The Pros and Cons of Data Loss Prevention
Thu, 04/18/2019
Data Loss Prevention (DLP) is one of the long-standing and more traditional approaches to securing enterprise data. It can be either network- or endpoint-based, each with its own benefits and challenges. DLP technologies have traditionally been prone to false positives, so some of their best use cases are controlling very predictable, structured content in very specific situations.
The Benefits
We can all agree that nobody wants to lose their data. Every organization wants the confidence that its users are not pilfering data and sending it places it doesn’t belong, or attempting to access certain kinds of data without authorization. If you know where your data is at rest, where it’s going when it’s sent, and who’s using that data, DLP can be a great solution.
DLP uses rules to classify and protect sensitive data, and provides content inspection for data flowing through the corporate network, so that unauthorized users can’t accidentally or intentionally share data whose disclosure could put the organization at risk. For example, if someone tried to forward a business email outside the corporate domain, or upload files to a personal cloud storage service like Box or Dropbox, that action would be denied. Often, the motivation for DLP comes from insider threats, as well as from privacy laws with strict data protection and access rule components.
The Challenges: Positive vs. Negative Controls
A core challenge of DLP is that it is based on a negative control model. In many ways, you can think of DLP as an IPS (Intrusion Prevention System): where an IPS tries to match malicious exploits coming into the environment, DLP tries to match sensitive content going out. In InfoSec parlance this is a “negative control,” where the goal is to detect something bad and block it, and conversely to let everything else through. This model is why DLP has earned a reputation for being both slow and prone to false positives. It must analyze all content and try to match it against block lists; that requires a great deal of analysis, and the matching can be wrong because enterprise content is constantly changing.
The counterpoint to the negative control model is the positive control model. Once again using a network example, a firewall is a positive control: security specifies what should be allowed (e.g. port 80) and everything else is denied by default. Digital Guardian Secure Collaboration takes the same positive approach, but at the content level instead of the network level. Digital Guardian Secure Collaboration policy defines who should have access to the content and what they should be able to do with it. Everything else is denied by default. This not only makes policy much simpler, it removes the constant specter of false positives.
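To make the two control models concrete, here is an added Python sketch (illustrative code, not Digital Guardian’s product code): a negative-control content filter that releases any message no block rule matches, next to a positive-control, default-deny access policy on a document. The rule patterns, user names and sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# ---- Negative control (DLP-style): match outbound content against block rules; ----
# ---- anything that matches no rule is allowed through.                          ----
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # nnn-nn-nnnn, the US SSN shape
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits with optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops many random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def dlp_inspect(text: str) -> list[str]:
    """Return the names of the block rules that fire on an outbound message."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("card")
    return hits

def dlp_allows(text: str) -> bool:
    """Negative control: the message is released unless some rule matched."""
    return not dlp_inspect(text)

# ---- Positive control (data-centric): the policy lists who may do what with a ----
# ---- document; any (user, action) pair not listed is denied by default.        ----
@dataclass
class DocPolicy:
    grants: dict[str, set[str]] = field(default_factory=dict)   # user -> allowed actions

def policy_allows(policy: DocPolicy, user: str, action: str) -> bool:
    return action in policy.grants.get(user, set())

def revoke(policy: DocPolicy, user: str) -> None:
    """Pull a user's access; later checks fall back to the default deny."""
    policy.grants.pop(user, None)

if __name__ == "__main__":
    # Constructed messages: an order number trips the SSN rule (false positive),
    # while a sensitive but unstructured message passes (false negative).
    print(dlp_allows("Order 123-45-6789 shipped today"))                 # False
    print(dlp_allows("Board vote on the Acme acquisition is Friday"))    # True
    deal = DocPolicy({"alice": {"view", "edit"}, "bob": {"view"}})
    print(policy_allows(deal, "bob", "edit"), policy_allows(deal, "carol", "view"))  # False False
    revoke(deal, "bob")
    print(policy_allows(deal, "bob", "view"))                            # False
```

The negative-control half has to inspect every message and still gets both cases wrong; the positive-control half never inspects content at all, it only answers whether this user was explicitly granted this action.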
Moving Beyond Trusted Walls
DLP’s lack of control once data has been accessed highlights another major challenge in information security today. Just because a user can access an asset does not mean they should be inherently trusted going forward. Even in traditional on-premises networks, organizations are increasingly moving to “zero trust architectures,” where all users are presumed to be compromised and every access to data is reviewed and approved based on policy. Centralized policy management and administration is critical, ensuring that copies or edited versions of documents do not lose the original’s protection.
A Data-Centric Approach Solves This Problem
Digital Guardian Secure Collaboration ensures that policy is checked and enforced whenever data is accessed regardless of where or how the access takes place. Instead of trying to control everything around the data, Digital Guardian Secure Collaboration extends control to the data itself. Trust is adaptive, can be defined down to an individual and controlled in terms of what the user is allowed to do with the data, and can be revoked at any time.
This provides a logical approach to protecting data in a truly modern way that neither DLP nor CASB can accomplish. Data and content can move, yet IT and Security teams remain in control and can adapt as situations change.
We discuss DLP (and CASB) further in this in-depth whitepaper, “The Acronym Jungle: Understanding the Benefits and Challenges of Data Loss Prevention (DLP) and Cloud Access Security Brokers (CASB).” Check it out!