Protecting Data-at-Rest with SecureZIP for DLP

Transcription

1 Protecting Data-at-Rest with SecureZIP for DLP

2 TABLE OF CONTENTS INTRODUCTION 3 PROTECTING DATA WITH DLP 3 FINDING INDIVIDUAL AND SHARED INFORMATION-AT-REST 4 METHODS FOR REMEDIATION 4 ENCRYPTING UNPROTECTED FILES 5 USING SECUREZIP FOR DLP 5 ENCRYPTION KEYS 7 DETERMINING WHO CAN ACCESS AN ENCRYPTED FILE 8 SECUREZIP FOR DLP CONFIGURATION SETTINGS 8 USING ENCRYPTED DOCUMENTS 9 DETERMINING WHO CAN ACCESS AN ENCRYPTED FILE 9 HANDLING EXCEPTIONS 9 PAGE 2

3 INTRODUCTION Data Loss Prevention (DLP) software is often described as content-aware, because it uses technology to examine the content within files or applications to identify unsecured data. DLP solutions also have the ability to apply security policies to either remediate or report breaches. Most enterprises have deployed or are investigating content-aware DLP solutions. There are many DLP vendors in the market, but most do not provide a full remediation solution for the unsecured data. The SecureZIP for DLP solution provides automatic remediation by encrypting unprotected files. With DLP software, data in violation of policy can be identified based on its content. PROTECTING DATA WITH DLP DLP solutions have become a critical part of enterprise security strategies because of their ability to find files that do not conform to data protection policy. With DLP software, data in violation of policy can be identified based on its content rather than on less reliable means like file name, type, location, and other subjective characteristics. Initially used in ways similar to anti-virus and anti-spam products for inspecting traffic, DLP has matured and now monitors almost every outbound data path on a network, ensuring information is not sent outside the enterprise in violation of security policy. DLP has evolved to being used to inspect data at its source, locating files where they reside, and protecting them in-place on shared storage. This protects files before they leave the organization through means such as , IM, or other outbound information paths; providing more proactive data management than simply trying to stop information as it leaves the organization. When an unprotected file is found, regardless of whether it is in motion or at rest, the standard remediation capabilities of most leading DLP solutions provide options for blocking, quarantining, or deleting the file. These remediation strategies may be viable preventative measures, but they are disruptive to the flow of data since they stop the information workflow and add unnecessary administrative intervention to resume use of the file. Encryption is an alternate remediation strategy that allows files to be safely stored and transferred while retaining critical business productivity without disrupting information flow. When using encryption as a remediation strategy, it is important that encrypted files remain accessible inside and outside the organization and are available for uninterrupted use for the remainder of their useful life span. DLP does not directly encrypt files. Instead, it starts the remediation process which is then completed through other methods according to the enterprise s encryption policy. Further, DLP is not part of the decryption process which occurs when users try to open the encrypted file for use. Since encryption and decryption occur separately, the encryption supported by a DLP product must be interoperable with other processes, users, and systems that are all required to access a file encrypted in response to a DLP policy violation alert. When a suitable data encryption policy is in place within an organization, it will provide a requirement to protect data as part of normal work activities. In this scenario, DLP becomes only one point of many in the lifecycle of sensitive data. Over time, with proper encryption tools, procedures, and training in place, increasingly fewer files should be found through a DLP inspection because users take appropriate actions for data protection. PAGE 3

