Today, I attended a meeting at a well-known security firm (no name given here). The topic was a presentation of their DLP (or “Data Loss Prevention“) solution.
I’ll not come back on the product itself. Such meetings, organized by companies to present their own product, are not very relevant. Often, they resume to “come to us, we have the best solution on the market”.
But the meeting was anyway interesting: the speaker insisted on the critical point to analyze in a DLP project: “Where are the data?”. Let’s have a look at the schema below:
Each company has “data”. They are critical for its business and any divulgation, loss or alteration could have strong negative impacts on the business: quantitative (loss of revenue) or qualitative (bad reputation). Data can be:
- Personal information (SSN, phone numbers, names, addresses, e-mail)
- Financial information (CC number, transactions)
- Medical information
- …
Data are stored in databases which are protected. Good! But we must take care of any access, transfer or alteration during the whole business process. An example?
Let’s examine the backup procedure on the schema. We assume that data are correctly protected in the DB system.
1. Data are mirrored to a backup system on a remote location. We need to protect the remote system as well. We also need to protect the media between the two sites (a VPN is a good solution).
2. Once a week, archives are performed on tapes. We need to protect the media. Who handle them? How are they recycled?
3. Finally, some tapes are stored on a remote location (third party storage company). Are the tapes correctly protected? Is there enough physical security control and protection (fire, water, …)
If you zoom in the schema, you’ll see that the original data move across the platform, the format change, the access methods change. They are many “access point” to the company data: end-users, customers, partners, outsourced development companies, etc. Each of them must be analyzed to protected to prevent any data loss.
We can resume the DLP process in three questions:
- Where to look for my data? (network taping, files scanning, protocol inspection)
- How to analyze my data? (based in fingerprinting, described contents – dictionaries)
- What to do in case of incident? (notify log, block, quarantine)
Finally, never forget that a DLP process will never fully protect you against loss of data! Evasive techniques are easy to find. DLP is important when your business is under regulatory compliance. With a DLP solution, you will be able to proof to auditors that a process is in place to reduce the risks.