WEBVTT

1
00:00:00.000 --> 00:00:01.350
In this lesson,

2
00:00:01.350 --> 00:00:05.730
we will learn about data loss prevention, or DLP.

3
00:00:05.730 --> 00:00:09.630
Data loss prevention is used to detect, prevent,

4
00:00:09.630 --> 00:00:13.800
and respond to unauthorized access, transmission,

5
00:00:13.800 --> 00:00:16.110
or use of sensitive data.

6
00:00:16.110 --> 00:00:20.340
Data loss prevention concepts include data discovery,

7
00:00:20.340 --> 00:00:23.220
managing data at rest and in transit,

8
00:00:23.220 --> 00:00:25.410
and policy enforcement.

9
00:00:25.410 --> 00:00:27.270
Data loss prevention systems

10
00:00:27.270 --> 00:00:31.080
are tools used to detect and prevent sensitive data

11
00:00:31.080 --> 00:00:34.080
from being stored on unauthorized systems

12
00:00:34.080 --> 00:00:37.230
or transmitted over unauthorized networks.

13
00:00:37.230 --> 00:00:38.760
By managing data,

14
00:00:38.760 --> 00:00:41.460
DLP, or data loss prevention,

15
00:00:41.460 --> 00:00:44.130
ensures that critical information remains

16
00:00:44.130 --> 00:00:47.010
within an organization's control.

17
00:00:47.010 --> 00:00:49.770
DLP systems play an important role

18
00:00:49.770 --> 00:00:51.750
in protecting data at rest,

19
00:00:51.750 --> 00:00:53.760
like data stored in files,

20
00:00:53.760 --> 00:00:57.000
and data in transit as it moves between systems

21
00:00:57.000 --> 00:00:58.770
or storage devices.

22
00:00:58.770 --> 00:01:02.490
At the core of DLP is data discovery,

23
00:01:02.490 --> 00:01:04.110
which involves recognizing

24
00:01:04.110 --> 00:01:06.540
and labeling sensitive information

25
00:01:06.540 --> 00:01:08.670
based on predefined rules,

26
00:01:08.670 --> 00:01:13.620
then allowing the DLP system to enforce security policies.

27
00:01:13.620 --> 00:01:18.240
A typical DLP solution consists of three main components.

28
00:01:18.240 --> 00:01:22.590
A policy server, an endpoint agent, and a network agent.

29
00:01:22.590 --> 00:01:25.230
The policy server configures rule sets

30
00:01:25.230 --> 00:01:29.880
that classify data based on its confidentiality, privacy,

31
00:01:29.880 --> 00:01:31.620
or sensitivity level.

32
00:01:31.620 --> 00:01:35.460
This server also logs incidents of rule violations

33
00:01:35.460 --> 00:01:37.470
and compiles reports.

34
00:01:37.470 --> 00:01:41.310
This shows how sensitive data is being used or misused

35
00:01:41.310 --> 00:01:42.780
throughout the network.

36
00:01:42.780 --> 00:01:45.210
The endpoint agent enforces these rules

37
00:01:45.210 --> 00:01:47.640
on individual client devices,

38
00:01:47.640 --> 00:01:50.640
even when disconnected from the corporate network.

39
00:01:50.640 --> 00:01:54.720
For instance, if an employee tries to copy sensitive data

40
00:01:54.720 --> 00:01:57.450
to a USB drive while offline,

41
00:01:57.450 --> 00:02:01.230
the endpoint agent can still detect and block that action,

42
00:02:01.230 --> 00:02:03.330
safeguarding the data at rest

43
00:02:03.330 --> 00:02:06.090
regardless of network connectivity.

44
00:02:06.090 --> 00:02:09.600
Meanwhile, a network agent monitors data

45
00:02:09.600 --> 00:02:11.670
in transit across the network

46
00:02:11.670 --> 00:02:14.010
by scanning various protocols,

47
00:02:14.010 --> 00:02:18.510
including web traffic, emails, and messaging platforms.

48
00:02:18.510 --> 00:02:20.490
A network agent can identify

49
00:02:20.490 --> 00:02:23.940
both structured and unstructured data formats

50
00:02:23.940 --> 00:02:28.650
and enforce DLP policies based on predefined rules.

51
00:02:28.650 --> 00:02:30.840
Structured data includes formats

52
00:02:30.840 --> 00:02:34.170
like JavaScript Object Notation, or JSON,

53
00:02:34.170 --> 00:02:37.860
or Comma-Separated Values, or CSV files.

54
00:02:37.860 --> 00:02:40.590
While unstructured data encompasses documents

55
00:02:40.590 --> 00:02:44.520
like Word files, emails, or presentations.

56
00:02:44.520 --> 00:02:48.900
DLP can use additional automated data discovery tools

57
00:02:48.900 --> 00:02:51.690
beyond the tools in the system itself.

58
00:02:51.690 --> 00:02:55.290
These tools conduct data discovery across the network

59
00:02:55.290 --> 00:02:58.890
and apply labels based on predefined rules.

60
00:02:58.890 --> 00:03:02.970
The labels can categorize data according to its sensitivity,

61
00:03:02.970 --> 00:03:06.540
confidentiality, or privacy requirements.

62
00:03:06.540 --> 00:03:09.300
Following data discovery and labeling,

63
00:03:09.300 --> 00:03:11.280
DLPs can be configured

64
00:03:11.280 --> 00:03:15.030
to use either allowlists or denylists.

65
00:03:15.030 --> 00:03:17.400
Allowlists block all data,

66
00:03:17.400 --> 00:03:20.250
except what is explicitly allowed.

