
Introduction

Our last blog examined what Data Loss Prevention is and the three major data categories that DLP systems protect, which are as follows:

  • In Use Protection;
  • In Motion Protection;
  • At Rest Protection.

In this blog, we examine the controls that are needed to prevent data loss.

The Required Controls for Data Loss Prevention

Before any DLP technologies can be evaluated, it is first important to understand the controls that are needed for each focus area within the three data categories described in the last blog. Once this has been established, the appropriate DLP software package can be selected and deployed. The following lists the necessary controls for each type of data:

Data in Motion

Focus area and technological control:

  • Perimeter security: firewalls, proxy servers
  • Network monitoring: the selected DLP technology
  • Internet access control: proxy servers, content filters
  • Data collection and exchange with third parties: secure email, secure FTP, secure APIs, encrypted physical media
  • Use of instant messaging: firewalls, proxy servers, workstation restrictions
  • Remote access: encrypted remote access; restrictions on the use of remote access tools to prevent data leakage

(SOURCE:  http://www.ey.com/Publication/vwLUAssets/EY_Data_Loss_Prevention/$FILE/EY_Data_Loss_Prevention.pdf).

Data in Use

Focus area:

  • Privileged user monitoring
  • Access/usage monitoring
  • Data sanitation
  • Use of test data
  • Data redaction
  • Export/save control

Technological control:

  • Event monitoring related to databases and application log files
  • Data sanitation routines and programs
  • Data redaction tools
  • Application controls

(SOURCE:  http://www.ey.com/Publication/vwLUAssets/EY_Data_Loss_Prevention/$FILE/EY_Data_Loss_Prevention.pdf).
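The content filters named under Data in Motion and the redaction tools named under Data in Use both rest on the same core function: inspecting content for sensitive data and deciding what to do with it. The following is an added example, not code from the original post or from the EY source, showing how such a filter avoids the most common DLP failure, false positives: a 16-digit number is only treated as a payment card number if it passes the Luhn check. The message body, the regexes and the policy decision are constructed and simplified for illustration; a production engine would carry far more patterns and context rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: an outbound message that mixes a real (Luhn-valid) test
# card number, a 16-digit order reference that is NOT a card number, and an SSN.
SAMPLE_MESSAGE = (
    "Hi Sam, the customer's card is 4111 1111 1111 1111, exp 09/27.\n"
    "Order ref 1234567890123456 and SSN 123-45-6789 are in the ticket.\n"
)

# Simplified patterns (assumptions for this example, not a vendor rule set):
# 13-19 digits optionally separated by spaces or dashes, and a US SSN layout.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    kind: str    # "PAN" or "SSN"
    start: int   # offset of the match in the text
    end: int
    last4: str   # retained for audit logging and partial redaction


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(text: str) -> List[Finding]:
    """Find sensitive data; PAN candidates must also pass Luhn to count."""
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("PAN", m.start(), m.end(), digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", m.start(), m.end(), m.group()[-4:]))
    # Patterns above cannot overlap (different lengths), so a sort suffices.
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: List[Finding]) -> str:
    """Replace each finding with a token that keeps only the last four digits."""
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.start])
        out.append(f"[{f.kind} ****{f.last4}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


def decide(findings: List[Finding]) -> str:
    """Constructed policy: card data is blocked outright, SSNs pass redacted."""
    if any(f.kind == "PAN" for f in findings):
        return "BLOCK"
    if findings:
        return "ALLOW_REDACTED"
    return "ALLOW"


if __name__ == "__main__":
    found = inspect(SAMPLE_MESSAGE)
    print(decide(found))
    print(redact(SAMPLE_MESSAGE, found))
```

Run as a script, the order reference is left untouched because it fails Luhn, the card number and SSN are redacted to their last four digits, and the policy verdict is BLOCK because card data is present.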

Data at Rest

Focus area and technological control:

  • Endpoint security: operating system workstation restrictions
  • Host encryption: full disk encryption tools
  • Mobile device protection: built-in security features, third-party mobile device control products
  • Network/intranet storage: access control software and permission control in all operating systems, databases and file storage systems
  • Physical media control: endpoint media encryption tools, operating system workstation restrictions
  • Disposal and destruction: data erasure and data wiping software

(SOURCE:  http://www.ey.com/Publication/vwLUAssets/EY_Data_Loss_Prevention/$FILE/EY_Data_Loss_Prevention.pdf).
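The data erasure and wiping software listed for disposal and destruction does more than delete a file: it overwrites the content, forces it to disk, and only then removes the name. The following is an added example, not code from the original post or from the EY source, that implements that sequence for a single file and creates its own constructed sample file to wipe. The important caveat is in the comments: on SSDs, copy-on-write filesystems and anything with snapshots or backups, an overwrite does not reach every physical copy, so full disk encryption with key destruction (crypto-erase) or the drive's own sanitize command is the control to rely on.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB chunks so large files do not load into memory

# Constructed sample content, standing in for a report that has reached end of life.
SAMPLE_CONTENT = b"name,pan\nAlice,4111111111111111\n"


def wipe_file(path: str, passes: int = 1) -> int:
    """Overwrite a file in place with random bytes, truncate it, then unlink it.

    Returns the number of bytes overwritten per pass.

    Caveat: this is only meaningful on magnetic media with a non-journaling,
    non-CoW filesystem and no snapshots. SSD wear levelling, btrfs/ZFS/APFS
    copy-on-write, filesystem snapshots and backups all keep copies that an
    in-place overwrite never touches. For those, rely on full disk encryption
    and destroy the key (crypto-erase), or use the vendor's sanitize command.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            os.fsync(fh.fileno())   # push the overwrite to the device, not just the page cache
        fh.truncate(0)              # shrink to zero so the old length is not recoverable from metadata
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def wipe_sample_file() -> bool:
    """Create the constructed sample in a temp dir, wipe it, report success."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "customer-export.csv")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    overwritten = wipe_file(path, passes=1)
    gone = not os.path.exists(path)
    os.rmdir(tmpdir)
    return gone and overwritten == len(SAMPLE_CONTENT)


if __name__ == "__main__":
    print("wiped:", wipe_sample_file())
```

A single pass of random data is sufficient for modern magnetic drives; the multi-pass schemes of older standards add time but no measurable recovery resistance, and none of them address the media types named in the caveat.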

Conclusions

Our next blog will examine the important features of DLP Systems.