4 FINDING INDIVIDUAL AND SHARED INFORMATION-AT-REST Data-at-rest resides in many locations. It can be found on all user endpoints, on shared network folders and files (NAS/SAN), and in collaboration repositories such as SharePoint. Unstructured data in work document formats such as PDF, XLS, DOC, and PPT is most often at risk. DLP inspection easily locates this unstructured data when it is left unprotected. Files residing on endpoint local storage are generally accessed on an individual basis by the local user. Unprotected files on these endpoints are more easily encrypted by users directly using encryption software as part of their standard work procedures. Mapped drives, shared network folders, and filers are more easily inspected at the network level using DLP. This approach has minimal impact to users because the inspection occurs on a server out of the view of users and often occurs during off-hours. Many of these files are legacy documents created long ago that still reside on the network. Other legacy files may reside in storage for many years. In some cases, the original creator of the document is no longer with the organization. Protecting all of these files is critical to ensure no gaps occur in responsibility for sensitive information when the chain of custody for a file may change or even lapse over time. Files identified through DLP inspection processing require remediation to ensure the information they contain is no longer left unprotected once it has been identified. Remediation can be initiated by users, administrators or through automated processes. METHODS FOR REMEDIATION Files identified through DLP inspection processing require remediation to ensure the information they contain is no longer left unprotected once it has been identified. Remediation can be initiated by users, administrators or through automated processes. User Remediation: Users must be properly trained on what information requires encryption and have the necessary software to protect this information. They should encrypt their documents on a routine basis as part of their normal workflow. Users can be responsible for document security when informed about what information is sensitive and how they need to protect it. With this approach users become more aware and better able to protect sensitive information as the first line of defense for information security. DLP provides a means to find documents that users have not properly protected. With appropriate data protection guidelines in place for users, DLP plays an auxiliary role in protecting data by alerting users to documents they may have left unprotected. Using the notification capabilities of DLP, the user responsible for an unprotected document would receive an alert informing them that their document has been found in violation of policy. This would include instructions on how to protect the document. To avoid receiving this alert again and to avoid possible supervisory escalation in the future, the user would encrypt the file per policy. After the user has addressed the issue, subsequent DLP inspections would find the file has been protected and will no longer raise an alert unless the document is again found unprotected in the future. The alert may also be sent to the user s manager, and to the security administrator for appropriate awareness and action as necessary. Administrator Remediation: With appropriate tools and training for users, administrative remediation is required less often over time. However, there are still documents that fall outside the active view of users and which may require administrative intervention to protect. An example of this is documents created in the past or by users no longer with the organization. These types of documents are common today within the typical large enterprise storage pool. User remediation is not feasible since there is no clear responsible user evident for the document. In this case the alert notification will be sent to the DLP administrator and will appear within PAGE 4

5 the standard DLP administrator user interface. The DLP policy for the document will instruct the DLP administrator what remediation is required. Automated Remediation: Both user and administrator remediation methods may be enhanced by automated encryption remediation. In each case the same alert notifications should be sent to the responsible party. However, with automation support, encryption processing can be run automatically without requiring action by the user or administrator. This reduces the steps needed to enforce policy. Support for automated remediation must be a function provided within a DLP solution. When this function is available, the policy enforcement rules and actions can be configured to automatically protect documents reported during a DLP inspection. Not all DLP solutions provide support for automated remediation actions. ENCRYPTING UNPROTECTED FILES When encrypting files through a user-directed procedure as part of routine document use, a file can be readily encrypted for each of the additional users that must have access to the file. In contrast, encrypting files from an automated or semi-automated process require that specific rules be developed for whom each file must be encrypted. These rules quickly become complex and difficult to properly define and maintain. Access information easily known to users in user-directed encryption workflows is typically not known in automated scenarios. With incomplete information, automated encryption processing must rely on other system level information such as file Access Control Lists (ACLs). Using DLP as a safety net to provide short-term remediation in response to alerts can greatly reduce the complexity of DLP initiated encryption, making it significantly more manageable for use within automated processes. The objective of DLP remediation should be to protect the file immediately while at the same time providing appropriate notice to the responsible parties that the file was found unencrypted. With this notification, those responsible for the file can then correctly set the proper access for continued use of the document by all who need it. When using DLP as a checkpoint, responsible parties can more reliably use system level information such as ACLs to determine the file owner, or the last user that modified the document. The responsible user can then add the appropriate additional users. The responsible manager may be notified to ensure the proper parties are aware of the lapse and proper follow-up is made to verify the file was encrypted for the correct set of users. Once the file is encrypted the DLP inspection process will not again report on the file unless it is found unprotected at some time in the future. USING SECUREZIP FOR DLP SecureZIP for DLP is based on the standard ZIP format and provides the most interoperable file encryption available for protecting files. Combining the SecureZIP for DLP Solution with DLP software protects sensitive files while providing a means to control access and can be used with any of the remediation methods mentioned earlier to support encryption as a response to a DLP inspection alerts. Using SecureZIP for DLP to protect data-at-rest relies on the ability of the DLP solution to run a separate PAGE 5