67
00:03:20.250 --> 00:03:22.500
Denylists allow all data,

68
00:03:22.500 --> 00:03:25.140
unless it is specifically denied.

69
00:03:25.140 --> 00:03:29.040
In application, DLP systems often also feature

70
00:03:29.040 --> 00:03:32.130
reporting tools to monitor for false positives,

71
00:03:32.130 --> 00:03:34.320
helping administrators fine-tune

72
00:03:34.320 --> 00:03:37.020
the system's accuracy over time.

73
00:03:37.020 --> 00:03:40.440
When a DLP system detects a rule violation,

74
00:03:40.440 --> 00:03:42.990
it can take one of four actions.

75
00:03:42.990 --> 00:03:47.610
Alert, block, quarantine, or tombstone.

76
00:03:47.610 --> 00:03:48.810
In alert mode,

77
00:03:48.810 --> 00:03:52.650
the system logs the incident and notifies administrators,

78
00:03:52.650 --> 00:03:56.130
but still allows the data to be transmitted or moved.

79
00:03:56.130 --> 00:03:58.530
This is considered a detective control

80
00:03:58.530 --> 00:04:00.480
rather than a preventive one.

81
00:04:00.480 --> 00:04:04.410
Next, blocking actively stops the data transfer,

82
00:04:04.410 --> 00:04:07.020
like preventing a user from copying a file

83
00:04:07.020 --> 00:04:08.760
to an external device,

84
00:04:08.760 --> 00:04:13.050
and blocking also includes alert mode actions.

85
00:04:13.050 --> 00:04:15.780
A quarantine action goes a step further

86
00:04:15.780 --> 00:04:19.530
by conducting both alert and blocking mode actions,

87
00:04:19.530 --> 00:04:23.610
as well as removing user access to the data entirely.

88
00:04:23.610 --> 00:04:26.280
Quarantining can be done by encrypting the data

89
00:04:26.280 --> 00:04:29.160
or rendering it unreadable to the user.

90
00:04:29.160 --> 00:04:33.690
Finally, a tombstone action takes alert, block,

91
00:04:33.690 --> 00:04:35.850
and quarantine mode actions

92
00:04:35.850 --> 00:04:38.850
and then replaces the original file

93
00:04:38.850 --> 00:04:42.570
with a message indicating a policy violation.

94
00:04:42.570 --> 00:04:44.190
That's the tombstone.

95
00:04:44.190 --> 00:04:47.070
Tombstone files often include instructions

96
00:04:47.070 --> 00:04:51.300
for regaining access to the data that caused the violation.

97
00:04:51.300 --> 00:04:55.590
DLP systems can also integrate with other security controls

98
00:04:55.590 --> 00:04:57.540
to enhance data protection.

99
00:04:57.540 --> 00:05:00.630
For instance, they can block external media,

100
00:05:00.630 --> 00:05:03.870
preventing users from copying data to devices

101
00:05:03.870 --> 00:05:06.480
like USB drives or CDs,

102
00:05:06.480 --> 00:05:10.170
reducing the risk of mass data exfiltration.

103
00:05:10.170 --> 00:05:12.750
Print blocking can stop sensitive documents

104
00:05:12.750 --> 00:05:15.690
from being physically removed from the workplace.

105
00:05:15.690 --> 00:05:19.080
Remote Desktop Protocol, or RDP, blocking

106
00:05:19.080 --> 00:05:21.450
ensures that data cannot be transferred

107
00:05:21.450 --> 00:05:24.540
between a remote session and a local machine,

108
00:05:24.540 --> 00:05:28.230
protecting that data in transit during remote access.

109
00:05:28.230 --> 00:05:30.960
Clipboard privacy controls prevent users

110
00:05:30.960 --> 00:05:33.960
from copying and pasting sensitive information

111
00:05:33.960 --> 00:05:37.620
into unauthorized applications or platforms.

112
00:05:37.620 --> 00:05:42.360
Finally, Virtual Desktop Infrastructure, or VDI, environments

113
00:05:42.360 --> 00:05:45.240
can also be secured with DLP agents

114
00:05:45.240 --> 00:05:49.110
just as traditional laptops and desktops are.

115
00:05:49.110 --> 00:05:53.970
So remember, data loss prevention, or DLP, systems

116
00:05:53.970 --> 00:05:57.930
are designed to detect, prevent, and respond

117
00:05:57.930 --> 00:05:59.850
to unauthorized access

118
00:05:59.850 --> 00:06:03.090
or use and transfer of sensitive data.

119
00:06:03.090 --> 00:06:07.620
DLP manages both data at rest and data in transit,

120
00:06:07.620 --> 00:06:09.660
ensuring that critical information

121
00:06:09.660 --> 00:06:12.840
stays within an organization's control.

122
00:06:12.840 --> 00:06:16.320
At the core of DLP is data discovery,

123
00:06:16.320 --> 00:06:18.060
which involves identifying

124
00:06:18.060 --> 00:06:20.820
and labeling sensitive information

125
00:06:20.820 --> 00:06:23.310
based on predefined rules.

126
00:06:23.310 --> 00:06:26.940
The system then enforces security policies

127
00:06:26.940 --> 00:06:31.200
through a combination of policy servers, endpoint agents,

128
00:06:31.200 --> 00:06:33.000
and network agents.

129
00:06:33.000 --> 00:06:36.330
By doing so, DLP helps protect data

130
00:06:36.330 --> 00:06:38.280
across different environments,

131
00:06:38.280 --> 00:06:42.243
preventing breaches and unauthorized transfers.

