Every organization generates and manages, to a greater or lesser extent, sensitive information stored in different locations: User computers, document managers, cloud storage, file servers, etc.
On the one hand, organizations need to prevent internal threats: Information extracted by employees leaving the organization, loss of information through suppliers or the supply chain, etc. Many organizations believe that this problem only affects large government agencies and other entities that manage very sensitive information, but this type of leakage is a bigger problem than most companies believe and a one of the type of leaks that generates more costs to organizations according to the Ponemon Institute.
In addition, organizations are subject to data protection regulations such as the EU-GDPR, PCI in the financial sector, etc. Suffering a data leak or a breach of one of these regulations can be very costly for an organization, as demonstrated by the recent examples of British Airways (£183M) and Marriott (£ 99M) involving the loss/theft of data of millions of users.
Faced with this problem, many CISOs or CIOs have to decide which technologies to use in order to avoid or mitigate a potential sensitive date leak.
Two of the technologies that are usually considered are DLP (Context-Aware Data Loss Prevention) and IRM (Information Rights Management).
This article explains how both technologies can help prevent data leaks, their differences and how they can complement each other.
DLP – Data Loss Prevention / Data Leak Prevention
A DLP solution tries to prevent the leakage or loss of sensitive data in different ways. On the one hand, when data is in storage, by scanning the file servers, endpoints, etc. and locating or classifying sensitive data. Also in transit, when documentation or sensitive data is moving through the network, to removable devices, etc. And finally while the data is in use, controlling whether or not a user of the corporate network has access to it. Usually, hackers try to find personal, financial, intellectual property, data and the like based on pre-established dictionaries.
DLP is like a “policeman” located at the network exit, computer ports and check what is trying to leave and who is trying to extract it from the network perimeter. It also monitors network repositories for sensitive data that is breaching some type of corporate rule.
Although this is tremendously powerful technology, it has to overcome significant challenges in protecting sensitive data:
- How can it efficiently determine what can leave and what can’t?
- Is it possible to efficiently “close” all of the possible exit points of company data or control them?
- Can I control all types of company devices including mobile phones, the cloud, etc.?
- And what if something leaves the network and escapes the control of this “policeman?” Can I restrict access?
Traditional DLP solutions can only examine what is trying to leave and decide whether or not it should leave. It is a binary process. However, day-to-day situations are not “binary”. It is very difficult for an IT professional to define policies that describe requirements for data leaving the organization in an efficient manner without generating a number of “false positives”. If the data or the information is not classified, it is difficult to respond effectively. That is why in many it is first necessary to classify or catalogue the data, indicating to the DLP what repositories to scan and determining what is confidential and what is not.
This requires the IT Department to make considerable effort during the configuration, classification and policy management of the DLP in order to refine them sufficiently and generate the minimum number of false positives. However, keep in mind that it is difficult for an IT department to determine what is confidential and what is not. The users who work daily with this data are the ones who really know what is important and should be protected and what is not.
Another challenge is what happens with the documents once they have been distributed. Once the data is outside of the organization, nothing prevents the recipients from forwarding it to unauthorized users, saving it on USBs, etc. This also applies to mobile devices, where the approach to protection tends to be “all or nothing”. Companies often delegate control of data on mobile devices to MDM applications to prevent certain data from being opened outside of corporate or controlled applications.
By requiring a refined management of policies and classification, companies usually start with a “monitoring” phase to detect what type of data leaves the network, before moving on to a “blocking” phase. If the policy is refined, the control of outgoing data will be efficient and blocking processes won’t generate false positives. If not, the noise generated in the organization due to the blocking of data that should be accessible or that should be sent may be significant.
To summarize, DLP tools are very powerful and can classify, monitor and block the output of sensitive data from the network, but the effort require to implement them, refine them and avoid false positives should not be underestimated. Finally, although they protect the “perimeter” of the network, the data may be transferred anywhere.
IRM – Information Rights Management
This technology, within the scope of Data-Centric Security, enables a form of protection to be applied to files that travels with the files wherever they go. It is also known as E-DRM (Enterprise Digital Rights Management) or EIP&C (Enterprise Information Protection & Control).It makes it possible to monitor who accesses the files, when they do so, and whether anybody tries to access without permission, whether the files are inside or outside the organization. Permissions can also be restricted on documents (only Read, Edit, Print, Copy and Paste, etc.). You can revoke access to files in real time if you don’t want certain people to access them again.
When you send a document to someone, within 3 minutes it might have been printed, sent to 5 other people who in turn have sent it to 10 more and made changes to it. We only own the document at the time we create it, but once it is shared, the document ceases to have an owner and the recipient can do whatever they want with it. This is one of the problems that this technology tries to resolve: To ensure that a user continues to be the owner of the data regardless of who it has been shared with.
Bearing in mind how difficult it is to determine the perimeter of the corporate network, the IRM’s approach is to apply a layer of protection to the data that can be controlled even if it is no longer in the network, whether it is in a cloud, on a mobile device, etc.
If the data reaches someone it shouldn’t of whom you consider shouldn’t have access to it, you can revoke the access remotely. You can set expiry dates for documents. Give users more or fewer permissions in real time (Edit when before they could only Read, or restrict the permission to read-only if we don’t want them to edit or print).
An advantage of this type of solution is the ease with which it can be implemented allowing you to start using it efficiently from day one and enabling you to encrypt and control the sensitive data that the company manages internally or with third parties.
One of the main challenges of this technology making it easy for users to use so that they can manage protected data almost as if it were unprotected data. Also, making it compatible with the applications that users use on a regular basis, such as Office, Adobe, AutoCAD or making it compatible with the repositories of information that organizations usually use: File Servers, SharePoint, Office 365 Cloud applications, G-Suite, Box, etc.
Another challenge of IRM solutions is automatic protection. That is, the protection of data regardless of the user’s decision to do so. In this case, the automatic protection of folders on file servers, or document managers is especially useful.
Also in this regard, integration with a DLP tool can be very useful and provide the perfect combination.
How can DLP and IRM complement each other?
As mentioned, the administrator can establish rules to identify sensitive information using the DLP tool. Once detected, in storage, transit or in use, the administrator can apply a remedial action such as creating a log, blocking access, deleting the file, etc.
Through integration with the IRM, the DLP can establish the automatic protection of the file as a remedial action using an IRM protection policy. For example, if an endpoint, or a network folder is scanned and any credit card data, personal information, etc. is detected in the documents, the DLP can ensure they are automatically protected with an “Internal Use” policy so that only people in the domain or certain departments can access it.
What advantages does this integration provide? Below are some of the advantages:
- Sensitive documents can protect themselves without relying on user action.
- These will be protected whether they are transferred inside or outside the corporate network.
- You can monitor their access regardless of where they are.
- You can revoke access to sensitive data even if it is outside the organization.
SealPath can protect information easily and efficiently by integrating with the main DLP solutions on the market such as ForcePoint, McAfee or Symantec, facilitating the protection of sensitive data in the organization and its control regardless of where it is.
SealPath is focused on creating the best user experience, integrating with users’ normal work tools, offering a product specially designed for large companies and integrated with a multitude of corporate systems such as DLPs, SIEMs, Office 365, SharePoint, G-Suite, Alfresco, OneDrive, etc.
Would you like to see a demo of how SealPath integrates with DLPs? Contact us here.