
The volume and speed of information sent and received within and around organizations pose a serious security risk: sensitive data can be compromised. Data Loss Prevention (DLP) solutions mitigate this risk by acting as digital guards that protect critical information. However, DLP is not a single product. Because data must be protected in different environments, different types of DLP have emerged: Network DLP, Endpoint DLP, and Cloud-Based DLP. Understanding the differences between them is important for your organization’s data protection strategy.
Network DLP
Network DLP solutions are the watchdogs of network traffic. They are deployed at the points where traffic concentrates, such as internet gateways, email servers, and internal network segments, and they inspect and protect data in transit.
How Network DLP Works:
Network DLP solutions typically rely on deep packet inspection (DPI) to analyze the content of network traffic. The packet contents are compared against policies to identify sensitive data using criteria such as:
- Keywords and regular expressions: Looking for patterns such as social security numbers, credit card numbers, and project codenames.
- File Properties: Looking for file types, sizes, and metadata.
- Dictionary-aware analysis: Matching content against a set of dictionaries of sensitive words.
- Exact Data Matching (EDM): Matching contents against a secure hash of the real sensitive data.
- Machine learning and content analysis: Using AI to recognize context and understand sensitive data even if specific keywords don’t appear.
When Network DLP detects a policy violation (e.g., an employee is about to email a document containing confidential financial data to an external address), it can respond in real time with any of the following actions:
- Blocking transmission: Stopping sensitive data from leaving the network.
- Quarantining communications: Holding the email or file pending review.
- Informing administrators: Alerting security staff that a policy was violated.
- Logging: Documenting the attempted data loss.
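The detection criteria and responses above, worked through as an added example (not code from the original article or from any DLP product): regex detectors with a Luhn validator to cut false positives, a codename dictionary, Exact Data Matching over keyed hashes of constructed customer records, and a decision step that maps findings to block, quarantine, log, or allow. The customer-ID format, dictionary terms, and EDM key are all constructed for the example.

```python
import hashlib
import hmac
import re
def luhn_ok(digits: str) -> bool:
    """Checksum that rejects 16-digit runs which are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Keyword/regex detectors, each with a validator to cut false positives.
PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"),
                    lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
}
DICTIONARY = {"project falcon", "confidential"}  # constructed codename dictionary
EDM_KEY = b"constructed-demo-key"  # EDM stores keyed hashes, never the raw records

def edm_fingerprint(value: str) -> str:
    norm = re.sub(r"\s+", " ", value.strip().lower())
    return hmac.new(EDM_KEY, norm.encode(), hashlib.sha256).hexdigest()

# Fingerprints of the "real" customer records (constructed sample), built once.
EDM_INDEX = {edm_fingerprint(v) for v in ("ACME-CUST-00042", "ACME-CUST-00777")}
EDM_TOKEN = re.compile(r"\b[A-Z]+-[A-Z]+-\d+\b")  # constructed customer-ID format

def inspect(payload: str) -> dict:
    """Run every detector over one message body; returns {detector: hit count}."""
    findings = {}
    for name, (rx, valid) in PATTERNS.items():
        hits = [m.group(0) for m in rx.finditer(payload) if valid(m.group(0))]
        if hits:
            findings[name] = len(hits)
    terms = [t for t in DICTIONARY if t in payload.lower()]
    if terms:
        findings["dictionary"] = len(terms)
    edm = sum(1 for t in EDM_TOKEN.findall(payload) if edm_fingerprint(t) in EDM_INDEX)
    if edm:
        findings["edm"] = edm
    return findings
def decide(findings: dict, external: bool) -> str:
    """Map findings to the responses listed above: block, quarantine, log, or allow."""
    if not findings:
        return "allow"
    if external and any(k in findings for k in ("ssn", "credit_card", "edm")):
        return "block"
    return "quarantine" if external else "log"
```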
Advantages of Network DLP
- Centralized Visibility: Provides a single view of data leaving the organization’s network.
- Strong outbound traffic control: Excellent at blocking data exfiltration over the common network channels: email, web upload, and file transfer.
- Minimal to no effect on end users: Nothing needs to run on the end-user device.
Endpoint DLP
Endpoint DLP solutions protect individual users’ endpoint devices: laptops, desktops, and mobile devices. An agent is installed directly on the endpoint, where it tracks where data is stored and how it is used. The intent is to protect data at rest (stored on the device) and data in use (being accessed, modified, or copied).
How does Endpoint DLP Work?
Endpoint DLP agents capture user activity involving sensitive data and compare it against defined policies. This could include:
- File Activity: Copying, moving, renaming, and deleting sensitive files.
- Clipboard Activity: Copy and paste actions that include sensitive content.
- Printing: Printing of sensitive documents.
- Removable Media Activity: Use of USB drives and other external storage devices.
- Application Activity: How applications read and write sensitive data.
If a user’s activity breaks a DLP policy, such as trying to copy a confidential design document to a USB drive that policy prohibits, the endpoint DLP solution can:
- Block the action: prevent the copy.
- Encrypt the content: encrypt the file as it is copied to the USB drive.
- Warn the user: display a message explaining which DLP policy the action violates.
- Notify administrators: report the incident to the security team.
Benefits of Endpoint DLP
- Granular Control Over Local Data Usage: Endpoint DLP allows precise control over how users manipulate sensitive data on their local computers.
- Effectiveness against Insider Threats: Endpoint DLP is capable of mitigating data loss by preventing actions such as copying to removable media or using applications that have not been pre-defined for handling sensitive data.
- Visibility into Data in Use and at Rest: Endpoint DLP provides visibility into where sensitive data is stored on endpoints and how it is being accessed.
Cloud-Based DLP
The rise of cloud services, specifically SaaS applications (e.g., EA, M365, Google Workspace) and cloud storage (e.g., AWS S3, Azure Blob Storage), has made it crucial for organizations to protect data residing in these cloud environments. Cloud DLP products bring the detection and protection features of DLP into cloud applications and repositories.
How Cloud-Based DLP Works
Cloud DLP solutions can either directly integrate with cloud platforms through Application Programming Interfaces (APIs) or operate as Cloud Access Security Brokers (CASBs) to monitor access and activity. Cloud DLP has three general capabilities:
- Identify Sensitive Data in the Cloud: Identify where sensitive data exists within cloud-based applications.
- Track usage by users: Monitor how users are interacting with the data in the cloud through downloading, uploading, sharing, and/or editing.
- Enforce Data Security: Block violations of security policies, preventing users from sharing sensitive data inappropriately; control access permissions to the company’s sensitive data; and comply with cloud-related regulatory requirements.
Once a policy violation is discovered, for example a user mistakenly selecting ‘public share’ on a sensitive document in company-owned cloud storage, the cloud DLP solution can take any of the following actions:
- Block the share action: Stop the data from being shared or exposed.
- Change the sharing permissions: Restrict access to the data.
- Encryption or redaction: Encrypt the sensitive content or redact the sensitive data.
- Alert administrators: Notify the IT or security team of the transgression.
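The sharing-violation scenario above, worked through as an added example (not code from the original article or from any cloud provider's API): a constructed permission listing of the kind a cloud DLP connector would pull over a storage API is checked against a label-based sharing policy, and offending entries (public links, external users or domains) are stripped while internal access is kept. The tenant domain, labels, and permission schema are assumptions made for the example.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # constructed; the organization's own tenant

@dataclass
class Permission:
    kind: str            # "user", "domain", or "anyone" (public link)
    target: str = ""     # email address or domain; empty for "anyone"
    role: str = "reader"

@dataclass
class CloudFile:
    name: str
    label: str           # classification assigned by an earlier content scan
    perms: list = field(default_factory=list)

LEVEL = {"internal": 0, "external": 1, "public": 2}
# Policy: the widest audience each classification label may be shared with.
POLICY = {"public": "public", "internal": "internal", "confidential": "internal"}

def perm_level(p: Permission) -> str:
    """Audience reached by a single permission entry."""
    if p.kind == "anyone":
        return "public"
    if p.kind == "domain":
        return "internal" if p.target == INTERNAL_DOMAIN else "external"
    return "internal" if p.target.lower().endswith("@" + INTERNAL_DOMAIN) else "external"

def exposure(f: CloudFile) -> str:
    """Widest audience the file is visible to across all its permissions."""
    return max((perm_level(p) for p in f.perms), key=LEVEL.get, default="internal")

def remediate(f: CloudFile) -> dict:
    """Cloud DLP response: allow, or strip the offending permissions and alert."""
    allowed = POLICY.get(f.label, "internal")  # unknown labels are treated as internal
    if LEVEL[exposure(f)] <= LEVEL[allowed]:
        return {"action": "allow", "keep": list(f.perms), "removed": [], "alert": False}
    keep = [p for p in f.perms if LEVEL[perm_level(p)] <= LEVEL[allowed]]
    removed = [p for p in f.perms if p not in keep]
    return {"action": "restrict", "keep": keep, "removed": removed, "alert": True}
```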
Benefits of Cloud-Based DLP are:
- Visibility and Control Over Cloud Data: Provides protection specific to the data held in your SaaS applications and cloud infrastructure.
- Addresses unique cloud security needs: Regulates cloud security concerns, such as shadow IT and misconfigured sharing settings.
- Simpler deployment: Most cloud DLP solutions integrate with cloud platforms through their APIs, so deploying and managing them requires less time and fewer resources.
Combining DLP Layers
Although each type of DLP addresses specific points of control, the strongest security posture comes from a layered approach that combines Network, Endpoint, and Cloud-Based DLP. A unified DLP program ensures sensitive data is protected regardless of its state (at rest, in use, in motion) and its location (network, endpoint, cloud).
Selecting the right mix of DLP solutions depends on your organization’s requirements, the types of data being protected, your infrastructure, and your risk tolerance. Once you understand the strengths and limitations of each type of DLP, you can develop a sound plan for your data loss prevention program and effectively protect your business-critical information in today’s complex and hazardous digital environment.