Exact data match (EDM) is an advanced data loss prevention (DLP) technique that finds specific data values that are important to the organization and need to be protected rather than finding general data patterns or formats only. For example, an organization can detect the exact match of a customer credit card number, rather than detecting only the pattern, to enhance detection accuracy and reduce false positives.
The purpose of EDM, as with DLP, is to protect sensitive data such as personally identifiable information (PII) from exposure to the internet. Protecting such information becomes more difficult as organizations adopt cloud services, where managing security functions such as permissions, endpoint security, and remediation all increase an organization's risk of misconfiguration—the top cause of cloud data breaches.
Exact data match is a method of data classification, which is a critical element of DLP. Typically, DLP systems use pattern matching to identify data that needs to be protected. A DLP system will monitor data such as credit card numbers, account numbers, Social Security numbers (SSNs), and so on depending on the types of records the administrator selects for protection and the policies attached to them.
EDM helps these values stay protected on an exact basis rather than a tangential one, meaning that the value itself has its own security protocol rather than a group of values being treated as one. This schema will help security teams reduce the amount of false positives—or unnecessary notifications—they receive.
How Does Exact Data Match Work?
EDM “fingerprints” sensitive data from structured data sources, such as databases or spreadsheets, and then watches for attempts to move the fingerprinted data to stop it from being shared or transferred inappropriately. If even one transaction appears suspicious, the DLP attached to EDM will close off access to all entries of that custom sensitive information type, such as a credit card number.
It starts with plain text from a database or spreadsheet that contains the sensitive records. This data in these records is obfuscated, usually by hashing (i.e., data strings are algorithmically shortened and encrypted) and then stored within the DLP solution. The same algorithms are then applied to all outbound traffic. So, when traffic that is hashed matches the stored hashes, the transfer will be blocked or an alert will be triggered.
Why Is EDM Important?
Let’s take the example of a credit card number: simply monitoring traffic for credit card numbers may trigger alerts anytime someone in the organization uses a credit card for any reason. So, an employee making an online purchase during a break may be blocked from doing so, and the security administrator will receive an alert.
In this case, the alert would be a “false positive,” so called because the system accurately detected an attempt to send credit card data, but the activity posed no risk to the organization. With EDM, only the specific credit card numbers a company stores in its databases—such as those belonging to its customers or partners—would trigger alerts. An employee making a purchase would not trigger an alert, nor would an accountant paying bills.
To clarify, most false positives are real positives, meaning the detection engine did its job and identified content that matches a policy. However, the content doesn’t pose a risk to the business in the context it’s being used. False positives have consequences—they don’t cause direct harm, but they jam up the system. While administrators weed out hundreds of false positives every week, perhaps more, they spend less time investigating the legitimate alerts.
Benefits of EDM
DLP already puts protocols in place to help organizations keep their data secure, but exact data match allows organizations to detect and protect specific data values. When it comes to selecting a quality platform, however, you should be on the lookout for certain features. Some of the benefits of an effective EDM platform include:
Inline Inspection and Enforcement
A cloud-delivered DLP with EDM can inspect all network traffic inline, whether users are on or off the network, increasing the accuracy of detection of data loss incidents and nearly eliminating false positives. EDM with native SSL inspection and policy enforcement secures all application and user traffic, providing enhanced security and greater visibility.
By leveraging the scalability of the cloud, customers can fingerprint and match up to a billion cells of data at any time. Trying to deploy such a solution on-premises will only yield performance constraints due to the resource-intensive nature of the technology.
Granular Policy Control
With EDM and highly customizable policies, a cloud native DLP can detect and stop the transfer of an exact match to a particular record to unauthorized parties or services. This technique eliminates false positives, improving both security posture and administrator productivity.
It’s clear that EDM can support a variety of DLP use cases, but only one DLP vendor was born in the cloud and has the capability to protect users wherever they are, whichever devices they use, with zero trust principles. That vendor is Zscaler.
Exact Data Match and Zscaler DLP
Not to be confused with Exact Data Match offered by Microsoft, Zscaler Exact Data Match is a storage- and compute-intensive operation, requiring a highly scalable platform that can accommodate its processing demands.
Because Zscaler Cloud DLP with EDM is built on a global multitenant cloud architecture, it detects and blocks attempts to send protected data no matter where the user connects or what apps are being used. There’s no impact on connectivity or performance due to Zscaler’s large global footprint (over 150 PoPs), and the centralized Zscaler admin portal provides real-time visibility into incidents.
Most DLP systems can’t inspect encrypted traffic, leaving them blind to the majority of enterprise traffic. But Zscaler Cloud DLP is part of the integrated Zscaler Zero Trust Exchange™ platform, which inspects all traffic, including encrypted traffic. Zscaler is the only security service provider that provides such functionality as a cloud-delivered service.
With Zscaler EDM, you can fingerprint and match billions of cells of your unique sensitive data, store those fingerprints in the Zscaler cloud, and stop data loss globally and at scale. Zscaler also helps you maximize your information protection as you comply with industry mandates, such as HIPAA for healthcare data and medical records, as well as data privacy regulations like GDPR.
Leveraging an extensive feature set, including EDM, machine learning, file type control, and granular DLP policy that follows the user, Zscaler Cloud DLP simplifies compliance with regional regulations. It can also help increase your security posture, reduce end user frustration stemming from unnecessarily blocked transactions, and give your teams back time to investigating and address real data loss incidents instead of digging through the haystack of false positives.
Visit our DLP page to learn more about Zscaler DLP, Exact Data Match, and the power of better data protection.
Exact Data Matching (EDM) and Data Loss Prevention