Data loss prevention (DLP) vs DRM
DLP software & why it is not effective at preventing leaks
What are the advantages and disadvantages of data loss prevention software and DRM solutions, and which is better at preventing leaks?
Data loss prevention (DLP)
With much of the media focused on external security threats, it’s easy to forget that one in three data breaches involve insiders. The vast majority of these are not intentional – rather, they are an unintended product of employees seeking convenience by transferring files to untrusted devices and servers. Training plays an important role in addressing this, but so do technical solutions: namely data loss prevention (DLP) and DRM tools.
This blog will cover:
- What data loss prevention is
- How data loss prevention works
- Why data loss prevention is important
- The advantages and disadvantages of DLP
- What is DRM?
- The advantages and disadvantages of DRM
- Data loss prevention or DRM?
What is data loss prevention?
As you would expect, data loss prevention security systems seek to prevent sensitive data from escaping the enterprise. They try to identify the sharing, transfer, or use of sensitive data, prevent it, and send alerts if it violates policy.
Who are the most popular data loss protection vendors?
Some popular data loss prevention solutions include:
- Microsoft Office 365 data loss prevention/Microsoft Purview Data Loss Prevention
- Symantec data loss prevention
- Forcepoint DLP
- Proofpoint Insider Threat Management
- EndPoint Protector by CoSoSys
- Trellix DLP
How does data loss prevention work?
Enterprise DLP solutions employ various techniques for information protection, including people, access control, processes, endpoint monitoring, data filtering, antivirus software, and machine learning. Typically, DLP software looks at the activity that is occurring and the label organizations have applied to files/ folders involved and tries to determine whether it is unsafe.
Why is data loss prevention important?
Most businesses employ data loss prevention solutions to prevent the loss or theft of their intellectual property and protect customers’/clients’ personally identifiable information. Data theft of financial information, credit card numbers, social security numbers, and health information/medical information, can have a major financial impact on businesses.
DLP solutions also generally enhance visibility and governance over an organization’s data, allowing for the assessment of different endpoints and users and the retention, classification, and deletion of records.
All of this is key if modern businesses want to remain compliant with data regulations and be profitable. DLP solutions are one tool organizations use to help with regulatory compliance and reduce risk, but they are not the only tool and are perhaps not even the most effective one.
Data loss prevention advantages and disadvantages
There’s a reason that DLP solutions are so popular. They offer organizations key benefits such as:
- Aiding compliance with data security legislation and standards such as HIPAA, FISMA, GDPR, SOX, etc. Though they aren’t going to fulfill the requirements alone, they do help organizations to avoid fines.
- Preventing data leaks across various endpoints. DLP solutions cast a wide net – they won’t catch everything, but they often prevent accidental or non-technical leaks from occurring.
- Greater visibility and control over data. Understanding what sensitive data your organization has and where it is going is crucial for planning effective data protection. Many DLP solutions provide automatic classification, which aids in gathering this information. DLPs also deliver valuable insight into common ways data leaves the organization and from which users/departments so that training can be better targeted.
But DLP systems are far from perfect. One survey even found that though 99% of companies had DLP in place, 78% had sensitive data leaked. This is why:
- DLPs aren’t perfect at detecting and stopping data misuse. They rely on files being correctly classified and identified, and there will always be a margin of error at scale. Unfortunately, a single document slipping through the net can still be very damaging to a business.
- DLP solutions can be complex to configure and manage. From time to time, misclassification or poor policy definition can lead to sensitive data leaks.
- Overbearing or poorly configured data leak prevention solutions can impede employees’ work. Users also don’t like to feel like everything they’re doing is under watch. This can lead to them searching for ways around the protection, which can sometimes be achieved with simple workarounds such as changing the file type.
Most DLPs stop being effective once you share with third parties. As you can’t rightly scan the emails or network of an external company or client, the ability to identify misuse is significantly weakened or made impossible. Though you can encrypt documents before sending them, this only prevents them from being intercepted. It doesn’t stop authorized third parties from doing what they like once they have decrypted the file.
What is Digital Rights Management (DRM)?
DRM tools are also designed to prevent data leakage and misuse, typically via a combination of encryption and software enforcement. The difference is that they’re designed to be environment-agnostic. In a proficient DRM solution, you will be afforded the same protection regardless of whether a document is being accessed from your internal network, an employee’s home network, or by a third party.
DRM does not rely on automatically detecting and preventing the leak of sensitive information. Instead, users or admins choose which files to protect before they share them. Files are then locked to the devices and locations of authorized users, and documents can only be viewed under a strict set of controls. Locklizard Safeguard PDF DRM, for example, prevents sharing, copying, editing, screenshots, and printing. In this sense, digital rights management tools are a more “complete” and reliable solution.
DRM advantages and disadvantages
DRM solutions (or at least good DRM solutions) are an excellent way to protect documents, with advantages such as:
- No reliance on passwords or certificates. Users are sent a license file, and installing it securely transmits encryption keys to an encrypted keystore on their device that they cannot access or move to another computer. Keys are never exposed to the user.
