With the release of OpenDLP, more and more people are hearing about DLP. What is it and how does it work?

Fundamentally, security is about protecting important data – whatever that data happens to be – a formula, a trade secret, social security numbers, etc. We have all kinds of tools and techniques to help us encrypt and protect our data from someone outside of the company, but what about from people inside the company, people who go against company policy and use Gmail, RapidShare, or other convenient tools so they can work at home or on the road? While seemingly innocent, these users are the ones who can cause the most problems.

DLP, or Data Loss Prevention, is not one tool but a set of tools that allows management to watch for, prevent, and react to “sensitive” data being where it should not be, or being transmitted in a non-permissible way (e.g. unencrypted). There are three main parts to DLP:

  • Data in Motion – network traffic, any time data is being transferred from one place to another.
  • Data in Use – when users are actually *using* the data, such as in memory.
  • Data at Rest – when the data is being stored, such as on a hard drive or on removable media.

A DLP solution has to consider all of these. Some companies may choose to only implement one type of DLP based on their threats and risks.

DLP solutions typically start with a definition of what “sensitive” data is. A social security number or a credit card number is pretty easy to pick out of “random” data. A trade secret – not so much. This is probably the most difficult part of the process, and continual refinement is necessary for a successful solution. Second, management must define what uses are acceptable and not acceptable for that data. Is it OK if that data is sent via encrypted e-mail, but not uploaded to a web page? These two pieces of information make up the policies or rules that the DLP solution must enforce.

Once sensitive data is defined, the solution must start looking at the data. Generally, for data in motion, this is done with proxies – web proxies, FTP proxies, e-mail gateways, etc. The software inspects all traffic and flags transfers that violate the “rules”. Data at rest DLP solutions tend to use agents that look through file servers and disks for the data and flag anywhere they find data that shouldn’t be there. Data in use is generally handled by an agent on end-user systems that prevents you from copying files to a USB device, etc.
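The two steps above (defining what counts as sensitive data, then scanning for it and applying the acceptable-use rules) can be shown end to end in a small classifier. The following is an added example, not code from the post or from OpenDLP. It assumes the two data types the post names (social security numbers and credit card numbers), a hypothetical policy table that permits them over encrypted e-mail but not over web uploads, and a handful of constructed sample files standing in for a file-server scan. The point it makes that the prose only hints at: a bare regex flags a lot of junk, so each candidate is validated (published SSN structure rules, Luhn checksum for cards) before it becomes a finding.

```python
"""Toy DLP classifier, policy check and at-rest scan (added example, not from the post).

Assumptions (not from the original text): the SSN/card regexes and validation
rules, the POLICY table, the channel names, and the SAMPLE_FILES content are
all constructed for this example.
"""
import re
from dataclasses import dataclass

# Candidate patterns. Deliberately loose; the validators below prune them.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes: area is never 000, 666 or 900-999,
    group is never 00, serial is never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which payment card numbers satisfy; rejects most typos and
    arbitrary digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # the matched text as it appeared


def classify(text: str) -> list[Finding]:
    """Step one of the post: decide what in this text is sensitive."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", m.group(0)))
    return findings


# Hypothetical acceptable-use table: which channels may carry each data kind.
POLICY = {
    "ssn": {"encrypted_email"},
    "card": {"encrypted_email"},
}


def evaluate(text: str, channel: str) -> tuple[str, list[Finding]]:
    """Data-in-motion decision: ('allow' | 'block', findings) for one transfer."""
    findings = classify(text)
    violations = [f for f in findings if channel not in POLICY[f.kind]]
    return ("block" if violations else "allow"), findings


# Constructed stand-in for a file share; path -> contents.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nAlice,123-45-6789\nBob,000-12-3456\n",
    # Looks like an SSN and a card number, but both fail validation.
    "notes/todo.txt": "order 987-65-4321 paid with 4111 1111 1111 1112",
    "finance/refunds.txt": "refund to card 4111-1111-1111-1111 approved",
}


def scan_at_rest(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Data-at-rest sweep: report only files that hold validated findings."""
    return {path: found for path, content in files.items() if (found := classify(content))}


if __name__ == "__main__":
    for path, found in scan_at_rest(SAMPLE_FILES).items():
        print(path, [f.value for f in found])
    print(evaluate("my ssn is 123-45-6789", "web_upload")[0])
```

Running it reports `hr/payroll.csv` (one valid SSN; Bob's `000-12-3456` is dropped) and `finance/refunds.txt`, while `notes/todo.txt` produces nothing because the area number 987 is out of range and the card digits fail Luhn. The same `classify` feeds both the at-rest scan and the in-motion `evaluate` check, which is the usual shape of a DLP deployment: one definition of sensitive data, several enforcement points.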

Finally, management has to decide what to do with offenses. Does the DLP system just flag the offense? Does it prevent the offense? Who does it report the offense to? What happens to the user who offended the system? These are all policy questions that must be addressed in parallel with implementing a DLP solution.

DLP is a hard problem to solve. There are many difficult choices and issues to be addressed that are more than just “what software do we use”. A full evaluation of your goals up front will help you select the “right” implementation for your organization.

One thought on “DLP – Data Loss Prevention”

  1. I fully understand your stance in this matter. Though I’d disagree on some of the finer particulars, I think you do superior work explaining it. Sure beats having to investigate it on my own. Many thanks.
