Data loss prevention products
From Wikipedia, the free encyclopedia
Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing, recipient/destination, etc.), and with a centralized management framework. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information.
It is also referred to by various vendors as Data Leak Prevention, Information Leak Detection and Prevention (ILDP), Information Leak Prevention (ILP), Content Monitoring and Filtering (CMF) or Extrusion Prevention System by analogy to Intrusion-prevention system.
Background
Organizations process information that can often be classified as sensitive, either from a business or a legal point of view. In addition to the risk of intrusion and access to sensitive information by unauthorized persons, there is also a risk of intentional or unintentional transmission of that information outside the organization.
Government and industry regulations are arguably the biggest influencers. Besides HIPAA, GLBA, and Sarbanes-Oxley, more than 25 states have passed data privacy or breach notification laws that require organizations to notify consumers when their information may have been exposed. One high-profile example is California SB 1386. The state of Tennessee has also passed the "Credit Security Act of 2007," which will result in a Class B misdemeanor for any use of a person's SSN in "direct mailings" or over the Internet.
Regulatory compliance
Many large companies now fall under the oversight of government or commercial regulations that mandate controls over information, including HIPAA in health and benefits, GLBA and Basel II in finance, and the Payment Card Industry DSS standard. Some of these regulations stipulate a regular information technology audit, commonly known as an IT audit, which organizations can fail if they lack suitable IT security controls and due-care (process) standards. Companies with enterprise resource planning (ERP) software (e.g., from SAP and Oracle Corporation) find compliance especially challenging (see enterprise risk management). Other regulations mandate significant penalties in the event of a breach.
New costs arising from breaches
Loss of large volumes of protected information has become a regular headline event, forcing companies to re-issue cards, notify customers, and mitigate loss of goodwill from negative publicity.
Types of DLP systems
Network DLP
Also referred to as gateway-based systems, these are usually dedicated hardware/software platforms, typically installed at the organization's Internet connection, that analyze network traffic to search for unauthorized information transmissions, including email, IM, FTP, HTTP, and HTTPS (called data in motion). They have the advantage that they are simple to install and provide a relatively low cost of ownership. Network DLP systems can also discover data at rest (data stored throughout the enterprise) to identify areas of risk where confidential data is stored in inappropriate and/or unsecured locations.
Host-based DLP systems
Such systems run on end-user workstations or servers in the organization. Like network-based systems, host-based systems can address internal as well as external communications, and can therefore be used to control information flow between groups or types of users (e.g., 'Chinese walls'). They can also control email and instant messaging communications before they are stored in the corporate archive, such that a blocked communication (i.e., one that was never sent, and therefore not subject to retention rules) will not be identified in a subsequent legal discovery situation.
Host systems have the advantage that they can monitor and control access to physical devices (such as mobile devices with data storage capabilities) and in some cases can access information before it has been encrypted. Some host-based systems can also provide application controls to block attempted transmissions of confidential information, and provide immediate feedback to the user. They have the disadvantage that they need to be installed on every workstation in the network, and cannot be used on mobile devices (e.g., cell phones and PDAs) or where they cannot practically be installed (for example, on a workstation in an Internet café).
Data identification
DLP solutions include a number of techniques for identifying confidential or sensitive information. Sometimes confused with discovery, data identification is the process by which organizations use a DLP technology to determine what to look for (in motion, at rest, or in use). DLP solutions use multiple methods for deep content analysis, ranging from keywords, dictionaries, and regular expressions to partial document matching and fingerprinting. The strength of the analysis engine directly correlates with its accuracy. The accuracy of DLP identification is important for reducing or avoiding false positives and false negatives. Accuracy can depend on many variables, some of which may be situational or technological. Testing for accuracy is recommended to ensure a solution has virtually zero false positives/negatives.
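As an added illustration (not from the article or any vendor's product), the following Python sketch combines three of the identification techniques just named: a keyword dictionary, a regular expression for a US Social Security number, and hashed word shingles as a simple partial-document fingerprint. The protected document, keyword list, sample inputs and match threshold are all constructed for the example.

```python
import hashlib
import re

# Constructed "protected" document whose fingerprint the policy carries.
PROTECTED_DOC = (
    "Quarterly projections: revenue is expected to grow 12 percent, "
    "driven by the Northwind account and the new Contoso contract. "
    "Board approval is required before any external disclosure."
)

# Constructed keyword dictionary for the policy.
KEYWORDS = {"confidential", "internal only", "do not distribute"}

# Dashed US SSN; the lookaheads exclude area/group/serial values that are
# never issued, which removes some false positives from other 9-digit strings.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def shingles(text, k=5):
    """Hashed word k-grams: a document's fingerprint for partial matching."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


PROTECTED_FP = shingles(PROTECTED_DOC)


def partial_match_ratio(text):
    """Fraction of the candidate's shingles that also occur in the protected doc."""
    fp = shingles(text)
    return len(fp & PROTECTED_FP) / len(fp) if fp else 0.0


def inspect_content(text, match_threshold=0.3):
    """Return {detector: finding} for each technique that fires on the text."""
    findings = {}
    lowered = text.lower()
    hits = sorted(kw for kw in KEYWORDS if kw in lowered)
    if hits:
        findings["keyword"] = hits
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["regex_ssn"] = ssns
    ratio = partial_match_ratio(text)
    if ratio >= match_threshold:  # constructed threshold for the example
        findings["fingerprint"] = round(ratio, 2)
    return findings
```

Tuning the shingle size and threshold against a corpus of known-benign and known-sensitive samples is the accuracy testing the paragraph recommends.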