This is the fourth post in the GDPR Fever series aimed at explaining whether and how DLP technologies could be used for achieving GDPR compliance.
Which existing IT security technologies meet the key technical requirements derived from the GDPR's integrity and confidentiality (I&C) principle that are essential for protecting personal data against leakage: automatic real-time content analysis and enforcement of protective actions for various types of data in all their states (in use, in motion, and at rest)?
An evaluation of several potential candidates conducted on the basis of these criteria has revealed that only one currently available technology fully satisfies them – it is content-aware data leak prevention (DLP).
What is DLP?
DLP is a system of integrated technologies that detect and prevent unauthorized use, transmission, and storage of confidential, protected, or sensitive data by applying a combination of contextual and content analysis methods and enforcing centrally managed data protection policies.
In order to protect digital data in its three fundamental states, DLP solutions implement three DLP functional types: “Data In Use” (DIU) DLP, “Data In Motion” (DIM) DLP and “Data At Rest” (DAR) DLP.
“Data In Use” DLP controls data access and transfer operations in local channels, peripherals, and applications on endpoint computers including removable, fixed and redirected storage, clipboard, printing, screenshot captures, etc.
“Data In Motion” DLP prevents data leakage through network communications – for instance, email, webmail, Instant Messaging, social media, cloud-based and P2P file sharing, HTTP/HTTPS, FTP/FTPS, SSL/TLS protocols, etc.
“Data At Rest” DLP discovers exposed confidential content in data stored on corporate IT assets, such as file shares and Network Attached Storage (NAS), endpoint file systems, databases, document repositories and cloud-based storage. If unprotected data are located in a wrong place, DAR DLP can automatically initiate various remediation actions to prevent uncontrolled potential access, use, and transmission of these data.
Different DLP functional types use various types of enforcement agents. Only endpoint-resident agents can be used to enforce DIU DLP, while endpoint agents and network-resident hardware, software, or virtual appliances can complement each other to enforce DIM DLP. In turn, DAR DLP uses (temporary or resident) endpoint agents to scan local file systems, and network-resident discovery servers can be used to perform remote scanning of file shares, NAS, databases, document repositories, and cloud storage.
Why DLP but Not Other Infosecurity Technologies?
The reason is that the functional capabilities of the other evaluated technologies on the edges of DLP, including information rights management (IRM) and pure data classification, do not fully meet the specified criteria. It is important to note that neither IRM nor data classification technologies natively support automatic analysis of data content – both of them assign the task of content classification either to end users, as document authors, or to security administrators. And few of them provide enforcement mechanisms (access control, etc.). It is worth mentioning that although some modern data classification and IRM-based systems have recently started offering automated content analysis capabilities, these additional functions are actually implemented by integrating mainstream DLP technologies into their system components.
On the other hand, DLP’s own capabilities meet all the criteria. What are these defining DLP features and functions?
The first, and the most important, is the ability to automatically analyze and classify the informational content of transmitted, used, and stored data of many formats and types. These must include not only files and emails, but also instant messages, posts to social media, web forms and webmails, raw textual data and, in some scenarios, even metadata and binaries. In DLP, content analysis is used to detect data with “confidential”, “classified”, or similarly restricted content and prevent their uncontrolled use, release, or delivery to specific destinations or recipients, as well as their storage at prohibited locations. This functional fusion enables DLP to meet the key criterion of automatic content analysis of data in all their states – in use, in motion, and at rest.
Secondly, the criterion of real-time protective actions, again for all data states, is fulfilled by DLP’s ability to enforce real-time preventive security controls in a wide range of data leakage channels and scenarios. These must include practically all local channels on endpoint computers, the riskiest network communications, as well as various data storage devices, systems, and repositories. Specifically, DLP components can apply a whole set of protective actions, such as block, remediate, alert, log, shadow-copy, and more.
Another essential DLP capability is the control of data operations based on their context. Context is indispensable for preventing data leakage in a multitude of use cases when the detection of security policy violations does not require content analysis, which can be quite CPU-intensive and take considerable time to complete. Another substantial advantage of using contextual DLP controls whenever possible is the simplicity of relevant DLP policies, their configuration, and troubleshooting. To control data operations, top DLP systems support a comprehensive set of contextual parameters including users, computers and their groups, sender and recipient email addresses, user identifiers (IDs) for instant messaging, types of local ports and peripherals, device serial numbers in combination with vendor and product IDs, data transfer directions, time/day, network ports and addresses, etc. – there might be dozens of such parameters used in DLP policies.
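To make the three defining functions above concrete (content analysis, real-time protective actions, and context-based controls), here is a constructed toy policy engine added for illustration; it is not code from any DLP product. classify() is the content-analysis step, the POLICY list mixes context-only rules with content-plus-context rules and orders them so the costlier content scan runs only when a rule needs it, and evaluate() returns the protective action (block, shadow-copy, log, allow). The Event fields, rule names, detection patterns and the internal-domain list are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    """One intercepted data operation (constructed sample fields, not any vendor's schema)."""
    channel: str                  # "usb", "email", "clipboard", "fileshare", ...
    user_group: str               # group of the user performing the operation
    direction: str                # "outbound", "inbound" or "local"
    recipient_domain: Optional[str]
    content: str


# Content detectors for personal data (constructed, deliberately simplified patterns).
CONTENT_RULES = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "iban_like": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
}

INTERNAL_DOMAINS = {"example.com"}  # constructed


def classify(content: str) -> set:
    """Content analysis: return the personal-data categories found in the payload."""
    return {name for name, pat in CONTENT_RULES.items() if pat.search(content)}


# Policy rules in precedence order: (name, needs_content, predicate, action).
# Context-only rules come first so the costlier content scan runs only when needed.
POLICY = [
    ("contractors-no-usb", False,
     lambda e, cats: e.channel == "usb" and e.user_group == "contractors", "block"),
    ("pii-external-email", True,
     lambda e, cats: e.channel == "email" and e.direction == "outbound"
     and e.recipient_domain not in INTERNAL_DOMAINS and bool(cats), "block+shadow-copy"),
    ("pii-internal-email", True,
     lambda e, cats: e.channel == "email" and bool(cats), "log"),
]


def evaluate(event: Event) -> dict:
    """Apply the first matching rule; the content is analysed at most once, lazily."""
    cats = None
    for name, needs_content, pred, action in POLICY:
        if needs_content and cats is None:
            cats = classify(event.content)
        if pred(event, cats or set()):
            return {"rule": name, "action": action, "categories": sorted(cats or [])}
    return {"rule": None, "action": "allow", "categories": sorted(cats or [])}
```

Note that a USB write by a contractor is blocked on context alone, so its content is never scanned, whereas an outbound email is scanned and blocked only if personal data is detected and the recipient is external.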
The last defining DLP feature is that DLP policies are managed centrally by IT security administrators rather than by end users or local systems administrators.
Importantly, in DLP systems these defining functions and features are deeply integrated on both the management and execution levels. This integration also uniquely differentiates DLP from other IT security technologies when it comes to protecting IT systems against data leaks.
Today, there is no real substitute for DLP for achieving GDPR compliance – in other words, no other existing information security technology has the same set of functional capabilities dedicated to and optimized for the mission of preventing leaks of personal data, or of any other data as required. Compelling evidence of this comes from the fact that many IT and IT security solutions use DLP as an add-on component to implement data leak prevention functions in their specific areas. Examples from the IT security industry include endpoint protection platforms (EPP), UTM appliances, email gateways, and even some modern IRM and data classification solutions. In the IT field, DLP functions are often integrated in advanced email and document management systems, cloud-based file sharing services, and software as a service (SaaS) platforms.
To summarize: since DLP technologies are indispensable for preventing leakage of personal data in IT systems, DLP is necessary for implementing the GDPR’s “integrity and confidentiality” principle and achieving compliance with the regulation.
Of course, neither DLP nor any other particular technology alone can be a “silver bullet” for the GDPR. A whole puzzle of various complementary information security and privacy enhancing technologies should be put together to ensure full compliance with all provisions of the regulation. Yet DLP is a critical piece of the GDPR compliance puzzle.