Sergio Bertoni, the Leading Analyst at SearchInform, reflects on the future development of DLP class systems and analyzes the report by Gartner experts.
DLP systems were initially developed as solutions for data leak prevention; however, by now, they have evolved into key components of systems for the prevention of the widest range of internal threats.
Within the column, I will focus on major trends in the sphere of DLP system evolution, examine Gartner experts’ predictions, and reveal details on the essential features of an efficient solution.
“A few DLP providers are gradually coming come to understand that the traditional approach, according to which DLP systems used to develop, no longer matched the current business realities.”
Sergio Bertoni, the Leading Analyst at SearchInform
What types of DLP systems exist?
Let’s start with a description of the types of DLP systems that exist on the market. Gartner experts divide DLP systems into three major categories:
- Enterprise DLP (EDLP) solutions offer centralized policy management and reporting functionalities.
- Integrated DLP (IDLP) solutions are natively integrated within a service, such as a secure email or web gateway or an endpoint protection product.
- Cloud-native DLP solutions fundamentally address cloud DLP use cases, including SaaS application data security and public cloud data security.
Nowadays, we can witness the tendency to blur boundaries because the concept of dividing DLP systems does not meet the real needs of organizations. I believe that any more or less advanced solution should offer a complex approach. The solution that ensures the protection of email servers or web gateways solely is not efficient in the current circumstances. The decentralization, for example, between integrated DLP, which works for email and for some other components like endpoints, should not exist. An advanced DLP solution must include eDLP, integrated DLP, and cloud-native components simultaneously.
What is the core principle of a truly advanced DLP class system?
All the abovementioned approaches can be effective for dealing with specific tasks; however, overall, they do not ensure adequate protection of corporate assets.
The most advanced approach today is ensuring the protection of data at the corporate perimeter level. The DLP system should decide what parts of the infrastructure should be available for the specific workstation/user and what the legitimate access level is for this very device/user. Today, the DLP system’s major task is to prevent illicit access to data arrays containing confidential data. Technically, this is to be implemented on the basis of content attributes.
Thus, the system must be equipped with powerful analytical capabilities for performing content analysis. The functionality will ensure that users who should not have access to some type of data will not be able to access it, as the system will block attempts to access the prohibited types of data. It should not matter which device is used—corporate or non-corporate—the system must implement flexible, precise limitations in both cases.
In real life, blocking must be flexible; it is often not enough to completely restrict access. It is a widely spread scenario when you need to allow a user to access data, but in a limited (secure) manner. In this regard, it’s an efficient option to grant permission to perform such operations as data processing and transmission only within the corporate perimeter, but if the user accesses data via personal device, simply prohibit such operations.
Briefly speaking, a user simply must not have access to data that is not intended for him/her under any circumstances.
The main task is to prevent the occurrence of the situation when there is a risk, which can be mitigated with the help of an endpoint agent deployed on the user’s workstation. A user simply must not have access to confidential data that is not meant for them under any circumstances. I will illustrate the idea with an example. A link is provided to the user to access the files stored in the cloud. If the file contains some confidential data and the endpoint agent is not deployed on the workstation, the user still should not get access to the file. This is only achieved when an approach such as ensuring the protection of data at the corporate perimeter level is adopted.
Revealing the limitations of traditional approaches
Think about an email system, the basic channel of corporate data transmission. For an advanced DLP system, it does not matter how exactly to control information transferred via this channel. It does not matter whether it is a cloud-based email or email server deployed within the corporate infrastructure. The control may be implemented through direct integration with this service with the help of an agent deployed on the device and on the network level. All options should be available in the solution to enable customers to choose how to deal with the risk at each stage.
One more example. Let’s suppose that a DLP solution vendor sees the risk of data leakage via cloud storage as the most significant. In this case, it is of crucial importance to equally reliably protect all types of cloud storage. For example, commercial cloud services, such as Dropbox, Google Drive, and Synology, which are deployed locally at the customers’ side, or cloud storages, which have servers deployed within the corporate infrastructure, should be protected at different levels simultaneously: on the network level, on the level of the agent, and on the integration level. An advanced DLP system has the components for protection at all levels, not just one.
What’s more, the task of ensuring email security corresponds with the general logic of the integrative DLP solution work process. It does not matter if the DLP system is implemented for protection of corporate email, messenger, storage, SAN, CRM system, task tracker, or something else used for keeping data. Data from all the sources is transmitted to DLP via various integrations and is analyzed by the system.
The same is true for the endpoint DLP approach. This approach ensures reliable protection against a wide range of threats, including preventing data leakage through removable media such as USB drives, identifying and controlling sensitive data that has been uploaded through a browser, and preventing sensitive information from being transferred to a clipboard or to applications. However, in some cases, the approach is useless. For example, if the bring-your-own-device approach is implemented in the organization or if employees work with documents kept in cloud services, which are available from any device, endpoint protection turns out to be inefficient. If employees can use their own devices and the organization is protected with Endpoint DLP, the organization may face limitations that prevent ensuring reliable protection. It is typically required to receive the user’s permission for ensuring control (for deploying the DLP agent on the employee’s personal device). Obviously, not all employees would agree with this; besides, such actions may even violate some countries’ regulatory acts. Thus, there is a chance that the organization will not only fail to protect confidential data but will also violate local legislation.
What are the other major attributes of the next-generation DLP system?
Let’s get back to the guide by Gartner experts. One of the key recommendations provided by the analysts is the convergence of DLP with insider risk management platforms.
A few DLP providers are gradually coming come to understand that the traditional approach, according to which DLP systems used to develop, no longer matched the current business realities. Thus, some of them began to develop risk management platforms for comprehensive protection against internal threats.
In addition to the traditional task of data leak prevention, a next-generation system must be capable of detecting and preventing internal threats such as various corporate fraud schemes, theft, bribery, kickbacks, document forgery, etc. In order to mitigate the abovementioned risks, it’s required to ensure control and analysis of data transmission channels and perform in-depth analysis based on additional attributes. Thus, these kinds of risk management platforms must be based on the DLP system’s architecture.
Another important point is whether a risk management solution has an integrated set of essential components. It is required to complement the DLP system’s functionality with a set of tools required for performing complex corporate investigations. Finally, UBA/UEBA functionality and modules for control of work time and efficiency should be added to the system. Appropriate integration of these components ensures compliance with the requirements of both user-centric and data-centric approaches, which is a major element in ensuring compliance with the insider risk management approach offered by Gartner experts.
