What is data loss prevention?

Data loss prevention (DLP), also known as data leakage prevention or data loss protection, is a technique that protects sensitive corporate data from leaving the company due to user negligence, mishandling of data, or malicious intent. DLP technologies enforce data handling policies by allowing or blocking data access and transfer operations based on a set of predefined security rules.

Data can leave the company through two main groups of channels — local channels (e.g., peripheral devices, such as printers, and USB drives) and network-based channels (e.g., emails, web, and social media). Although some DLP solutions monitor only network communication, it is best to monitor both local and network channels to ensure efficient data loss prevention.

To protect digital data in their three fundamental states, DLP solutions implement three functional types to protect data in use, data in motion, and data at rest. 

Data in use (DIU) DLP controls data access and transfer operations in local channels, peripherals & applications on endpoint computers, including removable, fixed, and redirected storage, clipboard, printing, and screenshot captures.

Data in motion (DIM) DLP prevents data leakage through network communications, such as email, webmail, instant messaging, social media, cloud-based and P2P file sharing, as well as HTTP(S), FTP(S), and SMB protocols.

Data at Rest (DAR) DLP discovers exposed confidential content in data stored on corporate IT assets, such as file shares and NAS, endpoint file systems, databases, document repositories, and cloud-based storage. If unprotected data is in the wrong place, DAR DLP can automatically initiate various remediation actions to prevent uncontrolled access to this data and its exfiltration.   

DLP systems use contextual and content-aware methods to prevent data leaks.   

• Context-aware controls allow you to control data operations based on the operations’ context (environmental factors) — attributes such as involved users, channels used, type of accessed/transferred data, flow direction, or date and time.
• Content-aware controls allow you to control operations based on the actual information (data) that is being accessed or transferred.

There are many ways that data leaks can occur, including locally through peripheral devices and ports — such as printers and USBs — as well as through the network via email, social networks, instant messengers, or cloud-based file sharing. While some data access and transfer operations are legitimate, they still need to be strictly protected to ensure no inadvertent leakage due to user negligence. Others threaten to share sensitive data with unauthorized third parties and must be blocked entirely.

If sensitive data winds up in the hands of unauthorized parties, it can lead to:  

Loss of your intellectual property (IP)

Your organization manages and stores extremely sensitive business data that differentiates your company, products, and services. These include financial, customer, and R&D information, brand and trade secrets, patents, formulas, recipes, designs, software code, search algorithms, and so on. All this data must always remain secure and protected. If it is leaked or lost, it can impact your company’s success and competitive position in your marketplace.

Non-compliance with regulatory requirements

Your business maintains a wealth of information about your customers and prospects. For example, if you are a B-to-C business, much of the consumer data you hold is private, whether it be Personally Identifiable Information (PII), PCI (card information), or Protected Health Information (PHI) – and must be secure from prying eyes. If your business is subject to regulatory requirements – such as the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), and Health Insurance Portability and Accountability Act (HIPAA) – compliance fines, investigative and remediation costs can be significant if you experience a data breach or leak.

Brand damage

In addition to compliance fines and remediation costs, a data leak can require you to compensate affected customers and/or in the worst case, customers may choose NOT to do business with you. This can impact your brand reputation and ultimately your future revenues.

To implement a DLP solution, you should follow these recommended best practices.

1. Identify what assets should be protected against leakage. This is a big first step as many organizations do not have a listing of their information assets. 
2. Classify data by levels or categories based on what is sensitive and personal and what is not. You can use data classification software to help with this effort.
3. Analyze your operations to define the data flows that are necessary for the business and those that are unnecessary for the business. Each business data flow used in the organization must be specified – including its sender (or source), its recipient (or destination), the data channel used, and the classification of flowing data in terms of their allowed functional categories and sensitivities. The aggregate specification of all business data flow rules in the organization constitutes its data loss prevention policy. When fully specified, the organizational DLP policy is used as the authorization criterion when enforcing DLP controls over data transfer operations on protected endpoint computers: if a controlled operation matches to any of the allowing data flow rules in the policy, it is considered legitimate and allowed to proceed. However, any controlled operation that matches to a prohibitive rule in the policy or does not match any rule at all is unauthorized and must be blocked as a potential data leak. 
4. Pilot the system in a small part of the organization to test how it works and ensure there are no problems or business process interruptions.
5. Extend the deployment across the entire production environment.
6. As new units, organizations, or processes are added to the business, define and include in the DLP policy those data flow rules necessary to conduct and protect relevant new business operations.
7. Exceptions to the DLP policy must be managed on an ongoing basis. You can manage exceptions by having the system alert the security officer in real time for approval or have the security officer analyze the operation after the fact to determine if it was justified or malicious.  

Data leaks are a security breach in which confidential, sensitive, or protected data is accidentally or deliberately released in an untrusted environment or to unauthorized users either outside or inside the organization. Figure 2 shows the causes of data breaches with negligent insider breaches being the #1 cause, followed by cyberattacks and system glitches. Here are some other statistics that clearly demonstrate the data risks associated with malicious or accidental insider breaches.

• 90% of organizations feel vulnerable to insider threats.
• 53% report to have experienced an insider-related attack in the last 12 months.
• 72% of employees share sensitive, confidential, or regulated company information.
• 45% of employees who accidentally shared information sent it to the wrong person.
• 35% of employees have shared information that they were unaware should not be shared. 

Regardless of size, every company and organization needs to keep sensitive corporate information private. Examples of sensitive corporate information includes trade secrets, merger and acquisition plans, your corporate customer database, financial information, and planned product development activities. If this information gets leaked, your organization can suffer serious consequences, lose revenues and its competitive position in the marketplace, even go out of business.

Likewise, any organization that is in a highly regulated industry – such as government, healthcare, and financial services – and holds Personally Identifiable Information (PII), PCI (card information), Protected Health Information (PHI), or any consumer information that is subject to security/privacy requirements under a government or industry regulation needs a DLP solution.  

Acronis Advanced Data Loss Prevention is an endpoint data loss prevention solution that significantly reduces the risk of insider-related data leaks. It enforces fine-grained contextual controls in combination with content analysis and filtering to block or allow data access and transfer operations. To ensure the thorough protection of sensitive data in use, in motion, and at rest, Acronis Advanced Data Loss Prevention provides an extensive set of features that greatly decrease the risks from data breaches and support information security auditing and compliance efforts. Acronis Advanced Data Loss Prevention is comprised of multiple complementary, function-specific components, allowing customers to choose the best configuration for their security requirements and budget. 

With Acronis Advanced Data Loss Prevention, you can:  

Minimize insider threats. Prevent data leakage due to employee negligence or malicious insiders by blocking any unauthorized attempt to access or transfer data.

Gain visibility into data protection. Reduce the complexity of data protection by using a single solution for thorough visibility over data flows and user behavior. Cut reporting times with powerful built-in reporting tools.

Enforce process compliance. Reduce information security risks and comply with IT security standards and regulations by enforcing data use and handling policies that users cannot avoid.

Stop data leaks at the source and strengthen compliance by using Acronis Advanced Data Loss Prevention, an endpoint DLP that is easy to learn, deploy, and manage.