Data Loss Prevention
Today data is crucial to our business and we need to keep it safe. Yet data leakage happens every day. Patient or customer personal records, payment details, intellectual property (such as source code and design specifications), price lists, trade secrets, and anything else that would hand a competitor an advantage or damage your reputation to the point of losing customers: this is the data that needs to be monitored and protected.
This is also why laws and standards that require data to be protected, such as PCI DSS, HIPAA, the Data Protection Act (DPA) and Gramm-Leach-Bliley, have been introduced.
Part of a Process
All businesses and organisations therefore need a good data loss prevention solution in place. However, a technical solution is not enough on its own. Protecting against data loss is a process, and the technical solution is only one part of it.
First you need to assess and analyse your data. A thorough assessment leads to a more effective technical solution. To assess your data thoroughly, and to understand what you require from a data loss strategy and a technical DLP solution, you need to:
Understand your company's data.
Understand what type of data it is you need to protect.
Know where your data is located.
Is your data supposed to be there?
Should this data be encrypted?
Who has access to the data?
Should they have access to this data?
Would it affect their job role if they didn't have access to it?
Can they copy this data to their desktop or a USB stick?
Can they open it with certain applications?
Can this data be posted to a social website such as Facebook or attached to their personal or corporate email?
Should a user have full rights to a document? Would it be better if they had read only permissions for a limited time period before they were denied access?
How does the data move, internally and externally? Some data may have to be restricted internally to certain departments. For example, HR needs to keep its data safe and secure internally: how is HR data kept separate from other data and away from other employees? Is the data protected while it moves, for example by encryption software or a DRM/IRM solution?
Also, what existing technologies do you already have that can aid data protection? Outbound email filtering, for example, could be used as part of your overall DLP strategy.
After you have assessed your company's data thoroughly you need to create policies for it. These are simply written instructions to employees on how to handle the data, such as an acceptable use and handling policy, and they should state the consequences of not following them.
After creating the policies you need to make employees aware of them and train them on the importance of DLP. This is one of the most critical parts of the process: over 90 percent of data loss is attributed to employee error, and some of it cannot be prevented without employee education.
For example, if an employee cannot send, copy or paste customer details to another employee, they may write them on a piece of paper, and that piece of paper may eventually end up in the wrong hands. That is a simple example, but a technical enforcement solution cannot block it, so employee education and other non-technical measures are crucial to a solid data loss prevention strategy.
Nevertheless a good technical solution does play a big part: it can protect your company from data breaches, and it can educate employees at the moment they make such an error. So we need processes in place that deliver a good data loss strategy, with the technical solution as part of those processes.
Four leading data loss prevention solutions are RSA's DLP, Websense Data Security DLP, Symantec's Vontu DLP and McAfee's DLP.
A DLP solution concentrates on three main areas:
Data at rest, or in storage (on file servers, database servers, etc.)
Data in motion (data travelling across the network, such as email being sent and web postings)
Data on the endpoints, or in use (data on laptops and desktops)
It is important that the company has a plan defining what matters to it; this is one of the main processes within DLP. A financial company may want to comply with PCI DSS, while a private health clinic may want to be in line with HIPAA. These may be the key areas on which the two organisations build their DLP solutions, along with whatever other data they find important, valuable and confidential to their businesses.
If the budget is tight, which it usually is, some DLP vendors break one product down into smaller products for specific jobs.
For example, Websense has a product to discover where confidential data resides on the network (Data Discover), a product for endpoint systems only (Data Endpoint), a product to monitor and report on data loss (Data Monitor), and a product to stop certain types of data leaving the company (Data Protect). Websense also offers an all-in-one product that does all of these, the Data Security Suite. Other major DLP vendors offer much the same kind of breakdown.
You have to look at what the solution monitors and which protocols it supports. The two most commonly monitored protocols are SMTP and HTTP: SMTP for confidential emails with attachments, and HTTP for data posted to Web 2.0 sites or sent through web mail. FTP is another common one. Beyond these there may be protocols and data types specific to your company.
From a discovery (network scan) perspective, look at what the solution can scan, such as file servers, web servers, SMTP servers, database servers, etc.
Some pointers on DLP
A discovery utility should be able to scan the whole network, not just Windows platforms. A solution may quarantine a file containing confidential information and leave a marker file in its place; the marker informs the user of the data protection policy and how they can regain access to the file.
An endpoint solution should prevent users from copying sensitive data to removable devices even when off the network, via an agent installed on the local machine. Endpoint prevention should block files being copied to removable media or transferred over email, IM (instant messaging) or FTP. The endpoint agent should evaluate policies locally so that they still apply when a laptop is offline. When it blocks a copy to removable disk it should be able to ask the user to justify why they need to send this data. This is a good learning exercise for both sides: administrators learn why users need to move such data, and end users become aware of the sensitivity of the data.
Data security policies should be defined using a policy builder within the centralised management platform. A user should be able to create a policy from scratch or use a policy template from a package of defined templates to meet different types of needs. A user should be able to write the policy once and enforce it across all defined data models.
Storage areas (data at rest) need to be scanned, so the scan targets need to be defined in the central interface; Network Discover then scans these targets for sensitive data.
You should start off by protecting your most important data first, monitoring and testing this and fine tuning where necessary.
To go a step further, one technical control that proves very powerful is integration with IRM/DRM solutions. If employees take documents such as Microsoft Office files and PDFs off site and away from managed DLP systems, a DRM/IRM policy keeps the document tightly controlled according to the privileges assigned to it.
A typical example of what happens to sensitive data:
Step 1 – A user defines a data security policy, consisting of detection rules and response rules.
Once the policy is defined and active, network monitoring and/or network prevention inspect data and match it against the defined policies. If network monitoring inspects data and finds a match it reports an incident.
Step 2 – An employee sends confidential data, such as an attached diagram (intellectual property, source code, payment details, etc.).
Step 3 - Network prevention can block the email, or any other type of data, from leaving. The policy it matches consists of the defined detection rules and response rules. The response rule specifies how to respond to a detected incident, e.g. block the email and send a notification to management. Options include blocking the transmission, or tagging it for redirection or downstream processing.
Step 4 - Here the system can optionally send the employee a notification, referred to as a sender notification, which provides real-time education on company policy. Sender notifications should contain links to corporate policies, FAQs and further assistance.
The incident is logged and can later be used for reporting. The notification can be customised to include variable data captured with the incident, such as the subject, the violations and the recipients' email addresses. Finally, incidents are remediated and reports are used to manage and track risk reduction over time.
In Symantec DLP (formerly Vontu DLP), incident responders can remediate an incident by looking at the network incident snapshot in Enforce (the central management console). A snapshot is generated each time an incident occurs. The information captured includes remediation context (who sent the data, where it was going and how it was to be used), what matched in the content, which policy was violated, the history of changes made to this incident, and more.
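The policy lifecycle described in the steps above (detection rules, response rules, the incident snapshot and the sender notification) and the discovery scan mentioned under the pointers can be shown in code. The following is an added example written for this article, not the code of Symantec, Websense or any other vendor: a toy policy engine in Python that inspects a constructed outbound email carrying a CSV attachment, and runs the same rules over a small in-memory set of files standing in for a file share. The policy names, the intranet policy URL, the addresses and the sample data are all constructed for illustration. The payment card rule applies a Luhn check to every candidate digit run, because a bare 16-digit regex on its own floods the incident queue with order references and phone numbers, which is the first tuning step a DLP administrator usually makes.

```python
# Toy DLP policy engine (constructed example, not vendor code): detection rules plus
# response rules, run over an outbound email (data in motion) and files at rest (discovery).
import re
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Callable

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a bare digit-run regex also flags order and phone numbers;
    requiring a valid checksum removes most of those false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-16 digits, optional single space or dash between digits, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

def find_pans(text: str) -> list[str]:
    """Digit runs that look like a card number and pass Luhn, separators stripped."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]

@dataclass
class DetectionRule:
    name: str
    detect: Callable[[str], list[str]]
    min_matches: int = 1       # fire only at or above this many matches
    mask_sample: bool = False  # never copy a full PAN into the incident record

@dataclass
class Policy:
    name: str
    rules: list[DetectionRule]
    action: str  # response rule: "block" or "monitor" (log and notify only)

# Constructed policies; real products ship these as templates (PCI, HIPAA, ...)
POLICIES = [
    Policy("PCI DSS - cardholder data", [DetectionRule("payment_card", find_pans, mask_sample=True)], "block"),
    Policy("Confidential documents", [DetectionRule("confidential_marker", MARKER_RE.findall)], "monitor"),
]
SEVERITY = {"allow": 0, "monitor": 1, "block": 2}
POLICY_URL = "https://intranet.example/dlp-policy"  # assumed link used in the sender notification

def evaluate(text: str, policies: list[Policy] = POLICIES) -> list[dict]:
    """Run every detection rule over the text and return the violations found."""
    violations = []
    for pol in policies:
        for rule in pol.rules:
            hits = rule.detect(text)
            if len(hits) >= rule.min_matches:
                sample = "*" * (len(hits[0]) - 4) + hits[0][-4:] if rule.mask_sample else hits[0]
                violations.append({"policy": pol.name, "rule": rule.name, "action": pol.action,
                                   "count": len(hits), "sample": sample})
    return violations

def message_text(msg: EmailMessage) -> str:
    """Subject plus every text part, including text attachments such as CSV exports."""
    parts = [msg.get("Subject", "")]
    parts += [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(parts)

def inspect_message(msg: EmailMessage, policies: list[Policy] = POLICIES) -> dict:
    """Network prevention step: build the incident snapshot and decide the response."""
    violations = evaluate(message_text(msg), policies)
    action = max((v["action"] for v in violations), key=SEVERITY.get, default="allow")
    snapshot = {"sender": str(msg["From"]), "recipients": [str(r) for r in msg.get_all("To", [])],
                "subject": str(msg["Subject"]), "violations": violations, "action": action}
    if action == "block":  # real-time education of the sender, with a link to the policy
        matched = ", ".join(sorted({v["policy"] for v in violations}))
        snapshot["sender_notification"] = (f"Your message '{msg['Subject']}' was blocked because it matched: "
                                           f"{matched}. See {POLICY_URL} for the handling policy and how to request release.")
    return snapshot

def scan_files(files: dict[str, str], policies: list[Policy] = POLICIES) -> dict[str, list[dict]]:
    """Discovery scan over data at rest; files is {path: contents}, an in-memory stand-in for a share."""
    return {path: found for path, body in files.items() if (found := evaluate(body, policies))}

def build_sample_email(with_attachment: bool = True) -> EmailMessage:
    """Constructed outbound mail: a price list with a customer export attached by mistake."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "partner@external-example.net"
    msg["Subject"] = "Q3 price list"
    msg.set_content("Hi, the Q3 price list is attached as discussed. Order ref 1234567890123456.")
    if with_attachment:  # the order ref above is a Luhn-invalid decoy; the cards below are valid test PANs
        export = ("INTERNAL ONLY - customer export\nname,card,expiry\n"
                  "A. Customer,4111 1111 1111 1111,12/27\nB. Customer,5500000000000004,03/26\n")
        msg.add_attachment(export, subtype="csv", filename="customers.csv")
    return msg
```

Calling `inspect_message(build_sample_email())` returns a snapshot whose action is "block", whose violations list the PCI rule (two card numbers, sample masked to the last four digits) and the confidential marker, and which carries the sender notification text; the same email without the attachment is allowed, and `scan_files` reports only the files whose contents trigger a rule. A real product goes further than this toy in two ways worth knowing about when evaluating one: it extracts text from binary attachments (Office, PDF, archives) before matching, and it supplements patterns with fingerprints of known documents and database records so that exact copies of protected data are caught even when no regex fits.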
Finally DLP processes should be maintained
DLP processes need to be tuned as things change: business processes change, companies shrink and grow, employees take on more or fewer responsibilities, new servers and desktops are introduced, and new technologies that process the data are implemented. So it is important to monitor and maintain the DLP solution.
A DLP process needs a lot of thought and planning. A technical solution gives you far more control over your data, but bear in mind that DLP will never be perfect. At the end of the day, if a user wants a piece of data they can see on their screen, they can copy the whole thing onto a piece of paper or photograph the screen with a camera, so there is no perfect remedy.
We are not saying do not bother with a DLP solution: it gives you a huge amount of control over and visibility into your information, and it brings other advantages such as user training and awareness, the ability to see where sensitive data resides on the network, help in meeting regulations, and more. But be aware that although the solution plays a big part in DLP, it is still a subset of the process and an investment that needs to be maintained.
For further reading, electronic books on the subject are available for download from eBooks.com.