This is Part 7 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.
Far too many organizations place Data Loss Prevention (DLP) and Data Protection at the bottom of their priority list because of the perceived difficulty of deployment, when there are in fact some easy approaches to getting started with protecting your data. Encrypting sensitive data can be automated in just a few steps, so this ‘secret cipher’ is hardly noticed until it’s needed.
Today, let’s conduct an overview of the topics of DLP and Data Protection.
First, let’s provide a simple description of the topics at hand:
Data Protection
Data protection has several meanings, but for the scope of this discussion, it is the process of protecting sensitive data from unauthorized access. Consider the scenario where a laptop containing sensitive files is stolen, giving the thief access, or an email includes an attachment with a sensitive file. In both cases, the file should be encrypted and require authentication every time it is accessed.
Data Loss Prevention - DLP
DLP is the ability to prevent sensitive data from being passed outside of its assigned trusted zones. For example, a spreadsheet containing financial data is allowed to be viewed by the accounting team, but it is not allowed to be emailed.
Compliance
The simple answer for some is “because I was told to.” If your organization must follow one or more compliance standards, then it’s very likely data protection is part of those controls. For example, NIST has several mentions of data protection under the data at rest (SC-28) and data in motion (SC-8) categories. CIS has a Control 3 named Data Protection.
Intellectual Property Theft Preparedness
Most likely there’s not a company in the modern world that hasn’t heard of ransomware and how much a successful attack can cost an organization. Preparing for IP theft is much cheaper than the alternative of dealing with the cost of recovering from a ransomware attack. Data Protection and DLP are at the center of IP theft preparedness. If the data is protected it will be safe in a worst-case scenario ransomware incident.
Public / Media Exposure
The cost to a company’s reputation can be more than the cost of recovering from a data breach. After all, wouldn’t a corporate executive rather say “our company was breached but all our data was encrypted” as opposed to “we were breached and none of our data was encrypted”?
Data Protection usually involves the following steps:
Figure 1: Applying a sensitivity label in Microsoft Purview Information Protection
DLP is basically a more condition-based application of the data protection mentioned above:
Note that when you apply sensitivity labels the associated document(s) are not automatically encrypted unless your label options say the sender must do so.
Figure 2: A DLP Policy to block email containing sensitive data. Courtesy Microsoft Purview
Some of the hardest challenges with data protection aren’t the technologies used, but instead:
Finding your sensitive data
If all your sensitive data is stored on a SharePoint drive, then there’s not much effort in finding sensitive data, but that’s hardly a real-world example. Sensitive data can be on-prem, in the cloud, and it can be stored in numerous formats: spreadsheet, database, data lake, etc.
Creating Data Protection Policies
If you’re lucky enough to be a one-person security department, then you’ll only have yourself to argue with about the best data protection policies – again, not real-world, so there’s often much discussion on how to protect data. Depending on the size of your organization, there could be dozens of data protection policies required.
Creating Sensitivity Labels
Data protection tools will provide a default set of common sensitivity labels, for example:
Figure 3: Default Sensitivity Labels: Courtesy Microsoft Purview
Often, the default labels are a great starting point from where additional labels can be added at a future phase of your data protection deployment.
And Then Some...
Additional challenges will arise such as what actions should be taken if sensitive data policies are violated, and how you test your data protection policies without disrupting operations. So, it’s recommended to plan things out in a spreadsheet before getting to the technical parts.
The bottom line is: Good planning for data protection and DLP can save a lot of meetings and contractor hours!
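As an added example (not code from this post or from Microsoft Purview), the following Python models a condition-based DLP rule: it detects card numbers in outgoing content, then allows, audits or blocks depending on the channel and on whether the rule is enforced or still in test mode. The rule fields, channel names and sample email are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

@dataclass(frozen=True)
class DlpRule:              # hypothetical rule shape, not a Purview object
    name: str
    blocked_channels: frozenset
    min_count: int = 1
    enforce: bool = False   # False = test mode: record the match, do not block

def evaluate(rule: DlpRule, channel: str, text: str) -> dict:
    hits = find_card_numbers(text)
    violated = channel in rule.blocked_channels and len(hits) >= rule.min_count
    if not violated:
        action = "allow"
    else:
        action = "block" if rule.enforce else "audit"
    # Report a count, never the matched values, so logs do not leak the data.
    return {"rule": rule.name, "channel": channel, "action": action, "matches": len(hits)}

# Constructed sample: one Luhn-valid test card number, one invoice number that is not.
SAMPLE_EMAIL = ("Q3 invoice 1234 5678 9012 3456 attached. "
                "Customer card on file: 4111-1111-1111-1111.")
PILOT = DlpRule("Financial data - no email", frozenset({"email"}))
ENFORCED = DlpRule("Financial data - no email", frozenset({"email"}), enforce=True)

if __name__ == "__main__":
    for rule, channel in [(PILOT, "email"), (ENFORCED, "email"), (ENFORCED, "internal-share")]:
        print(evaluate(rule, channel, SAMPLE_EMAIL))
```

Running the rule in test mode first shows how many messages it would have blocked before anyone's mail is actually stopped.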
DLP depends on applications that understand the sensitivity labels assigned to the files. For example, Microsoft’s Purview provides DLP policies that work great with Microsoft Exchange and other Microsoft-based applications. But if you’re using Microsoft Purview with non-Microsoft applications, those apps likely won’t understand the applied sensitivity labels and won’t be capable of using the DLP policies created in Purview.
The hard truth is that Data Loss Prevention is far from perfect since it’s dependent on the applications it's used with. On the brighter side, Data Protection can be quite effective if all your data is in the cloud and/or your data protection solution has easy access to your data.
Figure 4: Purview DLP Supported Applications – Courtesy Microsoft
Don’t put data loss prevention and Data Protection at the bottom of your priority list. Move sensitive data to the cloud, apply data protection and data loss policies, and evolve your data protection methods over time as priorities allow.
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.