What is data loss prevention? -- An introduction to DLP

By Tessa Parmenter
14 May 2008 | SearchNetworking.com


Most network security products focus on keeping the bad guys -- Trojans, viruses and hackers -- outside of the network, but data loss prevention (DLP) keeps the good stuff -- sensitive enterprise data -- in. With more business data leaks tainting the reputations of companies like TJX and Hannaford, it's important not only to keep your information secure but to keep it from getting into the wrong hands. SearchNetworking.com chatted with enterprise security analyst Eric Ogren, founder of the Ogren Group, about the basics of DLP and how it differs from the network security products you may already have in place.

Marketers use various terms when they refer to DLP. Some examples I've seen are information leak prevention (ILP), content monitoring and filtering (CMF) and extrusion prevention system. Is there a difference among any of those terms?
Eric Ogren: I would say DLP [data loss prevention] is the industry-wide term. Usually, where some of the other [terms come in], it might be a company trying to differentiate itself. Reconnex would talk about intellectual property prevention or extrusion prevention, for instance, but that's just marketers trying to be different.

So there's no difference between data loss prevention and data leakage prevention?
Ogren: Nope, not at all.

How does DLP fit in terms of network security, and how does [DLP] mesh in with what already [exists]?
Ogren: Five years ago, everything in security used to be [based on] trying to keep the bad people out…. But now the problem that enterprises are really trying to grapple with is how to protect their confidential data -- whether it's customer data from PCI, like charge card data, or it's health records or just intellectual property -- and that's a huge problem. It's a big business problem because as it gets out, businesses have to disclose the breach, and they have to track it down, and then it just gets nasty [chuckles] – "nasty" being my technical term.

So there's a big demand to help businesses make sure that their data stays secure in the data center and that as it moves around their network, there are controls in place to make sure it doesn't escape in an unauthorized manner.

In a nutshell, that's the whole deal with DLP -- just to protect the crown jewels [corporate data], so to speak.

How is that different from Network Access Control (NAC)? Is there a difference or similarity between NAC and DLP?
Ogren: Yes. All the other stuff, like network access control, is more geared toward keeping malicious code out of the network. It's more oriented toward: "Is your antivirus installed? Do you have all the right patches in place?" It comes much more from an operational integrity issue than from a data leak issue.

The characteristics of DLP are almost like a backward firewall. Where a firewall looks at data coming into the network and says, "Do I want to allow this?" DLP looks at data flowing out of your network and says, "Is this data something I care about? Is it confidential?"

In the network, it actually looks at the data packets and data flow. Instead of … looking for attacks, it finds [traffic] that's actually confidential data and then makes a decision on whether or not to allow that to go forward.

What other ways does information leak from the network besides email? Does DLP track these as well?
Ogren: There are lots of ways. The three big ways are email -- where you send something out, usually it's to a business partner, but sometimes mistakes happen and it doesn't go to that person. The second way is on your laptop, or a USB drive -- so you've actually made a local copy of it, and your laptop gets stolen or somebody's got something on a memory stick, and that's got a lot of data on it. The third way is through a piece of malicious code -- as with the Hannaford incident -- that sits there and just sends automatically. This is spyware; it steals data and sends it out over the Internet.

That's pretty much it. The challenge with DLP is [figuring out] … how to look at everything in the network. Also, once the data gets to a laptop -- which you usually have to do for an employee -- or desktop, how do you make sure that it gets cleaned up from that endpoint so that it doesn't sit on a local drive or sit on a removable drive?

Some vendors describe DLP as being broken up into three essential parts: network endpoint security, endpoint protection, and the discovery. What is the most important component of DLP?
Ogren: I think data discovery is the most important. Because I find that if IT knows what is there, they can do a reasonably good job of either putting technology in place or of educating the user. Much of the time, IT doesn't really know what or where all the sensitive data is, from a security standpoint. So just being able to say, "There's confidential data in this database or around this file share or SharePoint," is useful information for the security [team] to have, because then they can put controls in place so that only authorized people can access it. Then those authorized people are educated as to what their responsibilities are...

The reason I think discovery is the most important is that if security knows where the confidential data is, then they can put a little bit of extra vigilance into making sure that the access control policies are in place. They can make sure that all the accounts are active, that people who do access it know their responsibilities and the rules, that there is a little bit of social education a little bit above and beyond what they would normally do: They might look and be a little bit tighter with their audits of machines if they know they have consumer data on them, for instance. They would audit them more often or change the policy or look for things that don't belong there. If you were banking, you might have 10,000 applications, with 10,000 databases, so it helps to narrow it down to the ones that should get special attention.

What else does the network admin have to do? Is it just to find that material and make a stronger algorithm for it?
Ogren: Yes, find the security controls around it. When I talk to security people in the enterprise, I think they've been pretty good if they know there's a problem: They want to do the right thing. So if they know a company is at risk, they'll take care of it. It's just that if they don't know, what can they do? So half the game is letting them know that there's a resource like a database or a file or information that really needs some TLC -- some extra care.
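As an added illustration (not from the interview or any vendor's product) of the two mechanisms Ogren describes, the "backward firewall" that inspects outbound traffic and the data discovery that locates confidential data at rest, the Python below classifies constructed sample messages and files for payment card numbers, the PCI case he mentions. All messages, file paths and card numbers are constructed for this example; the card numbers are widely published test numbers, not real accounts.

```python
"""Added DLP-style example (not from the article): classify outbound messages
and discover sensitive data at rest. Sensitive data here means payment card
numbers (PANs), the PCI case Ogren mentions; matches must pass the Luhn check
so that arbitrary digit strings such as order numbers do not trigger alerts."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in text, with separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep only the last four digits in alerts, so the DLP log is not itself a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_outbound(message: str) -> tuple[str, list[str]]:
    """The 'backward firewall': decide whether an outbound message may leave."""
    pans = find_pans(message)
    return ("BLOCK" if pans else "ALLOW"), [mask(p) for p in pans]


def discover(files: dict[str, str]) -> dict[str, int]:
    """Data discovery: which files hold PANs, and how many, so they get extra controls."""
    counts = {path: len(find_pans(body)) for path, body in files.items()}
    return {path: n for path, n in counts.items() if n}


# Constructed sample data; the card numbers are well-known test numbers, not real accounts.
OUTBOUND = ["Invoice total 1250.00, card on file 4111 1111 1111 1111",
            "Order 123456789012345 shipped to the partner warehouse"]
FILES = {"//share/hr/handbook.txt": "Vacation policy: 20 days per year.",
         "//share/finance/cards.csv": "name,pan\nalice,5555555555554444\nbob,378282246310005\n"}
```

Running `inspect_outbound` over the two messages blocks only the first, because the 15-digit order number fails the Luhn check, and `discover` flags only the finance CSV.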
