Detecting Sensitive Data Patterns
The first step in preventing leakage is identifying the sensitive information that must be kept from leaking. Leading DLP solutions therefore ship with predefined identifiers that detect common sensitive patterns out of the box, such as personally identifiable information (PII), Social Security numbers (SSNs), protected health information (PHI), and payment card numbers. They also provide prebuilt identifiers for data regulated under compliance frameworks such as GDPR, HIPAA, HITECH, PCI DSS, FISMA, FERPA, SOX, and GLBA, and let an organization define custom data patterns as needed.
Organizations can use their libraries of prebuilt and custom identifiers together with several other detection capabilities. Simpler tools scan documents for keywords such as "confidential" or "sensitive" to identify what should be protected. More developed solutions support advanced regular expressions that scan for multiple data patterns concurrently, combine them with logical operators (and, or, not), and apply count thresholds (for example, trigger only when a file contains more than a handful of card numbers). Because a bare regular expression matches any digit string of the right shape, practical identifiers pair the pattern with a validity check, such as the Luhn checksum for card numbers, to keep false positives down. Advanced solutions can additionally match file formats (MIME types) and file fingerprints (templates), use exact data match (EDM) to find specific values held in a reference database, and apply all of these mechanisms to data at rest as well as in real time at upload and at download.
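The following scanner, added here as an illustration and not taken from any DLP product, combines the detection layers just described: keyword hits, regex identifiers backed by validators (the Luhn checksum for card numbers, issuance rules for SSNs), exact data match against a hashed reference set, and a policy written with count thresholds and and/or/not operators. The sample text, the reference customer IDs, and the rule names are constructed for the example.

```python
"""Content scanner combining the detection layers described above.

Added example; not Bitglass code. It pairs regex identifiers with
validators (Luhn for card numbers, issuance rules for SSNs), counts
keyword hits, checks tokens against a hashed exact-data-match (EDM)
reference set, and evaluates a policy written with count thresholds
and and/or/not operators. The sample text and reference IDs are
constructed for the demonstration.
"""
import hashlib
import re
from collections import Counter

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
KEYWORDS = ("confidential", "internal only", "do not distribute")
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+")


def luhn_ok(number: str) -> bool:
    """Mod-10 checksum used by payment card numbers; rejects most random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 9xx, group 00 and serial 0000 are never issued."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def edm_index(values) -> frozenset:
    """Hashed reference set: the scanner never needs the clear-text customer IDs."""
    return frozenset(hashlib.sha256(v.encode()).hexdigest() for v in values)


def scan(text: str, edm: frozenset = frozenset()) -> Counter:
    """Return a count per identifier; identifiers with no hits read as 0."""
    counts = Counter()
    lowered = text.lower()
    counts["keyword"] = sum(lowered.count(k) for k in KEYWORDS)
    counts["credit_card"] = sum(1 for m in CARD_RE.finditer(text) if luhn_ok(m.group()))
    counts["ssn"] = sum(1 for m in SSN_RE.finditer(text) if ssn_ok(*m.groups()))
    counts["edm"] = sum(1 for tok in TOKEN_RE.findall(text)
                        if hashlib.sha256(tok.encode()).hexdigest() in edm)
    return counts


def evaluate(rule, counts: Counter) -> bool:
    """Rules are nested tuples: ("count", id, min), ("and", ...), ("or", ...), ("not", r)."""
    op = rule[0]
    if op == "count":
        return counts[rule[1]] >= rule[2]
    if op == "and":
        return all(evaluate(r, counts) for r in rule[1:])
    if op == "or":
        return any(evaluate(r, counts) for r in rule[1:])
    if op == "not":
        return not evaluate(rule[1], counts)
    raise ValueError(f"unknown operator {op!r}")


# Trigger on three or more valid card numbers, or on one card number in a file
# that is also marked confidential, or on any exact-match customer ID.
PCI_POLICY = ("or",
              ("count", "credit_card", 3),
              ("and", ("count", "keyword", 1), ("count", "credit_card", 1)),
              ("count", "edm", 1))

REFERENCE_IDS = ["CUST-10042", "CUST-77831"]      # constructed EDM reference set

SAMPLE = """CONFIDENTIAL - internal only.
Customer CUST-10042 paid with 4111 1111 1111 1111; backup card 5500-0000-0000-0004.
Typo entry 4111 1111 1111 1112 fails Luhn and is ignored. Third card 4012 8888 8888 1881.
Employee SSN 123-45-6789 on file; 000-12-3456 and 987-65-4321 are placeholders.
"""

if __name__ == "__main__":
    found = scan(SAMPLE, edm_index(REFERENCE_IDS))
    print(dict(found))
    print("PCI policy triggered:", evaluate(PCI_POLICY, found))
```

Run against the sample, the scanner reports three valid card numbers (the fourth fails Luhn), one valid SSN (the other two violate issuance rules), two keyword hits and one exact-match customer ID, so the policy fires on the card-count branch alone. The hashed EDM index is the point to note: the matching side holds only digests, so the reference data itself is not exposed to the scanning tier.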
Where secure access service edge offerings (described below) are used to prevent leakage, Field Programmable SASE Logic (FPSL) lets admins code policy logic to their exact needs directly in the platform dashboard, giving fine-grained control over DLP policies. Policies can inspect request attributes such as domain, URI, query string, cookies, and HTTP method (PUT, POST, GET, and others) in addition to scanning for data patterns, so a decision can depend on where data is going and how, not only on what it contains. This flexibility lets an organization address specific use cases in a targeted fashion.
Remediation Options for Stopping Leakage
Once sensitive or regulated files and data patterns are identified, DLP solutions can take a variety of actions designed to prevent leakage at rest or in transit. Importantly, leading DLP solutions can import data patterns and policies from on-premises systems and extend them to other environments such as the cloud. Different remediation actions can be enforced for different users whose permissions vary: DLP policies can be triggered based on user identity, group, device, or location at the time of access.
For example, if a user attempts to download a document containing sensitive data such as a handful of customer credit card numbers, the solution identifies that data at the moment of access. Depending on the user's authorization, it can then encrypt the file on download or enforce digital rights management (DRM), which requires additional authentication and provides read-only access to the file through the web browser. Likewise, if an uploaded file is deemed sensitive or suspect, the upload can be blocked or a copy placed in an admin-only folder for review. Documents already at rest can similarly be quarantined to admin-only folders or, along with sensitive field-level data, encrypted.
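The policy engine below, added here as an example and not Bitglass's FPSL code or syntax, shows the shape of the logic the two preceding passages describe: rules written as plain predicates over request attributes (domain, URI path, query string, cookies, HTTP method) and the user's access context (identity, group, device, location), each returning one of the remediation actions above. The domains treated as personal storage, the user records, and the scan findings (the identifier counts a content scanner would report for the file being transferred) are all constructed assumptions.

```python
"""Request-attribute policy engine with context-dependent remediation.

Added example, not Bitglass FPSL code. Rules are predicates over the
request attributes named in the text (domain, URI path, query string,
cookies, HTTP method) and the user's access context (identity, group,
device, location), and return one of the remediation actions described
above. Domains, users and scan findings are constructed; findings are
the identifier counts a content scanner reports for the transferred file.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str
    cookies: dict

    @property
    def domain(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> dict:
        return parse_qs(urlsplit(self.url).query)


@dataclass
class Context:
    user: str
    groups: frozenset
    managed_device: bool
    location: str
    findings: dict            # identifier -> count for the transferred content


PERSONAL_STORAGE = ("dropbox.com", "drive.google.com", "box.com")  # assumed unsanctioned
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
SENSITIVE_IDS = ("phi", "credit_card", "ssn")


def in_domain(host: str, suffix: str) -> bool:
    """Exact or subdomain match, so 'notdropbox.com' does not count as dropbox.com."""
    return host == suffix or host.endswith("." + suffix)


def sensitive(ctx: Context) -> bool:
    return any(ctx.findings.get(k, 0) > 0 for k in SENSITIVE_IDS)


def personal_storage(req: Request) -> bool:
    return any(in_domain(req.domain, d) for d in PERSONAL_STORAGE)


def upload(req: Request) -> bool:
    return req.method.upper() in UPLOAD_METHODS


def download(req: Request) -> bool:
    return req.method.upper() == "GET"


# Ordered rules (name, predicate, action); the first matching rule decides.
# Blocking rules come first so a later, softer rule cannot downgrade them.
RULES = [
    ("no-session-cookie", lambda r, c: "session" not in r.cookies, "block"),
    ("sensitive-upload-to-personal-storage",
     lambda r, c: upload(r) and personal_storage(r) and sensitive(c), "block"),
    ("coach-on-personal-storage", lambda r, c: personal_storage(r), "coach"),
    ("sensitive-upload-off-network",          # keep a copy for admin review
     lambda r, c: upload(r) and sensitive(c) and c.location != "office", "quarantine"),
    ("sensitive-download-unmanaged-device",
     lambda r, c: download(r) and sensitive(c) and not c.managed_device, "block"),
    ("sensitive-bulk-export",                 # query string: ?format=csv
     lambda r, c: download(r) and sensitive(c) and r.query.get("format") == ["csv"], "encrypt"),
    ("sensitive-download-finance",
     lambda r, c: download(r) and sensitive(c) and "finance" in c.groups, "encrypt"),
    ("sensitive-download-other", lambda r, c: download(r) and sensitive(c), "drm"),
]


def decide(req: Request, ctx: Context) -> tuple:
    """Return (rule name, action); 'allow' when no rule matches."""
    for name, predicate, action in RULES:
        if predicate(req, ctx):
            return name, action
    return "default", "allow"


if __name__ == "__main__":
    session = {"session": "c0ffee"}
    kaito_home = Context("kaito", frozenset({"clinicians"}), False, "home", {"phi": 1})
    print(decide(Request("GET", "https://ehr.internal.example/patients/123/record", session),
                 kaito_home))
    kaito_work = Context("kaito", frozenset({"clinicians"}), True, "office", {"phi": 1})
    print(decide(Request("POST", "https://www.dropbox.com/upload?folder=Private", session),
                 kaito_work))
```

Rule order is the design decision worth copying: the engine returns the first match, so blocking rules are listed ahead of coaching, quarantine, encryption and DRM, and the same file on the same app yields a different action for a finance user on a managed device (encrypt), a contractor on a managed device (read-only DRM), and anyone on an unmanaged device (block). A missing session cookie is checked before anything else, since an unauthenticated request has no context to evaluate.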
Secure Access Service Edge
SASE (secure access service edge) offerings integrate complementary technologies to secure interactions between devices, apps, web destinations, on-premises resources, and infrastructure, so that data leakage is addressed consistently across all of these paths rather than by a patchwork of point products. Through a single portal, admins define one set of automated policies that enforce DLP measures wherever data goes. Dashboards give visibility into policy violations over time to support audits and demonstrate regulatory compliance. To achieve this, a SASE offering must contain SWG, CASB, and ZTNA technologies.
Secure web gateways (SWGs) are designed to stop data leakage, block malware, and prevent access to risky or inappropriate destinations as users browse the web and use unmanaged applications not sanctioned by IT. They do this by scanning file uploads and downloads and blocking them as needed, filtering malicious or unproductive URLs, rendering unmanaged apps read-only, and more. Where the SWG runs on the user's endpoint rather than as a central choke point, inspection capacity scales with the number of devices and traffic is not backhauled to a proxy, which improves performance.
Through cloud access security broker (CASB) functionality, SASE platforms deliver end-to-end protection for data in sanctioned cloud resources, including IaaS platforms like AWS and Azure as well as managed SaaS like Office 365 and Salesforce. For stopping data leakage, it is critically important that a CASB offers a reverse proxy deployment mode: traffic to the sanctioned app is routed through the proxy at login, so access can be secured agentlessly from any device, including personal endpoints where controlling software installations is infeasible. The trade-off is that a reverse proxy covers only the applications it is configured to front, so unsanctioned apps still need the SWG.
Zero trust network access (ZTNA) is another key component of SASE. Unlike a VPN, which typically grants access to every resource on the network at once, ZTNA grants access to specific on-premises resources individually, reducing data exposure. ZTNA also enforces granular, real-time data and threat protection policies on that access. Through an agentless deployment option, ZTNA can extend secure access to personal devices without requiring software installation.
SASE DLP Use Case
Kaito is a physician for a healthcare firm. While collaborating with a colleague, he decides to download some of a patient’s PHI from an internal application onto his personal device so that he can send it to his peer’s personal email for her inspection. However, the healthcare firm has a SASE platform that identifies the sensitive information, determines the data shouldn’t be on an unmanaged endpoint, and blocks the download. Next, while using a managed device, Kaito tries to upload the patient’s record to his personal Dropbox instance so that he can access it on his personal phone. Upon accessing Dropbox, he is presented with a coaching reminder from IT to use his organization’s secure OneDrive instance instead. He disregards the message, but when he attempts the upload, the sensitive data pattern is detected once again, and the leakage is prevented in real time. Only SASE platforms can prevent data leakage in this consistent, comprehensive fashion.
Want to learn more about Bitglass' DLP offering?
Download the technical brief below.