Data Loss Prevention (DLP)
Data Leak Prevention
Data Leak Prevention
Data Loss Prevention (DLP) is a set of technologies and business policies to make sure end-users do not send sensitive or confidential data outside the organization without proper authorization. Sensitive information might include financial records, customer data, credit card data, or other protected information. The most common method that this data is leaked is via email.
An effective DLP system will scan all outbound emails and other network traffic to look for pre-determined patterns that might indicate sensitive data. For example, this might include credit card numbers, social security numbers, HIPAA medical terms, or specific keywords relevant to your organization. Emails containing sensitive data will then be automatically encrypted, blocked, or quarantined for review. The specific security policy can depend on factors such as the sender, recipient, time of day, etc.
It is critical to implement effective DLP strategy to protect your organization’s sensitive information from being breached by criminals or accidentally leaked by careless users. Many data leaks are the result of users responding to a phishing or spear phishing email in which the sender is impersonating someone authorized to receive the data. Data can also be leaked by malware and viruses that read private data and then transmit it to a hacker.
To protect your organization from data loss, you must implement a comprehensive strategy that covers all the potential threat vectors. This starts with user education to make employees aware of suspicious emails and minimize behavior such as downloading files from websites, using unsecured Wi-Fi connections, etc.
You must secure critical data whether it is in use, in motion, or at rest:
- Data In-Use. Data that is being used by applications such as email clients, web browsers, and SaaS applications can be stolen by hackers or accidentally deleted by users. The risks can be greatly minimized by implementing data loss prevention at the mail server level and implementing a web security gateway or web filter to protect web browsers.
- Data In-Motion. Data that is in transit across a network is also at risk of theft. For emails, outbound filters and encryption can help protect data in motion. For the most complete possible protection, your network firewall must protect and encrypt all network traffic.
- Data At-Rest. This applies to data residing in storage. Protecting this data requires backup tools that, at a minimum, should encrypt the backed-up data and replicate it off-site.
It is critical that you implement data loss prevention technology to all surfaces that potentially expose your organization to data theft—including your email server, web browsers, web server, and network firewall. A data prevention strategy typically consists of the following components.
Implementing Email-Based Data Loss
The most common source of data loss is email. If you have not implemented a DLP system, the first step is to secure your email. Barracuda Essentials and the Barracuda Email Security Gateway include outbound email inspection capabilities. Both products protect against data loss caused by malicious data leaks, malware exfiltration of data, users being hijacked as spambots, and numerous other causes of data loss. They also provide inbound filtering to block malware, viruses, phishing, spear phishing, and advanced threats that can be used to steal data.
In addition to email filtering, email encryption is an important part of a data loss prevention strategy. Barracuda also encrypts emails containing sensitive data. Users can encrypt emails on demand, or you can set up policies to automatically encrypt emails based on the sender, recipient, and content.
Implementing Data Loss Prevention for Web Browsing
Another common source of data loss is via web browsers which can infect users with malware or spyware, as well as websites that collect sensitive data. The Barracuda Web Security Gateway and Barracuda Web Security Service provide comprehensive filtering of all downloaded internet content. They protect users from malware, spyware, ransomware, and viruses. They also monitor web browsing, searches, and social media for specific patterns and keywords. A tamper-proof web security agent and SSL packet inspection block advanced threats and alert you of suspicious activity.
Implementing Data Loss Prevention for Websites
Your website and hosted web applications are another attractive target for hackers looking to steal data. The Barracuda Web Application Firewall inspects all inbound traffic for attacks and outbound traffic for sensitive data. When any sensitive or malicious data is identified, it can be blocked or masked automatically. Comprehensive traffic logging helps you identify the source of any potential leaks.
Implementing Data Loss Prevention in Network Firewalls
Your network firewall should serve as the final and more comprehensive layer of data loss protection. Barracuda NextGen Firewalls include advanced threat protection to check every file that enters or leaves your network. If a file type is unknown, it is emulated in a virtual sandbox where any malicious behavior can be discovered. Botnet and spyware protection blocks access to malicious sites and servers. The Intrusion Detection and Prevention System (IDS/IPS) provides real-time network protection from a wide range of network threats and vulnerabilities in operating systems, applications, and databases.
Implementing Data Backup and Recovery
Data at rest must be safely backed up as frequently as possible. The backup device should be able to compress the data and eliminate duplicate records to minimize storage space and network bandwidth requirements. The backup system should also be able to automatically schedule backup in such a way as to avoid large data transfers during periods of high network usage. The more efficient the backup technology, the more frequently the data can be backed up.
Barracuda provides several solutions for managing backup and recovery. The Barracuda Backup provides near real-time backup of data regardless of its location and replicates the backed-up data to Barracuda’s secure cloud. For data protection of email, files, Office 365 documents, and SharePoint, Barracuda Essentials automatically enforces email retention policies by storing emails and files in a tamper-proof cloud archive. The Barracuda Message Archiver provides similar capabilities in a physical or virtual appliance that can be installed on-premises or in the cloud.