[This article originally appeared in MONiTOR Magazine]
Protecting sensitive information gets more difficult every day, and it shows. We hear about major security breaches on a weekly – sometimes even daily – basis. There are several reasons:
- Corporate perimeters are disappearing due to information sharing requirements and an increasingly mobile workforce;
- To remain competitive, applications are often rushed to the market without adequate security design and testing;
- More data is in motion, both inside and outside corporations, on a variety of mediums; and,
- Employees often receive little security awareness and training.
Every company should be conducting risk assessments, vulnerability assessments and security awareness training. But a significant contribution to the problem is that most of the security controls we have traditionally used focus on protecting networks and computers instead of data.
The assumption, of course, is that by protecting the server, you protect the data on it, and that remains an important concept in a layered security architecture. But what about protecting the information asset more directly?
Corporate and government information is subject to all sorts of threats. And while we tend to focus on espionage and the theft of financial information, a lot of information leakage is unintentional. For example, employees often email confidential information because it’s convenient, without realizing that it is highly vulnerable to interception while in transit. It’s also easy to accidentally send email to the wrong person, as many of us have embarrassingly found out. Sometimes issues result from what I call the “intentional unintentional”. For example, an employee who can’t send a .zip file attachment due to corporate rules might log into a webmail account and send it from there. While the employee knew that they were breaking corporate policy, their intent was just to get their job done, not to create a security incident.
Some organizations have reacted to the data leakage risk by implementing draconian ‘security’ measures like physically disabling USB ports and using web filtering technologies to prevent employees from accessing webmail accounts, social media sites, and other resources deemed “not employment related”. While these measures can sometimes help, overkill is not without cost, including impact on employee morale and retention. Perhaps I’m a security rebel, but I suggest that my clients consider encouraging employees to use webmail accounts for personal email and reserve their corporate email account for company business. This reduces risks such as embarrassment due to employees writing controversial emails, makes it clear when the employee is speaking for the organization and when they are not, and reduces the amount of personal information on company servers and in archives.
But enough on the problem. What’s the solution?
Data Loss Prevention (DLP) is the next big thing in information security. DLP is a discipline to reduce information leakage by discovering, monitoring and protecting sensitive information assets. DLP products are both content and context sensitive — a new level of sophistication for security products.
DLP products use different terminology, but it’s easiest to understand them by thinking of a toolbox rather than a single tool. Most vendors offer a central point of administration, and those who don’t are in the process of integration. The other tools have specific purposes. Discovery modules scan file shares, databases, web servers and other repositories for information that shouldn’t be there. Based upon the policy configuration, they may generate alerts, reports or automatically move information to a secured location, leaving behind a ‘breadcrumb’ to tell users what has been done.
Monitoring modules work at the host or network level. A sniffer approach is often used to monitor network traffic at the organizational perimeter to detect sensitive information leaving the organization. Endpoint agents (installed on user laptops and workstations) can also provide passive monitoring. It’s important to note that this is very different from the “spyware” type of monitoring that I’ll be discussing next month. The purpose of these modules is to detect and monitor the movement of sensitive information assets, not the user’s overall activity on the system.
Last, but not least, are modules that provide active protection. In some cases, such as the endpoint, the difference between monitoring and protection may simply be a matter of configuration. In network applications, protection agents are placed inline. For example, outbound email can be inspected and automatically routed to an encryption gateway or bounced as dictated by policy.
But there is much more to the discipline of DLP. Successfully using DLP tools in the corporate environment requires vision, strategic implementation and integration with other security program fundamentals. To begin, one has to be able to define sensitive information in order to detect it. If the organization already has a good classification policy in place it may need to be refined. If not, that’s a good starting point.
DLP tools can then be used to identify areas of concern. For example, a data loss assessment at the corporate perimeter can be used to quantify the organization’s leakage onto the Internet. Scanners can rapidly detect credit card numbers in documents on file shares. And endpoint agents can be used to monitor sensitive parts of the organization.
Once the magnitude and location of the data leakage problems are identified, an appropriate business case can be developed and DLP tools deployed where a sufficient business justification exists. I usually recommend a period of passive monitoring to fine-tune rules prior to implementing active protection. This reduces the likelihood of business interruption due to false positives. In addition to rules, some DLP products can also fingerprint both structured and unstructured data known to be sensitive so that it can be recognized in the future. Using these features requires careful planning so that the DLP deployment itself does not create a new vulnerability.
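To make the fingerprinting idea concrete, here is an added example (my own illustration, not the article's or any DLP product's code) of the two approaches the paragraph mentions: exact matching of cells from a structured table, and shingle matching for an unstructured document so that an excerpt is still recognized. It keys every fingerprint with HMAC so that the fingerprint store, if it leaks, does not itself become a catalogue of sensitive values; the key, the customer rows and the planning document are all constructed for the example.

```python
"""Constructed fingerprinting example (added illustration, not the article's or any product's code)."""
import hashlib
import hmac
import re

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokens(text: str) -> list:
    """Lower-case alphanumeric tokens, so punctuation and spacing changes don't defeat a match."""
    return TOKEN_RE.findall(text.lower())


def fingerprint(key: bytes, item: str) -> str:
    """Keyed hash (HMAC-SHA256) of one item. Only fingerprints leave the indexing host,
    and without the key a leaked fingerprint store cannot be reversed by hashing guesses,
    which matters for low-entropy values such as 9-digit SINs."""
    return hmac.new(key, item.encode("utf-8"), hashlib.sha256).hexdigest()


def index_structured(key: bytes, rows: list, columns: list) -> set:
    """Structured data (a table export): one fingerprint per sensitive cell."""
    index = set()
    for row in rows:
        for col in columns:
            index.add(fingerprint(key, "".join(tokens(str(row[col])))))
    return index


def match_structured(key: bytes, text: str, index: set, max_span: int = 3) -> int:
    """Count distinct indexed cells that appear in text. A cell may span up to
    max_span tokens ("Jane Doe", "130 692 544"), so every short token window is tried."""
    toks = tokens(text)
    hits = set()
    for start in range(len(toks)):
        for span in range(1, max_span + 1):
            fp = fingerprint(key, "".join(toks[start:start + span]))
            if fp in index:
                hits.add(fp)
    return len(hits)


def index_unstructured(key: bytes, document: str, k: int = 5) -> set:
    """Unstructured data (a document): fingerprint every run of k consecutive tokens,
    so an excerpt or lightly edited copy still shares most fingerprints with the original."""
    toks = tokens(document)
    return {fingerprint(key, " ".join(toks[i:i + k])) for i in range(len(toks) - k + 1)}


def match_unstructured(key: bytes, text: str, index: set, k: int = 5) -> tuple:
    """Return (matched, total): how many of the text's k-token runs are in the document index."""
    toks = tokens(text)
    shingles = [" ".join(toks[i:i + k]) for i in range(len(toks) - k + 1)]
    matched = sum(1 for s in shingles if fingerprint(key, s) in index)
    return matched, len(shingles)


# Constructed sample data. The key would be a managed secret in a real deployment;
# the SINs are publicly known Luhn-valid test values, not real identifiers.
KEY = b"example-only-fingerprint-key"
CUSTOMERS = [
    {"name": "Jane Doe", "account": "AC-10047-B", "sin": "130-692-544"},
    {"name": "John Roe", "account": "AC-10048-C", "sin": "123 456 782"},
]
PLAN = ("Project Bluebird launch plan. Phase one migrates the billing ledger to the new "
        "platform during the March freeze. Phase two retires the legacy mainframe.")

MSG_CUSTOMER = "Please update account AC-10047-B for Jane Doe, her SIN is 130 692 544."
MSG_EXCERPT = "fyi: Phase one migrates the billing ledger to the new platform during the March freeze."
MSG_BENIGN = "Lunch at the new place during March?"

if __name__ == "__main__":
    table_index = index_structured(KEY, CUSTOMERS, ["name", "account", "sin"])
    plan_index = index_unstructured(KEY, PLAN)
    for msg in (MSG_CUSTOMER, MSG_EXCERPT, MSG_BENIGN):
        print(f"cells={match_structured(KEY, msg, table_index)} "
              f"shingles={match_unstructured(KEY, msg, plan_index)} :: {msg[:40]}")
```

The structured index stores nothing but keyed hashes, and matching happens by hashing candidate windows of the outgoing text and looking them up; the unstructured index works the same way over overlapping five-word runs, which is why a paraphrased sentence drops out but a copied paragraph still lights up most of its shingles.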
I’ve often said that security awareness is the best security investment an organization can make, and it’s noteworthy that DLP vendors seem to understand the value of education as well as the need to minimize operational overhead. Products on the market today have feature sets that facilitate automated remediation and user education. For example, we can write DLP rules to automatically notify the user if they have breached (or are attempting to breach) the organization’s policy.
For example, when a user attempts to email a file containing personal information, a DLP endpoint agent could pop up a box to warn the user and ask why they are trying to send the file. This not only educates the user, but also gathers important information for DLP administrators. At the network perimeter, a DLP sensor could detect that a user has included one social insurance number in an email, bounce it back to the user with an explanation, notify the user’s manager and close the incident. On the other hand, if the email included an attachment with many social insurance numbers, the email could be quarantined and an incident opened with the information security team.
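The graduated response just described, together with the discovery scanning of file shares for card numbers mentioned earlier, comes down to a content-inspection rule plus a policy decision. The following is an added example (my own, not the article's or any vendor's code) that finds Luhn-valid payment card numbers and Canadian social insurance numbers, masks them in its report so the DLP record does not re-leak the data, and chooses between allowing, bouncing with an explanation, or quarantining. The threshold of three SINs, the sample messages and the file names are all constructed for the example; the numbers used are publicly known test values.

```python
"""Constructed DLP content-inspection example (added illustration, not the article's or any vendor's code)."""
import re
from dataclasses import dataclass, field

# Candidate patterns. Both are deliberately loose; the Luhn check below discards
# most digit strings that merely look like an identifier.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13 to 19 digit payment card
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")     # 9-digit Canadian SIN

# Policy threshold: an assumed value for this example, not a vendor default.
QUARANTINE_AT = 3   # this many SINs or more in one message means quarantine plus incident


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; payment card numbers and Canadian SINs both carry it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the incident record is not itself a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Report:
    cards: list = field(default_factory=list)   # masked card numbers found
    sins: list = field(default_factory=list)    # masked SINs found
    action: str = "allow"
    reason: str = ""


def inspect(text: str) -> Report:
    """Find Luhn-valid cards and SINs in text, then apply the graduated policy."""
    report = Report()
    scrubbed = text
    # Cards first; a valid hit is blanked out so its digits cannot be re-read as SINs.
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            report.cards.append(mask(digits))
            scrubbed = scrubbed.replace(m.group(), " " * len(m.group()))
    for m in SIN_RE.finditer(scrubbed):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            report.sins.append(mask(digits))
    # Graduated response along the lines the article sketches.
    if report.cards or len(report.sins) >= QUARANTINE_AT:
        report.action = "quarantine"
        report.reason = "card data or bulk personal data; open an incident with the security team"
    elif report.sins:
        report.action = "bounce"
        report.reason = "single SIN; return to sender with explanation, notify manager, close"
    return report


def scan_repository(documents: dict) -> dict:
    """Discovery-style pass over a file share: path -> Report for every document with findings."""
    findings = {}
    for path, text in documents.items():
        report = inspect(text)
        if report.action != "allow":
            findings[path] = report
    return findings


# Constructed sample documents; the SINs and card numbers are well-known Luhn-valid
# test values, not real identifiers. 123 456 789 fails Luhn and should be ignored.
SAMPLE_DOCUMENTS = {
    "payroll-question.eml": "Hi, my SIN is 046 454 286, can you update my direct deposit?",
    "hr-export.csv": "name,sin\nA,130-692-544\nB,123 456 782\nC,046454286\n",
    "meeting-notes.txt": "Call me at 123 456 789 about room 4111.",
    "expense-claim.txt": "Paid with card 4111 1111 1111 1111, receipt attached.",
}

if __name__ == "__main__":
    for path, report in scan_repository(SAMPLE_DOCUMENTS).items():
        print(f"{path}: {report.action} ({report.reason}) cards={report.cards} sins={report.sins}")
```

Running it in passive mode first, as the article recommends, means recording the action each message would have received and reviewing the bounces and quarantines before any of them are enforced; the Luhn check is what keeps phone numbers and room numbers from turning into false positives.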
The DLP discipline offers us new tools to directly address serious issues that corporations and governments face today. By combining them with other sound security fundamentals, we can significantly reduce risks related to data leakage.