
Archive for January, 2012

DLP

One of the most common definitions for the term DLP (Data Loss Prevention or Data Leakage Prevention) is “systems that identify, monitor, and protect data through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing and recipient/destination and so on) and with a centralized management framework.”

Purpose of this article
Organizations are interested in protecting their sensitive data, and DLP provides them with the framework to do that. So far no news… However, the DLP world is a bit more complicated than that, and the purpose of this article is to highlight a few basic domains and areas that are worth thinking about when considering DLP solutions.

Common Data Locations and States

  • Data in motion – Any data that is moving through the network to destinations outside the local / corporate LAN via the Internet
  • Data at rest – Data that resides in files systems, databases and other storage methods
  • Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops, and other highly-mobile devices)

Examples of sensitive data:

  • Confidential and/or proprietary data, for example: processes, methodologies, development code, etc.
  • Customer and employee data
  • Financial data
  • Data that is regulated by regional and national laws such as HIPAA, SOX and GLBA

Common Data Leakage Channels:
Technical side:

  • Email Traffic – SMTP from mail servers
  • Web mail (Gmail, Yahoo, etc.)
  • Uploading files to internet destinations (HTTP, HTTPS, FTP)
  • Posting on internet sites (blogs, social media, forums)
  • Instant messaging (Google Talk, MSN, Yahoo, Skype)
  • P2P networks
  • Wi-Fi networks
  • Key loggers, Trojan horses
  • Multiple platforms (Windows, Linux, Mac, etc.)
  • Application permissions (ERP, database, SaaS platforms, SharePoint)

Physical:

  • Mobile devices
  • Non-encrypted hard drives
  • USB drives (Disk on key, external hard drives)
  • Portable media (CD/DVD, floppy drive, backup tapes)
  • Physical security (hard copy of documents)

Human factor:

  • Lack of employee awareness of security risks
  • Partners, suppliers, temporary employees and visitors
  • Working from home, remote locations, internet cafe

Companies need to protect themselves from scenarios such as the ones below:

  • Inadvertent forwarding of email containing product development or business plans to another email recipient
  • An employee extracts data from a secure system and conducts the analysis on a less secure system
  • Sending unreleased pricing information to the wrong email address
  • Customer or competitive information sent by an employee to a third-party for financial gain
  • A disgruntled employee with privileged access to sensitive information acts maliciously and steals information
  • Proprietary information sent to a distributor, who might then forward it on to competitors
  • Backup tapes are stored in a non-secure environment and a curious intruder removes a tape to examine its content
  • Incorrectly set permissions on the file and directory structure could allow anyone to access the information

DLP solutions prevent confidential data loss by:

  • Monitoring communications going outside of the organization
  • Encrypting email containing confidential content
  • Enabling compliance with global privacy and data security mandates
  • Securing outsourcing and partner communications
  • Protecting intellectual property
  • Preventing malware-related data harvesting
  • Enforcing acceptable use policies
  • Providing a deterrent for malicious users (by creating the possibility of being caught)

How to implement a DLP solution:

  1. Perform risk assessment to find out:
    • What type of data exists in the organization?
    • Where is the data located/saved?
    • How valuable is the data to the organization?
    • What type of loss is the organization willing to accept?
    • What are the regulatory and privacy gaps for the organization?
  2. Classify the organization data:
    • Top secret
    • Secret
    • Confidential
    • Restricted
    • Unclassified
  3. Decide what information the organization would like to search for and protect, and how to detect it:
    • Pattern, keyword matching and dictionaries
    • Document fingerprinting
    • Database fingerprinting
  4. Prepare data loss prevention plan:
    • How to limit the damage to the organization
    • How to avoid similar incidents from happening in the future
    • How to report to the management, stock holders and media on the current data loss incident
  5. Prepare policies, standards and procedures for handling data loss incidents:
    • Scan HTTPS traffic on the gateway
    • Block data from leaving the organization
    • Encrypt sensitive information inside database
    • Full disk encryption
    • Encrypt data before sending to partners/suppliers
    • Prevent use of portable media
    • Employee awareness training
  6. Deploy the DLP solution:
    • Install a product on the gateway
    • Configure SSL termination – recommended
    • Configure encryption gateway for SMTP traffic – recommended
    • Deploy agents on the end-points – highly recommended
  7. Ongoing monitoring:
    • Review incidents on a regular basis (daily/weekly)
    • Fine-tune the product to raise alerts on important incidents and collect all other incidents
    • Create reports on a regular basis to locate top senders/targets
    • Perform data discovery on a regular basis (daily/weekly/monthly) on network shares, servers, end-points, etc.
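To make steps 3 and 7 concrete, here is an added example (not code from the original post or from any DLP product) of the content-inspection core a gateway or endpoint agent runs over each outbound message: a pattern matcher (digit runs validated with the Luhn checksum so that random numbers do not fire), keyword dictionaries bound to the classification levels of step 2, document fingerprinting based on hashed word shingles so that a pasted paragraph still matches, and database fingerprinting that compares hashes of field values rather than the values themselves. The decision logic at the end implements the tuning advice of step 7: findings at or above a chosen classification raise an alert, lower ones are only collected. The pricing document, the dictionary entries, the e-mail addresses and the four sample messages are all constructed for the example; the class names and thresholds are assumptions, not a real product's API.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Classification ladder from the article; the rank decides whether an incident is
# alerted on immediately or only collected for the periodic review (step 7).
SEVERITY = {"Unclassified": 0, "Restricted": 1, "Confidential": 2, "Secret": 3, "Top secret": 4}
ALERT_THRESHOLD = SEVERITY["Confidential"]

# --- Pattern matching: a 13-16 digit run that must also pass the Luhn checksum ---
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

# --- Keyword dictionaries, each bound to a classification (constructed entries) ---
DICTIONARIES = {
    "Secret": ["unreleased pricing", "project falcon"],
    "Confidential": ["do not distribute"],
    "Restricted": ["internal use"],
}

def find_keywords(text: str) -> dict[str, list[str]]:
    low = text.lower()
    found = {cls: [w for w in words if w in low] for cls, words in DICTIONARIES.items()}
    return {cls: words for cls, words in found.items() if words}

# --- Document fingerprinting: hash every run of k words, then compare the hash sets ---
def shingles(text: str, k: int = 6) -> set[str]:
    words = re.findall(r"[a-z0-9]+", text.lower())   # normalise case and punctuation
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}

class DocumentRegistry:
    def __init__(self, k: int = 6):
        self.k, self.docs = k, {}          # name -> (classification, fingerprint set)

    def register(self, name: str, classification: str, text: str) -> None:
        self.docs[name] = (classification, shingles(text, self.k))

    def match(self, text: str, threshold: float = 0.3) -> list[tuple[str, str, float]]:
        """Documents of which at least `threshold` of the shingles appear in `text`."""
        probe, out = shingles(text, self.k), []
        for name, (cls, fp) in self.docs.items():
            ratio = len(probe & fp) / len(fp) if fp else 0.0
            if ratio >= threshold:
                out.append((name, cls, round(ratio, 2)))
        return out

# --- Database fingerprinting: only hashes of the field values leave the database ---
class DatabaseRegistry:
    def __init__(self):
        self.hashes = set()

    def register(self, values) -> None:
        self.hashes.update(hashlib.sha256(v.strip().lower().encode()).hexdigest() for v in values)

    def match(self, text: str) -> list[str]:
        return [e for e in (x.rstrip(".") for x in EMAIL_RE.findall(text))
                if hashlib.sha256(e.lower().encode()).hexdigest() in self.hashes]

@dataclass
class Incident:
    classification: str
    action: str                      # "allow", "log" (collect only) or "alert"
    findings: dict = field(default_factory=dict)

def inspect(text: str, docs: DocumentRegistry, db: DatabaseRegistry) -> Incident:
    """Run all four detectors over one outbound message and decide the action."""
    findings, level = {}, "Unclassified"
    def raise_to(cls):
        nonlocal level
        level = cls if SEVERITY[cls] > SEVERITY[level] else level
    cards = find_card_numbers(text)
    if cards:
        findings["card_numbers"] = cards
        raise_to("Confidential")       # regulated data: treat as at least Confidential
    for cls, words in find_keywords(text).items():
        findings.setdefault("keywords", []).extend(words)
        raise_to(cls)
    for name, cls, ratio in docs.match(text):
        findings.setdefault("documents", []).append((name, ratio))
        raise_to(cls)
    rows = db.match(text)
    if rows:
        findings["db_records"] = rows
        raise_to("Confidential")
    action = "allow" if not findings else "alert" if SEVERITY[level] >= ALERT_THRESHOLD else "log"
    return Incident(level, action, findings)

# --- Constructed sample data: one protected document, a customer list, four messages ---
PRICING_DOC = ("Unreleased pricing for the Q2 launch: the base plan moves to forty "
               "dollars per seat and the enterprise tier is negotiated per account. "
               "Do not distribute outside the pricing committee.")
DOCS = DocumentRegistry()
DOCS.register("q2-pricing.docx", "Secret", PRICING_DOC)
DB = DatabaseRegistry()
DB.register(["alice@example.com", "carol@example.com"])
SAMPLES = {
    "clean": "Lunch is at noon tomorrow; reply with your order number 1234567812345678 by Friday.",
    "leak": ("FYI, copying the relevant bit: the base plan moves to forty dollars per seat "
             "and the enterprise tier is negotiated per account. Thoughts?"),
    "minor": "Reminder: the internal use template was updated this morning.",
    "pii": "Customer list for the partner: alice@example.com, bob@example.com. Card 4111 1111 1111 1111.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        inc = inspect(text, DOCS, DB)
        print(f"{name:6} -> {inc.action:5} ({inc.classification}) {inc.findings}")
```

Two design points are worth noting. The "clean" message contains a 16-digit number that the regex alone would report; the Luhn check is what keeps it out of the incident queue, which is the kind of fine-tuning step 7 asks for. The document matcher scores against the protected document's fingerprint rather than the message, so a short quote of a long document still registers, and the database matcher never needs the customer list in clear text on the gateway, only the hashes.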