Protecting Regulated Information in Cloud Storage with DLP

Transcription

1 Protecting Regulated Information in Cloud Storage with DLP

2 Protection of Regulated Information in cloud storage can be provided by an appropriate Data Loss Prevention, DLP, solution. The steps involved in implementing this protection are described and organized into the following phases: 1) Planning 2) Migration to Cloud Storage 3) Ongoing Operations Protection of Regulated Information The importance of managing sensitive personal information is dictated by many regulations and laws such as HIPAA/HITECH and PCI-DSS for the protection of private Healthcare and Financial records, respectively. Since placing such information in cloud storage is a new opportunity, Security and Compliance Officers and other information managers are seeking guidance and tools which address the risks and help manage the processes involved. The following sections discuss the selection and use of a proper Data Loss Prevention, DLP, technology to help address these requirements and reduce these risks DLP refers to technology employed for the purpose of reducing the risks from loss of control over sensitive data. What is at stake? For the responsible parties, the improper release of regulated information can result in painful consequences ranging from damaging media exposure to harsh fines and penalties from regulatory agencies. Maintaining compliance with government regulatory acts and Industry guidelines needs to be an important concern for every organization handling this type of information. How DLP will Assist Data Loss Prevention, DLP, refers to technology employed for the purpose of reducing the risks from loss of control over sensitive data. Not all DLP offerings on the market are equal, however. Because of its unique advantages and powerful capabilities, here DLP will be taken to mean Content Aware DLP which is often referred to as Enterprise DLP. Gartner, Inc. provides this definition in its IT Glossary: Content-aware data loss prevention (DLP) tools enable the dynamic application of policy based on the content and context at the time of an operation. These tools are used to address the risk of inadvertent or accidental leaks, or exposure of sensitive enterprise information outside authorized channels, using monitoring, filtering, blocking and remediation features. Protecting Regulated Information in the Cloud 1 of 8

3 Phase I: Planning The following steps will help the organization make appropriate decisions prior to selecting and implementing a DLP solution to protect information that will be migrated to cloud storage. 1. Assess Current Use of DLP Before including DLP in a Cloud strategy, the current use of DLP should be understood. Insure that any existing DLP rules may be extended in order to apply the same policy regulations to the cloud data. In some cases it may be desired to apply more stringent controls on data in or intended for cloud storage. 2. Assess Current Use Cloud Storage. Similarly, any current use of cloud storage should be understood to determine the protection requirements of the data already stored or to be stored there. It may also be useful, if possible, to understand current cloud use of by employees. It may be found that some enterprise data is already being inappropriately stored in the cloud and creating data loss risks previously not defined. 3. Establish Credible Expectations Cloud storage changes the means of visibility and the types of control required over enterprise information. In the absence of a well communicated policy, employees will often use potentially unsecured, cloud services to store confidential data in order to make it more easily accessible from their home or their mobile devices, which may also be unsecured! A DLP solution appropriate for cloud storage protection will apply uniform policy toward information across the enterprise, including cloud storage. In particular, an appropriate DLP solution will provide means for educating end users as well as preventing unauthorized actions when required by policy. Cloud storage changes the means of visibility and the types of control required over enterprise information 4. Set Objectives Appropriate for the Organization Gather and review existing policies and procedures concerning the handling of sensitive information. Develop agreement on what information you want to place in cloud storage, what that placement should accomplish, and note any information requiring special protection and control. For example: Records identifying name with SSN. Personal medical or financial records Employees personnel files Protecting Regulated Information in the Cloud 2 of 8

4 5. Involve the Stakeholders Insure the participation of those responsible for managing the use of regulated information and those understanding the regulatory compliance requirements. All parties should understand the benefits being sought from cloud storage and the requirements for protecting sensitive data expected to be stored there. Managers should understand the benefits and issues of the cloud storage as well as the policy enforcement capabilities provided by DLP. These persons could include: Compliance and Privacy personnel, HR, IT Security Executive management Third party consultants specializing in Data Loss Prevention 6. Assess the Costs Involved If DLP is being acquired for the first time, several cautions are appropriate in making that selection. For instance, resist buying features you will never use. Doing a 5 year Total Cost of Ownership (TCO) analysis will make it easier to compare alternative possibilities. Make sure this analysis includes the costs for: the hardware, the software, maintenance, training, and any professional services that will be required. Pay particular attention to understanding any software licensing payment terms. All parties should understand the benefits being sought from cloud storage and the requirements for protecting sensitive data expected to be stored there 7. Test Any Proposed Solution On-Site Insist on a short demonstration or Proof of Concept to evaluate ease of installation and usage. This should be done in your environment with the organization s own data both inside and outside of cloud storage. A system that requires separate services only for cloud storage will be both inefficient and confusing in operation. Seek a DLP solution capable of comprehensive and consistent compliance management across the enterprise including the cloud. Protecting Regulated Information in the Cloud 3 of 8

