This document discusses data loss prevention (DLP) concepts and implementations. It begins with an overview of data governance and the data lifecycle. It then defines DLP, explaining how DLP solutions protect data in motion, at rest, and in use. Sample DLP deployments are shown, outlining key activities and considerations for implementation such as governance, infrastructure, and a phased approach. Finally, examples of DLP use cases are provided for data in motion like email and data in use on workstations.
08448380779 Call Girls In Friends Colony Women Seeking Men
Data Loss Prevention Fundamentals
1. 11
DATA LOSS PREVENTION
Eryk B. Pratama, M.Kom, MM,
IT Advisory & Cyber Security Consultant at Global Consulting Firm
APTIKNAS Webinar
Fundamental Concept in Enabling DLP System
Asosiasi Pengusaha TIK Nasional
Indonesian ICT Business Association
4. Data/Information Lifecycle
Data Governance
Source: ISACA – Getting Started with Data Governance with COBIT 5
It is important to plan the life cycle of data along with their placement within the governance structure. As practices
operate, the data supporting or underlying them reach the various levels of their natural life cycles. Data is planned,
designed, acquired, used, monitored and disposed of.
Critical information security control
Store | Data at Rest Share | Data in Motion Use | Data in Use
5. Data Governance: Common Area
Data Governance
Source: https://www.pinterest.com/pin/838584393089888744/
Data Security is one of
foundational and important
area in Data Governance
6. Data Governance: Practical Area
Data Governance
Data Lifecycle
Data
Classification
Data Loss
Prevention
Data
Retention &
Destruction
Data
Encryption /
Obfuscation
Data Access
Assesses the organization’s current practices in
the analysis of data risks from data creation, to
transfer, storage, process and destruction.
Assesses categorization of data based on
criticality / sensitivity and value to the
organization.
This refers to the protection of data in
motion and at rest, using content inspection
and analysis.
Assesses storage or archival and destruction of
data to support regulatory requirements as well
as business/operational needs
Assesses the conversion of data to an
unreadable format to protect data from
access and leakage.
Assesses the control of access to data
ensuring that only authorized
individuals or groups have access.
Practical Area of
Data Governance
8. Data Loss/Leakage Prevention Solution
Data Loss / Leakage Prevention Concept
A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing
throughout an organization. Data within an organization is often categorized and protected by DLP in the following three different
forms:
Data in Motion Data at Rest Data in Use
Data that is transmitted or moved, both
through electronic or non-electronic
means. Data that is actively traveling on
a network, such as email or web traffic.
Data that resides on a stable medium,
including servers, network shares,
databases, individual computers, and
portable media.
Data that has been obtained and are
being processed or actively used.
Typically, referring to data on end-user
computing device or host systems.
Structured Data Unstructured Data Semi-structured Data
Data commonly stored in
databases or applications
Exists in filesystems or
documents
Examples of such data format
types include email
Data Type
11. DLP Implementation Key Activities
Data Loss / Leakage Prevention Concept
Review of the organisation data protection policy and conduct gap assessment
Define data flows, data classification and information asset list
DLP Framework and High-level Policy Definition
Base policy creation and tuning
Metrics definition
Incident response workflow creation
User awareness
12. DLP Implementation Consideration
Data Loss / Leakage Prevention Concept
Governance & Process
▪ Data handling requirements are clearly defined by data classification level.
▪ Data protection and data management requirements are clearly defined for DLP use cases.
▪ “Steering Committee” is established to serve as project sponsor and to review and approve of all business rules and tool
administration processes.
▪ DLP solution is started in monitoring mode to help ensure policy/rule effectiveness and assess the business impact before turning
on any prevent functions.
▪ All “at rest” and “in motion” rules are deployed with very high thresholds initially, so that a manageable number of findings are
discovered during the initial tests.
Governance and processes establish the foundation for the DLP implementation. The
following elements are critical to DLP program success.
Infrastructure
DLP can add overhead to organization’s infrastructure. Considering the following elements
to ensure DLP does not become a “bottle neck” to the organization’s infrastructure.
▪ Implement redundancy for all network DLP components.
▪ Ensure the endpoint DLP agent does not conflict with deployed endpoint security solution.
▪ Adoption of a single vendor DLP solution for both network and endpoint allows uniform enforcement of defined policies and rules.
▪ Test the DLP solution extensively within a lab or test environment.
▪ The DLP management console should be placed in a segregated network or trusted network zone as incidents captured by DLP
management console may contain sensitive data.
13. DLP Implementation Strategy
Data Loss / Leakage Prevention Concept
Organizations often deploy DLP solutions using a phased approach. This includes initial implementation of the DLP solution in monitoring
mode and/or within selected business unit(s) to help ensure policies/rules effectiveness and assess business impact before turning on any
automated “prevent “functions.
LowHigh
Near Term Long Term
ImplementationComplexity
Email
Monitoring
Network
Monitoring
Endpoint Monitoring
and Discovery
Email
Filtering/Blocking
Network
Filtering/Blocking
Endpoint
Filtering/Blocking
Timeline
Prevent PhaseMonitor Phase
Benefits
▪ By performing Email DLP first, existing technology is utilized and a high-risk use case is addressed quickly
▪ Implementing endpoint DLP after email DLP allows company to address the remaining high-risk use cases.
▪ Deploying DLP in monitoring mode followed by preventive mode allows company to pilot solution
15. Risk-based DLP Use Case: Data in Motion
DLP Use Case
Data Origination Outbound Email from Internal Source (Sensitive Information)
User Action
Internal user sends email with sensitive information (e.g. PII, PCI, HR files, etc.) outbound to an external
user or personal email address.
DLP Response
DLP monitors and analyzes outbound traffic based on policies for predefined data elements and
company document tags. Document tagging allows DLP to fingerprint files in order to monitor and/or prohibit
the movement of sensitive information based on policies.
Available Action Monitor, record/block/encrypt, and notify
Result
Sensitive information is tracked and prevented from reaching unauthorized recipient. Sender, manager, security,
and/or HR notified of policy violation or actions required/taken for authorized recipients (e.g. email and
attachments marked to indicate level of confidentiality and encrypted, as required).
16. Risk-based DLP Use Case: Data in Use
DLP Use Case
Data Origination Unauthorized Sensitive Information Download
User Action
User attempts to retain sensitive information for unauthorized use from an application or database through
copy/paste functions, the “print screen” command, hard copy printing, or exploitation of current access
privileges to execute excessive sensitive information downloads (e.g. prior to departure).
DLP Response
DLP monitors workstation and mobile device activity for the use and/or transfer of sensitive information based
on policies for predefined data elements and company document tags. Company document tagging and user-
defined fingerprinting allow DLP to monitor and/or prohibit the movement of sensitive information based on
policies.
Available Action Monitor/inventory, block, and notify
Result
Sensitive information is monitored, blocking the “print screen,” paste, and hard copy print actions. The user,
manager, security, and/or HR are notified of policy violation. Utilize scan results to update/maintain inventory of
endpoints containing sensitive information.