IT Services

December 08, 2021

What is Data Loss Prevention?

Data Loss Prevention - BT Partners

As more and more businesses look for ways to protect their sensitive information, the solutions grow in tandem. A new market study states that the global data loss prevention market will reach $6 billion by 2026. Data loss prevention (DLP) is best described as a system that categorizes content within your network and necessarily restricts its movement both within the organization and outside the organization. This post covers what DLP is in more relatable details, as well as how you can incorporate Microsoft Office 365 DLP policies to help protect your data wherever you and your staff are.

What is a Data Loss Prevention Solution?

The purpose of DLP is not to restrict people, but to protect people. It’s an additional layer of protection in the event of unauthorized access, like in a situation where a user’s login credentials are compromised or shared by accident. According to BT Partner’s Technical Account Manager, Austin Germaine, “DLP is just another layer in the fight against data loss. Even if I can get in with another user’s credentials, there’s a DLP policy preventing me from accessing the data and possibly emailing it out to other restricted users.

DLP ties the user’s rights to the data itself, regardless of where a file is. That means you don’t need to create folder structures anymore and worry that if a confidential file is in a folder that someone has access to, they’ll be able to see it or share it out. If you can’t access a file through a DLP policy, then you will be unable to view it no matter what. You’re essentially stopping data from leaving the environment and only allowing certain people to have access to data that’s been tagged.

Two Parts – First, We Identify & Categorize

There are two main components associated with DLP. The first is to identify and categorize data based on content type, and then categorize the data as either ‘sensitive’ or ‘everything else’ basically. Sensitive data is anything that contains Personal Identifiable Information (PII) or trade secrets. The rest of the data isn’t necessarily “non-sensitive”, it’s just not identified as PII, so is not considered ‘Sensitive’. This categorization can happen manually or automated. While it’s possible to manually categorize your data, it’s a significant undertaking. Alternatively, with Office 365, we can simplify this for you – not only the audit of the data but the follow-up steps as well. Office365 affords you the ability to automatically categorize your data by over one hundred different privacy metrics, and it applies those metrics to metadata tags on a per-file basis.  Metadata, or “data about data”, is the key component to how DLP policies are applied.  The point we’re trying to make is you first need to figure out what data you have so that you know what data needs to be protected, and metadata tagging is generally is how this is more efficiently accomplished.

Two Parts – Next, We Create a Policy (no, not just a memo)

The second component with DLP is to create a policy that defines how that data can move and who can access it. At a high level, the policy can automatically prevent sensitive data from leaving the environment. More specifically, DLP policies provide the DLP mechanism with rules defining how files, by virtue of their metadata tags, can move or be accessed; an example would be restricting someone who has access to a spreadsheet from emailing it to others who maybe don’t have access to the spreadsheet. The policy is essentially scanning, identifying, and restricting export from the environment. This is where DLP comes in.

Then you can get even more granular, breaking it down to who can access certain data and how they can access it. The historical method was location-based access, like when people would create folder structures and restrict users’ access to certain folders. As mentioned earlier, with DLP you remove the location from the equation and tie the user rights to the data itself. It proactively secures sensitive data without it mattering where that data is in your network. DLP is proactive, instead of reactive, and is something all businesses should strive for. Think of it as a “set and forget” tool that runs in the background and doesn’t need to be audited or maintained because it’s happening regularly automatically.

What is Data Loss Prevention Policy?

The concept behind the DLP policy is that everything is driven by authorization. There is an overarching authorization form to whatever data you can access by virtue of their authentication, which is driven and decided upon by the business.

The DLP policy is created through discussions with the leadership and the management team. They must identify and layout who should get access and to what information. Once this is determined, they bring it forward to their IT department who will then program it into the DLP policy. Then, with that DLP policy coded into your system, there are two steps. – First, the authentication process where a user logs into a system with a username and password. Second is the authorization process where the system agrees if the user is allowed access to a file. For example, in your restaurant or franchise(s), all staff might need to access the system, but do they all need to know grandma’s “secret sauce” recipe? Or is there a risk that if they have access to the recipe, they may share it with customers or suppliers, even accidentally? Think of it as the more responsibility someone has, the more liability they carry with that responsibility. Using DLP is another layer of protection against unauthorized access that protects you, your staff, and ultimately your business.

DLP policies are created and designed by your team to block accidental (or intentional) prohibited activities, like sharing PII and putting you at legal risk or emailing trade secrets, without hindering your regular business operations. Businesses own a massive amount of data. Every day, we create roughly 2.5 quintillion bytes of data, and it’s up to us to put in place measures to protect it. With the help of Microsoft 365 and our Managed IT Service team, you can sleep well at night knowing that you can better control, monitor, and manage all your business data.

Business insights and resources

Zero Day Vulnerability - BT Partners

The Zero-Day Threat - BT Partners

The Zero-Day Threat

What is DNS

Understanding DNS – What Is DNS & Why Does It Matter

Ready to optimize?