Data Loss Prevention vs. Data Security Platform

In the ongoing quest to protect our businesses from the threat of data breaches, there is an ocean of alternatives that attempt to solve the problem using a variety of techniques: perimeter security, host/system security, application security, and data security. This article discusses how the approaches used by Data Loss Prevention (DLP) solutions and Data Security Platforms (DSP) differ in their ability to deliver the outcome of protecting sensitive data.

Data Loss Prevention (DLP) solutions have been advertised by software vendors as products that can prevent data breaches and protect sensitive data. However, organizations that have made significant investments in implementing DLP solutions gain only minimal return on investment (ROI), primarily for the following reasons:

  • Limited efficacy against real threat actors 

DLP solutions are designed to detect, monitor, and safeguard sensitive data. They are great for stopping accidental leakage of sensitive data. However, threat actors continue to find ways around DLP systems. Sensitive data can be sent as an encrypted binary stream to external storage. Beyond encryption, threat actors can use other transformation techniques to evade DLP detection, such as data encoding, segmentation, and embedding. For example, the Banshee Stealer malware compresses all the sensitive data it collects into a zip file. The zip file is then XOR encrypted and base64 encoded before being transmitted to a Command and Control (C2) server. The sensitive data is exfiltrated in encrypted format without ever being detected by DLP solutions.
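As an added illustration (not code from this article or from any DLP product), the sketch below models a pattern-based inspector that also unwraps base64 and zip, and shows its verdict once an XOR layer sits in the chain described above. The sample record, the key, and all function names are constructed for this example.

```python
import base64, binascii, io, re, zipfile

# Constructed sample record; the SSN and card number are fake test values.
SAMPLE = b"name=Jane Doe; ssn=078-05-1120; card=4111 1111 1111 1111\n" * 20
KEY = b"\x9d\x41\xc3"  # constructed key, stands in for an unknown XOR key

PATTERNS = {  # content rules that match the *format* of sensitive values
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

def zip_bytes(data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ZipInfo's fixed default timestamp keeps the archive reproducible.
        zf.writestr(zipfile.ZipInfo("data.txt"), data, zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def xor(data, key=KEY):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def unwrap(payload):
    """Peel one layer the inspector understands; None if it recognises none."""
    try:
        if payload[:4] == b"PK\x03\x04":  # zip local-file-header magic
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return b"".join(zf.read(n) for n in zf.namelist())
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError, zipfile.BadZipFile):
        return None

def inspect(payload, max_depth=5):
    """Verdict of a pattern-based inspector that unwraps base64 and zip."""
    for _ in range(max_depth):
        hits = [name for name, rx in PATTERNS.items() if rx.search(payload)]
        if hits:
            return "blocked:" + ",".join(hits)
        inner = unwrap(payload)
        if inner is None:
            break
        payload = inner
    # Non-text bytes in no known container cannot be inspected; passing them
    # as "clean" is the detection gap the article describes.
    is_text = all(32 <= b < 127 or b in b"\t\r\n" for b in payload)
    return "clean" if is_text else "uninspectable"
```

With only base64 and zip in the chain the inspector still reaches the record and blocks it; with the XOR layer added, the most it can report is that the payload is uninspectable, which can be logged as a policy event but says nothing about what the data was.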

  • High false positives 

During the normal course of business, DLP solutions often generate a lot of false alarms, inundating security teams with unnecessary alerts and contributing to alert fatigue. When a real threat is detected, the IT team may not respond to it because of that fatigue. Detection without a response is not effective.

  • High cost 

Implementing DLP solutions can be labor-intensive and time-consuming, resulting in a substantial upfront investment. You have to configure and fine-tune the detection rules and control policies to effectively block accidental leakage. Moreover, ongoing maintenance places an additional burden on resources. The excessive cost, coupled with deployment and maintenance challenges, often leads to dissatisfaction among users.

Because of the shortcomings of DLP solutions, many businesses have started to implement data security solutions that leverage Data Security Platforms (DSP) to address the root problem. These platforms focus on protecting sensitive data persistently and only expose sensitive data to authorized people on authorized endpoints. No one has access to the sensitive data by default. It is a “deny all, unless specifically authorized” approach to sensitive data. That means the protected data can be copied from one place to another, or even sent outside the company firewalls, but it remains protected with encryption and is meaningless bits and bytes without decryption. No one, including system administrators, has access to any sensitive information without proper authorization. To access sensitive information inside the persistently protected data, a user must be authenticated and authorized to do so.

A DSP solution allows you to control users’ access to your sensitive data through your existing Identity and Access Management (IAM) system. It is much easier and simpler to deploy and manage, without concerns about where the protected data is stored or how it is transferred, inside or outside your network boundaries. Instead of focusing on detection, a DSP solution focuses on protection. It proactively protects your sensitive data and prevents data breaches.

Our patented OnData SaaS platform is a lightweight DSP solution designed to protect structured data in databases and unstructured data in documents and files. It integrates with your IAM system so that you can control access to your sensitive data from that system, no matter where the sensitive data is stored. The OnData solution extends an IAM’s capability to control data access, beyond the application access and system access that it manages today.

The OnData solution can automatically discover, classify, and protect your sensitive data at all times. Detailed audit logs record who has accessed which sensitive data, where, and when. The OnData DSP solution delivers high performance and a quantum-resistant level of security in a very straightforward and highly usable manner. It enables you to protect your sensitive data at all times, and at a reasonable cost.