6 encryption program. Each DLP vendor uses a distinct method of connecting the inspection process used to locate files to a separate encryption process. This allows existing SecureZIP encryption scripts already in use to be leveraged for other data protection needs, or new scripts can easily be written if scripts are not already available. Not all DLP vendors support integration through common scripting environments. To address this, PKWARE has an Application Programming Interface (API) that allows any DLP provider to work seamlessly with SecureZIP for DLP to automatically encrypt sensitive files. SecureZIP DLP In Action 2 DLP discovers a file containing sensitive information. SecureZIP for DLP invoked for data remediation. ALERT ON POLICY VIOLATION 1 DLP inspects shared file storage for content policy violations..ppt 3 Sensitive file is encrypted using SecureZIP for DLP..doc 4 Encrypted file is sent to the shared file storage, replacing the unsecured version. Information about each file to be encrypted must be provided to the SecureZIP for DLP Solution by the DLP process as it finds and creates alerts for files at risk. Critical information that must be provided by the DLP solution includes file name and location. This information identifies which file must be encrypted and where it can be found on the storage network. The encryption process must also receive information necessary to determine who is allowed to access the file. This is necessary to determine which encryption keys are to be used to encrypt the file. DLP software may provide information about a file by using the file s ACL. With this information available, SecureZIP for DLP can encrypt the file. After encryption, the unprotected file will be replaced with a SecureZIP file. The original file will be removed to ensure the unprotected content is no longer exposed. Appropriate policy settings must be established for the DLP and SecureZIP for DLP as the two workflows are combined. The DLP policy ensures the inspection process aligns with the appropriate user requirements and sets the rules and actions taken for data found in violation of policy. DLP policy is set within the DLP administration interface. Policies may be defined for each type of information that must be monitored. This includes information with regulated compliance mandates such as HITECH Act, HIPAA, EU Privacy Laws, PCI DSS, and others. Actions are established within each policy for how to protect files that require remediation. Actions are the means used to initiate the SecureZIP for DLP encryption process. Encryption policy defines how SecureZIP for DLP will encrypt each file. This defines the type and strength of encryption used as well PAGE 6

7 as the assignment of contingency keys to ensure viable recovery of the encrypted information. Established SecureZIP for DLP encryption polices may be reused within DLP remediation processing. ENCRYPTION KEYS Data encryption relies on encryption keys to lock and unlock access to encrypted files. The most commonly used encryption keys are passwords and digital certificates. SecureZIP for DLP supports using either or both in combination at the same time. The recommended practice for enterprise encryption is to rely on standard X.509 digital certificates. Digital certificates should be provided to the user community using a standard certificate authority (CA). Certificate provisioning happens independent from the encryption process and no specific requirements need be placed on the certificate delivery process. Any certificate in the X.509 V3 format having a key size of bits can be used. The standard key usage characteristic of key encipherment should be set on each certificate to ensure it can be used for data encryption. If a certificate will also be used for digital signing, it should also have the characteristics set for digital signing and non-repudiation. Additional attributes may be set to help users identify the intended purpose for their key. This may consist of specific friendly name labels, or descriptive organization unit (OU) values. Each user receiving encrypted data will require at least one digital certificate consisting of a public/ private key pair. Public keys used for encryption should be located in an Active Directory to ensure enterprise-wide availability. Key retrieval for encrypting data is performed using standard LDAP query functions. User public keys may be located in the Active Directory using existing configurations. No special placement or hierarchy is necessary within the repository for use with SecureZIP for DLP. The locations for each Active Directory repository used for storing user public keys must be configured for use by SecureZIP for DLP. Multiple locations may be defined to ensure keys can be located from within all available stores within the organization. Storing public encryption keys on local user systems is not recommended. This limits their use to only the user on the local machine and causes a significant administrative burden to maintain copies of shared keys across all systems. User private keys needed for decrypting data must be located in the user s local certificate store. This can be enhanced by the use of secure removable storage devices such as Smart Cards or USB tokens that provide for secure and portable private key storage. The type of private key storage used is transparent to the decryption process. PAGE 7

