Data Leak Prevention - simple as 1,2,3

Transcription

1 Data Leak Prevention - simple as 1,2,3 A Practical Guide for Implementing Data Leak Prevention A White Paper for the Business Executives

2 DLP - like 1, 2, 3 A Practical Guide for Implementing Data Leak Prevention A White Paper for the Business Executives Executive Summary Not a day goes by without a news story about an organizations employee misplacing or losing their USB memory sticks, having their laptops stolen or sending an important to the wrong person by mistake (automatic population). The result of a data loss is negative media attention, reduced trust from customers and partners, a reduction in corporate, value, damage to reputation, loss of competitiveness and possible criminal charges. The damage can be avoided simply by implementing solutions that go under the name of Data Leak Prevention (DLP). DLP simply means - making sure which data that is deemed sensitive does not leave the organization unsecured, and that only the right people have access to the right information. This includes discovery of sensitive data that can be communicated outside the organization s four walls, and blocking or encrypting the same data based on centrally defined policies. In the last few years, companies have spent huge sums of money focused on keeping the bad guys out of their networks by investing in firewalls and other filter technologies to protect against hackers, viruses, spam and spy-ware. These in-bound protection systems have been effective and are today considered by all businesses and individuals as obligatory to protect against outside attacks and avoid computer system disasters. Today, corporate IT Directors and security experts are focusing their attention on stopping information from leaking out of the network. And the challenge is much greater compared to inbound protection issues, in that companies have to decide what information is sensitive and confidential, and what is not. The critical issue of false positives has to be managed effectively so that today s information worker is not impacted by the DLP system s review of data in transit. The DLP system has to scan the data quickly and determine what to do with the data - based upon what the organization s security policy states. On top of this challenge, information is today highly mobile and therefore we need to manage and protect not just the data centre and the data throughout the network, but also all personal productivity devices such as mobile phones, laptop computers, ipods, and USB memory sticks. Attrition.org, estimates more than 162 million records compromised through Dec both in the U.S. and overseas, unlike the other group s U.S.-only list. Attrition reported 49 million last year The barrier for any company to implement a DLP system is that they do not know where to start. The scope of a DLP system can be overwhelming if you want to control all areas of vulnerabilities and technologies within an organizational network infrastructure. Thus the biggest barrier is knowing where and how to start a DLP project and taking the 1 st step. The CEO and executives alike have the responsibility to look after organizational assets and in particular make sure that sensitive and confidential information in digital format is not exposed. In most cases, regulatory compliance states that you get a get out of jail card if you encrypt the data and if you don t you will suffer legal consequences such as hefty fines and public notification of your misdeeds. The goal is to protect all digital assets, without changing the behavior of your employees and make it a seamless part of your existing business processes and technical infrastructure. This document discusses a practical approach to stop your sensitive and confidential information leaking from your company and putting you at risk. Cryptzone, a leading DLP technology company has developed practical solutions and the DLP stepped implementation approach that quickly allows the organization to overcome the barrier to initiate a DLP project, and thereby stop sensitive and confidential data leaking out of the organization simply and easily.

3 This paper also provides a business perspective on how your organization can put measures in place that will substantially decrease the risk of your company ending up in the news as yet another victim of data loss. Moreover, this paper also covers how your organization will have a competitive advantage over your competitors by increasing information worker productivity, streamline document collaboration and reduce the cost of maintaining regulatory compliance. Why is DLP an issue anyway? Today, the majority of organizations are storing and communicating all of their information digitally in an unstructured environment of different servers and computers scattered throughout the data centre, coupled with the replication of data on ever more powerful mobile devices like laptops, PDAs, mobile phones and USBs. Information flows like water these days, and users expect to have access to all corporate and personal information - 24 hours per day, 7 days per week. Accessibility requirements puts pressure on the IT Directors to provide secure access to data while making sure that sensitive data does not end up in the wrong hands. Protecting sensitive data is crucial for most organizations where Intellectual Property (IP) and related confidential information often correlates to the company s monetary value. Examples of Intellectual Property are; corporate business plan, financials, acquisition strategy, patents, product designs, R&D documents, and marketing strategy. The list of sensitive IP data goes on and on. Then we have confidential information that is related to customers and suppliers, where we have an obligation to protect the information that is held in trust towards third parties. Examples of this information would be business proposals, contracts, health records and financials including credit card information, account balances and payment information, as well as general correspondence. Finally, there is a category of information that relates to the organization s financial and legal business together with information about the employees of the company. Examples of this would be financial reports, employee records, contracts, acquisition targets, product and marketing launch plans, budgets, customer databases etc. What data needs to be protected, when and by whom? One of the obstacles to getting a DLP project underway is agreeing What data is actually sensitive? and Who has the right to it?, and at What point should we employ data security such as encryption and content inspection? Encryption is finally simple! Historically, encryption of digital documents and s from PC to PC has been a complex and expensive project to implement - especially for larger enterprise users. Therefore, encryption software has been provided to a few selected employees working with sensitive and confidential data, such as legal and human resource departments. Some organizations have opted for gateway-to-gateway encryption only to protect the data from being read while surfing the internet. However, that does not protect the data from being leaked internally before and after it reaches the gateway which is where most of the data is at risk. Surprisingly, the vast majority of organizations s, USB memory November 2007 Two computer discs holding the personal sticks and laptops are not encrypted. details of all families in the UK with a child under 16 have For s this is especially serious as gone missing. The Child Benefit data on them includes name, it is relatively easy to sniff wireless address, date of birth, National Insurance number and, where networks for free text communications, relevant, bank details of 25 million people. and the risk of sending s to the wrong recipient is only a send button depression away. Lost or stolen unencrypted laptops or USB memory sticks are potential disasters for most companies that allow data to be carried outside the safety of the organization.