5 Phase II: Migration to the Cloud Once the decision is made to proceed with a DLP solution the following steps should be taken to prepare for and execute the migration of information to cloud storage. The selection, above, of an appropriate DLP Discovery solution capable of performing these actions will help ensure that regulated information will be properly categorized and protected, or, removed before it may be uploaded and exposed to access in the cloud. There are several strategies that may be employed for this migration. Two will be discussed here: Identify information assets that make sense to move the cloud Targeted. A targeted approach employs DLP capabilities to carefully select, assess and, perhaps, remediate specific information assets prior to migrating them to cloud storage. A typical example might be something such as an entire server used by a marketing department that is filled with brochures and other sales collateral. But, with a desire to control any inadvertent release of certain private customer information. Broad. A broad approach, which may be more common, allows end users to control the migration of their data to a contracted cloud storage provider, but applies DLP to scan and block any regulated data found as it is in flight to the cloud. In both approaches DLP Discovery should be employed to inspect all previously stored information in the cloud to bring it under the same policy levels as will be applied to the newly arriving data. This important cloud Discovery capability is not a capability offered by every DLP offering. These approaches are not mutually exclusive and may be applied at different times with different sets of information, or with different end users. Here are steps involved in the targeted approach. The broad approach will simply involve the last two steps in this list. 1. Identify targets for migration to cloud storage The first step is to identify information assets that make sense to move the cloud. For example it might make sense to move a marketing file to the cloud to allow easier sharing with an external design agency. This will require identifying and categorizing the information on all storage under control of the organization, including file servers, file shares, SAN, SharePoint servers, user home directories, workstations and laptops in order to determine the best candidates to move the cloud Protecting Regulated Information in the Cloud 4 of 8

6 2. Scan the identified assets for regulated data Once candidates have been selected for cloud migration the next step is to identify any potential regulated or sensitive information on that information asset. An appropriate Data Loss Prevention (DLP) Discovery scan will assist in performing this task. For example you might configure the DLP Discovery scan to identify all files containing unencrypted patient information or unencrypted credit card information. 3. Review any regulated data found The DLP Discovery scan will produce a list of potential regulated or sensitive information on each information asset. This output will help determine the actions required before moving the data on a particular information asset to the cloud. 4. Remediate any regulated data as appropriate An appropriate DLP Discovery solution will include the ability to remediate potentially sensitive data both during and after the discovery scan. These include: moving files to secure vaults, deleting files, or applying rights management. If the objective is to move an information asset to a cloud storage provider then all regulated data should be moved to a secure area or simply removed altogether from that asset prior to moving the information. An appropriate DLP Discovery solution will include the ability to remediate potentially sensitive data both during and after the discovery scan 5. Review Information Already Stored in the Cloud An appropriate DLP tool may be employed to inspect all previously stored information in the cloud to bring it under the same policy levels as will be applied to newly stored data. Employ standard DLP Discovery features Assures uniformity of current rules applied to older information stores Many alternative cannot achieve this important uniformity over time 6. Move the information asset to the cloud Once the information asset has been sanitized it is ready for migration to a cloud storage provider. If the data has not already been sanitized then apply DLP to scan and block any regulated data found as it is in flight to the cloud Protecting Regulated Information in the Cloud 5 of 8

