Presentation to CSBS 10-Nov-10

Transcription

1 Presentation to CSBS 10-Nov-10

2 Why We re Here - Regulations Fully aware of increasing threats, federal and state governments have demanded increased data protection and enacted increased regulatory requirements. Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Act Gramm-Leach-Bliley Act (GLBA) UK Data Protection Act Payment Card Industry Data Security Standard (PCI DSS) State laws, such as: - Massachusetts MA 201 CMR Nevada NRS

3 Data Loss Prevention (DLP) Objective Prevent the movement of sensitive data from inside your organization to the internet aka Data-in-motion DLP Works on multiple channels Mail Social network Twitter Wiki Blogs Etc 3

4 Data Loss Prevention Example Someone creates a spreadsheet containing data from your customer database and attempts to post it on a blog The DLP solution would detect this and execute a defined action Getting started Decide what your objectives are What are you current policies surrounding the handling of sensitive data What/when can data be sent What should be encrypted What should be blocked Use DLP tools to implement your objectives and policies 4

5 How Does DLP Work? Data Read, Hash, Store DLP Hashes policies Step 1: Data fingerprinting Step 2: Define policies Step 3: Analyze traffic Data flow 5

6 Business Today is the dominant communication tool used Time spent on exceeds all others combined Average cost of a breach of 5,000 customers is $350,000. Social Media 8% 60% Telephone 22% Instant Messenger 10% *Osterman Research (based on time spent on communication tools during an eight-hour day)

7 Is A Big Exposure As much as 75% of an organization s intellectual property is stored in its infrastructure About 70% of data leaks occur via Approx 5% of should be encrypted from ZixAuditor stats What if the data in question has not been fingerprinted yet? Inbound to your organization contains sensitive data and your internal recipient hits Reply 7

8 Adjustment in interpreting what loss means Sensitive data sent in clear text is lost, in the sense that anyone now has access to it secured (encrypted and signed) data ensures that only the owner and designated recipient have access to it and no one else can read it while in transit privacy, access control, integrity, authentication, non-repudiation Encrypting vs Blocking Blocking and/or quarantining is not practical Stops/delays the flow of business So why not encrypt everything? Not everything needs to be Minimize recipient inconvenience factor 8

9 How Works Policies work as follows: Define a <condition>, if it is met then execute an <action> on the message Conditions allow you to separate out messages of interest (eg. those that contain sensitive info) Actions include: Encrypt, block, forward, cc:, adding custom header and/or footer text Two main types of conditions Sender/recipient address or domain Content Eg. From achiu@zixcorp.com to *@xyzpartner.com Keyword Lexical content analysis 9

10 HIPAA Scanning Lexicons: 1. Health Identifiers 2. Health Terms 3. Social Security Numbers (Health Identifiers AND Health Terms) Patient IDs, policy numbers, claim numbers, etc. type of clinical diagnosis, prescriptions drugs, illness, etc. OR (Social Security Numbers) number masks for SSN: nine-digit number, number is divided into three parts, numbers never allocated 10

11 Healthcare Lexicon Development Terminology, phrases and patterns in the lexicons come from: Preston-Gates-Ellis, LLP HIPAA Privacy Rule National Library of Medicine s Medical Subject Headings (MeSH) American Medical Association s Current Procedural Terminology (CPT) Center for Disease Control s International Classification of Diseases v.9 (ICD-9) Medicare/Medicaid s Healthcare Common Procedure Coding System (HCPCS) Health Insurance Association of America Glossary Juried messages from Healthcare organizations 11

12 Financial Scanning Lexicons: 1. Financial Identifiers 2. Financial Terms 3. Credit Card Numbers 4. Social Security Numbers (Financial Identifiers AND Financial Terms) account numbers, loan or policy numbers, etc. balance transfer, checking account, refinance, W-2, etc. OR (Credit Cards OR SSN ) 12 number masks for VISA, MasterCard, American Express, Discover, and more number masks for SSN: nine-digit number, number is divided into three parts, numbers never allocated

13 Financial Lexicon Development Terminology, phrases and patterns in the lexicons come from: Preston-Gates-Ellis, LLP Gramm-Leach-Bliley Act (GLBA) Privacy of Consumer Financial Information Final Rules by: Securities Exchange Commission (SEC) Federal Trade Commission (FTC) Federal Reserve Federal Deposit Insurance Corp (FDIC) National Credit Union Administration Collaboration with a Fortune 500 consumer lending corporation New York Times Dictionary of Money and Investing Juried messages from financial institutions 13

14 Lexical Content Detection Built-in lexicons designed to detect: Personal health info Personal financial info Content specific to MA privacy law Content specific to NV privacy law Health research Personally Identifiable info contains both: something that uniquely identifies an individual Eg. SSN, account id, patient id financial and/or health info Diseases, drugs, treatments, credit card info, financial services Flexibility to choose what lexicon(s) to use 14

15 Typical usage If sensitive info is found in the body or attachments Encrypt cc: to another inbox (so privacy officer can keep track) if found in the subject line Block Return to sender Include message to move content to the body and resend Two main types of conditions Sender/recipient address or domain Content Eg. From to Keyword don t rely only on keywords Lexical content analysis 15

16 Typical Rule Set Subject line keyword rule to force encryption Encrypt from to Plaintext from to Turn on health and financial lexicons for encryption CC: a copy of all messages that were encrypted to privacyofficer@mycompany.com an easy way to see how the rule is working Questions: analysis@zixcorp.com Add footer to all outbound 16

17 An effective solution should include Address government and corporate requirements Effective content detection Typically only about 5% of s need to be encrypted Avoid false positives Minimize recipient inconvenience factor Do not make recipients decrypt messages that do not need to be encrypted Out-of-the-box lexicons (no need to build yourself) Health Finance SSN, credit card, etc Flexible remediation actions Encrypt Push, pull, TLS, PGP, S/MIME Block, cc:, Forward, Log Inserting custom text 17

18 Inbound Scanning Scenario An external party sends your organization an containing sensitive info Inbound scanning allows your organization to detect such s Alert an internal contact Alert the sender, message received but next time please use the portal to send encrypted Help ensure that your business partners DLP policies match your own 18

19 How It Works 19 Title of Presentation

20 ZixGateway and Outbound Inbound ZixPort Compose Feature

21 Summary Determine what DLP objectives you want to achieve How to encrypt messages How to deliver messages Build yourself or Saas? Expect adoption of SaaS to far outpace market growth through Gartner July 2010 Lower costs due to shared infrastructure/support Less pain and effort associated with maintenance/upgrades Gartner, July 2010 What are your peers using? Leverage existing infrastructure Potential to be have seamless and automatic encryption? 21 Title of Presentation

22 Questions? 22 Title of Presentation