Protecting Data with DLP
- Scott Bancroft, Principal Consultant at Capco
- 24.08.2016 10:30 am data
In today’s always-connected world, where almost all information is stored digitally, it is critical that sensitive and privacy relevant data is protected. The advent of fast communication technologies such as 4G and home broadband, ubiquitous mobile devices and the availability of free or low cost ‘Cloud’ services has resulted in easy and convenient data transfer options. Often this is in contravention of corporate policies and regulatory requirements and represents an increased risk to the company, its people and the data subjects. Loss of privacy relevant data is set to become a very big issue with the new EU General Data Protection Regulation (GDPR) on the horizon.
The European Union General Data Protection Regulation (GDPR) is the biggest change in data privacy protection for over 20 years. GDPR covers all of the EU and anywhere that does business with an EU based entity irrespective of their global location. If you want to do business with anyone in the EU, you must be GDPR compliant. Penalties for non-compliance are also severe with fines of up to €20m or 4% of group gross revenue, whichever is greater.
The recent Brexit vote in the UK changes nothing from a GDPR perspective for those who wish to do business with EU entities.
The deadline for compliance is 25 May 2018. After this the regulatory gloves will be off. This may seem a long way in the future but it is not that long given the amount that needs to be done to be able to demonstrate compliance, not just pay lip service!
Enter DLP
Data Loss Prevention (DLP) is not a new technology. It is already present in many companies, but few use it effectively.
Put simply, DLP is a combination of people, process and technology elements that can contribute to a wider security programme and assist with compliance. But like many complex security technologies DLP needs focus, resources and a clear understanding of how it works and how to deploy it to achieve your objectives effectively.
DLP can identify sensitive and privacy relevant data whether at rest, in use, or in transit - both in its content and its business context. It can warn users or take action, to prevent the data being disclosed in an unauthorised manner irrespective of whether this is malicious or accidental. Unfortunately, the identification of sensitive data can be a significant challenge due to the number of variables present across the vast number of different data types in any company. DLP can also enable the automated identification of sensitive data in a business process oriented manner. However, the effort required to tune content identifying rule sets to avoid false positives and false negatives should not be underestimated.
In legal and regulatory terms there are many factors to consider with the use of DLP. In some cases, it is mandatory to meet current and future regulations, e.g. EU GDPR, for protecting personally identifiable information. There are also considerations in the area of employee relations, unions and works councils.
Top 6 GDPR compliance requirements that DLP can help with
Can you meet the requirements? What can help you in meeting compliance? What can DLP help with?
- Controllers and processors must know the locations where personal data is stored or otherwise processed. Furthermore personal data must be erased when the purposes of use have ceased to exist – DLP Content Discovery.
- Processors do not use personal data for any other purposes beyond providing services to their customers – DLP Data in Use monitoring.
- Personal data are collected only as necessary to the purpose of use with limitations on processing of ‘special data’ and ‘sensitive data’ – DLP Data at Rest monitoring.
- Controllers must take adequate security measures to protect personal data from loss, alteration, or unauthorised processing – DLP Data in Use, at Rest and in Transit monitoring, fingerprinting.
- Controllers must prevent personal data from being uploaded to personal cloud services and personal devices (BYOD – bring your own device) or enforce the organisation’s security measures in personal clouds and devices – DLP Data in Transit.
- Controllers know the privacy and security standards the processor adheres to and assess those standards – DLP overall.
The ‘so what?’ question
DLP may be able to identify the transfer of sensitive data internally or externally. The question then becomes ‘So what do we do with this information?’
Different DLP solutions offer a variety of options. However, these can be classified into three large groups:
- Passive – No action is taken or made visible to the end user. The violation is logged on the DLP enterprise console only.
- Semi-active – Warn the user that they are, or may be, using classified data inappropriately but do not block or modify the data in any way.
- Active – Once a violation is identified a number of measures can be taken, for example:
  - Warn the user that they are, or may be, using classified data inappropriately;
  - Force an action, e.g. encryption, file quarantine or user acknowledgement of the non-compliance;
  - Prevent the data from being sent and require authorization for the transfer.
Moving to active actions is a major step as this may impact employees’ ability to perform their role. Generally, DLP deployments start with passive monitoring to help tune the content recognition and discovery rules and ensure minimum business impact. Semi-active can then be initiated, to introduce employees to the new monitoring without affecting what they are doing. Active monitoring is a big step due to the business impact this can have and concerns over end user dissatisfaction. Some DLP solutions may be able to apply active monitoring to pre-defined data types to reduce the business impact, for example only privacy relevant data.
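The rule tuning and the three response groups described above can be seen in a small sketch, added here as an illustration and not taken from any DLP product. It assumes two hypothetical data types (`payment_card`, `project_codename`), a hypothetical `PROJECT-XXXX` naming scheme, and a rollout in which only the privacy relevant type has moved to active; the Luhn checksum stands in for the kind of validation used to cut false positives from a pattern-only rule.

```python
import re
from enum import Enum

class Mode(Enum):  # the three response groups, as the actions each one triggers
    PASSIVE = ("log",)
    SEMI_ACTIVE = ("log", "warn_user")
    ACTIVE = ("log", "warn_user", "block_pending_authorisation")

# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CODENAME_RE = re.compile(r"\bPROJECT-[A-Z]{4,}\b")  # hypothetical naming scheme

def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text, validate=True):
    """Pattern match alone over-reports; validate=True drops checksum failures."""
    hits = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return [h for h in hits if not validate or luhn_ok(h)]

def find_codenames(text):
    return CODENAME_RE.findall(text)

DETECTORS = {"payment_card": find_cards, "project_codename": find_codenames}
# Assumed rollout state: only the privacy relevant type has moved to active.
POLICY = {"payment_card": Mode.ACTIVE, "project_codename": Mode.PASSIVE}

def evaluate(text):
    """Return {data_type: (match_count, actions)} for each rule that fired."""
    out = {}
    for data_type, detect in DETECTORS.items():
        hits = detect(text)
        if hits:
            out[data_type] = (len(hits), POLICY[data_type].value)
    return out

def is_blocked(text):
    return any("block_pending_authorisation" in a for _, a in evaluate(text).values())

# Constructed sample: an order reference that looks like a card number, plus a test card number.
SAMPLE = "Order ref 1234 5678 9012 3456 for PROJECT-ORION, card 4111 1111 1111 1111."

if __name__ == "__main__":
    print(find_cards(SAMPLE, validate=False), find_cards(SAMPLE))
    print(evaluate(SAMPLE), is_blocked(SAMPLE))
```

Running the untuned rule (`validate=False`) during the passive phase shows the order reference being flagged as a card number; with validation on, only the real match remains and only that data type triggers a block.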
Employees’ rights and monitoring
Whilst it is recognised under law that companies have the right to protect their business and data, it is also recognised that employees do not lose the right to privacy upon hire and also that privacy is a fundamental human right that cannot be removed. In order to manage privacy effectively with regard to DLP there is no single, simple answer that can be applied everywhere. Technology solutions alone are not enough. Companies should follow recognised best practices and deploy the right framework of policies, training, user facilities, openness, communications and executive support to effectively implement DLP and maintain employee relations.
What’s next for DLP?
Implementation of DLP can help meet all the regulatory requirements stated earlier in this discussion. It cannot, however, do this in a fully automated fashion and so requires skilled resources to perform activities and make decisions. Further value from DLP can be leveraged via a Security Information and Event Management (SIEM) system capable of cross referencing DLP information with other security relevant data sources. For example, you may have a monitoring system that tracks data going to Cloud applications or repositories. Identifying the user name and type of sensitive information sent to them, rather than just knowing that an amount of data is transferred there, can be achieved via the big data analysis capabilities of a SIEM.
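The cross referencing described above amounts to a join between two event sources. The following sketch is an added example, not code from any SIEM or DLP product: the record fields, the `.test` hostnames, the user names and the 60-second window are all assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed tolerance between the two sources' clocks

# Constructed cloud-monitoring records: volume per source and destination, no user or content.
PROXY = [
    {"ts": "2016-08-24T09:00:05", "src_ip": "10.0.0.5", "dest": "files.example-cloud.test", "bytes_out": 5_200_000},
    {"ts": "2016-08-24T09:10:00", "src_ip": "10.0.0.5", "dest": "files.example-cloud.test", "bytes_out": 300_000},
    {"ts": "2016-08-24T09:12:30", "src_ip": "10.0.0.9", "dest": "share.example-cloud.test", "bytes_out": 1_000_000},
]
# Constructed DLP events: user and data type, no volume.
DLP = [
    {"ts": "2016-08-24T09:00:01", "user": "alice", "src_ip": "10.0.0.5", "dest": "files.example-cloud.test", "data_type": "payment_card"},
    {"ts": "2016-08-24T09:12:10", "user": "bob", "src_ip": "10.0.0.9", "dest": "share.example-cloud.test", "data_type": "customer_record"},
]

def correlate(proxy, dlp, window=WINDOW):
    """Attach user names and data types to each upload by source, destination and time."""
    enriched = []
    for p in proxy:
        p_ts = datetime.fromisoformat(p["ts"])
        matches = [
            d for d in dlp
            if d["src_ip"] == p["src_ip"]
            and d["dest"] == p["dest"]
            and abs(datetime.fromisoformat(d["ts"]) - p_ts) <= window
        ]
        enriched.append({
            **p,
            "users": sorted({d["user"] for d in matches}),
            "data_types": sorted({d["data_type"] for d in matches}),
        })
    return enriched

def sensitive_bytes_by_user(enriched):
    """Total upload volume that coincided with a DLP event, per user."""
    totals = {}
    for e in enriched:
        for user in e["users"]:
            totals[user] = totals.get(user, 0) + e["bytes_out"]
    return totals

if __name__ == "__main__":
    rows = correlate(PROXY, DLP)
    for row in rows:
        print(row["dest"], row["bytes_out"], row["users"], row["data_types"])
    print(sensitive_bytes_by_user(rows))
```

The second upload stays unattributed because no DLP event falls inside the window, which is the case an analyst would review separately.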
So although DLP can be a powerful tool, implementing it is not as simple as you may think. Analysing current usage patterns will enable you to ensure that authorised facilities are provided to the end user population and reduce the business impact of DLP, especially before moving to an active prevention model.