How to Help DLP and Encryption Coexist

Learn where to incorporate data loss prevention technologies on encrypted networks.

Data loss prevention (DLP) has become increasingly important for protecting organizational data from being leaked to unsecured or unauthorized locations. For example, these technologies can prevent a disgruntled worker from copying personally identifiable information or intellectual property, or stop someone from accidentally emailing the wrong file attachment to an external recipient.

Unfortunately, DLP technologies often clash with network encryption, which exists precisely to keep anyone on the path, including a DLP sensor, from reading the traffic. DLP can only inspect what it can see in plaintext, so to resolve this conflict an organization must place DLP either at a point where it terminates the encryption itself, or on the endpoint before encryption is applied. Here are some tips for DLP implementation options that are mindful of the need to protect sensitive data communications.

1. Route all user traffic through organization-controlled proxy servers to observe unencrypted traffic.

Without a proxy server, an encrypted connection runs end to end between the source and the destination, and nothing in between can read it. To get around this, an organization can insert a proxy server into the route followed by all incoming and outgoing traffic. The proxy terminates the client's encrypted session and opens a second, separate encrypted session to the destination, so there are two encrypted segments (source to proxy, proxy to destination) with plaintext available only on the proxy itself. Network-based DLP software deployed at the proxy can inspect that plaintext and stop sensitive information from being transported against policy. For this to work with TLS, managed endpoints must trust the certificate authority the proxy uses to issue certificates on the fly; applications that pin certificates or use mutual TLS will fail through such a proxy and need explicit exemptions.

2. Use existing security gateways for web, email and other common protocols.

Most data exfiltration involving network traffic takes place over web or email protocols. An alternative to deploying a proxy server is to deploy a security gateway, such as a web or email appliance. These essentially provide a proxy capability, but they can also perform a variety of security checks on the unencrypted traffic that is routed through them, including DLP inspection.

Organizations with existing security gateways should take advantage of them to provide DLP capabilities. Of course, they still must make sure that network traffic is being routed through these gateways. Mobile devices on external networks might not be able to use these gateways unless traffic is forced through them by a virtual private network or other means.
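The inspection step that the proxy in tip 1 or the gateway in tip 2 performs on the decrypted segment, written out as an added example that is not from the original article or any DLP product. The proxy hands this function the plaintext request body after terminating the client's TLS session and before re-encrypting toward the destination (in mitmproxy, for instance, that would be an addon's request hook). The patterns, the Luhn check, the masking of findings and the block/allow policy are all assumptions chosen for illustration, and the sample request bodies are constructed, using published card test numbers rather than real accounts.

```python
"""Plaintext content inspection as a network DLP engine would run it at a
TLS-terminating proxy or security gateway.  Added example; the detection
patterns and the policy below are assumptions, not a vendor's rules."""
import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes.  Validated with the Luhn checksum to cut false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the ###-##-#### layout, excluding never-issued ranges.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                       # "allow" or "block"
    findings: list = field(default_factory=list)


def inspect(body: str, max_pans: int = 0) -> Verdict:
    """Classify one plaintext request body.

    Assumed policy: block if any SSN appears, or if more than `max_pans`
    Luhn-valid card numbers appear (a single number may be a customer typing
    their own card; a column of them looks like a bulk export).  Findings are
    masked so the DLP log itself does not become a second leak."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    pans = sum(1 for kind, _ in findings if kind == "pan")
    ssns = sum(1 for kind, _ in findings if kind == "ssn")
    action = "block" if ssns or pans > max_pans else "allow"
    return Verdict(action, findings)


# Constructed sample bodies, as the proxy would see them after TLS termination.
CLEAN_UPLOAD = "subject=Q3 roadmap&body=Slides attached, see page 4."
LEAKED_EXPORT = (
    "name,card,ssn\n"
    "Alice,4111 1111 1111 1111,078-05-1120\n"   # 4111... is the well-known Visa test number
    "Bob,5500-0000-0000-0004,219-09-9999\n"     # 5500... is the well-known Mastercard test number
)
LUHN_FAIL = "ticket 4111 1111 1111 1112 is a reference number, not a card"

if __name__ == "__main__":
    for label, body in [("clean", CLEAN_UPLOAD), ("export", LEAKED_EXPORT), ("luhn_fail", LUHN_FAIL)]:
        v = inspect(body)
        print(label, v.action, v.findings)
```

The point of the Luhn check is the false-positive rate: a 16-digit ticket or tracking number will match the regex but not the checksum, and a DLP deployment that blocks on bare regexes is the one that gets switched off after a week of helpdesk tickets.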

3. Take advantage of existing endpoint security protection suites.

Many organizations have already deployed endpoint security protection suites to their desktops, notebooks and mobile devices. These suites, which provide an integrated defense-in-depth approach to endpoint security, often include an endpoint-based DLP capability. Once this is properly configured and activated, the suite inspects data on the endpoint itself, before it is encrypted for transmission or storage, so network encryption never gets in the way.

Endpoint-based DLP can even detect forms of exfiltration that network-based DLP can't spot, such as copying sensitive data to USB flash drives or printing it. As a result, endpoint-based DLP may offer more effective detection than a network-based solution, provided the agent is installed on every endpoint that matters and users cannot disable it.

4. Consider adding endpoint-based DLP technologies to endpoints.

As mentioned, many endpoint security suites already include DLP capability. But if an organization lacks such a suite, an alternative is to purchase endpoint-based DLP technology as a point solution.

This is particularly helpful for mobile devices that are often being used on networks outside the organization’s control. Unfortunately, endpoint-based DLP technology can be highly resource-intensive, particularly when deployed as a point solution. IT managers should perform extensive pilot testing when evaluating endpoint-based DLP products.

About the Author

Karen Scarfone

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She previously worked as a senior computer scientist for the National Institute of Standards and Technology.