9 Steps to Create a Data Loss Prevention (DLP) Policy

11 mins to read

According to Gartner, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data. The real challenge exists not in the security of the cloud itself but in the policies for security and control of the infrastructure and data. In nearly all cloud data breaches, we hear it is not the cloud providers’ fault but the organizations using the cloud who have inefficient Data Loss Prevention policies. No organization wants to compromise its environment or have data loss. So how do you reduce the risk to your data in the cloud? By having a strong cloud data loss prevention policy.

Cloud Data Loss Prevention platforms aim to secure the data hosted in your public cloud environments. This means ensuring your data is safe at rest, in transit, and in use. Ultimately, it aims to protect the confidentiality, integrity, and availability of your data. Cloud DLP tools offer your organization security controls to detect anomalous behavior and enforce data security best practices. With the right tools, you can create iron-clad data loss prevention policies.

dlp policy

What is a Cloud Data Loss Prevention Policy?

A data loss prevention policy is a basic data rule within an effective data loss prevention (DLP) tool. These rules dictate how your identities, whether they are a person or non-person, can and should be accessing, sharing, and using data in your cloud environment. You can think of data loss prevention as the process of detecting and preventing a data breach, data leak, or unwanted loss of sensitive information. 

In a recent webinar entitled, “It’s All About the Data,” speaker Eugene Tcheby said that DLP policies are a must to help identify, prevent, and remediate unseen risks. He states, ”You have thousands of pieces of compute flying around in the cloud, there is no way you can keep track of everything that’s going on manually and focus on the really critical risks that need your attention.”

Why Do Companies Need a DLP Policy?

Companies need DLP policies to prevent data loss, enforce compliance, and protect intellectual property. 

Data Regulation and Compliance

Company policies are guided by mandatory compliance standards specified by governments and industry regulators, such as SOX, HIPAA, GDPR, and PCI DSS. These standards outline how an organization should safeguard personally identifiable information (PII) and other sensitive data whether you are in the cloud or on-premise.

A DLP policy is the first step in becoming compliant and helps provide accurate reporting for audits. Typically, DLP tools are designed for the requirements of a particular industry’s common standards and the continuous auditing needed to remain compliant.

Teams undertake manual security auditing after months of harmful activities have already occurred, making the value of manual efforts debatable regarding regulatory compliance or assessing real risk. Assessing past procedures and processes positively impacts future activities. Of course, your organization shouldn’t halt these practices before implementing continuous auditing. Therefore, continuous auditing will enable you to take more immediate action against risks by continuously mapping permissions, managing configurations, and controlling access to data. With a strong cloud DLP policy, data sovereignty, data movement, and identity relationships are monitored and reported to ensure conformance to the sovereign, GDPR, HIPAA, and other compliance mandates. 

Read, ‘Blocking Access to Confidential Data’

Data Visibility

Sensitive data is found throughout a cloud environment such as virtual machines, cloud storage, data stores, and so on. A DLP policy can help organizations enforce how identities access sensitive information. An organization can better safeguard its information when it has visibility into what data exists, where it resides, who is accessing it, and other contextual information.

Implementing controls around what has access to data is fundamental to any data security and compliance program. Although each unique cloud provider delivers services and APIs to manage identity and access to information for their stack, they are different across all the stacks available (e.g., AWS, GCP, and Azure), do not address third-party data stores, and often require the use of low-level tools and APIs. Creating policies that help your organization identify configuration risks, public data exposure, and excess privilege risks across cloud providers, accounts, countries, teams, and applications significantly reduce risk.

Intellectual Property

Trade secrets and other intangible assets, including organizational strategies and customer lists, might be of greater value than physical assets. Losing this kind of intellectual property may result in financial and reputational damage, misappropriation, criminal penalties, and legal action. Creating policies that can prevent crown jewel data from being accessed through least access or least privilege is a big benefit.

Among the first questions cloud security professionals should be asking themselves when tasked with classifying data are:

  • “What is my data?”
  • “Where is my sensitive data?”
  • “What information, if made public, would be detrimental to the business as a whole?”
  • “Who can access this data?”
  • “When did they access it?” 

