Data Loss Prevention (DLP)

One of the most effective best practices for preventing data loss starts with training your employees everything they should and shouldn’t do when handling your organization’s precious data. Employee DLP education should include safe practices for transferring, viewing, and storing data. For maximum effect, training should be sponsored at the executive level and should be repeated at regular intervals to reinforce and update best-practice behavior.

A key component of DLP best practices, data handling policies include:

• Where data can be stored
• How data is to be transferred
• Who can view certain types of data
• What types of data you are allowed to store
• And many others

Since these policies drive all other data handling behaviors and assessments, they should be established at your earliest opportunity. They should also be updated regularly to reflect changes in the organization, the industry, and in regulations. Once data handling policies are in place, you can move onto more technical remedies and best practices to ensure your data remains where it ought to be.

The key to creating data loss prevention policies is to start with a data classification system. This taxonomy will provide a reference for talking about the stringency and methods of protection needed for different types of data. Common classifications include personally identifiable information (PII), financial information, public data, and intellectual property. There are many others. A unique set of protection protocols can be established for each classification.

Successful data protection requires the ability to monitor your sensitive data. Data loss prevention software typically includes capabilities for monitoring all aspects of data use and storage, including:

• User access
• Device access
• Application access
• Threat types
• Geographical locations
• Access times
• Data context

As part of the monitoring process, DLP software sends alerts to relevant personnel when data is used, moved, deleted, or altered in an unauthorized manner.

It can be complicated enough to protect the data used by your known inventory of applications. But you also need to account for data accessed by shadow IT. This is the growing trove of software-as-a-service (SaaS) applications that employees subscribe to independently, without approval from the IT department—and often without its knowledge.

Even if employees are thoroughly trained in DLP best practices, it is hard for them to accurately assess the safety of these cloud-based applications. Under most SaaS models, the SaaS provider is responsible for the applications themselves, but users are responsible for the data that the application uses. Users, who are focused on achieving business objectives, are not in a position to protect data from attacks that may come through a compromised SaaS application. It is up to you to hold the line on data leakage and misuse. That’s why you need a DLP software solution that is able to recognize shadow IT and prevent users from accessing data or moving data to these applications, until you can bring them out of the shadows and into the fold of secure IT operations.

This best practice goes hand-in-hand with data classification, as the combination of these two will allow you to grant access to data only to those who have clearance to that information. Your DLP software should also incorporate certain zero trust data protection policies that don’t inherently grant trust to any users while consistently verifying identities and clearance.

DLP doesn’t live in a vacuum. The entire concept of DLP relies on an ecosystem of tools that work together to provide insights, plans of action, and active protections of your data. These tools include secure web gateways, cloud access security brokers, email security, and zero trust infrastructures.

Datasheet: Netskope Data Loss Prevention