in place. They can make sure that all the accounts are active, that people who do access it know their responsibilities and the rules, that there is a little bit of social education a little bit above and beyond what they would normally do: They might look and be a little bit tighter with their audits of machines if they know they have consumer data on them, for instance. They would audit them more often or change the policy or look for things that don't belong there. If you were banking, you might have 10,000 applications, with 10,000 databases, so it helps to narrow it down to the ones that should get special attention.

What else does the network admin have to do? Is it just to find that material and make a stronger algorithm for it?

Ogren: Yes, find the security controls around it. When I talk to security people on the enterprise, I think they've been pretty good if they know there's a problem: They want to do the right thing. So if they know a company is at risk, they'll take care of it. It's just that if they don't know, what can they do? So half the game is letting them know that there's a resource like a database or a file or information that really needs some TLC -- some extra care.