
Network vs Endpoint DLP and Data Classification


Data loss is a constant threat to businesses. The risk is not only the monetary cost of breaching regulatory requirements; potentially far more costly in the long run is the reputational damage. When it comes to your organisation’s security ecosystem, Data Loss Prevention (DLP) solutions are a key priority for anyone handling sensitive data. There are two main types of DLP – Network DLP and Endpoint DLP – each serving a different function in protecting and securing sensitive data. Let’s explore what Network DLP (NDLP) and Endpoint DLP (EDLP) are, the differences between them, and how data classification integrates to bolster DLP decision making.

Network DLP (NDLP)

Network DLP (NDLP), also referred to as data-in-motion protection, mitigates the risk of data loss by monitoring, controlling, and reporting the flow of sensitive data via the network, email, or web. It sees data as it moves through the network and enforces policies at that time. For example, if a user attempts to send an email with sensitive data, NDLP inspects that traffic and can automatically take actions based on the organisation’s predefined policies such as block, audit, forward, notify, encrypt, and quarantine. NDLP also has visibility into web traffic such as social media sites for added protection.

A major benefit to NDLP is that it can be deployed with very little overhead and does not require much upkeep. However, as NDLP uses a box or virtual machine on the corporate network that data traffic passes through, devices must be connected to your network in order to protect data. If the device is off the network and not on a corporate VPN, NDLP does not have visibility into what is happening with data and cannot protect it. Even with a VPN, NDLP does not directly prevent data from being saved on external devices such as USB drives.

Endpoint DLP (EDLP)

Endpoint DLP (EDLP) monitors all endpoints such as laptops, desktops, phones, and any other device on which data is used, moved, or stored. With EDLP, an agent lives on the endpoint (the system) and gives you visibility into data as it is created or updated; the data is then tagged to alert the user if it contains sensitive data. The agent can also see actions such as copy/paste, screenshots, and printing, can restrict those processes, and prevents data from being saved on a USB drive, CD, or DVD. EDLP can protect data either on or off the corporate network, so data is protected even if users are working remotely and not connected to the corporate network via VPN.

Having data protected at its source is an enormous benefit; however, EDLP requires the deployment and ongoing maintenance of agent software on every protected device. The volume of upkeep will depend on the number of laptops, desktops, servers, etc. in your organisation. This can be a lot to deploy and manage if the organisation has a multitude of devices to keep up with.

How they differ

While NDLP and EDLP work to the same end goal, preventing sensitive data loss, they are very different when it comes to what levels of control they offer and how they are deployed. The main difference between NDLP and EDLP is that NDLP secures communications on the organisation’s network, while EDLP safeguards intellectual property and ensures compliance with company policies. As discussed previously, NDLP protects data only in your company’s network, so a VPN must be used to make it conducive to a remote environment. However, NDLP is easy to deploy and does not require a dedicated resource once deployed. Meanwhile, EDLP protects data at the source offering deeper insight, but requires ongoing deployment and maintenance of the agent software on every device, which can be challenging to manage depending on the number of devices being used.

Questions to consider when choosing between NDLP and EDLP:

Deciding which option is best for your organisation depends on a few key factors:

  •  How much control over the endpoint do you have?

If you have devices that you are unable to modify for whatever reason (geographical location, personal device, etc.) and are allowing access to the corporate network and corporate data, then NDLP is the best option for the short term. Changes to endpoint policy are typically long-term plans in most organisations, and you do not want to wait to start protecting your data.

  •  How do you prioritise the thoroughness of data inspection vs. time, effort, and monetary investment in the inspection process?

NDLP is much faster to deploy and easier to maintain, while EDLP provides deeper and more thorough insight and protection. Ultimately, you will need to make a realistic assessment of your organisation’s needs vs. capabilities.

Using data classification to enhance DLP

Both NDLP and EDLP provide a comprehensive set of control points at which to police the distribution of information – within the network and at the endpoint devices. However, unless the significance of the data is accurately determined, then even a pervasive set of control points will not prevent data leakage. A data classification solution assists users in applying consistent classification metadata to information, supplying DLP solutions with reliable insight into the meaning and value of data, which complements the detection methods based on keywords and regular expressions alone. With the business context captured in the metadata, DLP can then apply decisions in a consistent manner in order to control the distribution of information or apply further security measures.

Another benefit to data classification is that it helps mitigate one of the most prevalent hindrances to DLP – “false positives”. Organisations looking to deploy data loss prevention solutions are commonly faced with the dilemma of how to maximise the value of automated content scanning whilst avoiding the negative impact of “false positive” results. In order to avoid an adverse effect on business processes, DLP solutions can end up being detuned to the point where only simple, highly predictable checks can be performed, for example, checking for credit card numbers, employee numbers, material codes, etc. As a result, the solution is left unable to identify the true business value of most information and to apply relevant controls. By engaging knowledge workers in the process of classifying the unstructured data that they routinely handle, it becomes possible to supply the DLP solution with predictable, meaningful metadata that greatly improves the reliability of DLP decision making. With improved accuracy of DLP decision making, the incidence of “false positives” that are so frustrating to users and damaging to business processes can be significantly reduced without compromising effectiveness.
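The difference between content-only scanning and a decision informed by classification metadata, as an added example (not code from any DLP or classification product): the label names, the label-to-action policy, the keyword rule, and the sample messages are all constructed assumptions; only the action names follow the list given earlier in the article.

```python
import re

# Constructed policy for outbound mail. Label names and the ordering of
# actions are assumptions; the action names follow the article's list.
LABEL_ACTION = {"Public": "allow", "Internal": "audit",
                "Confidential": "encrypt", "Secret": "block"}
STRICTNESS = ["allow", "audit", "encrypt", "quarantine", "block"]
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")    # candidate card numbers
KEYWORD_RE = re.compile(r"\bconfidential\w*", re.I)  # low-precision keyword rule

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def has_card(body):
    """True if the body holds a digit run that passes the Luhn check."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body))

def content_only(body):
    """Regex/keyword DLP with no business context."""
    return "quarantine" if has_card(body) or KEYWORD_RE.search(body) else "allow"

def with_label(label, body):
    """Label drives the decision; keywords are a fallback for unlabelled data."""
    if label in LABEL_ACTION:
        action = LABEL_ACTION[label]
    else:
        action = "quarantine" if KEYWORD_RE.search(body) else "audit"
    if has_card(body):  # high-precision detector applies whatever the label says
        action = max(action, "quarantine", key=STRICTNESS.index)
    return action

# Constructed sample messages: (classification label, body)
SAMPLES = [
    ("Public", "Our confidentiality policy is published on the website."),
    ("Secret", "Draft acquisition terms for Project Falcon attached."),
    (None, "Card 4111 1111 1111 1111 exp 12/30"),
    ("Internal", "Order ref 1234 5678 9012 3456"),
]

def compare():
    """Return (content-only action, label-aware action) for each sample."""
    return [(content_only(body), with_label(label, body)) for label, body in SAMPLES]

if __name__ == "__main__":
    print(compare())
```

The first sample is a keyword false positive that the label resolves, and the second is sensitive material that no pattern catches but the label does.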

With data being one of a business’s most valuable assets, implementing either NDLP or EDLP alongside a best-of-breed data classification solution can help organisations maintain visibility and control of their data, keeping it safe, secure, and compliant. No matter which DLP route you choose, when paired with a classification solution, both NDLP and EDLP are some of the most effective tools for preventing data loss.