7 Phase III: Operations By selecting a DLP solution that provides coverage uniformly across the enterprise including cloud storage, the organization s ongoing management of regulated or other sensitive information is greatly simplified. Policies will be enforced with consistency and from single administrative control. Here are steps to help guide the ongoing processes. 1. Audits Conduct a mock compliance audit involving the information in Cloud storage... Not only will you be ready if your organization is audited, but, it will force questions to be asked regarding where to focus on risk mitigation strategies. 2. Scan Large Files Planned for Cloud Storage An appropriate DLP solution may be employed to inspect all data poised for sending to the Cloud. Sensitive data discovered will be controlled according to policies established by the enterprise for cloud storage. For efficiency it may sometimes be appropriate to scan entire files when there may be some questions regarding content. Or the files may be large enough that it is desirable to scan them prior to the uploading transmissions which will look at each record at a time. An appropriate DLP solution may be employed to inspect all data poised for sending to the Cloud. Sensitive data discovered will be controlled according to policies established by the enterprise for cloud storage Before release to the cloud sensitive information may be denied passage or automatically encrypted Or, other proscribed remediation may be applied Audit large files with uncertain data content for most efficient handling prior to moving 3. Filter and Audit Information as it is Moved to the Cloud Apply Network DLP capabilities to inspect all data being sent to the cloud. Before regulated information leaves the network it may be removed, encrypted on the fly or stopped for remediation according to policy for the particular information Information is inspected at the final stage before leaving the enterprise network Automatic process reduces opportunities for error Audit trails provide visibility into information being transmitted Control is easy to modify if problems are detected Protecting Regulated Information in the Cloud 6 of 8

8 4. Apply Remediation Selectively at Each Step It may or may not be most effective to encrypt-everything sent to the cloud. An appropriate DLP will allows, at every stage in the process, the appropriate remediation to be automatically applied according to the policies established by the enterprise for that particular information and where it is being stored or transmitted Policies dictate action for specific data elements More efficient, speedier processing Alternatives may add burden of needless repetitive encryption and decryption Protecting the Benefits Cloud storage provides the enterprise with substantial benefits in cost reductions, scalability, and operational ease. However, as many others have pointed out, the very sharing of resources that underlies these advantages must be combined with the proper management of this information... Otherwise new risks of data leakage will be generated. These risks may be deemed a concern if the information being stored is private or sensitive in any way. And, of particularly of concern if it involves data that is regulated by industry or Government rules and laws. Cloud storage provides the enterprise with substantial benefits in cost reductions, scalability, and operational ease Data Loss Prevention, DLP, technology has proven to be an invaluable resource in protecting regulated data as the enterprise has moved such information from secure data centers to distributed file servers to the desk top and to mobile computing devices. Also, most recently, some DLP products have been improved with features to control content in cloud storage. There are many resources to assist organizations in sorting out the options for protection available. But, it is most important to evaluate solutions that will help apply consistent and uniform policy enforcement to information across the entire enterprise, no matter where it is stored, including cloud storage, and that a proof of this capability be demonstrated on site before an organization begins an enterprise implementaton No single tool is capable of addressing every security issue; however, an appropriate DLP implementation will substantially reduce the risks to an organization as a key component of its overall security strategy. Hopefully, this paper has illustrated how DLP is particularly applicable in protecting information in the cloud as well as elsewhere in the organization. Protecting Regulated Information in the Cloud 7 of 8

9 About Code Green Networks Code Green Networks delivers solutions that help enterprises protect and manage regulated and other sensitive digital information across their data network, whether local, remote, mobile or in the cloud. The company s solutions have been tested and proven through daily use by hundreds of deployments in large and small organizations across the United States and around the globe. It s All About The Data Code Green s total focus is data protection utilizing innovative content inspection technology to insure maximum protection for an organization s important data. By investing over 200 man years in software development and working closely with customers since 2004, Code Green Networks has applied innovative technology to produce Data Loss Prevention solutions with the most advanced capabilities available to locate, identify and manage regulated data. Significant examples include: A complete Content Aware DLP solution: TrueDLP The Deep Inspection Content Engine: DICE Protection extending to the cloud: Cloud Content Control Removing Compliance Complexity Code Green Networks believes that many products offered to address regulatory compliance are often needlessly complex in implementation and difficult to manage leading to unplanned costs and delays resulting in diminished benefits to the organization. Code Green has taken a different approach. We chose to deliver solutions that are faster to deploy, easier to manage, highly accurate with superior performance and significantly less costly than alternative solutions. Our attention to these details has produced major benefits for our customers: Enhanced simplified management control for consistent uniform policy administration Powerful yet simple to deploy appliances designed for quick installation PoEasy modular growth by capacity, function and location Committed to Supporting Our Customer s Compliance Requirements Working with customers to address the rigorous regulations faced by organizations handling personal medical and financial information has led to our deep understanding of these particular areas of regulatory compliance. It has also helped us create solutions which are very applicable to other markets as well. We fully understand that there is no margin for error when it comes to protecting our client s critical data and this commitment to our customers guides us in everything we do. Code Green Networks, Inc. 385 Moffett Park Drive Suite 105 Sunnyvale, CA Phone: +1 (408) info@codegreennetworks.com Protecting Regulated Information in the Cloud 8 of 8