Data Loss Prevention: A Holistic Approach
Sam D'Amore, Principal, Information Technology Security Office
The Vanguard Group (www.vanguard.com)
Agenda
- Vanguard Background
- Challenges
- Solution: A Layered, Integrated Approach
  - Policy
  - Governance
  - Technology
Vanguard Background
- A broad and diverse client base with over $1.5 trillion in U.S.-based fund assets
- A broad lineup of investment products that includes more than 160 mutual funds, commingled trusts, and ETFs
- Vanguard's average expense ratio was 0.23% at EOY 2009, compared with the fund industry average of 1.19%
- More than 12,500 U.S. employees based at headquarters in Malvern, Pennsylvania; Scottsdale, Arizona; and Charlotte, North Carolina
- Shareholder, employee, and company information is a critical asset
- Most employees work with sensitive information in one form or another
Challenges
- Provide employees with secure access to the sensitive information (PII) they need to do their jobs, while eliminating excessive access
- Provide access to large teams of employees to maintain world-class client support
- Service our clients efficiently and effectively while balancing information security and accessibility
- Use diverse technologies and platforms, including mobile devices, without losing control of how information is used
- Leverage technology to facilitate cross-product, cross-service marketing and support for our clients
- International and cross-national operations subject to differing regulations
- Minimize data duplication
Solution: A Layered, Integrated Approach
POLICY
- Code of Ethics / Employee Agreement
- Information Security Policy
- Information Ownership/Stewardship Policy
- Information Classification Standard
- Electronic Communications Policy
- Personal Devices Policy
- Social networking guidance
Information Ownership Policy
- All business information has a designated owner
  - Responsible for classification
  - Ultimately accountable for user and application information access
- IT Data Stewards: responsible for where and how data is stored and accessed
- Business Data Stewards: represent owners
- Employees: adhere to standards and guidelines
Information Classification Standard
- Defines minimum controls for each classification level:
  - Public
  - Internal Use Only
  - Confidential
  - Highly Confidential
- Covers data in all formats:
  - Electronic
  - Hardcopy
  - Portable devices
  - Removable media
GOVERNANCE
- Enterprise Data Governance Council
  - Ultimate arbiter of decisions about Vanguard information
  - Senior management from different business areas
  - Approves strategies
- Data Governance Program Team
  - Working group on behalf of the Governance Council
  - Implements strategies
  - Manages operational projects
- DLP Oversight Team
  - Drives high-level control objectives for endpoint controls
TECHNOLOGY
- Workstation activity: endpoint controls
- Outbound e-mail: filtering
- Printing: secure multi-functional devices
- Mobile devices: hardened platform
More Than Data Loss Prevention (DLP)
- Multi-tool strategy
  - E-mail content filtering
  - End-user environment agents
  - Additional network coverage
- The focus is user behavior, so awareness is part of the effort
- Key issues in selecting tools
- Alignment with other initiatives
E-Mail Content Filtering
- Scan and route:
  - Deliver normally
  - Block (with a return message to the sender)
  - Hold & review
  - Deliver securely via integration with the secure e-mail system
- Private encryption: how do you know what's in a privately encrypted ZIP file? A content scanner cannot inspect a password-protected archive; it can only recognize that the archive is encrypted, so such attachments need an explicit disposition (hold for review, or block by default) rather than being passed as clean.
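The scan-and-route decision above, as an added example that is not Vanguard's code or any product's configuration. It scans the body and attachments for PII patterns, treats a ZIP whose entries carry the encryption flag as unscannable and holds it (the practical answer to the privately encrypted ZIP question), and otherwise routes to deliver, block, or deliver securely. The internal domain example.com, the partner allowlist, the PII patterns, the routing policy and the sample messages are assumptions constructed for the example.

```python
"""Scan-and-route for outbound e-mail.  Added illustration, not Vanguard's code.
Internal domain, partner allowlist, PII patterns, routing policy and samples
are all assumptions made for the example."""
import io
import re
import zipfile
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"                 # assumed
SECURE_PARTNERS = {"partner.example.net"}       # assumed: reachable via the secure e-mail system
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so an arbitrary 16-digit number is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[str]:
    hits = ["SSN " + m for m in SSN_RE.findall(text)]
    hits += ["PAN " + m for m in PAN_RE.findall(text) if luhn_ok(m)]
    return hits


def scan_attachment(name: str, data: bytes) -> tuple[str, list[str]]:
    """Return ("clean" | "pii" | "unscannable", details).  A ZIP entry with
    general-purpose flag bit 0 set is password-protected: its content cannot be
    inspected, so it is reported as unscannable rather than passed as clean."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        hits: list[str] = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return "unscannable", [f"{name}:{info.filename} is password-protected"]
                hits += find_pii(zf.read(info).decode("utf-8", "replace"))
        return ("pii" if hits else "clean"), hits
    hits = find_pii(data.decode("utf-8", "replace"))
    return ("pii" if hits else "clean"), hits


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, bytes]       # filename -> raw bytes


def route(msg: Message) -> tuple[str, str]:
    """Return (action, sender-facing reason): deliver, block, hold or deliver_securely."""
    external = {r.rsplit("@", 1)[-1].lower() for r in msg.recipients} - {INTERNAL_DOMAIN}
    if not external:
        return "deliver", "internal recipients only"
    findings = find_pii(msg.body)
    unscannable: list[str] = []
    for name, data in msg.attachments.items():
        status, detail = scan_attachment(name, data)
        (unscannable if status == "unscannable" else findings).extend(detail)
    if unscannable:
        return "hold", "held for review, attachment cannot be inspected: " + "; ".join(unscannable)
    if not findings:
        return "deliver", "no sensitive content detected"
    if external <= SECURE_PARTNERS:
        return "deliver_securely", "client information routed through secure e-mail"
    return "block", ("this message contains client information and cannot be sent to "
                     + ", ".join(sorted(external - SECURE_PARTNERS)))


def make_zip(entries: dict[str, bytes], password_protected: bool = False) -> bytes:
    """Constructed sample ZIP.  With password_protected=True, bit 0 of the flag
    field is set in every local (offset 6) and central-directory (offset 8)
    header so the archive looks encrypted to a scanner; the data is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    raw = bytearray(buf.getvalue())
    if password_protected:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x01
                pos = raw.find(sig, pos + len(sig))
    return bytes(raw)


CLIENT_LIST = b"acct 4111111111111111, ssn 123-45-6789\n"       # constructed sample content
SAMPLE_ZIP_CLEAR = make_zip({"clients.txt": CLIENT_LIST})
SAMPLE_ZIP_LOCKED = make_zip({"clients.txt": CLIENT_LIST}, password_protected=True)
```

The encryption flag is read from the central directory, so the check costs nothing beyond parsing the archive; a real deployment would also apply it to nested archives and to other container formats that support passwords.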
Protecting the End-user Environment
- Where the action is:
  - Insider threats
  - Staff misuse or abuse
  - Malware
  - Removable media
- Advantages:
  - Control information in unencrypted form (before file encryption, before SSL)
  - Monitor activity that never leaves the workstation (hardware, printing, off-site use)
- Challenges:
  - