‫ Developing and Assessing your DLP Strategy (Part 1)-section 2

Number: IRCAR201509273

Date: 2015-09-16


The consequences of data loss or leakage

You might think, given the statements above, that creating an effective data loss prevention strategy is a lot of work – and you would be right. However, it’s worth it, because the consequences of data loss can range from annoying to catastrophic. The damage is multiplied if you deal with particularly sensitive information and/or if you operate in a regulated industry.

In some fields, such as healthcare, data loss could literally be a life or death matter, and in others, such as military defense, the national security of an entire country could hang in the balance. For most organizations, the consequences of data loss won’t be quite as dire as this, but could still have a profound effect on the company’s bottom line and even its very continued existence. Consequences of the loss or unauthorized exposure of data could include:

  • Down time and loss of productivity
  • Damage to the company’s public reputation
  • Loss of clients or customers and thus loss of market share
  • Loss of faith in the business by investors, resulting in decreased market value
  • Loss of status/reputation within your industry
  • Loss of certifications, licenses, ratings, etc.
  • Fines or other penalties for compliance failure or violation of statutes or administrative regulations
  • Decreased revenues leading to financial instability and even bankruptcy

That is a pretty serious list to contemplate. We all know that an ounce of prevention is worth a pound of cure and in the case of data loss, there may be no cure.

Elements of an effective DLP strategy

Now that we understand both the consequences of data loss or leakage and some of the most common ways by which data is lost or leaked to unauthorized persons, we can start to formulate a strategy for prevention. We can start with determining where the data that needs to be protected is located, keeping mind that data moves and also that copies of the same data may (should) be in at least two different places.

Basically, we need to look at protecting data in the following locations/situations:

  • Data that resides on endpoint devices. This includes data that is created or residing temporarily or permanently on workstations or servers within the local network as well as that which is created or residing on computers, tablets or smart phones of mobile workers.
  • Data in storage (also called data at rest). This includes data that is stored on file servers, network attached storage systems, storage area networks, USB sticks, flash memory cards, optical discs, magnetic tape and other media, including backup copies of data and temporary files that hold data from various applications.
  • Data in transit (also called data in motion). This includes data that is in the process of being sent, copied or moved over the local network or across the Internet.

Intrusion and Extrusion Prevention

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) have long been a part of the enterprise security defense in depth matrix, and part of a DLP strategy involves keeping unauthorized persons out of the local network. However, DLP is actually more focused on the prevention of extrusion, that is, data going out of the network, and so while IDS/IPS is aimed primarily at filtering inbound traffic, DLP aims at filtering outbound traffic. The goal of DLP is to prevent anything from leaving the network that could, in the wrong hands, be detrimental to the organization.

Extrusion prevention isn’t easy in today’s network environment that encompasses Bring Your Own Device (BYOD), easy peer-to-peer file sharing, free web mail, IM/chat programs that support file sharing, a proliferation of readily available and easy to use cloud-based storage services and other means of transferring files across the Internet, along with cheap and almost universally compatible physical storage devices that can be easily plugged in via USB, writable optical drives, tiny and easy to conceal/smuggle out flash memory cards, and so forth.

Data classification

An important part of an effective DLP strategy includes the classification of data to allow you to accurately identify the sensitivity level of data and the impact of loss or disclosure of each data set. The FIPS-199 federal government publication can serve as a guideline for the development of a data classification scheme. This document bases the impact classifications on the three FISMA (Federal Information Security Management Act) security objectives: confidentiality, integrity and availability. Thus potential impact from a security breach could result in:

  • Unauthorized disclosure of information (loss of confidentiality)
  • Unauthorized change or destruction of information (loss of integrity)
  • Disruption of access or use of information (loss of availability

After you have determined a classification for each piece of data, you can use tagging to embed that classification into the metadata and tools can be used to enforce security measures that are based on the data classification.


A data loss and data leakage prevention strategy is a must for any organization that creates, uses, stores, moves or accesses any type of data that is sensitive, confidential or falls under regulatory privacy protection mandates. In Part 1 of this article, we’ve provided a high level overview of what DLP is, some of the possible consequences of data loss or leakage, and the essential elements of an effective DLP strategy. In subsequent installments, we will delve more deeply into the intricacies of DLP, characteristics of good DLP software solutions, and how to implement your DLP plan.





The Wall

No comments
You need to sign in to comment