What is Data Loss Prevention Security?
Data Loss Prevention Security Defined
Data Loss Prevention security is a collection of strategies, practices and technologies designed to prevent sensitive data from being purposely leaked, lost or destroyed.
DLP security requires IT teams to identify and classify sensitive data throughout the network and set policies for how it may be accessed, stored, used and moved. Teams can then deploy Data Loss Prevention technology to monitor and track the activity of users and the movement of data, using policies to determine when data may be at risk of being lost, destroyed, exposed, accessed or exfiltrated without authorization.
Data Loss Prevention security can help to prevent the loss, destruction or public exposure of data such as credit card numbers, SSNs, customer records, account credentials, intellectual property, financial records, trade secrets, personal health information (PHI) and other confidential data.
Why Data Loss Prevention Security Matters
As the lifeblood of any organization, data represents enormous value and is essential to business operations. A significant amount of that data is highly sensitive, proprietary, confidential or private – its loss or public exposure could cause great harm to the organization and to its partners, vendors and customers. Consequently, regulatory frameworks like GDPR, HIPAA, PCI DSS and hundreds of others have established strict rules for collecting, storing, accessing, using and retaining certain data.
Protecting this data has grown more complex in recent years as the traditional network perimeter has disappeared. IT environments today are highly distributed, creating more opportunities for attackers to gain unauthorized access to IT systems and steal or exfiltrate sensitive information. As workforces become more distributed and employees often connect to the network on personal devices via unsecured connections, there are many more opportunities for sensitive information to be accidentally leaked or sent outside the organization.
As an integral part of an overall data security program, Data Loss Prevention security can help businesses avoid legal action, regulatory fines, damage to reputation and the loss of business that often results from the leak or loss of sensitive information.
How DLP Security Works
Data Loss Prevention security involves three main practices.
- Identify and classify sensitive information. The first step in Data Loss Prevention security is to discover all the potentially sensitive data assets within an IT environment. This task is often more challenging in hybrid cloud environments and with the rapid proliferation of devices and technologies that may store or interact with sensitive information. Once a comprehensive data inventory has been developed, IT teams can prioritize it based on its value to the company, the risk it represents and the severity of impact if it is leaked or lost. IT teams can then create classifications to inform how each class of sensitive data should be protected and who can access it.
- Create security policies to control sensitive data. Once data has been prioritized and classified, IT teams establish security policies for protecting, storing, and handling it. Teams also identify the individuals or roles that may store, access, alter, transmit, or destroy sensitive information. Data Loss Prevention security policies also determine the actions to be taken when a policy is violated. For example, DLP security policies may block an email that contains Social Security numbers or credit card information or require a user to encrypt an email attachment containing certain intellectual property.
- Implement technology to monitor data, track activity, and enforce DLP policy. Data Loss Prevention tools monitor data at rest, data in motion, and data in use to search for potential violations of the Data Loss Prevention security policy. DLP tools use various techniques to identify sensitive information and the users, devices, and applications attempting to access it. DLP technologies include user authentication and access control, firewalls, encryption, email security, endpoint protection tools, monitoring services, antivirus software and intrusion protection.
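The three practices above can be sketched for the outbound email case the list mentions. This is an added example, not Forcepoint code: the regular expressions, the CONFIDENTIAL-IP label, the policy table and all function names are assumptions made for illustration, and the sample messages are constructed.

```python
import re

# Constructed detectors for illustration; names and rules are assumptions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IP_LABEL_RE = re.compile(r"\bCONFIDENTIAL-IP\b")  # hypothetical classification label

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Step 1: identify which classes of sensitive data the text contains."""
    classes = set()
    if SSN_RE.search(text):
        classes.add("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
        classes.add("card")
    if IP_LABEL_RE.search(text):
        classes.add("ip")
    return classes

# Step 2: policy maps a data class to the action taken on outbound email.
POLICY = {"ssn": "block", "card": "block", "ip": "require_encryption"}
SEVERITY = {"allow": 0, "require_encryption": 1, "block": 2}

def evaluate_email(body: str, attachments_encrypted: bool = False) -> str:
    """Step 3: enforce the policy and return the strictest applicable action."""
    action = "allow"
    for cls in classify(body):
        wanted = POLICY[cls]
        if wanted == "require_encryption" and attachments_encrypted:
            wanted = "allow"  # requirement already satisfied
        if SEVERITY[wanted] > SEVERITY[action]:
            action = wanted
    return action

# Constructed sample messages.
SAMPLES = [
    "Invoice ref 1234 5678 9012 3456 attached.",     # fails Luhn, not a card
    "Card on file: 4111 1111 1111 1111",             # well-known test card number
    "Employee SSN 123-45-6789 for onboarding.",
    "Draft spec, CONFIDENTIAL-IP, see attachment.",
]
```

The Luhn check is what keeps the 16-digit invoice reference from being blocked as a card number; pattern matching alone would flag it.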
Threats Addressed by DLP Security
Data Loss Prevention services and solutions are designed to address various potential threats to data security.
- External threats include cyber criminals using stolen credentials, account hijacking and other methods to gain unauthorized access to an IT environment and exfiltrate sensitive data. Attackers may target intellectual property, financial records or private customer information.
- Insider threats are perpetrated by employees, contractors, partners or vendors with privileged access to an organization’s network. These attacks typically involve stealing business plans and intellectual property to share them with or sell them to competitors. Insiders may also steal information to sell on the dark web and the black market.
- Human error is often the primary reason sensitive data is lost or leaked to the public. This negligence includes employees who fail to properly encrypt an email attachment or who forward an email thread with sensitive data to the wrong recipient list. Improperly configured security controls may leave sensitive data unprotected, allowing anyone who comes across it to view private and confidential information. Human error is also to blame when laptops or flash drives containing sensitive information are lost and recovered by unauthorized individuals.
Data Loss Prevention vendors offer a variety of solutions to address these threats. Network data loss solutions monitor network traffic in search of potential data leaks. In contrast, endpoint DLP solutions monitor the data stored on or sent to and from individual devices.
Cloud Data Loss Prevention security monitors information uploaded and downloaded to cloud storage and applications. Email DLP technology monitors inbound and outbound messages for potential leaks, phishing scams, and other potential attacks.
Streamline Data Loss Prevention Security with Forcepoint
As a leading user security and Data Loss Prevention company, Forcepoint provides DLP solutions that secure data across the web, cloud, email, networks, and endpoints. Forcepoint Data Loss Prevention security solutions enable businesses to intuitively discover, classify, monitor and protect data with zero friction to the user experience.
With Forcepoint DLP, organizations can:
- Simplify Data Loss Prevention security by controlling all data with one policy.
- Replace general rules with individualized, adaptive security that won’t slow employees down.
- Block actions only where needed to drive productivity.
- Streamline compliance with predefined policies for 80+ countries.
- Protect critical IP with unsurpassed accuracy, even data within images.
- Follow movement and access of IP in both structured and unstructured forms.
- Stop low and slow data theft, even when user devices are off-network.
- Deploy Risk-Adaptive Protection to automatically block actions based on an individual user’s risk level.
Forcepoint solutions include enterprise DLP, Data Loss Prevention security as a service, and Data Loss Prevention for email platforms like G Suite and Office 365.