Data loss prevention software


Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest.
The terms "data loss" and "data leak" are related and are often used interchangeably. Data loss incidents turn into data leak incidents in cases where media containing sensitive information is lost and subsequently acquired by an unauthorized party. However, a data leak is possible without losing the data on the originating side. Other terms associated with data leakage prevention are information leak detection and prevention, information leak prevention, content monitoring and filtering, information protection and control and extrusion prevention system, as opposed to intrusion prevention system.

Categories

The technological means employed for dealing with data leakage incidents can be divided into categories: standard security measures, advanced/intelligent security measures, access control and encryption and designated DLP systems, although only the latter category are currently thought of as DLP today.

Standard measures

Standard security measures, such as firewalls, intrusion detection systems and antivirus software, are commonly available products that guard computers against outsider and insider attacks. The use of a firewall, for example, prevents the access of outsiders to the internal network and an intrusion detection system detects intrusion attempts by outsiders. Inside attacks can be averted through antivirus scans that detect Trojan horses that send confidential information, and by the use of thin clients that operate in a client-server architecture with no personal or sensitive data stored on a client device.

Advanced measures

Advanced security measures employ machine learning and temporal reasoning algorithms to detect abnormal access to data or abnormal email exchange, honeypots for detecting authorized personnel with malicious intentions and activity-based verification and user activity monitoring for detecting abnormal data access.

Designated systems

Designated systems detect and prevent unauthorized attempts to copy or send sensitive data, intentionally or unintentionally, mainly by personnel who are authorized to access the sensitive information. In order to classify certain information as sensitive, these use mechanisms, such as exact data matching, structured data fingerprinting, statistical methods, rule and regular expression matching, published lexicons, conceptual definitions, keywords and contextual information such as the source of the data.

Types

Network

Network technology is typically installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies. Multiple security control points may report activity to be analyzed by a central management server.

Endpoint

Endpoint systems run on internal end-user workstations or servers. Like network-based systems, endpoint-based technology can address internal as well as external communications. it can therefore be used to control information flow between groups or types of users. They can also control email and Instant Messaging communications before they reach the corporate archive, such that a blocked communication will not be identified in a subsequent legal discovery situation. Endpoint systems have the advantage that they can monitor and control access to physical devices and in some cases can access information before it is encrypted. Endpoint systems also have access to the information needed to provide contextual classification; for example the source or author generating content. Some endpoint-based systems provide application controls to block attempted transmissions of confidential information and provide immediate user feedback. They must be installed on every workstation in the network, cannot be used on mobile devices or where they cannot be practically installed.

Data identification

DLP includes techniques for identifying confidential or sensitive information. Sometimes confused with discovery, data identification is a process by which organizations use a DLP technology to determine what to look for.
Data is classified as either structured or unstructured. Structured data resides in fixed fields within a file such as a spreadsheet, while unstructured data refers to free-form text or media in text documents, PDF files and video. An estimated 80% of all data is unstructured and 20% structured.

Data leak detection

Sometimes a data distributor gives sensitive data to one or more third parties. Sometime later, some of the data is found in an unauthorized place. The distributor must then investigate the source of the leak.

Data at rest

"Data at rest" specifically refers to old archived information. This information is of great concern to businesses and government institutions simply because the longer data is left unused in storage, the more likely it might be retrieved by unauthorized individuals. Protecting such data involves methods such as access control, data encryption and data retention policies.

Data in use

"Data in use" refers to data that the user is currently interacting with. DLP systems that protect data in-use may monitor and flag unauthorized activities. These activities include screen-capture, copy/paste, print and fax operations involving sensitive data. It can be intentional or unintentional attempts to transmit sensitive data over communication channels.

Data in motion

"Data in motion" is data that is traversing through a network to an endpoint. Networks can be internal or external. DLP systems that protect data in-motion monitor sensitive data traveling across a network through various communication channels.