Data is the world’s currency and has been for some time. Protecting data should be at the top of the list for organizations of any size, and the heart of any security strategy. Think about it: the purpose of any firewall, email solution, compliance regulation, or XDR platform is to keep data safe. Why not cut to the heart of it with a dedicated Data Loss Prevention (DLP) solution? And why not optimize that solution with Data Classification?
A good data protection strategy involves three parts:
- Discovery and Redaction: Finding (and hiding) your data
- Classification: Organizing your data with Data Classification
- Prevention: Implementing Data Loss Prevention (DLP) policies
Partnering with a security provider who knows the data landscape can give you access to a suite of best-in-class solutions for maturing your data security posture.
Discovery and Redaction: Finding (and Hiding) Your Data
Data Classification begins with data discovery. You can't organize data you don't know you have, and you can't report on it either. At the same time, you want key data to be accessible only to authorized users, not to attackers. That's why this step is done in two parts: discovery, then redaction.
Data Discovery
Hidden data cuts both ways: it is hidden from your policies, not from an attacker. Documents created with sensitive information and then abandoned get none of the policy protection they need, yet they stay on the network as latent exposure for the next intruder who scans it. Documents (Excel, Word, even screenshots, and anything attached to an email) can be a treasure trove of sensitive information, so policies need to cover their creation, use, and storage.
The first step, therefore, is to discover the data you have on your network. In the Forrester Now Tech Q4 2020 Report, Forrester defines sensitive data discovery and classification as: “The capability to provide visibility into where sensitive data is located, identify what this sensitive data is and why it’s considered sensitive, and tag or label this data based on its level of sensitivity.”
Two of Fortra's flagship data classification providers, Boldon James and Titus, were named in that Forrester report, acknowledged for the ways they help companies improve data protection through data discovery and classification.
Additionally, Fortra's Digital Guardian for Data Discovery locates sensitive data at rest and speeds up discovery of PHI, payment card (PCI), and PII data with pre-configured templates.
Data Redaction
Removing sensitive information can be done automatically with the right solutions. Clearswift Secure Email Gateway offers Adaptive Redaction technology designed to automatically remove or sanitize sensitive content in files, based on rules set by your organization.
It leverages a feature uncommon in other email security solutions (including Microsoft 365): Optical Character Recognition (OCR). With OCR, sensitive data inside an image (a document scan, a screenshot, or a picture embedded in an electronic document) can be detected and redacted automatically, closing a channel that text-only scanners never see and reducing the risk of a breach.
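To make the discovery and redaction steps concrete, here is an added example in Python. It is not Clearswift, Digital Guardian, or any other Fortra code; the sample files, the detector patterns, and the validity checks are constructed for illustration. It scans a set of documents for payment card and SSN patterns, validates each hit (Luhn checksum, SSN area rules) so that look-alike digit runs are not reported, records only a masked preview in the inventory, and writes a redacted copy. It handles plain text only and does no OCR.

```python
"""Discover and redact sensitive data at rest.

Added example for this article; not vendor code. Sample documents, detector
patterns and validators are constructed for illustration (plain text only).
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Constructed sample "documents" (path -> contents). Two hold real-looking
# sensitive values; the third holds digit runs that only look like them.
SAMPLE_FILES = {
    "hr/q3_payroll_export.csv": "name,ssn,card\nAda,123-45-6789,4111 1111 1111 1111\n",
    "sales/notes.txt": "Customer card on file: 5500 0000 0000 0004. Call ext 1234.\n",
    "eng/readme.txt": "Build id 1234-56-7890, order 4111-1111-1111-1112 is a typo\n",
}

DETECTORS = {
    "PCI:card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),  # 16 digits, optional separators
    "PII:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(s: str) -> bool:
    """Reject area/group/serial values the SSA never issues."""
    area, group, serial = s.split("-")
    return area not in ("000", "666") and not area.startswith("9") and group != "00" and serial != "0000"

VALIDATORS = {
    "PCI:card_number": lambda raw: luhn_ok(re.sub(r"\D", "", raw)),
    "PII:ssn": ssn_ok,
}

@dataclass
class Finding:
    path: str
    kind: str
    offset: int
    length: int
    preview: str  # masked: the inventory must not become another copy of the secret

def mask(raw: str) -> str:
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(path: str, text: str) -> list:
    """Run every detector, keep only hits that pass the matching validator."""
    findings = []
    for kind, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            raw = m.group(0)
            if VALIDATORS[kind](raw):
                findings.append(Finding(path, kind, m.start(), len(raw), mask(raw)))
    return findings

def discover(files: dict) -> dict:
    """Inventory step: return only the files that contain validated findings."""
    return {path: found for path, text in files.items() if (found := scan_text(path, text))}

def discover_on_disk(root: Path) -> dict:
    """Same scan over real files; Office/PDF formats would need a text extractor first."""
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue
    return discover(files)

def redact(text: str, findings: list) -> str:
    """Replace each validated hit with a token, working from the end so offsets stay valid."""
    cursor = len(text)
    for f in sorted(findings, key=lambda f: f.offset, reverse=True):
        end = f.offset + f.length
        if end > cursor:  # overlaps a span already redacted; skip it
            continue
        text = text[:f.offset] + f"[REDACTED {f.kind}]" + text[end:]
        cursor = f.offset
    return text

if __name__ == "__main__":
    for path, found in discover(SAMPLE_FILES).items():
        print(path)
        for f in found:
            print(f"  {f.kind} at {f.offset}: {f.preview}")
        print("  redacted:", redact(SAMPLE_FILES[path], found).replace("\n", "\\n"))
```

The decoy file is the point: a regex alone would flag "4111-1111-1111-1112", but it fails the Luhn check, so it never enters the inventory and never gets redacted. Validation of this kind is what keeps a discovery report from becoming a false-positive list.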
Classification: Organizing Your Data with Data Classification
To craft the most effective DLP approach, you first need to understand the type of data you’re dealing with.
What is data classification?
Data classification is “the process of organizing and coherently labeling data using predefined criteria to determine its type, business value, and degree of sensitivity.” In other words, it’s getting clear on what data you have and how it needs to be categorized. This step is key to further determining how you will protect it, since each classification type warrants a different level of protection.
A data classification policy is also integral to reducing the high number of false positives that Data Loss Prevention solutions generate. Left unaddressed, the noise leads teams to detune their DLP tools to the point where they only perform high-level scans, making them less effective and dulling their edge. Data classification puts the specifics back into DLP: labels supply meaningful metadata that a policy can key on directly (a document labeled Confidential is stopped at the boundary whether or not a content pattern matched, while a Public document is not held up by a lookalike hit), leading to more precise checks and better outcomes.
Data classification tools
There are a number of tools for classifying data. Often contained in a single suite, they can include:
- Email classifiers that sift and sort information within an email client and prevent sensitive data from being sent to the wrong person.
- Pre-built classification schemes and policy templates aligned to regulations and frameworks such as GDPR, CCPA, HIPAA, CMMC, ITAR, and CUI handling requirements, to help you stay compliant.
- Metadata labels embedded in files and messages, so that downstream tools (DLP, email gateways, rights management) can read the classification in context.
Prevention: Implementing Data Loss Prevention (DLP) Policies
Network DLP
Also referred to as data-in-motion protection, Network DLP (NDLP) secures communications on an organization's network. It is easy to deploy and does not require software on every device, but it only inspects traffic that passes through the monitored network path, so remote users must be routed back through it (typically via VPN) for their traffic to be covered.
NDLP sees data as it flows through the network, email, or web channels and can take actions defined by policy: block, audit, forward, notify, encrypt, or quarantine.
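The following added example (not Fortra or Digital Guardian code) shows in Python how the classification labels described earlier drive the policy actions listed above. It assumes each attachment carries its label as metadata (real classification tools embed it in document properties or a mail header; here it is a plain field), that the organization's own domain is corp.example, and that unlabelled files fall back to a single stand-in content detector. The labels, policy table, and sample messages are constructed.

```python
"""Classification-aware DLP policy evaluation for an outbound message.

Added example for this article; not vendor code. Labels are assumed to travel
with each attachment as metadata; domains, policy and samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_DOMAINS = {"corp.example"}                  # assumed: the organization's own domain(s)
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # stand-in content detector for unlabelled files
LABELS = ("Public", "Internal", "Confidential", "Restricted")
SEVERITY = ["allow", "audit", "notify", "encrypt", "quarantine", "block"]  # least to most restrictive

@dataclass
class Attachment:
    name: str
    text: str
    label: Optional[str] = None   # one of LABELS, or None when nobody classified it

@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[Attachment]

@dataclass
class Decision:
    action: str    # one of SEVERITY
    reason: str

def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

# Policy keyed on (label, leaving the organization). The label, not a regex hit,
# drives the action: a Public price list that quotes an SSN format is allowed out,
# and a Confidential roadmap is blocked even though no pattern matched it.
LABEL_POLICY = {
    ("Public", False): "allow",         ("Public", True): "allow",
    ("Internal", False): "allow",       ("Internal", True): "notify",
    ("Confidential", False): "encrypt", ("Confidential", True): "block",
    ("Restricted", False): "encrypt",   ("Restricted", True): "block",
}

def evaluate_attachment(att: Attachment, external: bool) -> Decision:
    if att.label in LABELS:
        return Decision(LABEL_POLICY[(att.label, external)], f"{att.name}: label={att.label} external={external}")
    # Unlabelled: fall back to content inspection. Unvalidated pattern hits are where
    # false positives come from, so route for review rather than hard-block, and log
    # clean unlabelled files so they feed the discovery and classification backlog.
    hits = len(SSN_LIKE.findall(att.text))
    if hits == 0:
        return Decision("audit", f"{att.name}: unlabelled, no detector hits")
    if external:
        return Decision("quarantine", f"{att.name}: unlabelled, {hits} hit(s), leaving the org")
    return Decision("notify", f"{att.name}: unlabelled, {hits} hit(s), internal")

def evaluate(msg: Message) -> Decision:
    """The most restrictive attachment decision applies to the whole message."""
    external = any(is_external(r) for r in msg.recipients)
    decisions = [evaluate_attachment(a, external) for a in msg.attachments]
    if not decisions:
        return Decision("allow", "no attachments")
    return max(decisions, key=lambda d: SEVERITY.index(d.action))

# Constructed sample traffic.
SAMPLES = {
    "public_to_partner": Message("ada@corp.example", ["bob@partner.example"],
        [Attachment("pricelist.txt", "Sample ID format: 123-45-6789", label="Public")]),
    "confidential_external": Message("ada@corp.example", ["bob@partner.example"],
        [Attachment("roadmap.txt", "Q4 plans", label="Confidential")]),
    "confidential_internal": Message("ada@corp.example", ["cy@corp.example"],
        [Attachment("roadmap.txt", "Q4 plans", label="Confidential")]),
    "unlabelled_external": Message("ada@corp.example", ["bob@partner.example"],
        [Attachment("export.csv", "Ada,123-45-6789\nBen,987-65-4320\n")]),
    "unlabelled_clean": Message("ada@corp.example", ["bob@partner.example"],
        [Attachment("agenda.txt", "Tuesday 10:00, room 4")]),
    "mixed_external": Message("ada@corp.example", ["bob@partner.example"],
        [Attachment("pricelist.txt", "public", label="Public"),
         Attachment("roadmap.txt", "Q4 plans", label="Confidential")]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        d = evaluate(msg)
        print(f"{name:24} -> {d.action:10} ({d.reason})")
```

Two things to notice: the Public attachment containing an SSN-looking string is allowed through without any content scan, which is the false-positive reduction the classification section describes, and the unlabelled export is quarantined for review rather than blocked outright, because a pattern hit on an unclassified file is evidence, not a verdict.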
Endpoint DLP
Endpoint DLP (EDLP) monitors communications on the endpoint and requires deployment of agent software on every device.
It allows you visibility into data as it is created (or updated). The data is then flagged if it contains sensitive information. EDLP can also restrict actions such as copy/paste, screenshots, and printing, and can prevent data from being saved on external devices. It also secures communications both on and off the network, so there’s no need for a VPN – even if users are working remotely.
The amount of upkeep can be high, depending on the number of devices within an organization, but that cost should be considered against the benefit of protecting data at the source.
Integrated DLP vs. Enterprise DLP
Employing a single DLP solution for a specific vector (say email) is known as Integrated DLP. Deploying an overarching DLP solution across all channels is referred to as Enterprise DLP.
Integrated DLP gives you high-fidelity alerts on specific channels and redacts sensitive information in documents and images as they pass through; it also integrates with existing security investments. Enterprise DLP, by contrast, provides a centralized, all-in-one DLP agent that eliminates the need for multiple agents and offers greater depth and breadth of data detection.
Enterprise DLP is more resource intensive but managed Enterprise DLP solutions have evolved to offset the burden.
Comprehensive Data Protection from Fortra
As you progress along your data protection journey, keep in mind that the goal is maturity; not completion. So long as evolving exploits plague the landscape, security strategies will always have to evolve along with them. The best we can do is keep pace with the threats of today and build out data protection frameworks that are cohesive, comprehensive, and scalable.
Fortra offers a complete data protection suite. For an additional layer of protection beyond the enterprise, pair DLP and Data Classification with a Managed File Transfer (MFT) and Data Rights Management (DRM) solution to secure data from creation to endpoint – in the cloud and anywhere.
Fortra’s Digital Guardian builds off data classification by bringing the metadata to life. In this scenario, DLP becomes the data’s traffic cop, triaging what users can do with specific types of data. Specific Digital Guardian capabilities include:
- Analytics & Reporting Cloud
- Endpoint DLP
- Network DLP
- Cloud Data Protection
- Data Discovery
- Managed Security Program
- Managed Data Loss Prevention
Securing data is the central concern of cybersecurity practice today. In an age of information, the job of security practitioners is to keep data confidential, intact, and available (the classic confidentiality, integrity, and availability triad). Fortra's data protection offerings provide enterprises with the tools they need to deliver on those promises, and to do so at scale.
Learn More
Discover the 5 Reasons Classification is the First Step to Successful Data Loss Prevention in our new guide.