4 January 2008 Swedish Armed Forces Loses USB Stick with Classified Documents What can organizations do to quickly remedy what is clearly an unacceptable situation where simple human error will lead to sensitive information being distributed freely with huge repercussions? The answer is DLP DLP- Simple as The benefits of implementing DLP can be achieved quickly and capture the majority of all data leakage occurrences by simply focusing on the obvious vulnerabilities - first. Cryptzone has devised a methodology called DLP that takes a pragmatic approach to securing your sensitive information in a phased deployment and concrete approach. DLP - Simple as Take simple steps to protect your sensitive and confidential information without interrupting the business. The following table illustrates how an organization can focus its efforts on the simple and high impact areas of data encryption, and then move into the more advanced protection measures including content inspection, data classification and device and port control. User Group Step 1 Step 2 Step 3 Next step include Executive, Legal, Mobile Workforce (sales, account managers, consultants) Encrypt Laptops, and USBs. Encrypt all internal s and s outside the organization based on Sender-Receiver combination policies. Encrypt all network folders and files that belong to these user groups. Perform content inspection and encrypt or block based on policies for sensitive data. Classify all company files, folders, s and digital assets. Implement content encryption and blocking based on classification. Implement port and device control based on central policies. Mid Manager, Accounting & HR (mostly in house based but also staff working from home or on the road) Encrypt Laptops and USB. Encrypt all internal s and all external s based on Sender-Receiver combination policies. Encrypt all network folders and files that belong to these user groups. Perform content inspection and encrypt or block based on policies for sensitive data. Classify all company files, folders, s and digital assets. Implement content encryption and blocking based on classification Implement port and device control based on central policies. Information worker, Staff, Shop floor, Contractors (Typically without laptops or mobile devices) Block and control devices and ports. File and folder netshare encryption. Encrypt all external s (customer s must be considered separately from service level perspective). Perform content inspection and encrypt or block based on policies for sensitive data. Classify all company files, folders, s and digital assets. Implement content encryption and blocking based on classification

5 The following describes each step above in more detail and provides some examples. Step 1- Secure that laptop and that USB memory stick! Securing laptops with hard disk encryption is a straight forward approach that requires little administration as users will simply have their PCs locked down as soon as they log off. Laptops should be encrypted with pre-boot authentication to ensure total data protection. Secured Secured eusb eusb The same goes for encrypting USB memory sticks although these mobile devices require a bit more thought on policies for what specific data shall be allowed to be un-encrypted, if any. A simple start up policy can be to automatically encrypt all data that is transferred to removable media such as USB sticks. For general staff using corporate desktops, block all external devices and ports to ensure that no data can be exported without the authorization of senior staff. Step 2 - Secure that & file! The CIO and its information security officers must define a security policy that dictates that all data that is used in transit or moved to a mobile device need to be encrypted or blocked if not encrypted. Examples of this would be that all communication (including the body of the , subject line and attachments) should be encrypted if the communication contains sensitive or confidential information, especially when s are sent outside the company s intranet. Other examples would be that all s from the Human Resource (HR) and Finance Departments should be encrypted if sent to anybody inside and outside the company s intranet. With Cryptzone s Secured solution as an example, sending encrypted messages to third parties is now simple and easy, and does not involve complex exchange of encryption keys. As well, upon receipt of an encrypted , decryption software can be easily obtained without complex installations. Files and folders on network drives that are considered to contain sensitive data needs to be encrypted from the moment they are created. Users or groups of users need to be defined in advanced who owns the data and who is allowed to access the information on the files and folders sitting on the company s network drives. Typically, folders that belong to finance, legal, HR and management are the first to be encrypted. Files that reside on shared network drives are often exposed to a wide number of users internally. Securing these files by encryption based on defining users rights and setting up secure groups is a straight forward approach. Having defined individual s right to certain files and folders is now possible to do centrally with the user being able to access, encrypt and decrypt automatically. By securing the records at its birth, the overall security level increases as the data will already be encrypted and any accidental copying or transferring of the sensitive data will not lead to a breach of security as only authorised users can decrypt and read the information. Step 3 Monitor, find and block sensitive data! Having completed step 1 and 2, you will have provided a good strong DLP foundation for adding more layers of intelligent DLP protection, such as data classification and automatic content monitoring of data being moved. Hence, more advanced rules might require actual scanning of the content of an and its attachments before it gets sent, looking for information such as social security numbers, credit card numbers, personal information as well as key words such as confidential, classified and/or actual customer names and/or other specific words, phrases and/or other expressions. Depending on the sender and the receiver of the , the systems will apply pre-set security rules managed centrally through various policies to either automatically block the from going out, or alternatively encrypt it before sending. Filter The content in this document needs to be checked for errors and unauthorized words etc. Identity documents and other info about customers or patients are not to be sent unsecure. Always encrypt your sensitive information!

