Data loss prevention

from Wikipedia, the free encyclopedia

Data Loss Prevention (DLP) is a marketing term from the field of information security. Also known as data leak or data leakage prevention, DLP grew out of "extrusion prevention" technology. From a classic point of view, DLP is one of the protective measures that directly support the confidentiality of data and, depending on its form, directly or indirectly also its integrity and accountability (the ability to attribute actions on data to a person).

"Data Loss Prevention" and "Data Leakage Prevention" are mostly used synonymously, but some specialists differentiate them in technical discussion: "Data Loss Prevention" is protection against the unwanted outflow of data that causes damage and is therefore noticed, while "Data Leakage Prevention" denotes protection against a suspected, but not measurable and in individual cases not even detectable, transfer of information to unwanted recipients.

History and origin

  • DLP products existed long before the term established itself as a generic label (avant la lettre).

Since around 2007, manufacturers of IT security solutions have used DLP to denote one or more functions of their products that serve to protect data from unauthorized access. Because many manufacturers now believe that their products offer something approximating DLP, the term covers a broad hodgepodge of different IT security technologies and measures. Depending on the technology used, more or fewer accompanying measures are required to protect confidentiality completely.

Examples: A very simple DLP solution logs the names of files written to or read from USB devices. A more comprehensive DLP solution detects every modification of confidential data, including modifications made by third-party software, and, depending on the security policy, can take actions that cannot be circumvented even by a user with administrative rights.

The first DLP solutions were used in the military and combined hardware control with software control. With hardware control, for example, a USB stick with a specific serial number can be assigned to one specific user, who is the only one allowed to write to it. The stick is of course encrypted, ideally completely transparently for all employees. The data on the stick can be read by colleagues from the same department and, of course, by line managers.

Software control regulates which applications may be executed. Because everything is standardized in government agencies, such solutions were easy to deploy there. In the private sector, on the other hand, with the exception of banks and some insurance companies, there is a diversity that cannot easily be captured with a positive (allow-list) security model.

Background

Industry, especially innovative and technically leading small and medium-sized enterprises (the Mittelstand), is affected by data theft.

In most cases it is very easy to smuggle confidential data out of a company and sell it for profit. In addition to missing or deficient IT security, sufficiently secure physical access controls are often lacking. The annual damage caused by industrial espionage in Western Europe is estimated to be in the hundreds of billions.

Since the BND's purchase of the Liechtenstein bank account data, products that serve, among other things, to protect against industrial espionage have increasingly been labelled "Data Loss Prevention". Most of these products, however, are only a small fragment of the mosaic that makes up the protection of confidentiality. Because of the technical limitations of most products, not all transmission paths needed for daily work can be secured, or only very few file types are supported. Often the protective measures are also not granular enough: there is only "on" or "off", but not "Group A is allowed, under the condition that ...". Many DLP products, for example, no longer work once a file is renamed or compressed.
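The last two limitations, a type filter that stops working after a rename and no inspection inside archives, are what a content-aware classifier is meant to address. The following Python example is added here to illustrate that point; it is not part of the Wikipedia article and does not describe any particular product. It assumes two constructed detectors (a "CONFIDENTIAL" marker and a 13 to 16 digit payment card number validated with the Luhn check) and a constructed sample document, sniffs the ZIP magic bytes instead of trusting the extension, and recurses into nested archives with a depth cap and a per-member size cap.

```python
import io
import re
import zipfile

# Constructed detectors for this example (not from the article): a textual
# classification marker and a 13-16 digit payment card number validated with Luhn.
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3                  # nested archives deeper than this are reported, not opened
MAX_MEMBER_BYTES = 10_000_000  # declared size cap per member (defence against zip bombs)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to weed out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of detector names that fire on decoded text."""
    hits = set()
    if MARKER_RE.search(text):
        hits.add("marker")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.add("pan")
    return hits


def classify_blob(data: bytes, depth: int = 0) -> set:
    """Classify by content only: the filename and extension are never consulted."""
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_DEPTH:
            return {"archive-too-deep"}
        hits = set()
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        hits.add("oversize-member")
                        continue
                    hits |= classify_blob(zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            hits.add("unreadable-archive")
        return hits
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        text = data.decode("latin-1")
    return classify_text(text)


def extension_is_document(filename: str) -> bool:
    """The naive check many products stop at: inspect only 'document' extensions."""
    return filename.lower().rsplit(".", 1)[-1] in {"txt", "doc", "docx", "xls", "xlsx", "pdf"}


def scan(filename: str, data: bytes) -> dict:
    """Compare the extension-based decision with the content-based one."""
    return {
        "filename": filename,
        "extension_filter_would_inspect": extension_is_document(filename),
        "content_hits": sorted(classify_blob(data)),
    }


def zip_bytes(member_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample document: a marker, a Luhn-valid test card number and an
# order reference that has a plausible length but fails the Luhn check.
SAMPLE_DOC = (
    b"CONFIDENTIAL - Q3 pricing\n"
    b"Customer card: 4111 1111 1111 1111\n"
    b"Order ref: 1234567890123\n"
)
RENAMED = ("holiday.jpg", SAMPLE_DOC)  # renamed to dodge a type filter
NESTED = ("backup.bin", zip_bytes("inner.zip", zip_bytes("holiday.jpg", SAMPLE_DOC)))

if __name__ == "__main__":
    for name, data in (("pricing.txt", SAMPLE_DOC), RENAMED, NESTED):
        print(scan(name, data))
```

Run stand-alone, the script shows the extension filter waving through `holiday.jpg` and `backup.bin` while the content classifier reports the same two hits for the plain file, the renamed file and the doubly zipped file. The depth and size caps matter in practice: an agent that unpacks archives without limits turns into a denial-of-service target.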

Settling for technically inadequate solutions is a drop in the ocean; taking the matter seriously, on the other hand, means that technical limitations inevitably lead to changes in all work processes involving confidential data throughout the company. The protection of the confidentiality of information is described comprehensively in an information security management system. Approached in this way, data loss prevention touches almost all classic security systems in an organization and aims far more at perfecting security measures introduced long ago than at introducing new, specialized products. The existing systems such as identity management, encryption, monitoring and access control must nevertheless be complemented by the DLP approach and by a uniform management system geared towards DLP purposes. Viewed this way, the protection of information goes much further than if only data were considered.

It makes sense to involve an organization's loyal employees in the measures for data loss prevention and, in particular, to arm them against espionage attacks through training. This applies all the more because ever-improving protection technology increasingly drives spies to manipulate people directly through social engineering. Effective training must, however, take into account that social engineering puts the targeted persons under massive pressure, which makes it difficult for victims to proceed systematically and makes it necessary to learn specific evasive techniques.

When introducing and implementing data loss prevention in a company, careful coordination with data protection regulations and the personal rights of employees is required in order to avoid violating these rules and rights. If it becomes known that a company is violating relevant rights, it can suffer considerable reputational damage.

Technical details

From a technical point of view, all conceivable data theft scenarios can be covered with modern DLP. Reading from and writing to all removable media is supported, e.g. USB sticks and optical drives, as are transfers over transient channels such as email or file uploads. Depending on the integration, even cut & paste and print screen can be prevented. There are also approaches to proactively identify data leaks through static code analysis. Only filming or photographing the screen is very difficult, if at all possible, to prevent.

Hardware and software

DLP products are either pure software or modules made up of software and hardware.

There are modules for the network and also extensions to existing security technology. They work as a proxy or sniffer, or as add-ons for existing proxies or mail filters. These modules currently have the lowest detection rate, support the fewest file formats and are the easiest to bypass. And since everyone knows that every single email is logged, spies are guaranteed not to send unencrypted content by email.

Because most encryption solutions give the user the right to decrypt the data with a password, whether protection is maintained depends on the voluntary cooperation of each individual.

An effective DLP solution can only be agent-based. In principle, it is intelligently controlled encryption. First of all, the software itself must be secure: it must not have been compromised beforehand, and it must treat the computer as one functional unit. In addition to encryption, further functions must be available that regulate how particular users handle particular data. The functions required of a DLP solution are:

  • Document what was done with particular data,
  • Inform the user and raise awareness of handling confidential data, e.g. through a pop-up,
  • Obtain a confirmation from the user, e.g. through an input field in the pop-up,
  • Block any action that can be performed on the data,
  • Alert.

DLP agents on workstations and on servers holding sensitive data are always managed centrally. Specific rights are granted to user groups or individual users on the administration console. With most products, however, these rights cannot be fine-tuned. It must therefore always be checked whether a product actually meets the requirements; otherwise the company would have to adapt to the limitations of the DLP solution, e.g. by no longer being allowed to use certain file types.
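The five functions listed above, the group-specific rights of the form "Group A is allowed, under the condition that ..." mentioned in the background section, and the serial-number-bound encrypted USB stick described under history together amount to a policy engine inside the agent. The Python example below is added here to show how such an engine can be structured; it is not taken from the article or from any product. The rule set, the user groups, the device registry with its serial numbers and the events are all constructed for the example. The two design points it insists on are first-match rule order, so that a narrow permission can precede a broad prohibition, and default deny for confidential data that no rule explicitly permits.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Optional


class Action(Enum):
    LOG = auto()      # document what was done with the data
    NOTIFY = auto()   # inform the user, e.g. through a pop-up
    CONFIRM = auto()  # require an acknowledgement or justification from the user
    BLOCK = auto()    # prevent the action altogether
    ALERT = auto()    # raise an alert for the security team


@dataclass(frozen=True)
class Event:
    """One attempted operation on data, as reported by the agent."""
    user: str
    groups: frozenset
    classification: str             # "public", "internal" or "confidential"
    channel: str                    # "usb", "email", "print", "clipboard", ...
    encrypted: bool = False
    device_serial: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    classification: str
    channel: str                    # "*" matches every channel
    actions: frozenset
    group: Optional[str] = None     # None = applies to all users
    condition: Callable[[Event], bool] = lambda e: True

    def matches(self, e: Event) -> bool:
        return (self.classification == e.classification
                and self.channel in ("*", e.channel)
                and (self.group is None or self.group in e.groups)
                and self.condition(e))


# Constructed device registry: encrypted sticks enrolled per user by serial number.
REGISTERED_STICKS = {"alice": {"SN-0001"}, "bob": {"SN-0002"}}


def registered_encrypted_stick(e: Event) -> bool:
    return e.encrypted and e.device_serial in REGISTERED_STICKS.get(e.user, set())


DENY = frozenset({Action.BLOCK, Action.ALERT, Action.LOG})

# Constructed rule set. Order matters: the first matching rule wins, so the
# narrow permission for finance comes before the broad prohibition.
POLICY = [
    Rule("finance-usb-own-stick", "confidential", "usb", frozenset({Action.LOG}),
         group="finance", condition=registered_encrypted_stick),
    Rule("confidential-usb-other", "confidential", "usb", DENY),
    Rule("confidential-email", "confidential", "email", DENY),
    Rule("internal-email-confirm", "internal", "email",
         frozenset({Action.NOTIFY, Action.CONFIRM, Action.LOG})),
    Rule("public-any", "public", "*", frozenset({Action.LOG})),
]


def evaluate(policy, e: Event):
    """Return (rule name, actions). Confidential data no rule permits is denied by default."""
    for rule in policy:
        if rule.matches(e):
            return rule.name, set(rule.actions)
    if e.classification == "confidential":
        return "default-deny", set(DENY)
    return "default-log", {Action.LOG}


# Constructed events.
ALICE_OWN_STICK = Event("alice", frozenset({"finance"}), "confidential", "usb",
                        encrypted=True, device_serial="SN-0001")
ALICE_FOREIGN_STICK = Event("alice", frozenset({"finance"}), "confidential", "usb",
                            encrypted=True, device_serial="SN-9999")
CAROL_EMAIL = Event("carol", frozenset({"sales"}), "confidential", "email")
CAROL_INTERNAL_EMAIL = Event("carol", frozenset({"sales"}), "internal", "email")
BOB_CLIPBOARD = Event("bob", frozenset({"engineering"}), "confidential", "clipboard")

if __name__ == "__main__":
    for ev in (ALICE_OWN_STICK, ALICE_FOREIGN_STICK, CAROL_EMAIL,
               CAROL_INTERNAL_EMAIL, BOB_CLIPBOARD):
        name, actions = evaluate(POLICY, ev)
        print(f"{ev.user:>6} {ev.classification:>12} via {ev.channel:<9} -> {name}: "
              + ", ".join(sorted(a.name for a in actions)))
```

Note what the engine needs to decide: the user's groups, the data classification, the channel and the device serial number. An agent on the endpoint has all of these; a network proxy or mail filter sees neither the device nor, for encrypted traffic, the content, which is the gap the preceding paragraphs describe.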

Legal limits

The introduction of DLP in a company raises significant privacy concerns. In particular, employee data protection must be taken into account.

References and comments

  1. Vontu, founded in December 2001
  2. Data theft: SMEs are particularly at risk. In: Deutsche Handwerkszeitung, August 28, 2007
  3. Johannes Wiele: Data Loss Prevention: From Leak to Valve. In: Lanline 3/2009
  4. Axel Mario Tietz: Data Leakage Prevention. In: Patrick Horster, Peter Schartner (eds.): DACH Security 2009 - Inventory, Concepts, Applications, Perspectives. ISBN 978-3-00-027488-6, pp. 42–48 (conference proceedings of the DACH Security Conference 2009, Bochum)
  5. Bettina Wesselmann: Internal counterintelligence. In: kes 1/2011, pp. 66–69 (kes online under "kes aktuell / Current Issue / Employees vs. Espionage")
  6. Detecting Data Leaks in SAP - The Next Level of Static Code Analysis (PDF; 2.1 MB; archived from the original on October 24, 2014 in the Internet Archive). Conference: IT Defense, January 31, 2013
  7. datenschutzzentrum.de (archived from the original on March 5, 2016 in the Internet Archive)