In our previous post, we discussed how remote work strategies and unfettered access to data files have increased the risk of data loss and leakage. Data loss prevention (DLP) can reduce this risk by identifying sensitive information, monitoring its use and transmission, and enforcing policies governing its protection.
A DLP solution could, for example, spot bank account information in an email attachment. Depending upon the policy rules, the solution could pop up a warning, prevent the user from sending the file or require that the file be encrypted.
To get to this point, you have to know what sensitive data you have and establish policies for the governance of that data. DLP solutions do some of the work for you by discovering sensitive data across your environment. However, you still have to classify the data and develop information workflows for managing data throughout its lifecycle. Although this can be a complex exercise, it helps you adhere to security, regulatory and legal requirements.
The Classification Process
Data volumes are exploding and very little of the data fits neatly into a database that is easily searched. The vast majority is unstructured data generated in word processing documents, email, texts, instant messages, videos and images.
When data is difficult to organize, process and search, it becomes difficult to prioritize for protection. How much sensitive data do you have? Where and how is it being stored and shared? If you can’t answer these questions, developing a data protection strategy becomes far more complicated.
Data classification is the process of organizing data into defined categories so it can be easily found, accessed, managed and secured. This process should be based on a formal policy that defines the criteria for classifying data, the roles and responsibilities of those who manage each category, category-specific rules for handling data, and lifecycle requirements. On the most basic level, data is typically classified as restricted, private or public, although many organizations have additional, more specific categories.
There are a number of technology tools that allow you to use tags and labels to classify data based on type, confidentiality requirements, location and other criteria. Data can then be managed according to the policies defined for each category. DLP tools can force some action based upon the classification to ensure that sensitive data is accessed and shared according to business and regulatory requirements.
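To make the two ideas above concrete, the email-attachment scenario at the top of the post and the label-then-enforce model just described, here is a small added example, written for this post and not taken from any DLP product. It assumes the three basic tiers (public, private, restricted), two hypothetical detectors (an IBAN-style bank account number, confirmed with the standard mod-97 check so that look-alike strings are not flagged, and an email address), and a constructed policy table that maps each tier and sharing channel to an action (allow, warn, encrypt, block). The sample documents are constructed for the demo.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Classification tiers, least to most sensitive (the post's three basic levels).
PUBLIC, PRIVATE, RESTRICTED = "public", "private", "restricted"
RANK = {PUBLIC: 0, PRIVATE: 1, RESTRICTED: 2}

# Actions a DLP policy can take when classified data crosses a channel.
ALLOW, WARN, ENCRYPT, BLOCK = "allow", "warn", "encrypt", "block"

# Candidate IBAN: country code, two check digits, 11-30 alphanumerics, optionally
# written in space-separated groups. A pattern alone over-matches, so every hit is
# confirmed with the ISO 13616 mod-97 checksum before it counts as a finding.
IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def iban_checksum_ok(candidate: str) -> bool:
    """Move the first four characters to the end, map letters A-Z to 10-35,
    and check that the resulting integer is congruent to 1 modulo 97."""
    rearranged = candidate[4:] + candidate[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass
class Finding:
    kind: str    # which detector fired
    value: str   # the matched value (normalised)
    label: str   # the tier the detector assigns


def find_sensitive(text: str) -> list[Finding]:
    """Run the detectors over free text and return confirmed findings."""
    findings: list[Finding] = []
    for m in IBAN_CANDIDATE.finditer(text):
        compact = m.group().replace(" ", "")
        if iban_checksum_ok(compact):          # drop checksum failures (look-alikes)
            findings.append(Finding("iban", compact, RESTRICTED))
    for m in EMAIL.finditer(text):
        findings.append(Finding("email", m.group(), PRIVATE))
    return findings


def classify(text: str) -> str:
    """A document inherits the highest tier of anything found inside it."""
    findings = find_sensitive(text)
    if not findings:
        return PUBLIC
    return max((f.label for f in findings), key=RANK.__getitem__)


# Constructed policy table: channel -> tier -> action. A real policy would come
# from the organisation's classification standard, not from code.
POLICY = {
    "internal_share":  {PUBLIC: ALLOW, PRIVATE: ALLOW, RESTRICTED: WARN},
    "external_email":  {PUBLIC: ALLOW, PRIVATE: WARN,  RESTRICTED: ENCRYPT},
    "external_upload": {PUBLIC: ALLOW, PRIVATE: WARN,  RESTRICTED: BLOCK},
}


def evaluate(text: str, channel: str) -> tuple[str, str]:
    """Classify the content, then look up the action the policy requires
    for sending it over the given channel."""
    label = classify(text)
    return label, POLICY[channel][label]


# Constructed sample documents. The IBAN in "wire" is the well-known GB example
# value with a valid checksum; "lookalike" differs in its last digit and fails it.
SAMPLES = {
    "newsletter": "Our quarterly newsletter is now available on the public website.",
    "contact":    "Reach the project lead at jane.doe@example.com for details.",
    "wire":       "Please wire to GB82 WEST 1234 5698 7654 32 by Friday.",
    "lookalike":  "Reference GB82WEST12345698765433 is an order code, not an account.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for channel in POLICY:
            label, action = evaluate(text, channel)
            print(f"{name:10s} {channel:15s} -> {label:10s} {action}")
```

The point worth noticing is the `lookalike` document: it matches the account-number pattern but fails the checksum, so it stays public and the user is not interrupted. Tuning detectors to avoid that kind of false positive is a large part of making a DLP rollout tolerable for the people who have to live with it, which is why the classification policy and the detection rules need to be designed together rather than bolted on afterwards.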
The Human Element
Of course, data is constantly being created, stored, moved and deleted. Data classification isn’t a one-time event but rather an ongoing process that should be ingrained in company culture. Everyone in the organization must understand why the data classification system has been implemented and why it must be maintained.
Full-lifecycle management of data begins with identifying data owners and defining their roles and responsibilities. The data owners need to understand the categories being used, how to classify sensitive data and which users should be given access.
Information workflows should be established so that data can be properly managed with minimal impact on business processes. In developing workflows, it’s important to consider how they will affect employees who use various data categories. The workflows should include procedures for granting temporary access when needed to minimize exceptions.
Legal and regulatory compliance requirements should be integrated with the information workflows. For example, the European Union General Data Protection Regulation (GDPR) gives individuals the right to request access to their data, and organizations must respond to these requests within one month. Emerging privacy laws have similar provisions. If data is classified correctly and data management processes are in place, compliance should be straightforward.
Before evaluating DLP tools, you should begin establishing a data classification system and information workflows. DLP is one element in an overarching strategy for protecting and managing sensitive data across its lifecycle.