6 Organizations can gain immediate benefit from implementing this step and then delve into more advanced rules for spotting complex data that is not always that easy to determine whether it should be blocked, let through, converted to read-only PDF or simply encrypted before being moved or sent. Examples of more complex data patterns could be social security numbers, account numbers, PIN codes, credit card numbers, patient IDs, secure project codes, etc. If in doubt go for more draconian DLP - Block that port and take control of devices! An additional and complimentary step to stop users from even using external devices is to apply port and device control technologies. The important thing to consider when looking at port and device lock & other control solutions is workforce productivity. Blocking or restricting the use of external devices and communication channels can cause disruption to the business and reduce productivity. The combination of a content-aware DLP solution and a device control approach can be very effective. Depending on your organization s hierarchy of authority when it comes to data access, it can be very effective to apply the combination of content-based data leak protection with that of simply blocking devices from being used. As an example, for desktops that are used on the shop floor or in environment with open access, it is a good idea to control or even block all external devices altogether. But for nomadic users like a sales force, it would be more appropriate to apply content based DLP protection with some level of device and port control that is appropriate. Sales executives require the use of mobile devices to perform their duties when interacting with customers, doing presentations, accessing product databases, transmitting confidential proposals and processing orders. Future Steps simplify the process - classifying data from the start! A DLP project is really the beginning of a full classification of all the data that an organization creates and distributes both internally and externally. For example, when an account manager writes a customer trip report that includes sensitive information, and/or delivers a proposal, these are situations when documents need to be classified. The classification can be binary in that it says that the information is either confidential or not. For more ambitious organizations, the classification can be more multidimensional with description of the level of classification, of who can access it, who can modify it, view it, print it, send it etc. This discipline is often referred to as Digital Rights Management and/or provisioning and can be a quite complex and time consuming effort for an organization with thousands of employees and a multitude of documents, s, files and records created every day. One way to introduce classification is to force each user at the time of creating new records to apply a classification level (e.g. confidential, top secret or general). This approach can be aided by the content monitoring discussed earlier so that sensitive documents are not labeled as unclassified information by mistake. PricewaterhouseCoopers reported that security breaches cost the British economy 6 billion, or $12 billion, a year. Even with a simple classification system in place, organizations can start getting a better grip on what information that should stay inside the four walls, and what needs to be encrypted if it leaves the office by , file transfer, USB, laptops or any other mobile device. By applying classification, organizations approach the data leak problem from the ground up. Most organizations will obviously not be able to apply classification over night for all documents held on all PCs and network drives. Hence, a combined approach is recommended where by content scanning is applied for key words as well as detection of pre-classified documents and files. This can be done retrospectively for files on network drives and on local PCs, or simply on new documents created.

7 How does data leakage occur? We have discussed the potential damage that data leakages can cause, and how to prevent such a loss by applying v arious technologies to v arious communication channels. The following are some real world examples of how data is actually lost. Sending to the wrong recipient (using the applications auto populate feature) or attaching the incorrect file containing sensitive information to the . o Most of us have sometime made the simple mistake of picking the wrong recipient or attached the wrong document and hit send before we realized it was too late. An effective DLP solution will block such an action and/or automatically encrypt the message so that only a valid recipient can read it. Sending confidential information unencrypted from an open wireless network outside the office. o Wireless networks are easy to tap and business information sent as free text can be intercepted by anyone connected to the network. Deliberately sending with confidential files to competitors by an employee who thinks he is doing someone a favor. o Disgruntled staff has been known to steal information this way. In one case the employee had access to the system administration and copied executives to his own personal mail account. Sharing unencrypted USB memory sticks with external parties when doing presentations or transferring documents. o USB memory sticks today often hold GB of data and are easy to forget and drop when used outside the office. There are many stories of misplaced USB memory sticks where the employee has no idea where it is or what information was on it. Allowing printing of confidential reports on remote network printers. User places a sensitive document on a file share where other users can access the document.