In other words, asking these questions should be fundamental to any risk management strategy. The end goal of a risk assessment should be to identify critical assets and the associated risks. Identifying the risk helps enable security teams to classify better, including which data is necessary to protect and at what level of protection is best.

How to Create a DLP Policy

DLP policies are the backbone of data security – without them, a DLP tool wouldn’t work. Creating effective policies is key.

Start with your ‘crown jewel’ data 

Starting cloud DLP security can be challenging. We recommend you start with your crown jewel data or a type of risk you want to address. The goal is to secure the most critical data first. In order to start here, you need to know what and where your crown jewel data is, by following the next few steps:

Find where the data is located

Your organization’s cloud is complex, and you’ll need to identify all the places your data can reside, including shared objects, files, block storage, data stores, and so on. If identities can access your environment, whether it is a person or a piece of compute, they can access your data. Be sure to understand completely where your data resides and who can access it. This is different than where you think your data is, or where it’s supposed to be.

Identify which data needs protection

You need to identify and prioritize which data would cause the biggest problem if it were leaked or which data is most likely to be targeted by bad actors. Determining this sensitivity is up to your business — is it customer information, is it revenue information, is it notes from a google doc, etc. It is important to assess what is the worst thing that could happen if someone malicious got their hands on this data. DLP policies automatically recognize an infraction and mitigate the risk through a set of predetermined actions. This could include suspending the user, quarantining the content, or breaking the file share.

Classify and tag data sources

Data classification provides a way to categorize organizational data based on criticality and sensitivity to help you determine appropriate protection and retention controls. Data sovereignty, data movement, and identity relationships must be monitored to ensure conformance to data sovereign and other compliance mandates. This means your data needs to be classified and tagged so that it can be enforced, like social security numbers or credit card information of customers. Tagging typically follows a ‘name’ tag and then a ‘value’ tag. For example, DataClassification:Confidential, DataType:CustomerPII, DataOwner:DevOpsTeam1. More information on data classification is available here.

Define roles and levels of data access

Determine who and what should be able to access certain types of sensitive information and who should be disallowed. The permissions of your organization will be different across your organization. Based on the sensitivity of the data or type of identity, decide how the DLP tool will enforce the policy once a violation occurs. This will help you understand when data is at risk. Do not create broad sharing permissions such as public, external or internal across the organization. In addition, sensitive files owned by privileged identities can be at risk.

Continuously monitor data movements

Your organization will want to continuously monitor data movements, whether it is object storage, warehouses, databases, block storage. Along with the location and movement history of data, your organization will want to provide cloud teams with a uniform view and true picture of the current security posture.

As you work through your cloud data loss prevention policy, it’s important to consider data in all its forms: data at rest, data in transit, and data in use.

Data at rest is storage. You should ensure when your data is stored that, it is using encryption. By providing the appropriate level of protection for your data at rest, you protect your data stored.

Data in transit is traveling. Data in transit is any data that is sent from one system to another. This includes communication between resources within your workload as well as communication between other services and your identities. By providing the appropriate level of protection for your data in transit, you protect the confidentiality and integrity of your workload’s data.

Data in use is memory actively being utilized, updated, processed, erased, accessed, or read by a system. This type of data is actively moving through your infrastructure.

Outline remedial actions

In the cloud, your perimeter is your identities, and it’s important to block potential entry points for breaches for all data regardless of the form. To ensure sensitive assets are best protected, you’ll want to use a data-centric approach that enables quick and simple defense of critical resources. You’ll want a tool that can limit your blast radius and isolate your cloud accounts if they are breached. 

Get executive buy-in

Get buy-in from organization leadership. Each business unit has a role in shaping a data loss prevention policy that aligns with corporate objectives. Having executive buy-in means meeting the strategy of all departments and functions it affects.

Educate and train your workforce

Educate everyone in the organization about how and why the data loss prevention policy is in place. Get help enforcing the policies in the development cycle by including security earlier in the process.

