Our Approach to Data Loss Prevention
The Need for a Comprehensive Strategy
In light of recent global cyber-attacks, concerns over insufficient information security standards have increased dramatically, particularly for large enterprises that want to protect their critical data. In both the private and the public sector, data vulnerability has been a long-standing security issue that needs to be thoroughly addressed with a competent and comprehensive Data Loss Prevention (DLP) strategy.
DLP, for those who aren’t already aware, deals with a corporation’s strategy for maintaining control of critical information that, if leaked, could cause serious harm both to itself and to the clients it serves. Serious harm includes, but is not limited to, ruined reputations, damaged financial interests, loss of intellectual property, breach of private client or patient information, and so on.
Ensuring sensitive information remains uncompromised seems like it would be easy on the surface. All you have to do is make sure nothing escapes your environment, either accidentally or willfully, right? Set up a perimeter, secure the access points, and control who gets access. Easy enough? The problem is that we’re not talking about securing physical structures with a simple lock and key. With information infrastructures there are multiple ways in and out, especially in large corporate environments with hundreds, if not thousands, of end-users regularly accessing and transmitting terabytes of digital data every single day.
The Fundamental Flaw with the Perimeter Centric Approach
This is the fundamental flaw with perimeter centricity when it comes to keeping sensitive data under control: the end-user is (and always will be) the weakest link in the chain of data security. Every end-user is an access point and has the potential to cause leakage.
Some DLP strategies focus on perimeter defense because of an outmoded, pre-digital-era concept of security that has proven flawed time and time again in the major data breaches of recent years. Perimeter centricity focuses on protecting content within the environment, but doesn’t sufficiently account for what a user can and will do (intentionally or otherwise) once they have access to it. Instead of focusing on building protection around our sensitive information, we need to shift our focus onto building security into both the content and the processes end-users use to manipulate, store, and transmit that content.
Content Centric Security and End-User Awareness
If we boil it down to the fundamentals, there are two kinds of data loss that need to be guarded against: the intentional and the unintentional. The intentional could be malicious, or it could be someone trying to find a more efficient workaround for their workflow that goes against security best practices (like using a personal cloud account to store and share sensitive company files). The unintentional happens when someone, ignorant of the risks, uses insecure workflow practices (like replying all to an email chain that includes external recipients). Either way, we believe the best way to guard against data loss is to implement solutions that center around protecting the content itself, and making it easy for end-users to do the right thing (and by the right thing, I mean the secure thing).
How do we make it easy for end-users to do the right thing, and how do we make it easier for administrators to seamlessly control data flowing in and out of the corporate environment? How is our approach multi-faceted and how do these facets work in tandem to strengthen data security overall?
A Multi-Faceted Approach
Our approach is multi-faceted because data is multi-faceted, but we mainly focus on preventing non-malicious inadvertent disclosures. Malicious threats are serious and need to be addressed seriously, but malicious data loss is the exception, not the rule. Most data leakage is accidental and easily avoided with the right safeguards in place. Identifying where data loss occurs is key to developing an effective prevention strategy; from there, we can implement content-centric security solutions that supplement and integrate with the workflow processes end-users operate every day, starting with email.
Email is the most common corporate communications platform; as the main contact point with the outside world, it’s one of the easiest ways for a company to lose control of data. Proper administrative controls and audit capabilities need to be put in place, but it’s also essential to equip end-users with integrated and easy ways to send email securely and to safeguard them from inadvertent disclosures. Sending files and attachments without cleaning metadata, for example, is one of the most common kinds of inadvertent disclosure and can have major repercussions.
Our solutions make it easy for end-users to send emails without worrying about sensitive metadata in their attachments, and protect them from inadvertently replying to threads or sending to distribution groups that would disclose internal communications and information to outside sources.
Metadata management is essential to DLP. We make it easy to clean sensitive information from any kind of file with customizable, granular administrative controls and settings. This prevents users from accidentally sending an external recipient a file that contains revealing underlying information. Administrators can also control metadata cleaning settings for all users, no matter where they are or what device they are using.
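As an added illustration of the metadata-cleaning step described above (this is not Litéra’s code; it uses a constructed minimal Office-style package standing in for a real .docx, whose properties are made up), the following Python script lists the properties stored in docProps/core.xml and rebuilds the package without the ones that reveal people and editing history:

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Office documents are zip packages; author and history metadata lives in docProps/core.xml.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for prefix, uri in NS.items(): ET.register_namespace(prefix, uri)  # keep usual prefixes on output

# Properties that reveal people, history or classification rather than document content.
REVEALING = {"creator", "lastModifiedBy", "revision", "created", "modified",
             "lastPrinted", "description", "keywords", "category"}

# Constructed sample core.xml, shaped like the part Word writes (all values are made up).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">
<dc:title>Q3 Board Deck</dc:title><dc:creator>jane.doe</dc:creator>
<cp:lastModifiedBy>legal-reviewer</cp:lastModifiedBy><cp:revision>17</cp:revision>
<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-01T10:00:00Z</dcterms:modified>
</cp:coreProperties>""" % NS

def build_sample_docx() -> bytes:
    """Constructed minimal package: just enough structure to exercise the scrubber."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document>quarterly figures</document>")
        zf.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()

def list_metadata(doc: bytes) -> dict:
    """Audit view: {property: value} for every element in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {el.tag.rsplit("}", 1)[-1]: (el.text or "") for el in root}

def scrub_metadata(doc: bytes) -> bytes:
    """Rebuild the package with the revealing core properties removed; other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for el in list(root):
                    if el.tag.rsplit("}", 1)[-1] in REVEALING:
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()
```

The same audit-then-rebuild pattern applies to docProps/app.xml (company and template names) and to revision data embedded in the document body, which a real cleaner must cover as well.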
At-Rest and In-Transit Encryption
In addition to cleaning metadata, utilizing advanced file encryption is a key component of any plan to prevent data leakage. We secure files individually at rest with AES-256 block-level encryption. When you need to send, we use the most up-to-date TLS ciphers for data in transit. All of this is available through our secure file transfer solution, which puts no limits on file type or size and gives administrators granular audit and tracking capabilities, along with the ability to revoke access to files or set custom expiration dates. It integrates with Microsoft Outlook and is accessible via a secure HTTPS web portal and a mobile app for portable devices.
Storing documents in various cloud repositories has become common practice in many enterprise environments, but it’s a high-risk vulnerability from a DLP standpoint. A Cloud Access Security Broker (CASB) mitigates the risk by providing administrative auditing and control of individual files and folders no matter where they are stored in the cloud, be it Dropbox, Google Drive, OneDrive, or any other type of cloud storage service, on-premises or otherwise. The CASB links every repository to a single administrative security control center, making the nebulous Cloud much more manageable.
We offer this as well as secure on-premises storage with advanced administrative abilities. If an employee leaves the company, administrators can archive all of that employee’s accounts and retain control of all the data. Sharing is also much more secure with advanced file permission settings that make sure no one intentionally or unintentionally loses control of data.
Information Rights Management
Information Rights Management (IRM) technology prevents unauthorized users from accessing individual folders or files. Even if a user has access to a certain file, permissions can be revoked remotely, no matter where the file is stored, even if the file has been copied or shared. This allows administrators to secure the content itself, with the ability to specify access rights for individual users, devices, and geographic locations. Incorporating this technology into a DLP strategy gives more granular control of content in today’s fast-paced mobile economy.
Our Approach: Content Centric Security Empowering Cloud Mobility
Data is everywhere, and it tends to proliferate. Our approach allows organizations to benefit from the advantages of the Cloud without exposing themselves to the risks. Just because your data leaves your environment does not mean it should leave your control. Building security into the information and workflow processes end-users deal with daily addresses the root issues of data leakage and builds a better foundation for a comprehensive DLP strategy. We make it easy for users to do the right thing because we’ve built security into the processes they’re using and simplified the UI of those processes. This greatly reduces worry over accidental leakage, and cuts out the cumbersome workflow that causes people to look for less secure workarounds.
Staff Writer – Litéra