Over the last decade many businesses have moved to the cloud or been born there. The days of operating strictly on-prem are largely gone, but that shift brings added security risk.
In 2019, Gartner predicted that over the following six years, 90% of the organizations that failed to control public cloud use would inappropriately share sensitive data. Looking back at the number of data breaches that could have been prevented, it’s hard to say they were wrong. The reason is that cloud strategies, including data loss prevention (DLP) strategies, tend to lag behind cloud adoption. Security and data protection are often afterthoughts, and that has repeatedly put organizations at risk.
The alternative? Companies should adopt best-in-class data loss prevention tools that prevent the intentional and accidental egress of data. To make the most of these tools, security experts should be equipped to set up robust DLP policies.
In this post, we’re sharing best practices for setting up the DLP policies that make the most sense for your business.
First things first: What is a data loss prevention policy?
A DLP policy is a set of rules that governs how a DLP tool safeguards data: what counts as sensitive, who may access, share, and use it, over which channels, and what the tool does when a rule is broken. These policies cover both internal and external users of a company’s cloud environment.
Collectively, your DLP policies are responsible for preventing data loss, enforcing compliance, and protecting proprietary information and customer data. This is particularly important for companies subject to data protection regulations such as HIPAA and GDPR, and it supports compliance with industry standards such as SOC 2 or ISO/IEC 27001.
DLP policies can also set parameters around what data can be viewed or accessed, by whom, and when, which makes them a useful tool for implementing least-privilege access controls.
7 tips for creating a DLP policy
Here are seven things you can do to build an effective DLP policy.
1. Establish where your data is located:
If your organization is the product of acquisitions, or a startup with many contributors, your data is probably scattered. Take the time to understand where it resides, and don’t forget object storage, file shares, block storage, databases and other data stores. As you find each data source, record who can access it at that location.
2. Figure out which data requires protection:
This prioritization exercise determines which data would cause the most damage if it were leaked, and which data attackers are most likely to target. Depending on your business and the data you hold, this could be customer details, revenue information, product source code, or even a list of employees. Knowing what needs protecting sets the parameters for your DLP policies.
3. Classify your data:
Once you know what data you have, categorize it by criticality and sensitivity. This establishes the level and type of protection each category requires. A consistent tagging (labeling) scheme is useful here, both because DLP rules can key off the tags and because regulatory audits often expect one.
4. Establish roles and levels of data access:
Not everyone in your organization should have the same access to all of your corporate data. Define which roles get access to which data and allocate permissions accordingly. Permissions should be specific, not granted broadly to the whole organization. Your DLP policy can then specify what happens when a violation takes place.
5. Consider data in all its forms:
At any given time, your data exists in several states: at rest in storage, in transit over the network, or in use on an endpoint or in an application. Your DLP policy should cover all three, ideally backed by monitoring that tracks data as it moves between them.
6. Have a process for responding to potential leaks:
In the cloud, identities are the perimeter. That means there are many possible entry points, and you need a system in place to detect and stop unwanted access or data egress. Your DLP policy should therefore define the response for each kind of violation (alert, block, quarantine, revoke access) so that your most critical resources are protected when a potential breach occurs.
7. Get your workforce on board:
The most effective way to roll out a DLP strategy is to get your employees on board. Educate them on why the DLP policy exists and what it covers. Work with the relevant teams to build a culture of security that introduces security earlier into the process, whether that’s in product development, procurement, or partnerships.
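To make the definition above concrete, here is a small policy engine that strings steps 2 through 6 together: content detectors decide what is sensitive, a label tag and the detector hits produce a classification, and an ordered rule set decides whether a given role may send that data over a given channel and what the response is. This is an added illustration written for this post, not code from any DLP product. The `[CLASSIFICATION: …]` tag format, the channel names (`internal_share`, `external_email`, `public_link`), the role names and the rules themselves are all hypothetical; the detector patterns are deliberately simplified, and the sample inputs are constructed (the card number is a widely used test value and the key ID is the example value from AWS documentation).

```python
"""Toy DLP policy engine: detect (step 2), classify (step 3), role-aware rules (4), channels (5), response (6)."""
import re
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["public", "internal", "confidential", "restricted"]  # low -> high

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so a random run of 16 digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
_SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
_AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID format
_LABEL_RE = re.compile(r"\[CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\]", re.I)  # hypothetical tag

def find_pans(text: str) -> list[str]:
    """Candidate card numbers that also pass the Luhn check."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

DETECTORS = {  # detector name -> (function, sensitivity level a hit implies)
    "pan": (find_pans, "restricted"),
    "ssn": (_SSN_RE.findall, "restricted"),
    "aws_access_key": (_AWS_KEY_RE.findall, "restricted"),
}

def classify(text: str) -> tuple[str, dict[str, list[str]]]:
    """Highest level implied by an explicit label tag or by any detector hit."""
    level = "public"
    findings: dict[str, list[str]] = {}
    m = _LABEL_RE.search(text)
    if m:
        level = m.group(1).lower()
    for name, (detect, implied) in DETECTORS.items():
        if hits := detect(text):
            findings[name] = hits
            if LEVELS.index(implied) > LEVELS.index(level):
                level = implied
    return level, findings

def mask(value: str) -> str:  # last four chars only, so the DLP log does not leak what it protects
    return "*" * max(len(value) - 4, 0) + value[-4:]

@dataclass(frozen=True)
class Rule:
    name: str
    min_level: str  # applies when the classification is at least this level
    channels: frozenset[str]  # egress paths the rule covers
    action: str  # "block" or "alert"
    exempt_roles: frozenset[str] = frozenset()

@dataclass
class Verdict:
    action: str
    level: str
    rule: Optional[str]
    findings: dict[str, list[str]] = field(default_factory=dict)  # masked values only

# Ordered hypothetical policy: the first matching rule decides; anything unmatched is allowed.
POLICY = [
    Rule("block-restricted-egress", "restricted", frozenset({"external_email", "public_link"}), "block"),
    Rule("alert-restricted-internal", "restricted", frozenset({"internal_share"}), "alert",
         frozenset({"finance", "security"})),
    Rule("block-confidential-public", "confidential", frozenset({"public_link"}), "block"),
    Rule("alert-confidential-external", "confidential", frozenset({"external_email"}), "alert",
         frozenset({"legal"})),
]

def evaluate(actor_role: str, channel: str, content: str, policy: list[Rule] = POLICY) -> Verdict:
    level, findings = classify(content)
    masked = {k: [mask(v) for v in vals] for k, vals in findings.items()}
    for rule in policy:
        if (LEVELS.index(level) >= LEVELS.index(rule.min_level)
                and channel in rule.channels
                and actor_role not in rule.exempt_roles):
            return Verdict(rule.action, level, rule.name, masked)
    return Verdict("allow", level, None, masked)

if __name__ == "__main__":
    # Constructed samples: 4111... is a well-known test card number, AKIAIOSFODNN7EXAMPLE is the
    # example key ID from AWS's documentation; the last event fails Luhn and is allowed.
    for args in [("engineer", "external_email", "Card on file: 4111 1111 1111 1111"),
                 ("engineer", "internal_share", "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"),
                 ("security", "internal_share", "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"),
                 ("marketing", "public_link", "[CLASSIFICATION: CONFIDENTIAL] Q3 roadmap"),
                 ("marketing", "public_link", "Order ref 1234 5678 9012 3456 shipped")]:
        v = evaluate(*args)
        print(f"{v.action:<5} {v.level:<12} {args[0]:>9} -> {args[1]:<15} {v.rule or '-'} {v.findings}")
```

The same `classify()` can be run over the objects discovered in step 1 to find sensitive data at rest, while `evaluate()` models data in transit over a share or email channel. Two details carry over to real deployments: rule order is part of the policy (the first match wins, so a broad "alert" rule placed above a narrow "block" rule silently weakens it), and findings are masked before they reach the verdict, because a DLP alert that quotes the full card number or key is itself a leak.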
Making the most of your DLP tool
Your DLP tool will be an important component of your broader security strategy, so it’s worth setting yourself up for success with it. A clear and comprehensive DLP policy ensures the tool is doing the most for you and protecting your key assets from a potential leak.