Data loss prevention templates

Data loss prevention tools should include out-of-the-box policy templates as well as the ability to customize controls to meet your industry and organizational standards. These are preset rules designed for specific regulatory environments. Templates are extremely helpful for setting up data loss prevention policies in the cloud. Cloud providers may have ready-to-use policy templates that address common compliance requirements, such as helping you to protect sensitive information subject to the U.S. Health Insurance Act (HIPAA), U.S. Gramm-Leach-Bliley Act (GLBA), or U.S. Patriot Act.

Each policy template will cover what types of sensitive information they look for in your organization and what the default conditions and actions are when they are turned on. For an example, see the tables below offering templates for GDPR.

dlp policy
dlp policy 2

How To Enforce a DLP policy

With cloud security data breaches making headlines, organizations need to share sensitive data without compromise or incident appropriately. Therefore, implementing controls, data protection around what has access to data is fundamental to any data security and compliance program. Finding the right tools to meet and enforce your cloud DLP security standards can be easy.  

Automatically locate, classify and tag data

Sonrai automatically locates, classifies, and tags data. Use prebuilt configurations that recognize common PII and sensitive data formats (such as credit card numbers, magnetic strip numbers, health claim numbers, etc), or build your own customized tagging scheme using classification bots. Data sovereignty, data movement, and identity relationships are all monitored and reported to ensure conformance to a sovereign GDPR, HIPAA, and other compliance mandates.

Enforce Least Access

Least access is extremely important to apply to critical resources. But as a strict policy goal, it’s difficult to apply it to every piece of data. When you consider that your cloud comprises tens of thousands of pieces of compute and thousands of roles with rights and privileges to access data, this becomes a daunting task.

Monitor critical resources

Least access is extremely important to apply to critical resources, and it’s difficult to apply it to every piece of data. When you consider that your cloud comprises tens of thousands of pieces of compute and thousands of roles with rights and privileges to access data, this becomes a daunting task. Sonrai’s Identity Graph lets you understand every identity’s historical data access and potential access, allowing you to enforce a least access policy.

Automate remediation

Sonrai lets you organize your teams around your unique cloud environments and the sensitivity of those environments so you can secure your cloud at scale. 

Compliance enforcement

Frameworks covering regulations and industry-recognized controls provide you with the ability to create your own frameworks to meet the exact needs of your organization.

Cloud Data Loss Prevention with Sonrai Security

‘Sonrai’ means data in Gaelic. It is the origin of our company’s mission — protecting data. Sonrai takes a data-centric approach to securing your cloud, and ensures Data Loss Prevention programs include policies that are unique to the cloud. Sonrai’s patented analytics and identity graph outline every possible access point to enterprise data, so you can shut down the unintended paths created by toxic permission-chains and misconfigurations.

We believe protecting data, and securing the identities leading to your data, is the most efficient way to stop breaches and stop business disruption, revenue loss, & customer consequences. Ask us how we do it and see a personalized or on-demand demo.

dlp policy

Frequently asked questions about DLP

What is data loss prevention policy?

Data loss prevention policy is a definition of how an enterprise can use, store, and transit data. These policies enforce the protection and preservation of data in your cloud.

What are the key elements of a data loss prevention policy?
The main elements of a data loss prevention policy include: discovery, classification, locking down, and monitoring data. Discovery entails locating all your data. Classification includes defining what your data is, tagging it, and grading its sensitivity. Locking down ensures your data is secure and not at risk of unauthorized access. Finally, monitoring entails the continuous monitoring of data access and use to detect risky changes or malicious activity.

Why do companies need a DLP policy?

DLP policies prevent data breach or mitigate their damage. They help automate data security so your program can scale. This results in better security, the protection of business continuity and revenue, and a time save on resources.

How can I enforce a data loss prevention policy?

Locate and classify your data. Enforce a least access policy to ensure only those who absolutely need the access have it, reducing any unnecessary risk. Then implement a monitoring tool for anomaly detection and continuous data compliance best practices. For more information, read ‘building a data loss prevention policy.’