8 How often does data leakage happen and how severe is it? Most companies will not issue press releases about data being lost unless they have to do so by law (which is the case in most states in the US). The majority of companies have experienced some loss of information and with the explosion of usage and data being increasingly mobile this is an ever increasing issue. The issue is not how often data is lost, but the potential damage of every single event when information leaks. The scary fact is that most incidents are not from the outside but from internal staff who willfully or by mistake let confidential information leak from your organization. An IDC study from late 2007 shows that 84% of all data leakage incidents can be attributed to employees. Organizations need to be more aware than ever to scan and control employees information activities. (The diagram below is created with help of data from Annual Study: U.S. Cost of a Data Breach, Benchmark research conducted by Ponemon Institute, LLC, the graphic are from Wyred Magazine)

9 The following are some recent stories in the news of data leakage: DATE MADE PUBLIC NAME(Location) TYPE OF BREACH NUMBER OF RECORDS Jan. 31, 2008 University of Minnesota Reproductive Medicine Center (Minneapolis, MN) A doctor at the fertility clinic lost a flash drive that he used to back up his computer. The drive holds details of infertility treatments for 3,100 patients going back to The lost drive did not seem to contain any financial or Social Security information. 3,100 Mar. 3, 2008 Kraft Foods (Northfield, IL) A company-owned laptop computer was stolen from an employee of Kraft Foods travelling on company business. The laptop contained the names and may have contained Social Security numbers. 20,000 Mar. 15, 2008 Sterling Insurance and Associates (Aspen, CO) A server stolen from the locked offices contained names, addresses, and Social Security numbers, dates of birth, driver s license numbers, and/or account information for an unspecified number of customers. Unknown Mar. 17, 2008 Binghamton University (Binghamton, NY) A university employee mistakenly sent an attachment containing the names, grade point averages and Social Security numbers of junior and senior accounting students to another group of School of Management students. 300 Mar. 22, 2008 Agilent Technologies (Santa Clara, CA) A laptop containing sensitive and unencrypted personal data on current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor. The data includes employee names, Social Security numbers, home addresses and details of stock options 51,000 and other stock-related awards. Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - in violation of the contracted agreement. Mar. 26, 2008 Presbyterian Intercommunity Hospital (Whittier, CA) About 5,000 past and current employees at Presbyterian Intercommunity Hospital had their private information stolen. The data included Social Security numbers, birth dates, full names and other records stored on a desktop computer that was stolen. 5,000 Source: Privacy Rights Clearinghouse (

10 Conclusion & Recommendation Implementing DLP can be achieved relatively quickly and capture the majority of all data leakage occurrences by focusing on the obvious leaks - first. Cryptzone has devised a methodology called DLP that takes a pragmatic approach to securing your sensitive information in a phased and concrete way. Hence, start with the simple measure of encrypting mobility devices such as laptops computers and USB memory sticks and data in transit applications like s and files on the basis of simple security policies. As the organization becomes more aware of all sensitive data stored and how it is communicated, then there is a natural step to move towards a complete classification of all sensitive information. Data leak prevention starts with the realization that the main threat comes from within the four walls and not so much from the outside as with inbound virus and hacker attacks. A key success factor for implementing DLP is defining a data protection policy that is easy for your own staff to understand and adhere to on a daily basis. It is all about awareness of how to protect data at all possible leakage points, and using the tools available to simplify the enforcement without negatively affecting productivity. Effective DLP solutions do not hinder staff from their daily work in collaborating with customers, suppliers and partners. On the contrary, with a balanced approach to DLP, third party trading partners and customers will value your efforts to protect their data. As an example, having sensitive documents automatically encrypted without manual interaction before being ed will speed up business processes. Not only that, DLP builds trust with your customers and suppliers knowing that you are caring for their information s safekeeping. A well implemented DLP project should therefore be seen as a competitive weapon rather than a constraining security initiative. Organizations that approach the problem in this structured way and invest in both DLP tools as well as making its employees aware of the threats, will be perceived as more trusted business partners and therefore increase its company overall value. Prime Minister Gordon Brown ordered a review after the country s tax authority, HM Revenue and Customs, known as HMRC, said it had lost data on 25 million people, exposing them to the risk of identity theft and fraud Cryptzone can help with both pre-implementation planning of a DLP strategy, including the development of security policies, provisioning of the tools and technology to enforce the policies that can then be implemented in a smooth and effective way - we call it DLP 1-2-3! Read more about how your organization can benefit using Data Leak Prevention technology from Cryptzone on or contact us at [email protected]. We will be happy to discuss how DLP can protect your company s sensitive and confidential information. Larrea 1011 piso 8º C1117ABE / Buenos Aires / ARGENTINA Fax: / - [email protected] Partner