The rapidly increasing number of security breaches and data loss incidents is driving companies to implement data loss prevention (DLP) solutions as part of their overall endpoint security systems to prevent sensitive information from making its way out of the corporate network. Data must be accessible to mobile workers, partners, and the supply chain, but at the same time a company must prevent that data from being accidentally or intentionally delivered into the wrong hands. Consequently, DLP software has become just as important as antivirus, host intrusion prevention, firewalls, and other security technologies and must be incorporated into an overall enterprise security system.
As more organizations look to incorporate this promising technology into their infrastructure, it is critical to understand what makes some DLP solutions more effective than others. The most comprehensive DLP tools enable organizations to discover data as well as monitor, protect and manage it.
Locate Sensitive Data
The proliferation of mobile computing devices as well as the use of portable media, such as USB flash drives, signal that today's workforce is becoming more and more mobile. In such an environment, simply knowing which desktops, laptops, or other devices contain the most sensitive data is a monumental challenge. Worse yet, it is impossible to track how sensitive information is being accessed and manipulated without first knowing where that information is stored across the thousands of laptops, desktops and other endpoints in the enterprise. Indeed, unless such information is first found, it cannot be secured.
DLP addresses this challenge by providing visibility into where confidential data is stored. DLP scans for sensitive data on the endpoint, whether local or remote, and regardless of whether the user is on or off the network. Armed with this information, IT can then take steps to inventory, secure or even relocate this data.
Furthermore, by pinpointing systems on which the most sensitive data is found, DLP also makes it easier to prioritize which laptops and desktops need encryption.
Track Data Use
Once sensitive data is located, its use must also be monitored to ensure that it remains private. To that end, DLP tracks how confidential data is being used at the endpoint, whether or not that endpoint is attached to the network.
DLP monitors files that are downloaded to local drives, copied to USB or other removable media, or burned to CDs or DVDs, as well as data transferred over email, IM, FTP or HTTP. It also monitors for sensitive information that is copied, pasted, printed, or faxed electronically.
DLP takes the guesswork out of secure data handling. With it, organizations can be sure that customer lists are not copied to USB flash drives or other removable media, source code is not copied or pasted to a new file, design documents are not being burned to CDs or DVDs, price lists are not being printed out or faxed to competitors and much more.
Stop Data Loss
Without DLP, organizations committed to protecting information are often relegated to simply preventing employees from transferring or even accessing data via their mobile phones, laptops or home computers. While this reduces the risk for data loss, it also reduces productivity as employees can no longer do their work anytime and anywhere.
DLP removes this productivity obstacle by automatically monitoring and blocking endpoint activity that violates data security policies. Through continuous online and offline monitoring of both managed and unmanaged devices, together with advanced location-aware policies for detecting and blocking endpoint events, DLP ensures the legitimate use of sensitive data on or off the corporate network.
With DLP, organizations can prevent customer data from being sent or transferred outside the organization and safeguard intellectual property from being printed, faxed, copied or otherwise handled in violation of corporate policy. In addition, a number of DLP tools also provide immediate notification of policy violations to promote user awareness and education.
Manage Data Security
Deploying an endpoint DLP solution requires the installation of a small agent on each endpoint. Should deployment to a specific endpoint be unsuccessful, the DLP solution must be able to alert the organization to where and why the deployment failed. Furthermore, when new endpoints are added to the network, the DLP solution must be able to scale accordingly, without increasing complexity.
While endpoint protection is imperative in today's world, most organizations view data loss prevention as a company-wide concern. Consequently, DLP must automatically and consistently enforce the company's security policies across the enterprise, wherever sensitive data may be. With a DLP solution that manages data protection policies from a single console and is deployable across a global enterprise's network, endpoints and storage systems, organizations can more easily mitigate their risk of data loss. Indeed, a DLP solution with robust policy management capabilities enables organizations to define their policies once and enforce them everywhere.
DLP solutions may also allow business units to manage their data protection policies by leveraging role-based access to the DLP console. Furthermore, DLP solutions that leverage more advanced detection technology help ensure the highest level of accuracy by analyzing both content and context on an enterprise scale. This, in turn, not only strengthens data loss prevention but also helps maintain a low total cost of ownership.
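The content-and-context analysis described above, together with the channel monitoring and location-aware blocking described under Track Data Use and Stop Data Loss, can be illustrated with a small policy evaluator. This is an added example, not Symantec's or any vendor's code; the event format, channel names, labels and the policy itself are assumptions made for the illustration.

```python
import re
# Constructed sample events in an assumed agent format (not a vendor schema): user,
# network location, destination channel, and the content the agent inspected.
EVENTS = [
    {"user": "alice", "on_network": True, "channel": "usb",
     "content": "Customer list: 4111 1111 1111 1111, 5500 0000 0000 0004"},
    {"user": "bob", "on_network": False, "channel": "email",
     "content": "Quarterly price list attached for review"},
    {"user": "carol", "on_network": True, "channel": "local",
     "content": "Test note: 1234 5678 9012 3456 is not a real card number"},
    {"user": "dave", "on_network": True, "channel": "email",
     "content": "Customer list for the account team"},
]

CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){15}\d\b")           # 16-digit candidates
BUSINESS_TERMS = re.compile(r"customer list|price list|source code", re.I)
ALWAYS_BLOCK = {"usb", "cd", "print", "fax"}       # removable media and hard copy
NETWORK_CHANNELS = {"email", "im", "http", "ftp"}  # blocked off-network, monitored on-network

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random 16-digit strings that a bare regex would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content: str) -> set:
    """Content analysis: label the data by what it actually contains."""
    labels = set()
    for m in CANDIDATE_PAN.finditer(content):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PAN")
    if BUSINESS_TERMS.search(content):
        labels.add("CONFIDENTIAL")
    return labels

def decide(event: dict) -> str:
    """Context analysis: combine the labels with channel and network location (assumed policy)."""
    if not classify(event["content"]):
        return "allow"
    if event["channel"] in ALWAYS_BLOCK:
        return "block+notify"
    if event["channel"] in NETWORK_CHANNELS:
        return "monitor" if event["on_network"] else "block+notify"
    return "monitor"  # local disk: logged so the data can be inventoried and relocated

def evaluate_all(events=EVENTS) -> dict:
    return {e["user"]: decide(e) for e in events}
```

The Luhn check is what keeps carol's test note from being flagged: a pattern match alone would treat any sixteen digits as a card number, which is the accuracy problem the text attributes to content-only detection.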
Perhaps one of the most valuable benefits of a DLP implementation is that it enables organizations to better align specific remediation steps with regulatory notification requirements. Should a laptop be lost or stolen, a DLP solution enables the organization to quickly and accurately determine what confidential data resides on that laptop. Without DLP, this would typically require countless employee interviews, email and backup archive searches, and more, often taking days or weeks and delivering uncertain results.
As today's highly connected business environment relies increasingly on a productive, mobile workforce, preventing the loss of confidential data has become a greater priority. Organizations must be sure their data is accessible yet secure at all times.
By enabling organizations to know where their confidential data is, how it is being used, and how to prevent its loss, DLP extends beyond the network-focused security approaches of yesterday and, instead, focuses on securing the data itself, no matter where it is used or stored.
About the Author
Michael Wolfe serves as vice president of Data Loss Prevention (DLP) Solutions at Symantec, where he oversees product development, sales, professional services and marketing for the company's DLP solutions. Wolfe joined Symantec in 2007 as part of the Vontu acquisition. Wolfe co-founded Vontu in 2001 and served as vice president of technology and support. Before Vontu, Wolfe served as an Entrepreneur in Residence at Benchmark Capital. Prior to that, he founded the engineering team at Kana, Inc. in 1997, where he held the roles of vice president of engineering, Chief Technology Officer and vice president of products in succession.