What is DLP?
Today’s digital age has produced unprecedented amounts of data. Much of this data is considered sensitive, such as personal information about customers and employees, financial data, and intellectual property. This data is an organization’s lifeblood and the organization has been entrusted to keep it safe. In another day and age, this information was printed on paper and secured in a locked file cabinet. Now, these highly valuable zeros and ones race from one place to another, more vulnerable than ever. Thus, it has become incumbent on organizations to implement comprehensive data loss prevention (DLP) solutions.
DLP is a set of technologies and processes that monitors and inspects data on the corporate network to ensure sensitive data is not lost or stolen.
A DLP tool should always be part of an organization-wide data protection initiative, which brings business and IT leaders together to identify what constitutes “sensitive data” for the particular organization and to agree upon how this data may be used and what a violation would look like. These guidelines can then be translated into a set of rules within a DLP tool.
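As an added illustration of turning agreed data-handling guidelines into DLP rules (example code written for this page, not from any DLP product), the snippet below inspects one outbound message against three constructed rules and uses a Luhn check so that random digit runs do not trigger the card rule:

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Rule:
    name: str                   # constructed rule names, not from any product
    pattern: re.Pattern
    action: str                 # "block" or "alert", as agreed with the business
    min_hits: int = 1           # how many confirmed matches before the rule fires
    validator: Optional[Callable[[str], bool]] = None

RULES = [
    Rule("payment-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "block",
         validator=lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    Rule("ip-marker", re.compile(r"\bCONFIDENTIAL\b"), "alert"),
]

def inspect(content: str, rules=RULES) -> dict:
    """Inspect one outbound message; return the verdict and the rules that fired."""
    fired = []
    for rule in rules:
        hits = [m.group(0) for m in rule.pattern.finditer(content)]
        if rule.validator:
            hits = [h for h in hits if rule.validator(h)]
        if len(hits) >= rule.min_hits:
            fired.append((rule.name, len(hits), rule.action))
    if any(action == "block" for _, _, action in fired):
        verdict = "block"
    elif fired:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"verdict": verdict, "rules": fired}

# Constructed sample: one Luhn-valid test card number, one random digit run, one marker.
SAMPLE = ("Card for the order: 4111 1111 1111 1111. "
          "Tracking number 1234 5678 9012 3456 is not a card. CONFIDENTIAL roadmap attached.")
```

Running `inspect(SAMPLE)` returns a "block" verdict with the card rule and the marker rule fired; the tracking number is matched by the pattern but discarded by the Luhn validator.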
While many organizations have an incentive to deploy DLP to comply with regulations and to avoid fines or even restrictions on their business operations, data loss carries much broader financial and reputational risk, such as losing customers, incurring brand damage or even facing legal ramifications. With a well-defined DLP process that is bolstered by well-managed supporting technology, organizations can significantly reduce these risks.
From enterprise DLP to integrated DLP
DLP solutions have been around for 15 years and have reached a high level of maturity. The market has seen very little differentiation between Enterprise DLP solutions, compelling analyst firm Gartner to retire its Magic Quadrant for Enterprise DLP. Instead, Gartner is focusing on a market guide that highlights the importance of a holistic data protection strategy and educates readers on the use of integrated DLP solutions.
Traditional enterprise DLP solutions have typically provided a variety of products across all channels (endpoint, storage, in motion) on which data is either stored or passes through, and from which data can potentially be lost. And they all require a different set of tools or techniques to prevent data loss.
Digital transformation, however, has created a shift in user behavior and traffic patterns, placing more importance on securing the data that flows between endpoints, cloud applications, and storage with a data-in-motion/network DLP solution. This protection can be natively provided by technologies such as secure web gateways, content management, or CASB (cloud access security broker), and is referred to as integrated DLP.
Enterprise DLP solutions are notorious for being overly complex and costly. Organizations that purchase enterprise DLP often end up using only a small subset of its capabilities and address only basic use cases that could be solved with an integrated DLP solution, thus sparing the organization from costly and time-intensive setup and integration.
DLP can’t prevent data loss if it is blind to traffic
As organizations continue to move to the cloud, three challenges have emerged that leave network DLP solutions unable to see the traffic they are supposed to inspect:
- Remote users: When relying on network DLP, the level of visibility and protection depends on where users are located. Users who are off the network and connect directly to cloud applications easily bypass inspection.
- Encryption: The tremendous growth of SSL-encrypted traffic has created a significant blind spot for network-based DLP.
- Performance limitations: Traditional network DLP appliances have finite resources and can’t scale to inspect the constantly growing amount of internet traffic inline.
Data loss prevention in a cloud- and mobile-first world requires a new mindset and modern technology
To address the data protection challenges that have emerged with digital transformation and to overcome the shortcomings of traditional enterprise DLP solutions, it is not enough to reconfigure a traditional hardware stack for the cloud: that approach is inefficient and does not provide the protections and services of a cloud-built solution. Any cloud-based DLP solution should provide the following three elements:
Identical protection for all users on or off network
To provide comprehensive data protection, a DLP solution should provide identical protection to all users, regardless of their location, whether they are in the office, an airport lounge or a home office.
Inspection of encrypted traffic
With more than 70 percent of today’s traffic being encrypted, it is incumbent upon organizations to inspect this traffic. The only way to get visibility into encrypted traffic is to use a DLP solution that natively inspects SSL.
Elastic scalability for inline inspection
A cloud solution with elastically scalable inspection capacity can prevent data loss by inspecting all traffic inline in the first place, instead of doing damage control after the data has been compromised.
Where your enterprise should start when it comes to data loss prevention
With increasing risks and expanding regulations for data protection, organizations must close the security gaps created by cloud and mobility. A recent Cybersecurity Insiders study found that preventing data loss is the second most important priority for IT executives.
In the past, that would have meant adding more appliances to an already complex security stack. But there is a better way: with a cloud DLP solution that is part of a broader secure access service edge (SASE) platform, organizations can close data protection gaps, regardless of where users connect from or where applications are hosted, while reducing IT cost and complexity.