Data Loss Prevention (DLP) is one of those hot topics that every executive will agree they should have, but may not fully understand. The desire to implement Data Loss Prevention usually falls into one of two categories: ensuring that sensitive data doesn’t accidentally leave the organization (a regulatory concern), or ensuring that intellectual property isn’t intentionally taken out of the organization by the wrong people.
Once an organization decides it has data that needs protecting, it needs to consider what data needs to leave the organization, and then how that data could leave the organization. The what varies by organization: storage locations, file types, metadata? The how can be just as varied: email, web or FTP upload, removable media (CD, DVD, USB flash drives), or even printed paper. What happens if a user’s laptop is stolen? Can someone connect an unauthorized device to your network and download data?
The first step is to use existing technology such as Active Directory to control who has access to what. If your shared drives or SharePoint are set up so that all domain users have full rights to all files, the most inexpensive (although sometimes most complicated) place to begin is to lock down the file-level permissions. Restructure shared folders or SharePoint collections to use group membership, and assign users to security groups that only have access to what they need. After all, if an employee in housekeeping doesn’t have access to even open sensitive CAD drawings of your flagship product, how can they steal them?
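Before restructuring a share around security groups, it helps to know which folders currently grant rights to "everyone". The following PowerShell audit is an added example, not code from the original article; the share path and the list of broad principals are assumptions you should adapt to your own domain.

```powershell
# Added example: report folders whose NTFS ACLs grant access to broad principals
# (Everyone, Authenticated Users, Domain Users) so they can be moved to
# least-privilege security groups. Paths and principal names are assumptions.
param(
    [string]$Root  = '\\fileserver\Shared',   # assumed share path (placeholder)
    [int]   $Depth = 2                        # top-level folders matter most
)

# Identities that effectively mean "every domain user". Adjust for your forest.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', '*\Domain Users')

# Bits that allow changing, deleting or re-permissioning content.
# Read-only broad access is still worth flagging, but write access is worse.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

$folders  = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth)
$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who     = $ace.IdentityReference.Value
        $isBroad = $BroadPrincipals | Where-Object { $who -like $_ }
        if (-not $isBroad) { continue }
        $canWrite = (($ace.FileSystemRights -band $WriteBits) -ne 0)
        [pscustomobject]@{
            Path      = $dir.FullName
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited        # explicit entries need fixing at this folder
            Severity  = if ($canWrite) { 'High (write)' } else { 'Medium (read)' }
        }
    }
}

$findings | Sort-Object Severity, Path | Format-Table -AutoSize
# Keep a CSV so remediation (new security groups, removed broad ACEs) can be tracked.
$findings | Export-Csv -Path .\share-acl-audit.csv -NoTypeInformation
```

Run it again after restructuring; an empty report means no folder under the root still grants rights to the broad principals listed.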
The next step is to ensure that your employee handbooks or acceptable use policies are up to date. Spell out the penalties for a data breach and outline your internal procedures for protecting data. Ensure your users understand and acknowledge that sharing passwords or leaving their computer unlocked are not acceptable actions.
Finally, consider different enforcement technologies. Look at all the hows and determine the risk level of each. Microsoft Exchange Server 2013 (including Office 365 and Exchange Online) offers basic Data Loss Prevention policies. Go even deeper with a solution such as Proofpoint Enterprise Privacy and filter all outbound email for keywords. Decide whether data may leave to approved parties in encrypted form, or whether such emails are not allowed at all. Use a Mobile Device Management product so that you can wipe email off a phone or tablet if it is stolen or the employee is terminated.
Consider implementing disk-based encryption such as Symantec PGP or McAfee Endpoint Encryption to ensure that stolen laptops and tablets cannot be booted. Use hardware-encrypted flash drives, then use a product such as GFI Endpoint Protection to verify that no other removable media can be used on your network. Look at a Network Admission Control solution such as Cisco’s, or configure Windows Network Policy Server to work with your existing 802.1X-capable switches and wireless access points, to make sure unauthorized computers, laptops, or tablets can’t access your network. Install a Barracuda web filter or EdgeWave iPrism to restrict access to file-upload sites such as Dropbox or other FTP sites.