I. Background of Data Leakage Prevention (cont'd)

  1. Network DLP

    Network DLP is designed to detect leakage incidents involving data in motion, by detecting whether particular important data files are being transferred through universities' networks. This kind of DLP device usually supports multiple protocols such as HTTP, FTP, P2P and SMTP, and is commonly attached to network equipment (e.g. routers, switches), where all traffic leaving universities' internal network can be captured for inspection.

    Nowadays, most universities have already implemented certain network traffic filtering systems, such as e-mail and web activity monitoring programs, which provide part of the functionality of Network DLP. Some more specialised Network DLP tools include McAfee Network DLP Manager, RSA DLP Network, and Symantec Data Loss Prevention Network series.


  2. Endpoint DLP

    Endpoint DLP products are agents or software that usually reside on end user terminals such as mobile devices and laptops. Endpoint DLP is commonly used to prevent users from storing sensitive information on removable media devices such as USB flash drives and CD-ROM discs, and to protect against unauthorised transmission of sensitive information when a user is not connected to the universities' own networks (e.g. at a public free Wi-Fi spot). Endpoint DLP software can also utilise disk encryption, which prevents unauthorised access to information on a lost or stolen laptop.

    Popular Endpoint DLP products currently on the market include NextLabs Enterprise DLP, Symantec Protection Suite Enterprise and McAfee Host Data Loss Prevention.


  3. Embedded DLP

    Universities also have a less expensive option: implementing "Partial" DLP solutions instead of setting up a comprehensive data leakage management infrastructure. Such solutions are commonly known as Embedded DLP.

    Embedded DLP controls are planted within specific applications to monitor data outflows, identify keywords or related patterns belonging to sensitive information, and block any suspicious data leakage attempts. Examples include scanning outgoing e-mails for sensitive keywords or attachments and rejecting them, and restricting the printing of copyrighted softcopy documents.
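
    The outgoing e-mail scanning case described above, as an added example (not from the publication or any vendor product). The keyword list, the card-number pattern with its Luhn check, the addresses and the file name are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Hypothetical policy: keywords and the card-number pattern are assumptions.
KEYWORDS = ("confidential", "exam paper", "student record")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str, where: str) -> list:
    findings = [(where, "keyword", kw) for kw in KEYWORDS if kw in text.lower()]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Record only the last four digits so the DLP log is not a leak itself.
            findings.append((where, "card_number", "****" + digits[-4:]))
    return findings

def scan_outgoing(msg: EmailMessage) -> list:
    """Scan the subject, text body parts and text attachments of one message."""
    findings = scan_text(msg.get("Subject", ""), "subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # containers and binary attachments need their own extractor
        where = part.get_filename() or "body"
        findings += scan_text(part.get_content(), where)
    return findings

def verdict(msg: EmailMessage) -> str:
    return "REJECT" if scan_outgoing(msg) else "DELIVER"

def sample_message(body: str, attachment: str = "") -> EmailMessage:
    """Build a constructed test message (not real data)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "staff@uni.example", "x@mail.example", "Notes"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment, filename="grades.csv")
    return msg
```

    Binary attachments (PDF, Office documents, images) are skipped here; a deployed filter would need a text extractor for each format before the same checks apply.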

    The design and implementation of Embedded DLP can be performed within universities or acquired from existing security vendors. Cisco's IronPort e-mail security technology provides functionality to detect sensitive content, patterns or images in a message body or within attachments. Websense Web Security Gateway solutions, which incorporate the Websense TruWeb DLP capability, offer embedded DLP over outbound communications to destinations like web mail and social networks.

KPMG Publication - Data Leakage Prevention