Understanding the Five Primary Types of Data Loss Prevention Solutions
by Farokh Karani
Unexpected data loss, whether to insiders or hackers, continues to be a big threat. In recent years, news of data breaches has centered on B2C businesses (e.g. retail stores, banks) and customer data; more recently, the topic has expanded into the political realm.
With the onslaught of high-profile breaches, the limitations and vulnerabilities of traditional security have been brought to light. In response, corporate IT executives are proactively examining their own security strategies and methods for data protection. While the actual costs of data loss are hard to pin down (industry analysts estimate these to be anywhere from $0.58 to $201 per record), the market for data loss prevention (DLP) continues to grow. 451 Research predicts that by 2019 the DLP market will reach $1.7 billion, while Markets and Markets estimates total DLP revenue will expand from $0.96 billion in 2015 to $2.64 billion by 2020, a robust compound annual growth rate (CAGR) of 22.3% that places it among the fastest growing IT security segments.
Most company attempts to mitigate data loss can (and should) start with an internal assessment of their own data and the programs in place to protect it. Such an inventory should include understanding the most critical data at risk (e.g. intellectual property, enterprise information and customer data); understanding how data breaches can occur (e.g. accidental leaks vs. malicious internal or external threats); and informing and training employees on policies and procedures to safeguard sensitive company data.
Finally, when it comes to considering a DLP system, companies need to clearly understand the five primary types of available DLP solutions:
- Endpoint-Based DLP monitors myriad devices (e.g. desktops, laptops, smartphones, tablets) to discover and prevent data leakage. Here, for example, outgoing emails or print commands can be scrutinized for procedure violations or discrepancies. Centrally managed and policy driven, this method prevents data loss at the endpoint. However, to be effective, it must be deployed on all corporate devices to ensure comprehensive data protection.
- Network-Based DLP, installed at the perimeter of corporate networks, analyzes traffic to discover suspicious outgoing data. If data disclosure policies appear to be violated, the leak source is determined. This approach is also centrally managed and policy driven but cannot prevent data loss at the endpoint, such as through mobile storage devices (e.g. USB drives).
- Storage-Based DLP defends the storage of sensitive data. As storage risk is often due to insufficient data retention policies, these solutions can do far more than just protect critical data from leaking.
- Content-Aware DLP should be a key aspect of any security solution, as it monitors and enforces security policies based on the content and classification of sensitive data. Here, an alert is provided if a predefined keyword or file type is detected to be leaving the organization, which is effective in mitigating accidental or deliberate data leaks.
- Basic DLP Tools mitigate security leaks caused by rogue apps and malicious software. These tools scan installed programs and devices for security holes or blind spots, preventing attacks that come in via malware or other methods.
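
A minimal sketch of the content-aware check described in the list above, added here as an illustration and not taken from any DLP product: it raises alerts when a predefined keyword appears in an outbound item or when the item's leading bytes identify a blocked file type, whatever the filename extension says. The keyword list, blocked types, function names and sample items are constructed assumptions.

```python
"""Content-aware DLP sketch: keyword and file-type policy for outbound items."""
import re
from dataclasses import dataclass
from typing import List

# Hypothetical policy values, chosen only for illustration.
KEYWORDS = ("confidential", "internal only", "customer list")
BLOCKED_TYPES = {"pdf", "zip"}  # zip also covers docx/xlsx containers

# Leading "magic" bytes reveal the real type even when a file is renamed.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"\x89PNG\r\n\x1a\n": "png"}


@dataclass
class Outbound:
    filename: str
    data: bytes


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate(item: Outbound) -> List[str]:
    """Return the list of policy alerts for one outbound item."""
    alerts = []
    kind = sniff_type(item.data)
    if kind in BLOCKED_TYPES:
        alerts.append(f"file-type:{kind}")
    # Normalise case and whitespace so "INTERNAL   ONLY" still matches.
    text = item.data.decode("utf-8", errors="ignore")
    text = re.sub(r"\s+", " ", text).lower()
    for kw in KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", text):
            alerts.append(f"keyword:{kw}")
    return alerts


if __name__ == "__main__":
    samples = [  # constructed sample items
        Outbound("notes.txt", b"Lunch menu for Friday"),
        Outbound("report.txt", b"%PDF-1.4 quarterly numbers"),
        Outbound("memo.txt", b"This is INTERNAL   ONLY, do not forward"),
    ]
    for s in samples:
        print(s.filename, evaluate(s))
```

Plain keyword and magic-byte matching does not see inside compressed or encrypted payloads, so a check like this works on content only after it has been extracted.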
While understanding the primary DLP solution types is a start, determining the right approach and solution will vary based on a particular organization’s data, risk and threats. In any case, it’s clear that DLP should be an integral part of a company’s proactive program to manage and protect its most valuable and confidential information. The risk and consequences of data loss are just too great in the times we live in today.
Farokh Karani is director, North American Sales & Channels, for Quick Heal Technologies.