
Data Loss Prevention (DLP) and Data Classification


15/08/2023

Thanks to developments in technology, data and information are easier to reach than ever. On the other hand, living conditions shaped by technology bring data security concerns into our lives. As a result, data security has emerged as a critically important branch of cyber security.

An enormous amount of work has been carried out for the sake of security, such as restricting the number of users who can reach data, providing authorization, preventing unauthorized persons and third-party users from reaching data, and classifying and storing data. DLP (Data Loss Prevention) is one of these data security efforts, and it can be applied at different layers, including the network, endpoints and cloud-based solutions.

The main objective of DLP and Data Classification is to protect critical data. Achieving this objective requires precautions such as authorization controls and restrictions, encryption, content filtering, and monitoring of users and networks. Compliance with data protection regulations is also needed, and it is achieved by applying an extensive DLP and Data Classification strategy.

Data Analysis

Organizations differ in how they process data in their operational activities. For this reason, although DLP technologies come with pre-defined policies, most of the time these are insufficient for the organization. The gathered data should therefore be blended with the pre-defined policies and adjusted to fit the specific needs of the organization.

Most of the time, data is collected, processed, and used by departments other than IT, so DLP solutions do not succeed without the contribution of the other departments of the organization.

Data analysis should include every department in the organization that processes and uses data, as well as the business processes in which the gathered data is used. With a poorly made data analysis it is not possible to detect, monitor and protect the organization's actual critical data, because the efficiency of DLP technology is directly related to, and limited by, the policies defined on it.

There are also rules and regulations set by the authorities. Administrative fines apply within the scope of KVKK (Law on Protection of Personal Data) and the rules specified within the constitution when organizations and data supervisors do not follow these rules and regulations.

Why is Data Classification Important?

Data classification is the process of classifying personal and corporate data based on predefined criteria. In this way, data is protected effectively and actively. Some data might be shared only with the personnel of the organization, whereas other data is shared only with a specifically designated person or group of people. Implementing this requires a correct data classification. Data collection and classification are therefore the foundation.

Because critically important documents are frequently audited and are subject to certain legal compliance requirements, classification also makes it possible to trace a document to its source. For instance, classification plays a key role in finding which department a document belongs to. While there may be no designated security level for a company's sales-marketing department data, data belonging to the accounting department, such as sales volume and prices, might be strategically important. For this reason, data should also be classified and protected according to its level of importance.

DLP Data Types

Critical data in DLP systems exists in three states: data at rest, data in use, and data in motion.

Data at Rest:

Data that rests in storage, databases and file systems and is used only when necessary. With DLP, you can scan data at rest and find sensitive data by specific content, filename or a compatibility profile.
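An added example (not from the original article or from any DLP product) of a data-at-rest scan that flags files by filename and by content. The filename globs, the choice of the Turkish national ID number as the content detector, and the sample files are assumptions made for illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Assumed policy for this example: filename globs plus one content detector.
FILENAME_RULES = ["*payroll*", "*.pst"]
ELEVEN_DIGITS = re.compile(r"(?<!\d)[1-9]\d{10}(?!\d)")


def valid_tckn(number):
    """Checksum test for an 11-digit Turkish national ID; filters random digits."""
    d = [int(c) for c in number]
    odd, even = sum(d[0:9:2]), sum(d[1:8:2])
    return (odd * 7 - even) % 10 == d[9] and sum(d[:10]) % 10 == d[10]


def scan_file(path):
    """Return the reasons a file is flagged (empty list if it is clean)."""
    reasons = []
    if any(fnmatch.fnmatch(path.name.lower(), rule) for rule in FILENAME_RULES):
        reasons.append("filename")
    text = path.read_text(encoding="utf-8", errors="ignore")
    if any(valid_tckn(m) for m in ELEVEN_DIGITS.findall(text)):
        reasons.append("content:national-id")
    return reasons


def scan_tree(root):
    """Walk a directory and map each flagged relative path to its reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (reasons := scan_file(path)):
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Scan a constructed sample tree (all file names and contents are made up)."""
    samples = {
        "hr_payroll_2023.csv": "name,amount\nA,100\n",  # filename match only
        "notes.txt": "customer 10000000146 called",     # checksum-valid number
        "order.txt": "tracking number 12345678901",     # 11 digits, bad checksum
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body, encoding="utf-8")
        return scan_tree(root)
```

The checksum step is what keeps the content rule from firing on every 11-digit order or tracking number, which is the usual source of false positives in pattern-only policies.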

Data in Use:

Active data that is currently in use, including sensitive and private information. Data in use is often updated by multiple users. With the policies created, DLP products can act on copy-paste operations and transfers as users make updates to the data in use.

Data in Motion:

Data that moves within the network, for example in email, instant messaging or the cloud, and is constantly in motion to portable devices or other outlets. Data in motion is vulnerable to various threats stemming from human mistakes, network errors, insecure file sharing and malicious activities. DLP products often focus on breaches and human errors in data in motion, scan network traffic for sensitive information and prevent critical information from leaving the enterprise environment.

DLP Types

Network DLP:

It is designed to protect data in transit by monitoring the traffic generated on the network using the SMTP/TLS, HTTP/HTTPS, IM, and FTP protocols. It can be used to stop data loss through email, the Web, etc.

Endpoint DLP:

It protects data on actively used desktops and laptops by monitoring the data stored on them. It discovers, monitors, and protects confidential/critical information by scanning the environments where information is used and stored on clients, such as local disks, portable drives, e-mail, Web, and IM. It also provides control over copying data to USB drives, burning CDs/DVDs, downloading information to local disks, printing, faxing, transferring information over the network, and encrypted information with high-security content.

Data Security within the Scope of Law on Protection of Personal Data (KVKK)

KVKK requires a structured approach to managing private data.

Within the framework of harmonization with European Union law, and in connection with the GDPR (General Data Protection Regulation), the Law on the Protection of Personal Data No. 6698 quickly came into force in our country. As a result of these regulations, it is of particular importance that companies and institutions in the country comply with these provisions.

The relevant provision states that the KVKK Data Controller must take all necessary technical and administrative measures to ensure the appropriate level of security:

  • To prevent the unlawful processing of personal data
  • To prevent unlawful access to personal data
  • To ensure the protection of personal data

Author: Serkan Avcı, Enterprise Security Architect