- You don’t have to rely on filters or accurate identification to prevent documents from being shared. Though it’s possible to share the file itself with unauthorized users, it won’t open unless that user has a valid license installed on their device.
- DRM works for both internal and external sharing. You don’t have to worry about having less control the moment a document leaves your organization.
- They are easy to use and relatively inexpensive to maintain. You don’t need to configure policies or classify documents, though you may want to use command-line and API tools to automate document protection and user access rights at scale.
- They grant you comprehensive modular control over what users can do with different documents. The ability to choose whether to allow printing and screenshots or add dynamic watermarks enables security to be customized based on the requirements and sensitivity of individual documents.
- Since there is no way for documents to be shared, tracking is accurate. Businesses can see who has viewed or printed a document, when, and where from.
That said, there are a few things to consider before purchasing a DRM solution:
- They are usually focused on protecting specific file types rather than securing against general data exfiltration. You naturally cannot expect a PDF DRM solution to prevent the sharing of documents in the .docx format. Unlike DLPs, they focus on doing one thing well instead of casting a broad but less effective net.
- For the best security, recipients must install a secure viewer application before they can view documents (rather than accessing them in the browser). This limits compatibility to operating systems the app supports.
- You need to make sure that users do not forget to protect sensitive documents with the DRM tool before sharing them. Or, better yet, use cli and API tools to automate the protection of documents.
Data loss prevention or DRM
There is some overlap between the goals of DLP and DRM solutions, with both seeking to prevent the unauthorized sharing of files. That said, major differences in approach and scale make it less a matter of better or worse and more a case of choosing the right tool for your needs.
You should use a DLP solution if:
- You want to monitor and manage data flow and data security on a broad scale across your enterprise network and various file formats, applications, and endpoints.
- You’re not looking to prevent all sensitive data leakage; just cut out enough to mitigate risk.
- Price isn’t a constraining factor.
- Your organization is backed by experienced IT professionals who can correctly and diligently manage policies and classifications, as well as read logs and take action.
- You do not need to worry about security when sharing with outside parties.
DRM is useful where:
- It’s key that no sensitive data or IP escapes your organization. You want to apply strong protection to specific file formats or documents by embedding controls directly into the content and locking files to specific devices.
- You need effective protection when sharing with third parties.
- You want to control exactly what users can do with files, such as restricting printing, screenshots, editing, and copying.
- It is important that you can revoke or expire access regardless of where a file is located
That said, it is worth noting that there is nothing fundamentally incompatible between a DLP tool and a DRM solution. Businesses that want broad protection for some data and targeted protection for documents could easily deploy both a DRM and DLP solution and have the best of both worlds.
You can see if a DRM solution is the right fit for your business with a 15-day free trial of our DRM software.
FAQs
What are the three types of data loss prevention?
The three types of data loss prevention are network DLP, Endpoint DLP, and Cloud DLP. Network DLP tracks and analyzes traffic and activity across the network and cloud, establishing records of who is accessing sensitive data and when. Endpoint DLP looks at places data is leaving the network, such as servers, laptops, mobile devices, cloud syncing, etc. Cloud DRP focuses on securing and monitoring data in cloud storage, as well as controlling which users can access which cloud applications.
What is the difference between DLP and EDR?
DLP offers data protection against leaks and loss, while Endpoint Detection and Response specifically tries to secure endpoints against attacks.
Does DRM prevent data loss from natural disasters?
No. Most DRM software does not back up data or protect it from ransomware. For that, you should look into a disaster recovery solution.
What are the best practices for data loss prevention?
It’s important to have a clear DLP strategy if you want any semblance of success when in preventing leaks of sensitive and personal data. Some best practices include:
- Regularly perform data classification and review your classification guidelines
- Regularly review DLP policies
- Use strong encryption wherever possible, including in cloud repositories
- Monitor and regularly check logs
- Use the principle of least privilege for information access
- Update frequently
- Plan your response to incidents
- Monitor endpoints outside your network where possible
- Try to eliminate false positives
Is Locklizard a complete replacement for a DLP solution?
Locklizard is not a like-for-like replacement for a DLP solution. If you are primarily concerned with securing documents, then you could replace your DLP solution with DRM. However, each organization should make its own assessment regarding the security it needs and the solutions it has already implemented.
What is the DLP lifecycle?
The DLP lifecycle typically refers to three distinct phases of data’s lifecycle and how a DLP solution protects them:
- Data at rest: DLP solutions use a combination of endpoint security, encryption, physical media controls, safe disposal, and classification.
- Data in transit: Solutions try to prevent sensitive data from leaving the premises unencrypted while monitoring network traffic for unauthorized transfers, controlling internet use, preventing file transfers via instant messaging, and securing remote access.
- Data in use: Is usually secured by monitoring which users have access to sensitive information, how data is being used, ensuring sensitive data is anonymized, restricting exports, etc.