Best Practices for Data Loss Prevention

data loss prevention DLP v2


Just about every organization or business that exists today has an ingrained fear when it comes to protecting information. No-one wants to lose their confidential, critical or highly restricted data, and the fear of losing this data becomes even more amplified for organizations when their information is hosted beyond their premises, onto a cloud model, for example. In order to address this fear proactively, a security concept has been introduced, known widely as “Data Loss Prevention” or DLP. This concept has evolved over the years to provide different flavors and options within the market. However, each solution has been designed with the intention of detecting flaws, and preventing data from being leaked.

The Types of Data that Needs Protecting

When it comes to understanding the best practices available for data loss prevention, the first thing that organizations need to recognize is what data should be protected. In DLP applications, data is generally classified into three categories:

  1. Data that is in use: Information that resides on the workstation of an end user and must be protected from leakage through various removable devices for media such as CDs, DVDs and USBs.
  2. Data that is in motion: Information that has to be protected during a process of transit. For example, this could be data that is moving through the wire, on channels like HTTP/S, IM, FTP, P2P and SMTP.
  3. Data at rest: Information that resides on databases and file services needs to be monitored regularly within this category to ensure that it doesn’t become leaked.

Strategy for Data Loss Prevention

Most data loss prevention products will come with policies that have been built into them. These policies should already be compliant with various standards such as SOX and PCI. As a result, organizations will just need to tune the policies into the footprint of their business or company. The most important thing about establishing a DLP strategy is to identify which sensitive data needs to be protected. The reason for this is that if an organization simply pushes DLP across the entire organization, a number of false positives are likely to take place.

Identify Your Sensitive Data

Often, the first thing that any organization should do in the process of DLP is define which restricted, and confidential data throughout the organization needs the most protection across all through channels. To identify critical data, an organization may choose to use a product known as fingerprinting. Data can be stored in numerous different forms, across various locations within an organization, and each piece of data needs to be given its own specific fingerprint. Today, a lot of data protection products come with an engine for discovery which crawls through the data and ensures that it is accessible through an interface capable of allowing quick searching.

Define Your Policies

Once you have accurately determined which data is your most sensitive, you need to start building policies to protect it. Every policy should come with a distinct set of rules that will help to keep security numbers, credit card numbers and other information safe. If an organization needs to defend sensitive information that a DLP product cannot support automatically, they will need to create rules with regular expressions. At this stage, policies should only be defined, not necessarily applied.

Determine the Flow of Information

It is crucial for an organization to be able to identify the flow of their business information. Organizations need to prepare questionnaires so that useful information can be extracted once identified. For example, consider where the destination and source of the identified data should be. Think about where the egress points should present in the network, and which processes can be put in place to control the flow of information. Furthermore, organizations also need to make sure that they can identify the owners of data when planning DLP.

How to Implement DLP Successfully

Following are some of the primary practices that should be considered when it comes to deploying a DLP successfully:

  • Before a DLP product is purchased, organizations will need to identify the need of the business for that DLP.
  • Organizations should always identify which pieces of information are sensitive before a DLP is deployed.
  • Organizations need to check whether the DLP product they choose is capable of supporting the formats in which data is stored within their environment.
  • DLP implementation should always begin with a small base, so that false positives can be minimized. The base can eventually begin to increase as the organization further identifies sensitive or critical data.
  • DLP operations need to be effective in eliminating false positives and improving their policies.
  • Risk profiles should be updated as regularly as possible, alongside constant documentation of any DLP incidents that take place.

DLP is an important preventive and defensive technology that always results in very high ROI for organizations when it comes to protecting the data of their company or clients.

FileCloud offers some of the best features to prevent data loss when running a self-hosted file sharing solution. Learn more FileCloud’s DLP features  here.

Author: Rahul Sharma

Image courtesy: iosphere/