Data Loss Prevention (DLP) - Preventing Data Loss
Data Loss Prevention (DLP) prevents the unauthorized leakage of sensitive data from the organization. DLP systems monitor data in three states: data at rest (storage), data in motion (network), and data in use (endpoints). Detection methods: regex patterns (credit card numbers, IBANs, Social Security numbers), fingerprinting (document signatures), and ML-based classification. Key solutions: Microsoft Purview DLP, Symantec DLP, Forcepoint. The GDPR requires the protection of personal data.
Data Loss Prevention protects what companies value most: their data. Customer data, trade secrets, financial information—DLP ensures that this information does not leave the company unchecked.
Basic DLP Architecture
Data at Rest
- Data on hard drives, NAS, cloud storage, and databases
- DLP scans storage locations for classified content
- Finds: Credit card numbers in Excel files on file servers
- Finds: Customer data in misconfigured cloud buckets
- Action: Alert + optionally enforce encryption
Data in Motion (Data on the Network)
- Emails, HTTP/HTTPS uploads, FTP, cloud sync
- DLP inspects data transfers (TLS interception required!)
- Finds: Customer list as an Excel attachment in an external email
- Finds: Contract PDF uploaded to consumer Dropbox
- Action: Block, quarantine, notification
Data in Use (active use)
- Endpoint agent monitors actions on the device
- Clipboard monitoring, print monitoring, USB transfers
- Detects: Copying of classified data to a USB drive
- Detects: Screenshot of a confidential document
- Action: Block + alert to security team
> Insight: Effective DLP combines all three levels. Email DLP alone is blind to web uploads and USB; endpoint DLP alone is blind to cloud sync without an agent.
Data Classification as the Foundation
Classification Levels (typical)
| Level | Description |
|---|---|
| Public | Freely accessible information |
| Internal | For employees only (no harm if lost) |
| Confidential | Restricted group of people (contract partners, etc.) |
| Strictly Confidential | C-level, Finance, HR (highest risk of harm) |
Classification Methods
Manual (user-based):
- Employees classify upon creation: "Confidential"
- Advantage: context-aware
- Disadvantage: prone to errors, inconsistent
Automatic via Regex/Pattern Matching:
IBAN: DE[0-9]{2}[0-9A-Z]{18}
Credit Card: [0-9]{4}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}
ID Card: [A-Z]{1}[0-9A-Z]{8}[0-9]{1}
Email (internal): [a-zA-Z0-9._%+-]+@company\.com
Fingerprinting:
- Document signatures: Contract X.pdf → unique hash
- DLP detects copies/excerpts of this document anywhere
- Advantage: Document-specific, no regex required
- Use cases: NDAs, M&A documents, source code
ML classification (modern DLP):
- Trained on classified documents
- Detects similar content even without an exact match
- Microsoft Purview: trainable classifiers
Microsoft Purview DLP
Scope of application
- Exchange Online (email)
- SharePoint Online / OneDrive
- Teams
- Endpoints (with Defender for Endpoint)
- MCAS (Cloud App Security, for third-party cloud)
Policy Creation (Example: GDPR-relevant data)
Microsoft Purview Compliance Portal:
Data Loss Prevention → Policies → Create Policy
Template: GDPR
Locations: Exchange, SharePoint, OneDrive, Teams, Devices
Rules:
Condition: Content contains:
→ German IBAN (Sensitive Info Type)
→ ID card number (Sensitive Info Type)
→ Count: ≥ 5 instances
Exception: Email to @company.com (internal allowed)
Actions:
→ Block sending (external recipients)
→ Send compliance alert (security team)
→ User policy tip: "This email contains personal data"
Endpoint DLP (Defender integration)
- Monitored activities: Copy to USB, Print, Upload, Clipboard
- Action: Audit (logging only) or Block + User Notification
- Exceptions: Approved USB devices (Serial Numbers)
DLP Monitoring
- Purview Activity Explorer: What data is going where?
- Alerts: For policy violations
- Reports: Top triggered policies, Top users
DLP and Data Protection (GDPR)
GDPR Requires DLP
- Art. 5(1)(f): "appropriate security" of personal data
- Art. 25: Privacy by Design → DLP as a technical safeguard
- Art. 32: "appropriate technical measures" → DLP explicitly mentioned
DLP Itself Is Subject to the GDPR
- DLP monitors employee communications → processing of personal data
- Legal basis: Art. 6(1)(f) (legitimate interest)
- Employees must be informed (transparency obligation)
- Works council: co-determination under §87 BetrVG, because DLP is a form of employee monitoring
- Company agreement: what is monitored, and how long are the logs retained?
Balance between data protection and DLP
- DLP logs: 90-day retention period recommended (no long-term monitoring)
- Document only incidents (no logging of all legitimate transfers)
- No content logging for non-violations (data minimization)
- Clear policy: What is prohibited? Employees know the rules.
> GDPR Note: Data loss without DLP can increase fines. Proof of DLP demonstrates "appropriate measures" and helps reduce fines.
DLP Implementation: Practical Steps
Phase 1: Audit Mode (Months 1–2)
- DLP active, but logging only (no blocking!)
- Measure false positive rate: How often does DLP trigger incorrectly?
- Typical: 60–80% false positives during the initial rollout
- Adjust policies: Define exceptions (HR department is allowed to send IBANs!)
Phase 2: Warning Mode (Months 3–4)
- User sees warning, can override with justification
- Collect justifications: what are legitimate exceptions?
- Further refine policies
Phase 3: Block Mode (Month 5+)
- Critical policies: Activate block
- Low-risk policies: Remain in warning mode
- Escalation process: Users can submit an appeal
Common false positive scenarios
| Department | Problem | Solution |
|---|---|---|
| Accounting | Sends IBANs daily (legitimate!) | Department-based exception |
| HR | Sends ID numbers for travel expense reports | Department-based exception |
| IT | Sends test credit card numbers (test system!) | Specially marked documents |
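The pattern matching, the policy rule (count ≥ 5, internal recipients exempt), the three rollout phases and the department-based exceptions above, combined in one toy rule engine. This is an added example, not code from the page or from any DLP vendor; the checksum validation (Luhn for cards, ISO 7064 mod-97 for IBANs) is an addition that cuts the false positives arbitrary digit runs cause, and the department list, sample text and recipient addresses are constructed assumptions.

```python
import re

# Patterns from the page; the IBAN pattern is narrowed to digits because a
# German BBAN is numeric (assumption: German IBANs only).
PATTERNS = {
    "iban": re.compile(r"\bDE[0-9]{2}[0-9]{18}\b"),
    "credit_card": re.compile(r"\b[0-9]{4}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}\b"),
}
INTERNAL_DOMAIN = "company.com"            # page's exception: internal mail allowed
EXEMPT_DEPARTMENTS = {"accounting", "hr"}  # assumed department-based exceptions
THRESHOLD = 5                              # page's rule: count >= 5 instances

def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects random digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97: rotate the first four chars to the end, letters -> 10..35."""
    numeric = "".join(str(int(c, 36)) for c in iban[4:] + iban[:4])
    return int(numeric) % 97 == 1

def classify(text: str) -> dict:
    """Count checksum-validated matches per sensitive info type."""
    counts = {}
    for name, pattern in PATTERNS.items():
        check = iban_ok if name == "iban" else luhn_ok
        counts[name] = sum(1 for m in pattern.finditer(text) if check(m.group()))
    return counts

def evaluate(text: str, recipient: str, department: str, phase: str) -> str:
    """Decision for one outbound message: allow, audit, warn or block."""
    if recipient.lower().endswith("@" + INTERNAL_DOMAIN):
        return "allow"                     # exception: internal recipients
    if department.lower() in EXEMPT_DEPARTMENTS:
        return "allow"                     # exception: departments that send this legitimately
    if sum(classify(text).values()) < THRESHOLD:
        return "allow"                     # below the count threshold
    return phase                           # "audit", "warn" or "block" (Phases 1-3)

# Constructed sample: two valid IBANs, three Luhn-valid cards, one invalid card.
SAMPLE = ("IBANs DE89370400440532013000 and DE62370400440532013001; cards "
          "4111-1111-1111-1111, 5500-0000-0000-0004, 4012-8888-8888-1881, "
          "1234-5678-9012-3456; order number 2023-4567 is not a card.")
```

Run `evaluate(SAMPLE, "partner@example.org", "sales", "audit")` and then the same call with `"block"` to see how the same content moves from a log entry in Phase 1 to a blocked send in Phase 3.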