Network perimeter erosion is a challenging reality for modern IT and security teams. Unfortunately, the erosion is a symptom of a more fundamental challenge. If that challenge isn’t properly addressed, an organization runs a high risk of building a new, costly perimeter with the same problems as the old one. Practically speaking, perimeter security typically does a very good job under the right circumstances―at a specific point-in-time and when content traverses a specific point of control. The challenge lies in sharing data beyond the perimeter’s boundaries, a requisite in today’s business dynamic of continuous productivity, collaboration across companies and services, and productive mobility. Data Protection Challenges and Requirements Data Loss Prevention (DLP) products are often evaluated as an option to securing enterprise data in a “post-perimeter” architecture. They can be either network- or endpoint-based, each model having its own unique benefits and challenges. However, DLP technologies are traditionally prone to yielding false positives. Consequently, their best use-cases are mostly limited to controlling very predictable and structured content in very specific situations. For example, DLP might be used for ensuring that credit card numbers do not leave the Cardholder Data Environment of the network. As content and locations get more complex, DLP can develop problems very quickly. It simply doesn’t solve the fundamental problem of keeping data secure in the real world where content moves and is always accessible. Positive vs. Negative Controls A core challenge of DLP is that it is based on a negative control model. In many ways, you can think of DLP as an Intrusion Prevention System (IPS), where instead of trying to match malicious exploits coming into the environment, DLP tries to match sensitive content going out. In InfoSec parlance, this is called a “negative control,” where the goal is to detect something bad and block it (and conversely let everything else go through). While there are some related activities such as warning the user that data is suspect, or requiring approval for certain content, the end result of using DLP is still going to be either allow or block. This model is why DLP has earned the reputation for being both slow and prone to false positives. It must analyze all content and try to match it to ‘blocked’ lists. That requires lots of analysis; what’s more, the matching can be wrong because enterprise content is constantly changing. The counterpoint to the negative control model is the positive control model. For example, in the network model, a firewall is an example of a positive control. Security specifies exactly what should be allowed (e.g., port 80) and everything else is denied by default, making policy much simpler. >Beyond false positives, DLP carries a number of additional challenges. As previously noted, it makes a point-in-time decision. Users can also evade DLP either intentionally or accidentally. For instance, data moved on a USB drive would be invisible to the DLP. An employee accessing their webmail on an unmanaged device could easily circumvent a host-based control. A user (or malware) encrypting the content or sending it through encrypted channels could also evade DLP controls. Once data leaves either the endpoint or the network, the DLP no longer has control over it. If that data is forwarded, copied, stolen, or accidentally exposed, there is nothing that a DLP product can do. Realistically, to effectively protect any kind of data, organizations need a way to secure it at the point of origin, then track, audit and manage the policies securing it in real-time, no matter where it travels. The Data-Centric Approach A data-centric security approach solves this problem. Instead of trying to control everything around the data, the Digital Guardian Secure Collaboration platform extends control to the data itself. Our Secure Collaboration functionality also allows DLP administrators to relax stringent rules around unstructured data, which provides a better experience for users. When security tools are actually used by employees, the security posture of the organization increases. Our product also ensures that policy is checked and enforced whenever data is accessed regardless of where or how the access takes place. Trust can be defined down to an individual and controlled in terms of what a specific user is allowed to do with the data. Access is also adaptive and can be revoked at any time, whether for an internal or an external user. This logical approach protects data in a modern way that DLP just can’t accomplish. Data and content can move, but IT and Security teams remain in control and can adapt as situations change. Truly protecting an organization’s ‘crown jewels’ in the modern, collaborative environment demands nothing less. Keep your most sensitive data in the right hands Schedule a demo

Virginia appears to be following in the footsteps of California with new legislation, the Virginia Privacy Act, that would strengthen the data privacy rights of Virginians.

The European Data Protection Supervisor has issued a preliminary opinion on how data protection obligations should factor into scientific research in the EU.

The company alleges a former employee violated company policy and betrayed its trust as he "intentionally decimated" its North American business.

Access to advanced technology and expertise at a cost-effective price is making managed security services an increasingly attractive prospect for many organizations.

In this blog, a complement to our Biggest Incidents in Cybersecurity (in the Past 10 Years) infographic, we look back at some of the biggest moments in cybersecurity history from 2009-2019.

What a cloud access security broker, or CASB? Learn about the benefits, best practices, and use cases in this week's Data Protection 101, our series on the fundamentals of information security.

Learn about identity and access management (IAM), how IAM works, and why organizations should have IAM in Data Protection 101, our series on the fundamentals of information security.

As the adage goes, you can't secure what you can't see. With that in mind we asked 21 security experts what they think the best tools and practices for data visibility and monitoring are.

We count down 10 steps that can be followed to ensure manufacturers are better equipped to deal with IP theft.

The General Data Protection Regulation (GDPR) has become the norm for data privacy in the European Union. What have we learned in the time since its been in effect? We asked 24 data privacy and compliance experts.

Looking to protect your data? We've compiled 101 data protection and data privacy tips to to keep your data safe.

In a lawsuit filed last week, the company claims the ex-executive stole and retained confidential and trade secret data and lied to cover it up.

The New York Department of Financial Services' Cybersecurity Regulation was implemented years ago but one of the regulation's compliance deadlines remains.

In this Q&A, we sit down with Harlan Carvey, Digital Guardian's new Senior Threat Hunter, to dig into how he approaches threat hunting, incident response, and more.

Digital Guardian is pleased to share that effective today, version 7.6, the latest Data Loss Prevention (DLP) agent for macOS is generally available.

In an advisory published this week, the NSA outlined the risks of Transport Layer Security Inspection (TLSI) and provided security mitigations for organizations.

In this post, Tim Bandos helps break down the DFIR tools and processes he uses to carry out investigations.