To any business or corporation, information and data are the lifeblood of daily operations. This includes market intelligence about your competitors, sensitive customer information (such as contact details, credit card and banking numbers, etc.) and even your own internal data. Safeguarding all of this data is a must, not only against outside intrusion, but also by ensuring that only authorized employees have access to it.
This is technically known as “Data Loss Prevention,” or “DLP” for short. A specific definition is as follows:
“[Data Loss Prevention] is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business critical data and identifies violations of policies . . . typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. Once those violations are identified, DLP enforces remediation with alerts, encryption, and other protective actions to prevent end users from accidentally or maliciously sharing data that could put the organization at risk.”
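The definition above describes the three moving parts of a DLP product: classify the data, identify a policy violation, and remediate. The following added example (not from the original post or any particular DLP vendor) shows that loop for one PCI-DSS data class, credit card numbers: a loose pattern finds candidate digit runs, a Luhn checksum discards random digits that merely look like card numbers, and remediation masks the matches. The sample text and card numbers are constructed test values, not real accounts.

```python
import re
from dataclasses import dataclass

# Candidate primary account numbers: 13-16 digits, optional single space or
# dash between digits. Deliberately loose; the Luhn check supplies precision.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    category: str  # policy class the match falls under (here: PCI-DSS)
    start: int
    end: int
    masked: str    # what the remediated value looks like (last four kept)


def scan(text: str) -> list[Finding]:
    """Classify card numbers in text, ignoring Luhn-invalid digit runs."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("PCI-DSS", m.start(), m.end(), masked))
    return findings


def remediate(text: str) -> tuple[str, list[Finding]]:
    """Mask every finding in place and return the new text plus the findings."""
    findings = scan(text)
    out = text
    for f in reversed(findings):  # right to left so earlier offsets stay valid
        out = out[:f.start] + f.masked + out[f.end:]
    return out, findings


# Constructed sample: an order number that is NOT a card (fails Luhn) and a
# well-known Luhn-valid test card number.
SAMPLE = ("Order #1234 5678 9012 3456 shipped. "
          "Customer paid with card 4111 1111 1111 1111, contact jane@example.com")
```

Running `remediate(SAMPLE)` yields one PCI-DSS finding and leaves the order number untouched, which is the false-positive control a DLP policy needs before it starts blocking mail or blocking file transfers.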
Three types of DLP Systems are used today in organizations:
- In Use Protection:
This is the information/data that authorized employees, or the organization's own software applications, work with on a daily basis. Typically, these data sets are used to deliver products and services to customers as they are requested or purchased. This type of information is normally kept encrypted so that if it were intercepted by a malicious third party, it would remain in a garbled and undecipherable state.
- In Motion Protection:
This is the information/data that is in transit across a particular network segment. Because of this dynamic nature it typically requires a higher level of encryption, to protect against eavesdropping and decryption-related attacks. The basic rule of thumb here is that the more sensitive, or the more valuable, the information/data is, the stronger the encryption that is needed to protect it.
- At Rest Protection:
This is the information/data that is not actively being used in any form, and as a result typically resides on a database server. These data sets still need some layer of encryption, but not to the level required for data that is In Use or In Motion. At this point it is important to implement the principle of “need to know” access, granting it only to those employees who need to work with these data sets.
The diagram below further illustrates these three concepts:
As we continue our series on data loss protection, our next blog will examine these three types of data sets in more detail, as well as the controls that are required to protect them.