
8 Best Data Leak Prevention (DLP) Policies for Protecting Your Sensitive Data

by Isaac Madan, July 8, 2024

What is a DLP policy, and why do you need one?

Whether organizations are looking to prevent data exposure, meet leading compliance standards, or simply earn customer trust, Data Leak Prevention (DLP) policies are effective tools for pinpointing and protecting sensitive data across the cloud and beyond.

DLP policies are especially useful in the following top use cases:

How do you create an effective DLP policy?

There are several factors that go into making an effective DLP policy—one that doesn’t let any high-risk data slip through, but also doesn’t cause inconvenient workflow interruptions.

Every DLP policy is constructed from detectors and detection rules. Here’s how each of these components comes together to form a DLP policy:

  • Detectors are models or algorithms for identifying specific types of sensitive information. When creating a DLP policy, it’s important to start with a detector that has high precision and recall so that you don’t have to suffer through a high percentage of false positive alerts.
  • Detection rules are combinations of detectors that define what you are looking to detect in a policy. For instance, you might create detection rules to pinpoint secrets in code repos, scan for social security numbers (SSNs) in messages, or uncover anomalous behavior in shared drives.
  • DLP policies define what you’re looking for, where you’re looking for it, and how you want to handle any violations. To expand on the above examples, you might create policies to automatically redact active API keys in GitHub, delete SSNs in Slack channels and DMs, or change permission settings for sensitive files in Google Drive.

DLP policies can be incredibly versatile; they can start protecting your data right out of the box, but can also be tailored to specific business use cases. With this in mind, let’s dive into the most popular DLP policies for protecting sensitive data across the business tech stack.
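To make the detector / detection rule / policy layering concrete, here is an added example (written for this article, not Nightfall’s own code or API) that models the three components in Python. The detector names, rule names, location prefixes and the `Policy` class are hypothetical; the SSN detector applies the Social Security Administration’s structural rules (area numbers 000, 666 and 900–999 are never issued, group 00 and serial 0000 are invalid) to improve precision over a bare regex, and the AWS access key pattern is the common `AKIA` + 16 character heuristic, used here as an assumption rather than an authoritative format. The sample message is constructed; the key in it is the publicly documented AWS example value, not a live credential.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical model of detector -> detection rule -> policy.
Span = Tuple[int, int]  # (start, end) offsets into the scanned text

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # assumed heuristic shape


def detect_ssn(text: str) -> List[Span]:
    """Precision-oriented SSN detector: the dashed pattern alone matches many
    ID-like strings, so apply the SSA structural rules before reporting."""
    spans: List[Span] = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.group(1), m.group(2), m.group(3)
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        spans.append(m.span())
    return spans


def detect_aws_access_key(text: str) -> List[Span]:
    """Format-shaped detector for AWS access key IDs."""
    return [m.span() for m in AWS_KEY_RE.finditer(text)]


@dataclass
class DetectionRule:
    """A named combination of detectors; fires when enough findings accumulate."""
    name: str
    detectors: Dict[str, Callable[[str], List[Span]]]
    min_findings: int = 1

    def evaluate(self, text: str) -> Dict[str, List[Span]]:
        findings = {name: det(text) for name, det in self.detectors.items()}
        total = sum(len(s) for s in findings.values())
        return findings if total >= self.min_findings else {}


@dataclass
class Policy:
    """What to look for (rules), where (location prefixes) and what to do (action)."""
    name: str
    locations: List[str]      # e.g. "slack:" covers every Slack channel/DM
    rules: List[DetectionRule]
    action: str               # "redact" or "notify"

    def applies_to(self, location: str) -> bool:
        return any(location.startswith(prefix) for prefix in self.locations)

    def enforce(self, location: str, text: str) -> Tuple[str, List[str]]:
        """Return (possibly redacted text, alert lines for security admins)."""
        if not self.applies_to(location):
            return text, []
        alerts: List[str] = []
        spans: List[Span] = []
        for rule in self.rules:
            for det_name, found in rule.evaluate(text).items():
                for s in found:
                    alerts.append(f"{self.name}: {rule.name}/{det_name} at {location} offset {s[0]}")
                    spans.append(s)
        if self.action == "redact" and spans:
            # Replace from the end so earlier offsets stay valid.
            for start, end in sorted(spans, reverse=True):
                text = text[:start] + "[REDACTED]" + text[end:]
        return text, alerts


SLACK_SECRETS_POLICY = Policy(
    name="slack-secrets-and-ssn",
    locations=["slack:"],
    rules=[
        DetectionRule("secrets", {"aws_access_key": detect_aws_access_key}),
        DetectionRule("us_pii", {"ssn": detect_ssn}),
    ],
    action="redact",
)


def run_demo() -> Tuple[str, List[str]]:
    # Constructed sample message; the key is the AWS documentation example value.
    msg = "my ssn is 123-45-6789 and the key is AKIAIOSFODNN7EXAMPLE"
    return SLACK_SECRETS_POLICY.enforce("slack:#general", msg)


if __name__ == "__main__":
    redacted, alerts = run_demo()
    print(redacted)
    for line in alerts:
        print(line)
```

The point of the structure is that the same detector can be reused by several rules, and the same rule by several policies that differ only in scope and action: a GitHub policy would carry the `secrets` rule with a `github:` location and a `notify` action, while the Slack policy above redacts in place.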

What are the top DLP policies?

1. Detect secrets in Slack and notify

Communication apps like Slack make it all too easy for employees to accidentally share sensitive data like passwords, API keys, and other secrets in DMs, public channels, private channels, or files. This dedicated policy can:

  • Automatically remediate secrets in Slack
  • Monitor specific users, channels, and file types
  • Send alerts to security admins via Slack, Teams, or your SIEM of choice
  • Send notifications to employees to educate them about company policies and ask them to self-remediate any issue

2. Detect secrets in GitHub and notify

On average, over 5 active keys are found sprawled across the cloud for every 100 employees—and many of those keys are found in GitHub. This policy automatically detects and notifies security admins when an API key or other secret is found in GitHub. This policy can also be configured to:

  • Monitor specific repos according to public/private status, repo directory, and file extension to exclude test code and data
  • Send alerts to security admins via Slack, email, or your SIEM of choice
  • Send notifications to employees to educate them about proper secret handling and coach them to prevent future data exposure

3. Detect Secrets in Jira and notify

Though it may seem counterintuitive, Jira contains, on average, 5x more active API keys than GitHub. This dedicated policy detects secrets and automatically notifies security admins so that remediation can begin quickly. Here are a few more policy details at a glance:

  • Automatically remediate secrets in Jira
  • Send alerts to security admins via Slack, email, or your SIEM of choice
  • Send notifications to employees to educate them about proper secret handling and coach them to prevent future data exposure

4. Prevent sharing of secrets with ChatGPT

Perhaps a developer might want help generating new code or debugging existing code. Either way, if they mistakenly include an active API key in their ChatGPT prompt, that API key could be stored by OpenAI and used to train OpenAI's models. To avoid this pitfall, it’s important to have a DLP policy in place that intercepts any and all prompts containing sensitive data before they’re sent to third-party LLMs. With this policy, security admins can:

  • Monitor all ChatGPT conversations
  • Automatically block secrets, like API keys, from being shared with ChatGPT
  • Send alerts to security admins via Slack, email, or your SIEM of choice
  • Send notifications to employees to educate them about proper secret handling and coach them to prevent future data exposure

5. Monitor bulk downloads from Google Drive

Insider risk takes a multitude of forms, from departing employees to threat actors with access to employee credentials. This policy protects organizations from such risks by detecting when a user’s quantity of downloads crosses a certain threshold in a specific time period (e.g. more than 25 files in 24 hours). Here are some further features of this policy:

  • Monitor specific users and drives in Google Drive
  • Send alerts to security admins via Slack, email, or your SIEM of choice for further investigation and response
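The threshold described above (more than 25 files in 24 hours) is a sliding-window count per user. The following added example, not Nightfall’s code, shows one way to evaluate it over Drive-style audit events. The log format (`timestamp user action file`), the user names and the events themselves are constructed for the example; the detector counts distinct files so that re-downloading the same document does not inflate the count, and raises one alert per user when the window crosses the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple


def generate_events() -> List[str]:
    """Constructed audit log: 'ISO-timestamp user action file', one event per line."""
    base = datetime(2024, 7, 8, 9, 0, 0)
    lines: List[str] = []
    # alice: ordinary activity, three files over a morning
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} alice download report-{i}.pdf")
    # bob: 26 distinct files in under two hours, crossing the 25-in-24h threshold
    for i in range(26):
        ts = base + timedelta(minutes=4 * i)
        lines.append(f"{ts.isoformat()} bob download customer-{i}.csv")
    # carol: 30 files in total, but split across two days so no 24h window holds more than 15
    for i in range(30):
        hours = 0 if i < 15 else 30
        ts = base + timedelta(hours=hours, minutes=2 * i)
        lines.append(f"{ts.isoformat()} carol download design-{i}.fig")
    return lines


def detect_bulk_downloads(
    lines: List[str],
    threshold: int = 25,
    window: timedelta = timedelta(hours=24),
) -> List[Tuple[str, datetime, int]]:
    """Return (user, time, distinct_files) for each user whose distinct downloads
    within any trailing window exceed the threshold. One alert per user."""
    events: List[Tuple[datetime, str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, user, action, file = line.split(" ", 3)
        if action != "download":
            continue
        events.append((datetime.fromisoformat(ts), user, file))
    events.sort(key=lambda e: e[0])  # audit exports are not always time-ordered

    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, datetime, int]] = []
    for ts, user, file in events:
        q = recent[user]
        q.append((ts, file))
        # Drop events that have fallen out of the trailing window.
        while q and q[0][0] < ts - window:
            q.popleft()
        distinct = len({f for _, f in q})
        if distinct > threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts


if __name__ == "__main__":
    for user, when, count in detect_bulk_downloads(generate_events()):
        print(f"ALERT {user}: {count} distinct files downloaded by {when.isoformat()}")
```

The `alerted` set suppresses repeat alerts for the same user; a production detector would clear that flag once the user’s window falls back under the threshold, and would scope the count to the specific drives the policy monitors.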

6. Prevent sharing of U.S. PII via Gmail and notify

Over 40% of data breaches involve email. In order to limit the blast radius of breaches, and to remain in compliance with leading standards like HIPAA and FERPA, it’s crucial to have a policy to protect sensitive PII in cloud email services like Gmail. With this policy, security admins can:

  • Intercept and automatically encrypt emails containing sensitive PII in Gmail
  • Send alerts to security admins via Slack, email, or your SIEM of choice
  • Send notifications to employees to educate them about proper data handling and coach them to prevent future data exposure

7. Detect PCI data in text payload and redact

For organizations that wish to stay compliant with PCI-DSS, it may be a requirement to have a DLP solution in place to monitor for sprawled PCI data (e.g. credit card numbers). This policy helps maintain compliance via the following configurations:

  • Detect and automatically redact credit card data in text payloads
  • Send alerts to security admins via Slack, email, or your SIEM of choice
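Card-number detection is where precision matters most: a 16-digit order number or tracking ID looks like a PAN to a regex. The added example below (written for this article, not Nightfall’s detector) finds candidate digit runs with optional space or dash separators, keeps only those that pass the Luhn checksum, and redacts them from a text payload while preserving the last four digits. The sample payload is constructed; the two card numbers in it are the standard publicly documented test values, and the candidate regex is an assumption of this example.

```python
import re
from typing import List, Tuple

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9,
    and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, normalized_digits) for each Luhn-valid candidate."""
    found: List[Tuple[int, int, str]] = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append((m.start(), m.end(), digits))
    return found


def redact_pci(text: str, keep_last: int = 4) -> str:
    """Replace each detected PAN with a masked form that keeps the last digits
    so a reader can still reconcile the message with a transaction record."""
    pieces: List[str] = []
    cursor = 0
    for start, end, digits in find_card_numbers(text):
        pieces.append(text[cursor:start])
        pieces.append("*" * (len(digits) - keep_last) + digits[-keep_last:])
        cursor = end
    pieces.append(text[cursor:])
    return "".join(pieces)


# Constructed sample payload: one Luhn-failing order number (must survive),
# a Visa and an Amex test number (must be redacted), and a phone number.
SAMPLE_PAYLOAD = (
    "Order 1234 5678 9012 3456 shipped. Customer paid with 4111 1111 1111 1111 "
    "(backup card 378282246310005). Call 555-123-4567 with questions."
)

if __name__ == "__main__":
    print(redact_pci(SAMPLE_PAYLOAD))
```

Luhn validation removes the bulk of random-digit false positives but is not proof that a number is a live card; pairing it with issuer prefix ranges and surrounding context (“card”, “CVV”, an expiry date nearby) is how a detector pushes precision further without losing recall.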

8. Detect HIPAA violations in Slack and notify

Looking to stay in continuous compliance with HIPAA? In that case, it’s crucial to monitor for accidental PHI sharing in Slack DMs, public channels, private channels, or files. This policy offers the following features to help organizations stay audit ready:

  • Automatically remediate PHI in Slack, including diagnoses, FDA drug names, insurance claim information, and more
  • Monitor specific users, channels, and file types
  • Send alerts to security admins via Slack, Teams, or your SIEM of choice
  • Send notifications to employees to educate them about proper PHI handling and ask them to self-remediate any issue

How can you get started with your own DLP policies?

All of the above policies—and more—can be found on the Nightfall Feed: A community for discovering, sharing, and collaborating on templates for detectors, detection rules, and DLP policies. Each of the policies on the Feed can be easily configured in the Nightfall platform so that organizations can more easily identify and protect their high-risk sensitive data.

How can you create a custom DLP policy?

If you can’t find what you’re looking for on the Nightfall Feed, you can always create your own policies, detection rules, and detectors from scratch using Nightfall’s Firewall for AI Developers. Sign up for Nightfall for free to start customizing your own policies today.
