Data Loss Prevention Pt. 1



To any business or corporation, information and data are the blood flow of daily operations. This consists of market intelligence as it relates to your competition, the sensitive customer information (such as contact info, credit card/banking numbers, etc.), and even your own internal data. Safeguarding all of this is a must, not only from it being hacked into, but also making sure that only the authorized employees have access to it.

This is technically known as “Data Loss Prevention”, or “DLP” for short. A specific definition is as follows:
“It is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business critical data and identifies violations of policies . . . typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. Once those violations are identified, DLP enforces remediation with alerts, encryption, and other protective actions to prevent end users from accidentally or maliciously sharing data.” that could put the organization at risk.” (source 1)

The Basic Concepts of DLP

There are three types of DLP Systems that are used today in organizations, and they are as follows:

  1. In Use Protection:
    This is the information/data that is generally used on a daily by authorized employees or even software applications within the organization. Typically, these types of datasets are used to deliver products and services to customers as they are being requested or purchased. This type of information is normally encrypted constantly, so that if they were to be intercepted by a malicious third party, it would remain in a garbled and undecipherable state.
  2. In Motion Protection:
    This is the information/data that is in transit across a particular network segment, and typically requires a higher level of encryption given this dynamic nature, to prevent against any form of Eavesdropping and Decryption related attacks. The basic rule of thumb here is that the more sensitive (or even more valuable) the information/data is, equally higher levels of encryption are needed as well.
  3. At Rest Protection:
    This is the information/data that is not actively being used in any form, and as a result, it typically resides on a database server. These datasets still need to have some layer of encryption, but not to the level of the data that is In Use or In Motion. At this point, it is important to implement the principle of “Need to Know” access to those employees who have to have access to these datasets.

Our next blog will examine these three types of data sets in more detail, as well as the controls that are required to protect them.