These days you often hear about a technology called DLP systems. What is it and where is it used? DLP (data loss prevention) software is designed to prevent data loss by detecting possible irregularities when data is sent and by filtering it. In addition, such services monitor, detect and block confidential information while it is in use, in motion (network traffic) and in storage.
As a rule, confidential data leaks because of the actions of inexperienced users or as the result of malicious activity. Such information, whether private or corporate information, intellectual property (IP), financial or medical records, credit card data and the like, requires the enhanced security measures that modern information technology can offer.
The terms "data loss" and "data leakage" are related and are often used synonymously, although they differ somewhat. A loss of information turns into a leak when the medium containing confidential information disappears and subsequently ends up with an unauthorized party. Nevertheless, data can leak without being lost.
DLP Categories
Technological tools used to combat data leakage can be divided into the following categories: standard security measures, intelligent (advanced) measures, access control and encryption, and specialized DLP systems (described in detail below).
Standard measures
Standard security measures such as firewalls, intrusion detection systems (IDS) and antivirus software are the usual, affordable mechanisms that protect computers from outsiders as well as from insider attacks. A firewall, for example, denies unauthorized persons access to the internal network, and an intrusion detection system detects penetration attempts. Insider attacks can be prevented by antivirus checks that detect Trojan horses installed on a PC to send out confidential information, and by using services built on a client-server architecture in which no personal or confidential data is stored on the computer.
Additional security measures
Additional security measures use highly specialized services and temporal algorithms to detect abnormal access to data (for example, to databases or information retrieval systems) or abnormal e-mail exchanges. Such modern information technologies also detect programs and requests that arrive with malicious intent and perform in-depth checks of computer systems (for example, keystroke or speaker recognition). Some of these services can even monitor user activity to detect unusual data access.
Specially designed DLP systems - what is it?
DLP solutions are designed to protect information by detecting and preventing unauthorized attempts to copy or transfer confidential data (intentionally or unintentionally) without permission, usually by users who do have the right to access that data.
To classify information and regulate access to it, these systems use mechanisms such as exact data matching, structured data fingerprinting, statistical methods, rule and regular-expression matching, published code phrases, conceptual definitions and keywords. The types of DLP systems can be compared as follows.
Network DLP (also known as data in motion, DiM)
As a rule, this is a hardware or software solution installed at network points near the perimeter. It analyzes network traffic to detect sensitive data sent in violation of the information security policy.
Endpoint DLP (data in use, DiU)
Such systems run on end-user workstations or servers in an organization.
Like network-based systems, endpoint-based systems can address both internal and external communications and can therefore be used to control the flow of information between types or groups of users (much as a firewall does). They can also control e-mail and instant messaging. This works as follows: before messages are downloaded to the device, they are checked by the service, and if they contain an undesirable request they are blocked. As a result, they never reach the device and are not subject to the rules for data stored on it.
An endpoint DLP system has the advantage that it can control and manage access to physical devices (for example, mobile devices with data storage capabilities) and can sometimes access information before it is encrypted.
Some endpoint-based systems can also provide application control to block attempts to transmit sensitive information, and can give the user immediate feedback. Their disadvantage is that they must be installed on every workstation in the network and cannot be used on mobile devices (for example, cell phones and PDAs) or where installing them is impractical (for example, on a workstation in an Internet cafe). This must be taken into account when choosing a DLP system for any purpose.
Data identification
DLP systems include several methods for identifying secret or confidential information. This process is sometimes confused with decryption. Data identification, however, is the process by which organizations use DLP technology to determine what to look for (in motion, at rest or in use).
Data is classified as structured or unstructured. Structured data is stored in fixed fields inside a file (for example, a spreadsheet), whereas unstructured data is free-form text (for example, text documents or PDF files).
According to experts, 80% of all data is unstructured and, accordingly, 20% is structured. Classification of information is based on content analysis, which focuses on structured information, and on contextual analysis; it is performed at the point of creation, in the application or system in which the data originated. Thus, the answer to the question "DLP systems - what are they?" determines the algorithm used to analyze the information.
Methods used
There are many methods for describing confidential content today. They can be divided into two categories: accurate and inaccurate.
Accurate methods are those associated with content analysis that practically eliminate false positive responses to queries.
All others are inaccurate and may include dictionaries, keywords, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, statistical analysis and so on.
The effectiveness of the analysis depends on its accuracy; a highly rated DLP system scores well on this parameter. Accurate DLP identification is essential to avoid false positives and their negative consequences. Accuracy may depend on many factors, some of them situational or technological. Accuracy testing can confirm the reliability of a DLP system, that is, almost zero false positives.
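The two passages above (the classification mechanisms such as exact data matching, fingerprinting, regular expressions and keywords, and the split between accurate and inaccurate methods) can be seen side by side in one small content-inspection engine. The following is an added example written for this article, not code from any DLP product. It assumes a constructed list of confidential structured records, constructed outbound messages, and a simple policy in which accurate evidence blocks a message while keyword-only hits are sent for review; the Luhn checksum is used to validate regular-expression hits so that an innocent 16-digit order number does not become a false positive.

```python
import hashlib
import re

# --- Exact data matching (an accurate method) -------------------------------
# Constructed sample of confidential structured records, e.g. rows exported
# from an HR or customer database. A real deployment hashes the rows at export
# time and gives the DLP engine only the hashes, never the plaintext.
KNOWN_RECORDS = [
    "Alice Example,123-45-6789",
    "Bob Example,987-65-4321",
]


def normalize(text: str) -> str:
    """Canonical form so trivial edits (case, spacing) do not defeat matching."""
    return re.sub(r"\s+", "", text).lower()


def fingerprint(record: str) -> str:
    return hashlib.sha256(normalize(record).encode("utf-8")).hexdigest()


EXACT_FINGERPRINTS = {fingerprint(r) for r in KNOWN_RECORDS}

# --- Pattern methods (inaccurate on their own) --------------------------------
# Candidate payment card numbers: 13-16 digits, optionally separated by
# spaces or dashes, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# Dictionary of marker phrases typical of unstructured documents.
KEYWORDS = ("confidential", "internal only", "do not distribute")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; validates regex hits and drops most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never echo a full card number into the alert log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> list:
    """Return (method, evidence, confidence) findings for one message or file."""
    findings = []
    # 1. exact match against fingerprinted structured records, line by line
    for line in text.splitlines():
        if line.strip() and fingerprint(line) in EXACT_FINGERPRINTS:
            findings.append(("exact_match", fingerprint(line)[:8], "accurate"))
    # 2. regex candidates, validated with Luhn so order ids are not flagged
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("card_number", mask(digits), "validated"))
    # 3. plain keyword dictionary: cheap, but only a hint
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw, "inaccurate"))
    return findings


def decide(findings: list) -> str:
    """Policy: block on accurate or validated evidence, review keyword-only hits."""
    confidences = {conf for _, _, conf in findings}
    if confidences & {"accurate", "validated"}:
        return "block"
    if "inaccurate" in confidences:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed outbound messages, as an endpoint or network DLP would see them.
    samples = [
        "Export:\nAlice Example,123-45-6789\n",            # exact match -> block
        "Invoice: pay with card 4111 1111 1111 1111",      # regex + Luhn -> block
        "Order id 1234567890123456 shipped",               # regex hit, Luhn fails -> allow
        "This memo is confidential",                       # keyword only -> review
    ]
    for s in samples:
        print(decide(classify(s)), classify(s))
```

The third sample is the point of the accuracy discussion: a bare regular expression would flag the order id, and only the checksum validation keeps the inaccurate method from producing a false positive that blocks legitimate business traffic.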
Information leakage detection and prevention
Sometimes a data distribution source makes confidential information available to third parties. After some time, part of it is likely to turn up in an unauthorized place (for example, on the Internet or on another user's laptop). DLP systems, whose price is provided by vendors on request and can range from several tens to several thousand rubles, should then examine how the data leaked: from one or several third parties, whether the leaks were independent of each other, whether the leak was caused by other means, and so on.
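One way to answer the questions raised above (which third party a leaked copy came from, whether several parties were involved, and whether two leaks are independent) is to give each recipient a copy that carries its own keyed marker and keep a registry of markers. The following is an added example written for this article, not a feature of any particular DLP product. It assumes a constructed document, constructed recipient names and a fixed demo key in place of a secret that would normally live in a key management system.

```python
import hashlib
import hmac

# Assumed: a server-side secret held in a KMS. A fixed demo value is used here
# so the example runs offline. Markers are HMACs, so a recipient cannot forge
# another recipient's marker or tell which line carries their own.
MARKER_KEY = b"constructed-demo-key-do-not-use"


def recipient_marker(doc_id: str, recipient: str) -> str:
    """Short, unforgeable per-recipient token for one distributed document."""
    msg = f"{doc_id}:{recipient}".encode("utf-8")
    return hmac.new(MARKER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def prepare_copies(doc_id: str, body: str, recipients: list) -> tuple:
    """Return (copy per recipient, registry mapping marker -> recipient)."""
    copies, registry = {}, {}
    for r in recipients:
        marker = recipient_marker(doc_id, r)
        registry[marker] = r
        # the marker rides along as an innocuous-looking reference line
        copies[r] = f"{body}\nRef: {doc_id}/{marker}\n"
    return copies, registry


def attribute_leak(leaked_text: str, registry: dict) -> dict:
    """Identify which distributed copy or copies a leaked text was built from."""
    parties = sorted(r for marker, r in registry.items() if marker in leaked_text)
    if not parties:
        origin = "unknown"   # marker stripped, or the copy was never tracked
    elif len(parties) == 1:
        origin = "single"
    else:
        origin = "multiple"  # content merged from several recipients' copies
    return {"origin": origin, "parties": parties}


def leaks_independent(first: dict, second: dict) -> bool:
    """Two leaked fragments traced to disjoint recipient sets are separate incidents."""
    a, b = set(first["parties"]), set(second["parties"])
    return bool(a) and bool(b) and not (a & b)


if __name__ == "__main__":
    # Constructed document and recipients.
    copies, registry = prepare_copies(
        "Q3-forecast", "Revenue forecast: constructed figures",
        ["partner-a", "partner-b", "partner-c"],
    )
    found_online = copies["partner-b"]                      # one party
    merged = copies["partner-a"] + copies["partner-c"]      # two parties combined
    print(attribute_leak(found_online, registry))
    print(attribute_leak(merged, registry))
    print(attribute_leak("Revenue forecast: constructed figures", registry))
```

The "unknown" outcome is the case the text hints at with "other means": a copy with the reference line removed, or one that was never tracked, cannot be attributed this way, and the investigation has to fall back on the content analysis and contextual evidence discussed earlier.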
Data at rest
"Data at rest" refers to archived information stored on any of the hard drives of a client PC, on a remote file server or on a network-attached storage drive. The definition also covers data stored in a backup system (on flash drives or CDs). This information is of great interest to enterprises and government agencies simply because a large amount of data sits unused on storage devices, and it is more likely that unauthorized persons outside the network can gain access to it.