Data loss prevention summary

Data loss prevention (DLP) is not a new concept, but as the risk of data theft grows, every organization will have to take a fresh look at innovative ways to maintain control over its most sensitive data. Overdone, DLP can be burdensome to administrators and users alike, hindering productivity and taxing technology resources. To prevent this, an organization should review not only which data is sensitive but also the paths by which it could be exfiltrated, and then prioritize controls based on the likelihood that each path is exploited. Leveraging a solution that can cover all paths sufficiently, or that can lock down the prioritized paths while supporting integrations to cover the lesser ones, gives an organization the flexibility to deploy controls in a timely manner.

DLP approaches

In most corporate ecosystems, DLP can be prioritized by one of three different approaches.

Email DLP

Data exfiltration via email remains the number one data loss path. For that reason, no program can be complete without strong controls over the email platform. That doesn't mean that a solution focused solely on email is required. With most email platforms now hosting mailboxes in the cloud, email DLP can often be implemented as an add-on to an endpoint or data-in-motion solution.

Endpoint DLP

There's been a long-standing negative sentiment in the industry about enforcing data controls at the endpoint. If you've been doing this long enough, you remember that endpoint DLP used to crush hosts and fight with anti-virus, but the solutions never went away. They found willing buyers in government and highly controlled environments, refining their technology and waiting for a day when greater adoption would return. The increase in hybrid work has brought a renewed emphasis on the endpoint for everything from web controls to data security. Although cloud services and storage have made data easier to access, many users still prefer to store data locally. Quantifying the liability of lost endpoints and removable storage has been the bread and butter of endpoint DLP, and those solutions have since introduced CASB, web, and private access service offerings built around their endpoint footprint. Conversely, email and data-in-motion solutions have also expanded onto the endpoint, aiming for "good enough" visibility to complete their suite portfolios.

Data-in-motion DLP

In the last decade, data storage has moved increasingly away from endpoints and into the cloud for organizations adopting a hybrid approach, both for user experience and for compute locations. This means that activities that were once done exclusively endpoint-to-server or endpoint-to-endpoint can now be done cloud-to-cloud. DLP done in the cloud, either out-of-band or via a proxy, offers great flexibility, less burden on endpoints, and controls that follow users everywhere. In a hybrid environment, the traditional choke points that allowed traffic to be inspected with no exceptions are gone. The drawbacks are usually less emphasis on the endpoint, traffic patterns that are more difficult to map, and no inbound inspection, so the solution relies solely on outbound data scanning to spot email threats.
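The outbound-scanning step that a data-in-motion DLP performs, whether inline as a proxy or out of band, is easiest to see in code. The following Python is an added example written for this page; it is not code from World Wide Technology or from any DLP vendor. The message bodies, the two detectors (Luhn-validated card numbers and an SSN-shaped pattern), and the policy names "proxy" and "out-of-band" are all constructed for illustration. It also shows the check a practitioner cares about most in practice: a 16-digit order reference that looks like a card number must not trigger a block.

```python
import re
from typing import Dict, List

# Constructed sample of outbound message bodies as a cloud proxy or an
# out-of-band API scanner would see them. None of these values are real.
SAMPLE_MESSAGES = {
    "msg-1": "Hi, here is the card for the booking: 4111 1111 1111 1111, exp 09/27.",
    "msg-2": "Order reference 1234 5678 9012 3456 has shipped.",
    "msg-3": "Employee SSN for payroll: 123-45-6789, please process.",
    "msg-4": "Agenda for Monday's sync attached.",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# United States SSN shape: three-two-four digits with hyphens.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Weeds out random digit runs such as order and
    tracking numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(text: str) -> Dict[str, List[str]]:
    """Return the sensitive-data findings in a message body.

    Only the last four characters of each hit are kept, so the DLP log
    itself does not become a second copy of the sensitive data."""
    findings: Dict[str, List[str]] = {"card": [], "ssn": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings["card"].append(digits[-4:])
    findings["ssn"] = [m.group()[-4:] for m in SSN_RE.finditer(text)]
    return {k: v for k, v in findings.items() if v}


def verdict(text: str, mode: str = "proxy") -> str:
    """Policy decision for one message.

    An inline proxy can stop the message ("block"); an out-of-band scanner
    sees a copy after the fact and can only raise an "alert"."""
    if not inspect(text):
        return "allow"
    return "block" if mode == "proxy" else "alert"


def scan_all(messages: Dict[str, str], mode: str = "proxy") -> Dict[str, str]:
    """Apply the policy to every message and return message id -> verdict."""
    return {mid: verdict(body, mode) for mid, body in messages.items()}


if __name__ == "__main__":
    for mode in ("proxy", "out-of-band"):
        print(mode, scan_all(SAMPLE_MESSAGES, mode))
```

Running the block shows msg-1 (a real Luhn-valid test card number) and msg-3 blocked in proxy mode but only alerted in out-of-band mode, while msg-2's 16-digit order reference fails the Luhn check and is allowed. In a deployment the pattern set would come from the DLP product's classifiers rather than two regular expressions, but the allow/block/alert split between inline and out-of-band placement is the same trade-off the paragraph describes.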

How to choose

Knowing the strengths and weaknesses of each approach, coupled with integration options and layered with your own risk assessment, will usually lead you to the right approach. The industry is also making it harder to choose a vendor, or a collection of vendors with strong integrations, because of the rapid pace of acquisitions and a questionable history of assimilating new products into existing platforms. World Wide Technology can help you pick the right approach and solutions, based on your needs and existing ecosystem.

Reach out to your account team to review our Data Loss Prevention 101 series to get started with your initial approach. Your account team can provide downloads of the information or set up a time to discuss this further with our subject matter experts.