Understanding DLP in a multi-layered approach to Information Protection (1 of 3)
Published May 20 2021 06:12 AM
Microsoft

Data Loss Prevention – old models vs the new access modalities

DLP is not an ‘Easy Button’ solution to a data protection issue! There, I said it and got it off my chest early. If you have a difficult scenario you are trying to remediate, or a mandate that is the result of a recent breach or audit, and you have reached for DLP as a solution, you are going in the right direction, but DLP is only part of a larger solution. Even if your organization is still primarily on premises and requires a VPN to access corporate data, the wider adoption of remote work driven by COVID looks to be here to stay, and in many cases that requires a rethink of data protection policies and strategies, and of where DLP fits in the model.


This is Part 1 of a multi-part article around Data Protection.

Data Loss Prevention – defined

Whenever I have a conversation around information protection that includes Data Loss/Leakage Protection (DLP), one of the first things required is to define the term DLP for the context of the conversation.

What DLP is:

  • DLP is technology targeted at preventing the loss, leakage or sharing of specific data that meets a defined criterion.

What DLP is not:

  • Classification and labeling of data
  • Review of current Access Control Lists (ACL) and reporting on all publicly shared data
  • Risk assessment and remediation (changing ACLs or removing shares)
  • De-duplication or deletion of stale data
  • ML based content inspection, reporting and (automated) creation of data categories/labels
  • Reporting on types of data in an environment and where the data resides
  • Alerting to end users when sensitive data is placed in repositories where data sharing is possible
  • Encryption of data
  • Data Governance and attestation
  • Risk detection and Behavioral analytics

Many vendors, including Microsoft, include these capabilities in their tools and workloads; however, if the discussion is about this larger strategy, the term used should be ‘Information Protection’ or ‘Data Protection’, with DLP reserved for this specific element of a data protection effort. This co-mingling of terms has caused much confusion that can be difficult to unwind, but the net of it is that data protection is a layered approach of which DLP is one component.
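The ‘defined criterion’ in the definition above is where a DLP engine actually does its work, and it is worth seeing how narrow that job is compared with the classification, labeling and governance capabilities listed as not-DLP. The following is an added illustration in Python; it is not Microsoft's code and not code from this article. Each criterion is a primary pattern, an optional checksum validator, and supporting keywords searched within a proximity window, and the policy action depends on the resulting confidence. The criteria, policy and sample messages are constructed for the example (the card number is a well-known test number).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Criterion:
    """One 'defined criterion' for sensitive data (constructed for this example)."""
    name: str
    pattern: re.Pattern                                 # locates a candidate match
    validator: Optional[Callable[[str], bool]] = None   # checksum over the digits
    keywords: Tuple[str, ...] = ()                      # supporting evidence nearby
    proximity: int = 100                                # chars either side to search


@dataclass(frozen=True)
class Finding:
    criterion: str
    evidence: str    # redacted so the finding itself does not leak the data
    confidence: str  # "medium" = pattern (and checksum) only, "high" = plus keyword


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str, criteria: List[Criterion]) -> List[Finding]:
    """Return every validated match together with its confidence level."""
    findings = []
    lowered = text.lower()
    for c in criteria:
        for m in c.pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if c.validator is not None and not c.validator(digits):
                continue  # pattern hit but checksum fails: not an instance of the data
            window = lowered[max(0, m.start() - c.proximity): m.end() + c.proximity]
            supported = any(k in window for k in c.keywords)
            findings.append(Finding(c.name, redact(digits), "high" if supported else "medium"))
    return findings


CONFIDENCE_RANK = {"medium": 1, "high": 2}
ACTION_RANK = {"allow": 0, "warn": 1, "block": 2}

# Policy: criterion name -> (minimum confidence to act on, action). Constructed values.
Policy = Dict[str, Tuple[str, str]]


def evaluate(text: str, criteria: List[Criterion], policy: Policy) -> str:
    """Most severe action triggered by any finding that meets its confidence threshold."""
    action = "allow"
    for f in scan(text, criteria):
        threshold, candidate = policy.get(f.criterion, ("high", "allow"))
        if (CONFIDENCE_RANK[f.confidence] >= CONFIDENCE_RANK[threshold]
                and ACTION_RANK[candidate] > ACTION_RANK[action]):
            action = candidate
    return action


CRITERIA = [
    Criterion("credit_card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), luhn_ok,
              ("card", "visa", "mastercard", "cvv", "expir")),
    Criterion("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None,
              ("ssn", "social security")),
]
POLICY: Policy = {"credit_card": ("high", "block"), "ssn": ("medium", "warn")}

# Constructed sample messages.
MSG_CARD = "Hi, my Visa card number is 4111 1111 1111 1111, exp 12/26."
MSG_BAD_CHECKSUM = "Order ref 4111 1111 1111 1112 shipped today."
MSG_NO_CONTEXT = "Batch id 4111-1111-1111-1111 processed."
MSG_SSN = "Please update my SSN 123-45-6789 on file."

if __name__ == "__main__":
    for msg in (MSG_CARD, MSG_BAD_CHECKSUM, MSG_NO_CONTEXT, MSG_SSN):
        print(evaluate(msg, CRITERIA, POLICY), scan(msg, CRITERIA))
```

Note what the engine does not do: it never decides what the data is worth, who may hold it, or where it should live; it only answers "does this content meet the criterion, and what does the policy say then?" The checksum and proximity keywords are what keep false positives down (the second and third messages are not blocked), and tuning that balance is the day-to-day operational work discussed later in the article.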


DLP and the Modern Enterprise

If you have been in a meeting with a Microsoft Security and Compliance professional, you have probably heard the phrase ‘Identity is the new perimeter.’ It sounds like marketing, but it is not, and when looking at data protection solutions this concept should be a primary consideration. This IS a large shift in mindset, but consider that when many of the historic data protection vendors got their start, the image below shows the access modality that existed. This perimeter scenario is often referred to as the ‘4-walls’ model.

[Figure: the historic ‘4-walls’ access modality]


The perimeter of this architecture is easy to identify. Access to corporate data required physical access to a desktop compute environment. Mobility and remote access were limited and, when deployed, often required a VPN that backhauls traffic from outside the network into the data center, thereby preserving the 4-walls perimeter security and data protection model. One-off external sharing solutions such as FTP and DMZ resources were closely governed and highly restricted. DLP solutions in this environment would sit on the network edge and email systems. Even as access modalities and corporate services changed, I see clients continue to struggle trying to preserve this protection model. This model persists in large part for three reasons.

  1. The physical and network edge are still valid perimeters that need to be protected. Corporate network security professionals tend to design this environment with many of the basic principles they always have: thinking about the edge and making sure any ingress or egress at that edge is secure is paramount.
    • Note: An artifact of this model is inherent trust. Once you are inside the network you are implicitly trusted. Zero Trust is the newer framework, and consideration of this concept should be part of the implementation.
  2. The model is conceptually easy to understand.
  3. Business and corporate leaders sometimes believe they understand OS and application security because they use the clients, and at times weigh in on what a design should be. This rarely happens in an infrastructure conversation, since business and corporate leaders have generally never logged into a switch or firewall. Operations teams find that network-based security designs experience less friction when implementing controls.

The ubiquity of cloud-based services has largely trashed this model for data protection. There are recent offerings from network providers for a software-defined perimeter (SDP) that routes all ingress and egress for all corporate resources through the vendor's cloud. This is an effort to preserve the 4-walls security model, and the efficacy of those offerings would need to be evaluated by your organization.

In the Modern Enterprise, the edge of your environment is dictated by where your data exists. That is the perimeter that needs to be secured for DLP to be an effective part of your data protection strategy.

[Figure: the modern enterprise, where the edge is dictated by where the data exists]


Where is the edge of this environment? Are you doing shadow IT discovery? Are you allowing unmanaged endpoints to download content? Are you controlling data flow within 3rd-party SaaS solutions? Do you know what types of data exist within your environment and where that data sits? If you have architected DLP based on the modern perimeter, then your deployment probably looks like the image below. Maybe all these solutions are from the same vendor and have an integrated control plane, or maybe they are not. But what is likely true is that DLP has been operationalized in a way that makes it one of the primary tasks of the security team: DLP monitoring and forensic investigation may be a daily task for one or more resources. If this is true of your team, I would go a step further and guess that overall the team is over-utilized with ‘keep the lights on’ activities, investments go toward improving or plugging holes in the current capability, and strategic improvement (a 3-5 year outlook for an end state) is sacrificed for the current need.

[Figure: a DLP deployment architected around the modern perimeter]


For Microsoft, we use identity as the ‘perimeter’, and the core of our data protection methodology is to protect the data no matter where it is. In the modern perimeter the user brings an identity to every transaction; it is the common element and the focus of protection. Microsoft has DLP solutions, and these continue to evolve and improve; however, Classification, Labeling and Protection (CLP) is the foundation of our data protection solution. No matter where the data is: does this identity have access to this data, and if so, what rights do they have? This is a data security mindset shift for many clients, and, to be frank, in a tactical response to a point-solution request for DLP it does not land well with security teams. In that conversation, what those teams are looking for is a point solution that fits into their current protection model and possibly improves the process. Microsoft’s Information Protection is part of our drive for digital transformation and resonates in a strategic conversation around data protection as a whole.
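To make the question in the paragraph above concrete (‘does this identity have access to this data, and if so, what rights do they have?’), here is an added Python example; it is not Microsoft's implementation and not code from this article. It contrasts a 4-walls decision, which grants everything to anything inside the network (the inherent-trust artifact noted earlier) and nothing to anyone outside it, with a decision driven by the label the document carries and the identity and device presenting the request. The second model also answers the earlier question about unmanaged endpoints downloading content. The labels, groups, rights and requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

ALL_RIGHTS: FrozenSet[str] = frozenset({"view", "edit", "download", "print"})

# Usage rights carried by each sensitivity label, per group ("*" = any authenticated
# identity). Constructed policy for this example.
LABEL_RIGHTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "public": {"*": ALL_RIGHTS},
    "confidential": {"finance": frozenset({"view", "edit", "download"}),
                     "*": frozenset({"view"})},
    "highly-confidential": {"finance-leads": frozenset({"view", "edit"})},
}
# An unmanaged endpoint is never allowed to take a copy of the content.
UNMANAGED_DEVICE_CEILING: FrozenSet[str] = frozenset({"view"})


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    device_managed: bool
    on_corp_network: bool
    label: str  # the label travels with the document, wherever the document sits


def perimeter_decision(req: Request) -> Set[str]:
    """4-walls model: network location is the only signal, and inside means fully trusted."""
    return set(ALL_RIGHTS) if req.on_corp_network else set()


def identity_decision(req: Request) -> Set[str]:
    """Identity-centric model: rights come from the label and the identity presenting
    the request (plus device state), never from the network it arrives on."""
    grants = LABEL_RIGHTS.get(req.label, {})       # unknown label grants nothing
    rights: Set[str] = set(grants.get("*", frozenset()))
    for g in req.groups:
        rights |= grants.get(g, frozenset())
    if not req.device_managed:
        rights &= UNMANAGED_DEVICE_CEILING         # view only, no download/print
    return rights


# Constructed requests.
CONTRACTOR_ONSITE = Request("contractor", frozenset({"contractors"}), False, True,
                            "highly-confidential")
FINANCE_HOME_MANAGED = Request("alice", frozenset({"finance"}), True, False, "confidential")
FINANCE_HOME_BYOD = Request("alice", frozenset({"finance"}), False, False, "confidential")

if __name__ == "__main__":
    for r in (CONTRACTOR_ONSITE, FINANCE_HOME_MANAGED, FINANCE_HOME_BYOD):
        print(r.user, r.label,
              "perimeter:", sorted(perimeter_decision(r)),
              "identity:", sorted(identity_decision(r)))
```

The first request shows the failure mode of the 4-walls model: an unmanaged contractor device plugged into the corporate LAN gets full rights to a highly confidential document, while the identity model grants nothing. The second shows the reverse: a finance employee working from home is locked out by the perimeter model but gets exactly the rights the label grants her group, and on an unmanaged device those rights collapse to view-only.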

In the next installment I’ll discuss how to start the discussion around DLP and define the ‘edge’ of your enterprise, example DLP scenarios, and the experience we have across clients as data protection solutions are pursued across multiple departments.


If you have questions on M365 DLP capabilities, please contact your Microsoft or CSP account team for more detailed information.

Last update: Aug 26 2021 06:31 AM