Data Loss Prevention: Fundamentals and Best Practices

Emily Heaslip
August 30, 2022

Every year, business owners grapple with the same question: how can I keep my data safe? 

The cost of a data leak can quickly escalate to over $7 million per incident, not to mention the damage to a business’s brand reputation and competitive advantage. And, unfortunately, cyber attacks are getting more sophisticated every year.

There are many solutions on the market to help businesses protect their information. And, it’s considered best practice to layer these solutions to provide the best possible protection against cyber threats. But understanding what a specific tool protects and how it works can help IT teams make smarter spending decisions. 

In this guide, we’ll break down the fundamentals of one of the most important security approaches at your disposal: data loss prevention. Data loss prevention solutions have evolved significantly in recent years. And, with the rise of cloud DLP, IT teams can improve how sensitive data shared over SaaS, IaaS, and PaaS platforms is controlled and protected.

Here’s what you need to know about data loss prevention, the various tools that provide data loss prevention, and how to implement a DLP approach for your business. 

What is data loss prevention?

Data loss prevention (DLP) is a set of tools, practices, and technologies that classify, detect, and protect information (data) in three states: data in use, data at rest, and data in motion. 

  • Data in use refers to data that is being actively accessed within a system. Security gaps can open while data is read, updated, or even erased across a network or database. 
  • Data in motion, or data in transit, means that information is moving both on and off the network or database. A typical security vulnerability for data in motion is when users send sensitive data to personal email accounts or cloud drives to work remotely. 
  • Data at rest refers to where data is located on a network or database. Insecure storage locations and unencrypted backup copies of sensitive data pose the biggest risks for data at rest.

The role of a data loss prevention tool is to identify sensitive data that organizations need to keep safe, and constantly monitor and take action to prevent this information from being leaked or shared inappropriately. 

Tools alone, however, won’t protect your data. Data loss prevention is also a specific approach to data security. Companies need to implement a DLP policy that governs how employees access, manipulate, and share data in use, in motion, and at rest. 

DLP policy best practices

The practice of data loss prevention serves three main purposes. 

  1. Protect personally identifiable information (PII) and help organizations stay compliant with regulations such as HIPAA, GDPR, and the new CCPA.
  2. Protect your company’s intellectual property and trade secrets that could give your competitors an advantage.
  3. Provide data visibility: help companies understand where data lives and how it moves to ensure all systems are secure from other threats (such as ransomware or malware).

As a result, your DLP policy should address these specific goals. Ultimately, your DLP policy will define which content needs to be protected. This varies based on your industry and the type of data you collect. For instance, organizations in the health industry need to protect PHI as defined by HIPAA. Other companies may need to protect Social Security Numbers, credit card information, or blueprints. 

In addition, you’ll need to map where this data resides. Your DLP policy should achieve a detailed degree of data visibility. What shared drives, databases, cloud storage tools, email and instant messaging apps, and devices do your employees use during their daily work? 

Many companies choose to include the parameters and conditions for accessing data in their DLP policy. Different types of data will require different levels of access. Doctors, for instance, can have full access to patient data; insurance companies may have a more limited scope.

[Read more: 5 Identity and Access Management Best Practices]

Finally, your DLP policy should cover the worst-case scenario: what actions will be taken, and by whom, when suspicious activity is detected? Some DLP solutions are set up to automate a response, but it’s important to define who is responsible for overseeing alerts and activities not covered by automatic monitoring tools.

[Read more: 6 Updates to Make to Your Cloud Security Policy]

It’s important to have a comprehensive DLP policy in place as you vet different data loss prevention options and other security tools. Make sure this policy is updated regularly to provide full data visibility over your company’s environment.

How does DLP work?

Data loss prevention tools use different strategies depending on the type of tool and your configuration. Broadly speaking, these are some of the more common strategies employed by DLP platforms.

  1. Rule-based matching: The DLP solution uses known patterns to find data that matches specific rules. For instance, a Social Security number is nine digits, so the tool will flag any nine-digit number for further review and analysis.
  2. Database fingerprinting: The DLP solution looks for an exact match to structured data that has been supplied by the client. For instance, the client searches for “Patent No. 123.”
  3. Exact file matching: The DLP solution looks for documents based on their hashes, rather than their contents.
  4. Partial document matching: The DLP solution looks for files that partially match pre-set patterns. For instance, a form that has been filled out by different users has the same structure across the board.
  5. Statistical analysis: The DLP solution uses machine learning or Bayesian analysis to identify sensitive data. This yields more accurate results, since these approaches can take into account the context surrounding a finding (such as leading and trailing characters, content location, and more).
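The following is an added example, not Nightfall's code or any vendor's engine: a minimal scanner that applies three of the strategies above to a constructed message. Rule-based matching uses an SSN pattern plus issuance checks and nearby context to cut nine-digit false positives; database fingerprinting compares hashed token windows against client-supplied values stored only as digests; exact file matching classifies a file by its hash rather than its contents. All sample values and digests are constructed for the demonstration.

```python
from __future__ import annotations
import hashlib
import re

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Database fingerprinting: constructed client-supplied values. Only digests are
# retained, so the scanner itself never holds the raw sensitive strings.
FINGERPRINTS = {sha256(v.encode()) for v in ("Patent No. 123", "Project Bluebird")}

# Exact file matching: constructed digest of a known confidential file.
KNOWN_FILES = {sha256(b"CONFIDENTIAL: Q3 board deck"): "board-deck.pdf"}

# Rule-based matching: SSN layout with look-arounds so a longer digit run
# (order numbers, phone numbers) cannot yield a partial hit.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues; trims nine-digit false positives."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0

def find_ssns(text: str) -> list[tuple[str, str]]:
    """Return (value, confidence); a nearby label such as 'SSN' raises confidence."""
    hits = []
    for m in SSN_RE.finditer(text):
        if not plausible_ssn(*m.groups()):
            continue
        context = text[max(0, m.start() - 24):m.start()].lower()
        confidence = "high" if re.search(r"ssn|social", context) else "medium"
        hits.append((m.group(0), confidence))
    return hits

def find_fingerprints(text: str, max_tokens: int = 4) -> list[str]:
    """Hash every window of 1..max_tokens whitespace tokens and look it up."""
    tokens, found = text.split(), []
    for i in range(len(tokens)):
        for n in range(1, max_tokens + 1):
            window = " ".join(tokens[i:i + n])
            if sha256(window.encode()) in FINGERPRINTS and window not in found:
                found.append(window)
    return found

def match_file(content: bytes) -> str | None:
    """Exact file matching: classify by digest, never by inspecting content."""
    return KNOWN_FILES.get(sha256(content))

# Constructed sample message: one real-looking SSN, one longer ID, one
# impossible SSN (area 000), and one fingerprinted value.
SAMPLE = ("Hi, my SSN is 219-09-9999 for the form. Order 123-45-67890 shipped. "
          "Invalid one: 000-12-3456. Patent No. 123 is attached.")

if __name__ == "__main__":
    print(find_ssns(SAMPLE), find_fingerprints(SAMPLE), match_file(SAMPLE.encode()))
```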

Not only will DLP solutions identify sensitive data, but they will also allow an organization to set a strategy to protect this data. This strategy is usually a set of rules set by the administrator to determine how different kinds of data will be treated. It also defines sensitive data types, DLP policies, and expected data flows. As your company scales and your work environment changes, this strategy should be updated regularly.

Understanding data loss prevention tools

There are a broad range of platforms on the market that offer data loss prevention. But, it can be complex to understand how these tools work together and what the differences are between solutions.

Gartner classifies data loss prevention solutions into three categories: enterprise data loss prevention (EDLP), integrated data loss prevention (IDLP), and cloud DLP (or CSP-Native DLP).

Simply put, an EDLP tool focuses on data in all three states (in motion, in use, and at rest) while an IDLP tool focuses on one specific state.

Source: Gartner

Enterprise DLP solutions are broad and flexible, built for highly diverse use cases. They tend to offer not only data loss protection but also regulatory compliance and intellectual property protection. 

Integrated DLP tools are natively integrated into a specific service, such as secure email or a web gateway. These solutions are limited in their policy and reporting capabilities and must be manually integrated with other IDLP or EDLP solutions. 

And lastly, cloud data loss prevention programs are specifically designed to protect data stored in the cloud. A cloud DLP will scan and audit data to detect and encrypt PII and other valuable information shared across IaaS, PaaS, and SaaS programs. 

Within each of these categories, there are solutions covering network, endpoint, email, and cloud DLP.

4 Types of DLP

Data loss prevention can be applied at the network, endpoint, email, or cloud solution layer. Understanding how these different types of DLP solutions work can help your team design a secure system, lower the risk of data exposure incidents, and prevent malicious hackers from accessing your sensitive information.

[Read more: Network, Endpoint, and Cloud DLP: A Quick Guide]  

Network DLP

Network data loss prevention tools secure an organization’s network communications, including, but not limited to: email, web applications, and data transfer mechanisms like FTP. Network DLP tools track and analyze all the traffic and activity taking place across the organization’s network, including messaging and file transfers. This software alerts the administrator when data is being sent in violation of your DLP policy. 

Network DLP tools also maintain a database that records who accessed sensitive information and when. These tools can also tell you where data was moved on the network. These capabilities help decrease the risk of data exfiltration.

Network data loss prevention offers companies the ability to: 

  • Inspect and control traffic on email, webmail, web applications, HTTP/S, FTP/S, and TCP/IP
  • Prevent sensitive data from being exfiltrated from the network, regardless of port or protocol
  • Create and enforce policy-based monitoring and blocking of web applications
  • Encrypt email content
  • Notify users and administrators there’s a violation of corporate data protection policies

Many companies use a network DLP solution to mitigate some of the risks of insider threats and stay compliant with industry-specific regulations. However, it’s worth noting that network DLP can’t completely prevent insider threats from authorized users. These solutions are only able to monitor when data is accessed and report who accessed it. If an authorized user decides to steal information, there’s little that these tools can do.

Endpoint DLP

Endpoint DLP adds another layer of protection in addition to network DLP. Endpoint data loss prevention tools monitor servers, computers, laptops, and mobile devices on which data is used, moved, or saved. 

Endpoint DLP tools not only monitor network endpoints, but they are also able to classify data according to compliance regimes or administrator rules. These platforms track data on all endpoints, regardless of whether the device is connected to the network. Many endpoint DLP solutions are also able to encrypt data. 

Network DLP tools are efficient in protecting sensitive data in motion. However, these solutions can only protect data when a device is connected to the company network. Endpoint DLP enables companies to extend protection onto devices where data is transferred. Any device on which data is used, moved, or saved can leverage endpoint DLP security to prevent data leakage, loss, or misuse.

Endpoint DLP solutions are particularly important as companies continue to support hybrid/remote work and allow employees to use their own devices. And, the rise of remote work has led to the adoption of cloud-based platforms, making the next type of data loss prevention the final piece of the DLP puzzle. 

Cloud DLP

Endpoint and network DLP platforms focus on securing data in use on laptops, phones, servers, and networks. Data in motion and at rest that is reached from an unauthorized device, or from an authorized device outside the company network, remains largely vulnerable.

Additionally, traditional network and endpoint security solutions lack visibility into cloud applications and cloud data infrastructure – tools many businesses are using more frequently as we move toward remote work. One survey found that, on average, only 45% of company apps are being used on a regular basis. In addition, 56% of all apps are “shadow IT”, meaning applications owned and managed outside of IT.

These apps open your company to a huge amount of risk. Too often, companies provide access to vendors, partners, and contractors through apps no longer in use, creating an opportunity for theft or malware. Or, employees seeking to make remote work easier implement cloud-based programs without the approval and oversight of an IT administrator, leading to a similar vulnerability. 

This is where cloud DLP plays an integral role in protecting your company data. Cloud data loss prevention is specifically designed to protect data stored in the cloud. A cloud DLP tool will scan and audit data to detect and encrypt PII and other valuable information shared across IaaS, PaaS, and SaaS programs. 

[Read more: How To Protect and Store Sensitive Data in SaaS Platforms with Cloud DLP]

Cloud DLP like Nightfall can mitigate some of this risk. Nightfall is the industry’s first cloud DLP program that uses AI to discover, classify, and protect data in the cloud by integrating directly with popular platforms – like Slack, Jira, and Google Drive on the API level. 

Email DLP

Finally, email DLP is often considered a subset of network DLP — and many network DLP platforms monitor email for inappropriate use of data. However, organizations that take an integrated data loss prevention (IDLP) approach and use discrete, decentralized tools, may need to implement a separate email DLP solution.

Email data loss prevention tools monitor a company’s email communications to determine whether data is at risk of loss or theft. Email is an important channel for hackers: phishing attacks and malware usually originate from email. Therefore, adding email DLP can help prevent criminals from exfiltrating your company’s data.

Traditional email DLP tools prevent sensitive information from being sent or shared outside the organization. Some tools also include features to defend against inbound threats, such as spear phishing, business email compromise, or CEO fraud. As you vet different vendors, make sure you understand if email DLP is integrated into your network DLP, or if you’ll need a specific standalone solution. 

The evolution of DLP to cloud DLP

Cloud data loss prevention is a relatively new set of tools compared to legacy solutions. And before there was cloud DLP, there were CASBs: cloud access security brokers.

CASBs are a type of security platform that sits between an enterprise network and a cloud provider’s infrastructure, allowing for the monitoring and remediation of incidents that occur between the network layer and the cloud. CASBs offered an early solution to enterprises looking to protect data as it moves to and from unsecured devices. 

Today, however, cloud DLP offers the solution CASBs once promised. The rise of remote work and an increase in the number of devices we’re using has meant that cloud DLP is augmenting – and sometimes replacing – the efficacy of CASBs. Cloud DLP solutions like Nightfall connect with cloud applications through APIs, giving application-layer visibility to security teams who need to remediate data security incidents in the cloud. 

Cloud DLP programs offer better visibility, detection, and remediation tools than most CASBs. And, cloud DLP programs are easier to implement. Nightfall, for instance, can be set up in seconds through API connectors, whereas a CASB requires a fair amount of technical expertise to set up.

What about the future of cloud DLP? Where will this segment grow next? McKinsey’s analysis suggests that machine learning and AI are critical components to add to your DLP capabilities. 

“Developing in-house capabilities in advanced analytics and artificial intelligence enables organizations to not only improve their own in-house data-management solutions but also better integrate vendor tools and gain a clearer picture of their data-loss risk, making incidents easier to prevent and contain,” wrote their 2022 study.

Why should you use DLP?

Data loss prevention is integral to compliance, cybersecurity, and business continuity. DLP tools make it easy for businesses to protect PHI and PII, reduce the risks of insider threats, and stay protected even as threats like ransomware and malware evolve. Likewise, businesses can keep their customer and employee privacy safe, building trust and allowing the company to thrive.

How to choose the best DLP solution

Choosing a new DLP solution means not only finding the right vendor with which to partner but creating alignment over your DLP policy and approach. Often, companies are vetting multiple vendors for endpoint, cloud, and network data loss prevention tools. As a result, it’s critical to involve the main stakeholders early in the discovery process.

Bring together everyone who will have a say in your company’s cybersecurity as you begin vetting different vendors. Give stakeholders the chance to view demos and ask questions before signing off on the final decision. It helps to have leaders from engineering, operations, legal, and even sales and marketing involved. 

Next, create a list of metrics that will define success for the tool or solution you are vetting. Consider what your current KPIs are and how a data breach could negatively impact those metrics. If you’re not sure where to start, we recommend basic KPIs for DLP from Infosec Writeups on Medium, like data classification success rate. Or, start simple by estimating how a data breach would affect your business’s current loss rate, or how much it would pull resources from other departments to staff damage control.

Finally, pull information from your DLP policy: you’ll want to find a solution that covers the systems, data, and devices and can be implemented easily by your stakeholders. 

[Read more: Choosing a DLP solution: A guided plan]  

DLP can address security issues and save organizations time, money, and lost productivity. An automated DLP solution is the fastest, most complete, and most cost-effective way to get up to speed on your privacy requirements.

Want to learn more? You can find out more about data loss prevention and get started with Nightfall by scheduling a demo at the link below.