8 DETERMINING WHO CAN ACCESS AN ENCRYPTED FILE Whenever a file is encrypted, information must be known about who is allowed to open the file. This information must align with the enterprise policy established for protecting data. It also informs SecureZIP for DLP of the encryption keys needed to protect a file marked for encryption. In all cases, a contingency key should be applied to ensure data recoverability. Organizations most often rely on the available IT managed file system information ACLs or Active Directory information to determine who may open a file. This information is useful for determining a single responsible party based on file usage, such as the creator or last modifier for a document. It fails to address situations such as the recorded owner of an unprotected document no longer being with the department or the company. In all cases, a contingency key should be applied to ensure data recoverability. Determining the appropriate encryption access for a document should be determined by those directly responsible for the document. This is a decision the document owner should make directly, or it may be defined by the owner s supervisor, but it is best made by those having direct responsibility for the document. Defining appropriate encryption access should be part of the standard workflow of the users of sensitive documents. Encryption workflows performed by those users directly responsible for the content and security of the files they create and maintain provides the first line of defense for ensuring the appropriate use of sensitive materials. Integrating proper encryption practices into each user s routine procedure develops a means for long-term user-directed protection of data. SecureZIP for Windows integrates within standard office applications allowing users to easily protect documents as they are used and with minimal impact to their standard workflows. Even the most responsible user will forget to encrypt a document at some point and lapses can be expected to occur in any user-directed encryption cycle. Using DLP to supplement responsible user actions can ensure documents are routinely protected first through documented user procedures and are then checked using routine DLP inspection to identify when a lapse may have occurred. DLP should not be considered as the primary means of protecting documents and it should only be considered as means for finding and remediating documents not previously protected through routine document use such as may occur from a workflow lapse or for legacy documents. SECUREZIP FOR DLP CONFIGURATION SETTINGS SecureZIP for DLP policy and configuration files should be used to enforce the same settings and parameters needed to support enterprise encryption requirements. Specifically, settings for contingency key should be configured to ensure data recovery and encryption algorithm and key strength should be set. Recommended values are AES at 256 bits. When SecureZIP for DLP is used within a DLP remediation workflow, the original unprotected file will automatically be deleted after it has been copied into a SecureZIP file. Configuring the use of data compression values is optional but highly recommended to reduce the storage requirements for encrypted data. Compressing a file can reduce its size up to 95%. USING ENCRYPTED DOCUMENTS After encryption is applied, the original unprotected information is replaced by encrypted data. Continued use of the document requires that the encrypted data be decrypted using the private key of one of the users allowed access to it. Informing a user that a document is in an encrypted state requires a visual queue that PAGE 8

9 can be seen within the Windows normal file selection view. Encrypted documents are displayed within folders using the familiar ZIP icon and the.zip file extension within Windows. SecureZIP will retain the original document name to ensure the user can identify the content or purpose of the document. File extensions will be changed to.zip to ensure files can be decrypted when opened using SecureZIP. SecureZIP for Windows allows a user to open a now-encrypted document using a standard Windows double-click or Open operation. Opening the encrypted form of a file will decrypt the contents and pass the file to the application needed to view or modify the content. Accessing encrypted information can be done in this manner for most common work documents and for application specific data types. SecureZIP will use the associated application for each type of file. With SecureZIP for Windows Desktop, users can access encrypted documents without disrupting their workflows. They can easily extend or remove encryption recipients to ensure the correct users have on-going access to documents. HANDLING EXCEPTIONS An exception condition that prevents the successful encryption of a file can be expected to occur at times during remediation processing. One cause for this is that a file marked for encryption is in use by a user or by another application at the same time the encryption process is attempting to encrypt the file. Another cause is that a key for an encryption recipient is not available or cannot be retrieved from Active Directory. When these types of situations occur, the resolution is for the file to be left unencrypted and the exception condition is reported to the system administrator through routine error routing. The administrator has the option to perform manual encryption, or the encryption will be reattempted as the unprotected file is again detected during the next DLP scan. Resolving the cause of the exception after notification of the error will allow the next encryption attempt to complete. CONCLUSION Combining SecureZIP for DLP with routine DLP inspection of network storage provides a highly effective means to remediate identified instances of policy violations, avoiding the risks associated with leaving files containing sensitive PII unprotected within enterprise storage. The interoperable SecureZIP for DLP format protects data wherever it is, wherever it goes and however it gets there. Copyright 2011 PKWARE, Inc. All rights reserved. PKWARE, the PKWARE Logo, SecureZIP and PKZIP are registered trademarks of PKWARE, Inc. Trademarks of other companies mentioned in the document appear for identification purposes only and are the property of their respective companies. PAGE 9