A Data Loss Prevention (DLP) system is one of the most indispensable systems in the IT industry. Most of our clients and auditors want to understand how we implement DLP and what they gain from it, and in my experience auditors and legal teams spend many hours on exactly this question. Let us briefly discuss what DLP is and how it can be implemented during the current digital transformation phase.
A DLP system can be defined as a set of mechanisms that detect potential data breaches and data exfiltration attempts and block them where possible. DLP is therefore an integral part of any cyber-security programme. It should also be clear that no single product can provide all the protection a DLP system needs, because data leakage or loss can occur at any layer of the security stack.
Consider a bank or other financial institution that wants to build its banking system through software co-creation and application prototyping. The first and most basic inputs needed to build such software are the client database and the complete banking procedure. For confidentiality reasons the bank will never share its customer data, but it can share its banking procedure. The possibility of data leakage starts at this point, because the development team now knows the entire banking process, and the finished application will interact directly with the client database. Once the application is built, the client wants to know how secure it is and what the chances of data leakage are.
Below are the layers, and the steps at each layer, that mitigate data leakage:
a) Securing the perimeter:
The very first step is to secure the perimeter with Unified Threat Management (UTM) devices, which combine functions such as firewalling and intrusion detection/prevention (IDS/IPS) in one appliance. Let us discuss these functions:
- Firewall: A firewall works as the security guard for any data entering or leaving the network. The analogy: when we enter or leave our office premises we swipe an ID card to prove our identity; similarly, when traffic arrives, its identity (source and destination addresses, ports and protocol) is checked against the pre-existing policy, and it is allowed if it matches a permit rule and dropped otherwise. Like the entry register at reception, a firewall also keeps a log of all traffic, both allowed and dropped, for future audit purposes.
- IPS/IDS: The analogy for an IDS/IPS is the scanner at an airport or railway station. The scanner checks whether we are carrying anything unwanted and sounds an alarm if we are. An IDS likewise inspects the traffic and, if it finds something malicious, sends an alert (for example an e-mail) to the responsible team; an IPS sits in-line and can drop the malicious traffic as well as alerting.
The points discussed so far are the basic protection on the perimeter side. There are further levels of security that we can implement.
b) Securing the application:
Application-level security is the next important layer; it lets us decide whether a request comes from a legitimate application or a fake one. A number of tools can inspect the payload of the traffic (think of it as matching a pattern) and decide this, and all next-generation firewalls incorporate this technology (deep packet inspection). Another form of application filtering is circuit-level filtering, which examines the information exchanged during the TCP handshake to evaluate whether the session is legitimate; it does not look at the payload itself.
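To make the two perimeter layers concrete, here is an added example (not code from the original article or from any vendor product) that combines a top-down, first-match packet policy like a firewall's with a payload signature check like an IPS's, and writes every decision to an audit log. The network ranges, ports, rule names and signatures are hypothetical, as is the sample traffic.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example: a top-down, first-match packet policy (the "firewall")
# followed by a payload signature check (the "IPS"). Networks, ports and
# signatures are hypothetical; they are not the configuration of any product.

@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # None means any destination port
    proto: str = "tcp"

    def matches(self, pkt: dict) -> bool:
        return (pkt["proto"] == self.proto
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or pkt["dport"] == self.dport))

# Hypothetical segments: web tier 10.1.0.0/24, app tier 10.2.0.0/24, DB host 10.3.0.5.
POLICY = [
    Rule("web-to-app", "allow", "10.1.0.0/24", "10.2.0.10/32", 8443),
    Rule("app-to-db", "allow", "10.2.0.0/24", "10.3.0.5/32", 5432),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Payload patterns an IDS/IPS would look for in traffic that the L3/L4 policy
# already allowed. Real signature sets are far larger; these are illustrative.
SIGNATURES = {
    "sqli-union": re.compile(rb"(?i)union\s+select"),
    "sqli-tautology": re.compile(rb"(?i)'\s*or\s+1\s*=\s*1"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

def inspect_payload(payload: bytes) -> list:
    """Return the names of all signatures that fire on the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def filter_packet(pkt: dict, policy=POLICY, log: Optional[list] = None) -> tuple:
    """Apply the policy, then the signature check, and record the decision.

    Returns (verdict, reason). Every decision, allowed or dropped, is appended
    to `log` so that it can be audited later, like the article's entry register.
    """
    for rule in policy:
        if rule.matches(pkt):
            verdict, reason = rule.action, rule.name
            break
    else:
        verdict, reason = "deny", "implicit-deny"   # no rule matched: fail closed

    if verdict == "allow":
        hits = inspect_payload(pkt.get("payload", b""))
        if hits:
            # IDS mode would only alert here; IPS mode drops as well.
            verdict, reason = "deny", "ips:" + ",".join(hits)

    if log is not None:
        log.append({"ts": pkt.get("ts"), "src": pkt["src"], "dst": pkt["dst"],
                    "dport": pkt["dport"], "verdict": verdict, "reason": reason})
    return verdict, reason

if __name__ == "__main__":
    audit = []
    samples = [  # constructed traffic
        {"ts": 1, "proto": "tcp", "src": "10.1.0.7", "dst": "10.2.0.10", "dport": 8443,
         "payload": b"GET /accounts?id=42"},
        {"ts": 2, "proto": "tcp", "src": "10.1.0.7", "dst": "10.2.0.10", "dport": 8443,
         "payload": b"GET /accounts?id=42' OR 1=1 --"},
        {"ts": 3, "proto": "tcp", "src": "192.0.2.5", "dst": "10.3.0.5", "dport": 5432,
         "payload": b""},
    ]
    for p in samples:
        print(filter_packet(p, log=audit))
    print(audit)
```

Note the order: the cheap address/port check runs first and the payload inspection only on traffic that is already permitted, which is how a real UTM keeps inspection cost down, and that an unmatched packet is denied rather than allowed.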
c) Direct access on database:
This is the most important layer: direct access to the database. So far we have discussed how to make the infrastructure secure; this layer deals directly with the database.
i) The database can be accessed in several ways, and the data must be protected while in transit in each of them:
- There is a direct or indirect connection from the application software to the client's database server, and
- The database may be a distributed DBMS (a database management system spread over several geographical locations) in order to share the load of a single server, so the nodes exchange data among themselves.
In both cases the database is accessed over a network, so the first part of DLP is to hide the raw data on the wire. That is achieved by encrypting the data (TLS on the connections is the usual mechanism, and different cipher suites are available) so that it travels from one location to another only in encrypted form and is decrypted again on arrival. Note that the endpoints then hold the clear text, so they must be protected by the other layers described here.
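The weak spot in "encrypt it in transit" is usually not the cipher but a client configured to skip certificate verification, which still encrypts yet lets anyone on the path impersonate the database server. The following added example (not from the original article) shows the weak TLS client setting beside the hardened one for the application-to-database hop, plus a small audit function that reports what is wrong with a given context. The CA bundle path is a hypothetical parameter.

```python
import ssl

def weak_db_context() -> ssl.SSLContext:
    """The shortcut a developer takes when 'the certificate does not work'.

    The connection is still encrypted, but the server is never authenticated,
    so anyone on the path can present their own certificate and read the raw
    customer data in clear. (check_hostname must be cleared before verify_mode.)
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_db_context(ca_file: str = None) -> ssl.SSLContext:
    """Context for the application-to-database hop: TLS 1.2 or newer, server
    certificate chained to our CA (ca_file is a hypothetical bundle path; None
    falls back to the system store) and the hostname checked against the
    certificate, so only the real DB server can complete the handshake."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a context; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings

if __name__ == "__main__":
    print("weak:", audit_context(weak_db_context()))
    print("hardened:", audit_context(hardened_db_context()))
```

The same two settings exist in every database driver under different names; for example PostgreSQL clients express the hardened form as `sslmode=verify-full` and MySQL clients as `--ssl-mode=VERIFY_IDENTITY`, while the "encrypt but do not verify" modes are the equivalent of `weak_db_context()`.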
ii) The next threat comes from non-legitimate users on the internet:
Any bank or financial institution wants to be available on the internet so that its customers can use their online profiles. Whenever an application is exposed to the internet there is a chance that a non-legitimate user will try to get into a legitimate user's profile through some backdoor or weakness in the login (there are many tools available that guess or brute-force passwords), so there should be at least a two-factor, or if possible three-factor, mechanism (an OTP system or hardware token in addition to the password) protecting the online profile.
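The OTP factor mentioned above is normally a time-based one-time password. The following added example (not code from the original article) implements HOTP and TOTP as specified in RFC 4226 and RFC 6238 with only the Python standard library, and a verifier that tolerates a little clock skew while refusing a code that has already been used, which is the replay a guessed or phished code would rely on. The user record, salt and password are constructed for the example; the OTP secret is the RFC test-vector secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed example of the second factor: HOTP/TOTP as in RFC 4226 / RFC 6238,
# plus a verifier that tolerates clock skew and refuses replayed codes.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)

def provision_secret() -> tuple:
    """Fresh 160-bit secret; the base32 form is what an authenticator app enrols."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()

def verify_totp(secret: bytes, code: str, at_time: float = None, step: int = 30,
                digits: int = 6, window: int = 1, used: set = None) -> bool:
    """Accept the code for the current interval or `window` intervals either side
    (clock skew), compare in constant time, and, if a `used` set is supplied,
    refuse any interval that already authenticated once (replay of a code that
    is still inside its 30-second validity)."""
    if at_time is None:
        at_time = time.time()
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False

# Hypothetical user record. A real system stores a random per-user salt; the fixed
# salt here just keeps the example short. scrypt is a slow, memory-hard KDF.
SALT = b"constructed-salt"

def password_hash(password: str) -> bytes:
    return hashlib.scrypt(password.encode(), salt=SALT, n=2 ** 14, r=8, p=1)

USERS = {"alice": {"pw_hash": password_hash("correct horse"),
                   "otp_secret": b"12345678901234567890",   # RFC 6238 test secret
                   "used": set()}}

def login(username: str, password: str, code: str, at_time: float = None) -> bool:
    """Two-factor login: something the user knows (password) and has (OTP device)."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(password_hash(password), user["pw_hash"])
    otp_ok = verify_totp(user["otp_secret"], code, at_time, used=user["used"])
    return pw_ok and otp_ok   # evaluate both so timing does not reveal which one failed

if __name__ == "__main__":
    raw, b32 = provision_secret()
    print("enrol this in the authenticator app:", b32)
    print("current code:", totp(raw))
    print("RFC 6238 vector at T=59:", totp(b"12345678901234567890", 59, digits=8))
```

Two points a verifier must get right are visible in `verify_totp`: the comparison is constant-time so a code cannot be guessed digit by digit, and the `used` set means a code intercepted during its validity window cannot be presented a second time. Password guessing alone, the attack the paragraph describes, no longer yields an account without the device.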
d) The final and most dangerous part is legitimate people who have direct access to the data. In the first two cases there is no direct access, so we can put protective mechanisms in the path; here there is nothing in between. Hence, instead of protection, prevention is more effective. We need an automatic logging system that always records every privileged person's logins and activity with a real-time stamp, alerts us by e-mail when it sees any unusual activity, and never allows a direct copy or delete of the data in a single step; such an attempt should be blocked and raise a critical alert by e-mail.
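The insider controls in d) are easy to state and easy to get wrong, so here is an added example (not the article's own code) of the two halves: detection logic run over a constructed audit log (bulk reads, off-hours activity, destructive actions), and a guard that refuses copy or delete in a single step and requires a second person to approve. User names, tables, thresholds and the e-mail stand-in are all hypothetical.

```python
from datetime import datetime

# Constructed sample events from the automatic logging system described above:
# who logged in and did what, on which table, how many rows, and when. The user
# names, tables and thresholds are hypothetical.
SAMPLE_LOG = [
    {"ts": "2024-03-04T09:12:01+00:00", "user": "dba1", "action": "select", "table": "customers", "rows": 120},
    {"ts": "2024-03-04T02:30:44+00:00", "user": "dba2", "action": "select", "table": "customers", "rows": 250000},
    {"ts": "2024-03-04T10:05:10+00:00", "user": "dev1", "action": "delete", "table": "customers", "rows": 5000},
    {"ts": "2024-03-04T11:00:00+00:00", "user": "app_svc", "action": "select", "table": "accounts", "rows": 400},
    {"ts": "2024-03-04T21:45:30+00:00", "user": "dba1", "action": "export", "table": "customers", "rows": 40000},
]

BULK_ROWS = 10_000                                  # more rows than any single legitimate query should touch
WORK_HOURS = (8, 19)                                # 08:00 to 18:59 UTC; activity outside this is unusual
SENSITIVE_ACTIONS = {"delete", "export", "copy"}    # the "direct copy/delete" cases

def analyse(events) -> list:
    """Run every rule over every event and return the alerts that fire."""
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["rows"] >= BULK_ROWS:
            alerts.append({"severity": "critical", "user": e["user"], "ts": e["ts"],
                           "reason": f"bulk access to {e['rows']} rows of {e['table']}"})
        if not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            alerts.append({"severity": "warning", "user": e["user"], "ts": e["ts"],
                           "reason": "activity outside working hours"})
        if e["action"] in SENSITIVE_ACTIONS:
            alerts.append({"severity": "critical", "user": e["user"], "ts": e["ts"],
                           "reason": f"{e['action']} on {e['table']}"})
    return alerts

def notify(alerts, outbox: list) -> int:
    """Stand-in for the e-mail notification: formats each alert into `outbox`."""
    for a in alerts:
        outbox.append(f"[{a['severity'].upper()}] {a['user']}: {a['reason']} at {a['ts']}")
    return len(outbox)

class TwoStepGuard:
    """Refuse copy/delete in a single step: the operation must be requested by one
    person and approved by a different person before it runs (four-eyes principle).
    A direct attempt is blocked and raises a critical alert."""

    def __init__(self):
        self.pending = {}
        self.alerts = []

    def execute_direct(self, user: str, action: str, table: str) -> str:
        self.alerts.append({"severity": "critical", "user": user,
                            "reason": f"single-step {action} on {table} refused"})
        return "refused"

    def request(self, req_id: str, user: str, action: str, table: str) -> str:
        self.pending[req_id] = (user, action, table)
        return "pending"

    def approve(self, req_id: str, approver: str) -> str:
        if req_id not in self.pending:
            return "refused"            # nothing to approve, or already consumed
        user, action, table = self.pending[req_id]
        if approver == user:
            self.alerts.append({"severity": "critical", "user": user,
                                "reason": f"self-approval of {action} on {table}"})
            return "refused"
        del self.pending[req_id]
        self.alerts.append({"severity": "info", "user": user,
                            "reason": f"{action} on {table} approved by {approver}"})
        return "approved"

if __name__ == "__main__":
    outbox = []
    notify(analyse(SAMPLE_LOG), outbox)
    print("\n".join(outbox))
    guard = TwoStepGuard()
    print(guard.execute_direct("dba1", "delete", "customers"))
    print(guard.request("r1", "dev1", "delete", "customers"), guard.approve("r1", "dba1"))
```

The point of the guard is that the person with direct access cannot complete the dangerous step alone: the request and the approval are tied to different identities, and a self-approval is treated as the same kind of incident as a direct attempt.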
What we have discussed so far is only part of a complete DLP system. In one word, a DLP system cannot be made foolproof, but it can be made highly effective, and the more finely we segment our environment the better the coverage, because each small part is easier to protect than the whole system.