There are a number of names for DLP: whether the L stands for Loss or Leakage and the P for Protection or Prevention, it is all about stopping data from getting into the wrong hands.
This can be done in one of two ways, with an active or a passive system. An active system flags or checks data passing from one security zone to another based on a risk profile. Data moving from the DMZ to the internal network would be flagged with a lower classification than data passing from the internal network to the DMZ. Specific templates flag specific types of data with a higher classification, for example integers of a specific length that match specific patterns. These could indicate phone numbers or, more troubling, Social Security Numbers or credit card numbers.
Usually, to determine the types of data being transported within the network, a passive system is installed first. It scans all data transferred within and between zones and marks specific transactions as low, medium or high risk. It also places linked data, such as an expiration date travelling together with a credit card number, in a risk category of its own. In this way it can be determined which portions of the network are more critical than others with regard to the data transported within the network or over network boundaries.
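As an added example (my own code, not from the post or from any DLP vendor), here is a small Python classifier in the spirit of the templates and linked-data rule described above; the sample records, patterns and risk levels are constructed assumptions:

```python
import re

# Constructed sample records crossing a zone boundary (not real data).
SAMPLE_RECORDS = [
    "Invoice 2024-17: call 555-867-5309 to confirm delivery",
    "Payment captured: card 4111 1111 1111 1111 exp 12/27",
    "Customer SSN on file: 123-45-6789",
    "Order ref 4111111111111112 (16 digits, fails the Luhn check)",
    "Quarterly report attached, no personal data",
]

# Templates: integers of a given length and shape (assumed, US-style formats).
PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # 13-16 digits, separators allowed
    "expiry": re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b"),
}
BASE_RISK = {"phone": "low", "ssn": "high", "card": "medium"}  # assumed profile
RISK_ORDER = ["none", "low", "medium", "high"]

def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum: weeds out long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(record: str) -> dict:
    """Return the templates matched by one record and its highest risk level."""
    hits = set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(record):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # matched the shape but not the checksum: ignore
            hits.add(name)
    risk = max((BASE_RISK.get(h, "none") for h in hits), key=RISK_ORDER.index, default="none")
    # Linked data: a card number travelling with its expiry date is escalated.
    if {"card", "expiry"} <= hits:
        risk = "high"
    return {"hits": sorted(hits), "risk": risk}

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec)["risk"], "->", rec)
```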
The reason I started this explanation is that I read the article New DLP Startup Performs ‘DNA Sequencing’ of Data.
“Previous DLP solutions — Vontu and PortAuthority, for instance — were good at finding and classifying data, but not in determining who should have access to that data or what they could do with it,” Stiennon says. “If nextTier has solved that issue, they may have the edge in ease of deployment to get traction in this crowded space.”
One of the interesting features is that “… nexTier’s algorithms can ‘sequence’ data to identify its characteristics and determine whether it’s been modified, or accidentally or maliciously rearranged to evade detection, according to the company.” In other words, lightly obfuscating the data would no longer be enough to get it past the system.
In a good network (data transfer) implementation, some kind of encryption must be used between the network layer and the session/application layers, either IPSec or encryption of the specific data, preferably multi-layered. I always find it interesting that without receiving all the keys from the key management system that provides them for the encryption of the data, whether symmetric or asymmetric, it is practically impossible to determine what kind of data is being transported between network zones. And if it is impossible to determine what data is being transferred, it is impossible to classify the data.