DLP controls

Preventative controls for addressing data loss issues are generally in the form of monitoring activities and appropriate actions. For each of the data states, various types of controls are required to ensure security.

Data breach or loss can happen in any of the three states, that is, data in motion, data at rest, or data in use. Controls to prevent data loss can be either preventative or detective. Preventative controls include access restrictions based on the classification of the data. However, a 100% preventative environment is not feasible as the information technology components are heterogeneous in nature. Since different products and technologies from different vendors are used, a uniform policy to prevent data breach may be difficult to implement.

Data loss is an incident. An attempt, whether malicious or inadvertent, to steal data or cause data to be exposed should be identified through proper incident management controls and appropriate actions have to be taken based on the criticality of the data.

Generally, DLP controls are based on the following:

  • What is the sensitivity or value of the information?
  • Who is causing the incident?
  • What actions were carried out by the individual to cause such an incident?
  • Who else is involved and where?
  • What action is taken?

For example, a user may be attaching a document containing confidential data or PII to a web mail site, or saving company confidential financial information to a USB stick. Such incidents require appropriate controls and actions to detect and prevent data loss or leakage:

Data in motion, such as e-mails or posting to the web, requires controls, such as blocking such an attempt, warning the user, alerting the monitoring team or the owner, and/or forcing encryption for sensitive data.

Additional controls, such as informing the security team, capturing the data for investigation, and redirecting the user to the appropriate training in data-handling requirements can also be considered. If the data is malicious, then quarantining such data may be necessary. Furthermore, and based on the incident's analysis, classifying the data and/or additional supervision based on user behavior would be necessary to ensure security.

Data at rest, such as files in file servers or records in databases, may require controls, such as copying the data for analysis, moving the data to a safer location, stubbing the data with a warning file, or reclassifying the data to prevent inadvertent or unauthorized access. Besides these steps, reviewing, deleting malicious files, or capturing the event are some of the additional actions that can be considered.

Data in use is data that is being printed or saved to external devices, such as USB or portable hard disks. Suitable controls include blocking such activities, supervising the activity, forcing encryption, and informing the monitoring team.

Furthermore, actions such as warning the user about the security policies, capturing the data being copied for further analysis, and reclassification can be used to strengthen the control environment.
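The per-state controls above can be expressed as a small policy engine. The following is an added illustration, not code from the book or from any DLP product; the state names, channel labels, the "confidential" threshold and the repeat limit are constructed assumptions, and the `enforceable` flag models channels that can only be monitored, not blocked.

```python
from dataclasses import dataclass
from collections import Counter

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "pii": 3}

# Preventative actions per data state, following the controls listed above.
PREVENT = {
    "in_motion": ["block", "warn_user", "alert_monitoring", "force_encryption"],
    "at_rest": ["copy_for_analysis", "move_to_safe_location", "stub_with_warning", "reclassify"],
    "in_use": ["block", "supervise", "force_encryption", "inform_monitoring"],
}
# Detective fallback for channels the DLP tooling cannot block (heterogeneous estate).
DETECT = ["alert_monitoring", "capture_for_investigation"]

@dataclass
class DlpEvent:
    state: str            # "in_motion", "at_rest" or "in_use"
    classification: str   # key of SENSITIVITY
    channel: str          # constructed label: "webmail", "usb", "file_server", ...
    user: str
    enforceable: bool = True   # False where the channel can only be monitored

class DlpPolicy:
    def __init__(self, threshold: str = "confidential", repeat_limit: int = 2):
        self.threshold = SENSITIVITY[threshold]
        self.repeat_limit = repeat_limit
        self.incidents = Counter()   # incidents per user, drives supervision decisions

    def decide(self, ev: DlpEvent) -> dict:
        """Answer the questions above: what (sensitivity), who, where, which action."""
        level = SENSITIVITY[ev.classification]
        if level < self.threshold:
            return {"incident": False, "actions": ["log_event"]}
        self.incidents[ev.user] += 1
        actions = list(PREVENT[ev.state] if ev.enforceable else DETECT)
        actions.append("open_incident")               # data loss is an incident
        if ev.state == "in_motion" and ev.enforceable:
            actions.append("redirect_to_training")    # data-handling training
        if self.incidents[ev.user] >= self.repeat_limit:
            actions.append("additional_supervision")  # repeat behaviour by same user
        return {"incident": True, "who": ev.user, "where": ev.channel,
                "what": ev.classification, "actions": actions}

if __name__ == "__main__":
    policy = DlpPolicy()
    print(policy.decide(DlpEvent("in_motion", "pii", "webmail", "alice")))
    print(policy.decide(DlpEvent("in_use", "confidential", "usb", "alice")))
    print(policy.decide(DlpEvent("in_motion", "public", "webmail", "bob")))
```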
