
DLP systems: what are they? Selecting a DLP system

Nowadays you often hear about a technology called DLP systems. What are they, and where are they used? Data loss prevention (DLP) software is designed to prevent data loss by detecting potential policy violations in data that is being sent and by filtering it. Such products also monitor, detect and block sensitive information while it is in use (on endpoints), in motion (network traffic) and at rest (storage).

As a rule, confidential data leaks either because inexperienced users mishandle the technology or as a result of malicious acts. Such information, whether private or corporate data, intellectual property (IP), financial or medical records, credit card details and the like, requires the enhanced protection measures that modern information technology can offer.

The terms "data loss" and "data leakage" are related and often used as synonyms, although they differ somewhat. A loss of information becomes a leak when the medium containing confidential information disappears and subsequently ends up with an unauthorized party. Nevertheless, data leakage is possible without any loss of data.

DLP categories

Technological means used to combat data leakage can be divided into the following categories: standard security measures, intelligent (advanced) measures, access control and encryption, and specialized DLP systems (described in detail below).

Standard measures

Standard security measures such as firewalls, intrusion detection systems (IDS) and antivirus software are the usual mechanisms that protect computers from outsider as well as insider attacks. A firewall, for example, denies unauthorized persons access to the internal network, and an intrusion detection system detects penetration attempts. Internal attacks can be countered by antivirus scanning that detects Trojan horses installed on PCs which send out confidential information, and by using services built on a client-server architecture in which no personal or confidential data is stored on the client computer.

Additional security measures

Additional security measures use highly specialized services and temporal reasoning algorithms to detect abnormal access to data (for example, to databases or information retrieval systems) or abnormal e-mail exchange. In addition, such modern information technology identifies programs and requests with malicious intent and performs in-depth checks of computer systems (for example, keystroke or speaker recognition). Some of these services can even monitor user activity to detect unusual access to data.

Specialized DLP systems: what are they?

DLP solutions designed to protect information are used to detect and prevent unauthorized attempts to copy or transfer sensitive data, whether intentional or unintentional, without permission, usually by users who do have legitimate access to that data.

To classify certain information and regulate access to it, these systems use mechanisms such as exact data matching, structured data fingerprinting, statistical methods, rule and regular expression matching, published lexicons, conceptual definitions and keywords. The types of DLP systems can be compared as follows.

Network DLP (also known as data in motion, or DiM)

As a rule, this is a hardware or software solution installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data being sent in violation of the information security policy.

Endpoint DLP (data in use)

Such systems run on end-user workstations or servers within organizations.

Like network-based systems, endpoint DLP can address both internal and external communications, and can therefore be used to control the flow of information between types or groups of users (for example, internal "firewalls" between departments). These systems are also capable of monitoring e-mail and instant messaging. This works as follows: before messages are delivered to the device, they are checked by the service, and if they contain a policy violation they are blocked. A blocked message is therefore never delivered and is not subject to the data retention rules on the device.

Endpoint DLP technology has the advantage that it can monitor and control access to physical devices (for example, mobile devices with data storage capabilities), and in some cases access information before it is encrypted.

Some endpoint-based systems can also provide application control to block attempts to transmit confidential information, and give immediate feedback to the user. Their disadvantage is that they must be installed on every workstation in the network and cannot be used on mobile devices (for example, cell phones and PDAs) or where installation is impractical (for example, a workstation in an Internet cafe). This must be taken into account when choosing a DLP system for any purpose.

Data identification

DLP systems include several methods for identifying sensitive or confidential information. This process is sometimes confused with data discovery. Data identification is the process by which organizations use DLP technology to determine what to look for (in motion, at rest or in use).

Data is classified as structured or unstructured. Structured data is stored in fixed fields within a file (for example, a spreadsheet), while unstructured data refers to free-form text (for example, text documents or PDF files).

According to experts, 80% of all data is unstructured and 20% is structured. Classification of information is based on content analysis, focused on structured information, and on context analysis, which is done at the point of creation, in the application or system in which the data originated. Thus, the answer to the question "DLP system: what is it?" lies in the algorithm used to analyze information.

Methods used

There are many methods today for describing confidential content. They can be divided into two categories: precise and imprecise.

Precise methods are those that involve content analysis against registered data and reduce false positive results to virtually zero.

All other methods are imprecise and can include dictionaries, keywords, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, statistical analysis and so on.

The effectiveness of the analysis depends directly on its accuracy. A highly rated DLP system scores well on this parameter. Accurate identification is important to avoid false positives and their negative consequences. Accuracy can depend on many factors, some situational and some technological. Accuracy testing can confirm the reliability of a DLP system, meaning almost zero false positives.
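To make the precise/imprecise distinction concrete, here is an added example (not code from the original article or from any DLP product) in Python that places the two kinds of method side by side: exact data matching against hashed fingerprints of a constructed list of known sensitive records, an imprecise regular expression for card numbers whose false positives are reduced with a Luhn checksum, and a keyword dictionary. The record values, keywords and sample text are all constructed for illustration.

```python
import hashlib
import re

# Constructed list of known sensitive records (e.g. customer IDs exported
# from a database). Only their hashes are kept, so the DLP engine never
# stores the protected plaintext itself.
KNOWN_RECORDS = ["CUST-00017-ALPHA", "CUST-00042-BRAVO"]

# Constructed keyword dictionary: an imprecise signal on its own.
KEYWORDS = ["confidential", "internal only"]

# Imprecise method: regular expression for 13-16 digit card-like numbers,
# allowing spaces or dashes between digit groups.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def fingerprint(value: str) -> str:
    """Exact data matching: normalise, then hash (SHA-256)."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()


FINGERPRINTS = {fingerprint(r) for r in KNOWN_RECORDS}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs the regex would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return findings per method: precise (exact) vs imprecise (card, keyword)."""
    findings = {"exact": [], "card": [], "keyword": []}
    # Precise: every token is hashed and compared with the fingerprint set.
    for token in re.findall(r"[A-Za-z0-9-]+", text):
        if fingerprint(token) in FINGERPRINTS:
            findings["exact"].append(token)
    # Imprecise: regex candidates, filtered by Luhn to cut false positives;
    # only the last four digits are reported, masking the rest.
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings["card"].append("*" * (len(digits) - 4) + digits[-4:])
    lower = text.lower()
    findings["keyword"] = [k for k in KEYWORDS if k in lower]
    return findings
```

The Luhn filter shows why regular expressions alone are "imprecise": a random 16-digit string passes the pattern but fails the checksum, whereas the fingerprint lookup only fires on a registered record.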

Detection and prevention of information leaks

Sometimes a data distributor makes confidential information available to third parties. Some time later, part of that data is likely to turn up in an unauthorized place (for example, on the Internet or on another user's laptop). DLP systems, whose price is quoted by vendors on request and can range from a few tens to several thousand rubles, must then investigate how the data leaked: from one or several third parties, whether independently of each other, by what means, etc.

Data at rest

"Data at rest" refers to archived information stored on the hard drives of client PCs, on a remote file server or on network-attached storage. The term also covers data kept in backup systems (on a flash drive or CD-ROM). This information is of great interest to enterprises and government agencies simply because large amounts of data sit unused on storage devices, making it more likely that unauthorized persons outside the network can gain access to them.


Copyright © 2018 en.birmiss.com. Theme powered by WordPress.