Data Security Knowledge Base
What is Data Egress? Managing Data Egress to Prevent Sensitive Data Loss
Data egress refers to data leaving a network in transit to an external location. Outbound email messages, cloud uploads, or files being moved to external storage are simple examples of data egress. Data egress is a regular part of network activity, but can pose a threat to organizations when sensitive data is egressed to unauthorized recipients.
Examples of common channels for data egress include:
- Web uploads
- Cloud storage
- Removable media (USB, CD/DVD, external hard drives)
- FTP/HTTP transfers
Data Egress vs. Data Ingress
While data egress describes the outbound traffic originating from within a network, data ingress, in contrast, refers to the reverse: traffic that originates outside the network that is traveling into the network. Egress traffic is a term used to describe the volume and substance of traffic transferred from a host network to an outside network.
Egress filtering involves monitoring egress traffic to detect signs of malicious activity. If malicious activity is suspected or detected, transfers can be blocked to prevent sensitive data loss. Egress filtering can also limit egress traffic and block attempts at high volume data egress.
Threats Involving Data Egress
Sensitive, proprietary, or easily monetizable information is highly targeted by cyber criminals, competitors, nation states, and malicious insiders, and all share an ultimate goal of data egress. There are various data exfiltration techniques that can result in the loss, theft, or exposure of sensitive data. The release of sensitive or proprietary information to the public or competing organizations is a real concern for enterprises, governments, and organizations of all kinds. Some threat actors try to steal sensitive data through the same methods many employees use every day, such as email, USB, or cloud uploads. Others may incorporate stealthier methods for sensitive data egress, such as encrypting or modifying the data prior to exfiltration, or using services to mask location and traffic.
Best Practices for Data Egress Management and Preventing Sensitive Data Loss
Part of data egress management is finding out where sensitive data is located and where it is leaving the network, also known as data discovery and network monitoring. Both of these actions are necessary for securing the data egress points in your systems. A few best practices include:
- Create an acceptable use and data egress traffic enforcement policy. Include stakeholders to define your acceptable use policy. It should be a thorough policy that protects your company's resources, including a list of approved Internet-accessible services and guidelines for accessing and handling sensitive data.
- Implement firewall rules to block egress to malicious or unauthorized destinations. A network firewall is one of several lines of defense against threats. This is a starting point where you can ensure that data egress does not occur without explicit permission.
- Identify, classify, and apply protective measures to sensitive data. Data discovery and data classification solutions help to identify sensitive data and assign classification tags dictating the level of protection required. Data loss prevention solutions apply policy-based protections to sensitive data, such as encryption or blocking unauthorized actions, based on data classification and contextual factors including file type, user, intended recipient/destination, applications, and more. The combination of data discovery, classification, and DLP enable organizations to know what sensitive data they hold and where while ensuring that it's protected against unauthorized loss or exposure.