Data Loss Prevention Articles

Database Security

Database security - Data Leakage Prevention by DeviceLock DLP

In modern organizations, business interactions between employees as well as their communications with external users of corporate IT systems such as clients, contractors, and partners take many various forms and are not limited to pure business applications and the confines of corporate IT systems.

Practically for all organizations, social media has evolved into a vital tool to support and speed up business processes. Nowadays, social networking is used both internally and externally to build the corporate brand, improve the company's reputation and customer loyalty, hire talented staff, mobilize the collective knowledge of employees, shorten the development cycle, and improve the responsiveness of technical support processes.

"Instant Messaging" has become another undeniably useful IT "utility" for organizations of any kind. Its simplicity and automatic self-configuration, ability to punch through network perimeters in combination with high quality multimedia calls and large savings from using the Internet as the medium have made Instant Messengers a truly indispensable communications platform for business and personal use.

With USB and other small form factor removable storage, it is much easier today to exchange data with colleagues, partners, and clients.

File sharing services have become a new incarnation of ultra-portable "storage devices": essentially virtual drives living in the Cloud. They could be "plugged in" to any computer via the Internet and used as easily as physical hard drives or, alternatively, accessed from a web browser. Today, most organizations, regardless of size, allow employees to use file sharing services for simplifying internal and external information exchange.

Not to forget, email applications and webmail services remain the most widely used business communications channels both inside and outside of organizations.

In such a hyper-connected business environment, protecting valuable information stored and accessible in corporate databases requires more than just restricting user access to the database to minimally sufficient permissions. For properly strengthened database security practices, it is also critically important that data users are trained to not leave the corporate workspace unprotected so as not to expose the database data to accidental or deliberate actions committed by insiders - employees, partners and clients.

Further, security is weakened if a user copies information from the database and temporarily stores it on their computer in an otherwise unsecured file, for instance, a spreadsheet or csv type and then sends this file through personal webmail to a friend by mistake later. In another scenario, a malicious employee could deliberately copy the file with valuable data pulled from the corporate database to a USB thumb drive and later on take it away for use at a competitor. Notably, these and many other exfiltration scenarios are equally dangerous while corporate users work inside the office or use laptops outside - on a business trip or from home.

As for the absolute majority of these users, it is endpoint computers, such as physical or virtual desktops and laptops that are used for processing and storing business data, preventing the exfiltration of information from databases while it is used by insiders requires a content-aware data leak prevention (DLP) solution that effectively protects corporate endpoints regardless of whether they are used inside of outside of the office network.

This aspect is exactly what DeviceLock DLP is designed to do. The solution includes a lightweight enforcement agent installed on every computer and central management through traditional consoles or Active Directory Group Policy Objects that scale to the size and type of corporate network. Running transparently for users and applications , DeviceLock Agents detect and prevent unauthorized data access and transfer through local ports and peripheral devices, as well as via popular network applications and services like email, web browsers, instant messengers, and more.

In the above mentioned leakage scenarios, DeviceLock Agents can directly inspect the data contained in some common and legacy end-user, or lower order, database formats (ex. Access, Excel, Quattro, and csv files) or in 150+other file formats and compare that detectable data with identifiably sensitive information originally gleaned from the higher order corporate database that can be logically specified in the DLP policy by using keywords, pre-built or custom dictionaries and regular expression (RegExp) pattern validators. If the presence of data "stubs" or patterns originally from the higher order corporate database is detected in the users' files and it violates DLP policy rules, the transfer of the file via webmail or copying it to the USB drive can be blocked, logged, and/or alerted in real-time. In addition, the violating file itself can be copied to the central shadow log for further analysis, such as IT security audit and incident investigations.

With its unique set of techniques designed to intercept and analyze data transfers though local and network channels, as well as effective content-aware mechanisms, DeviceLock DLP is seamlessly suited for detecting structured data extracts usually stored originally in databases, such as credit card, bank account or social security numbers, and effectively preventing transfers of detected data in case these operations violate corporate data use policies.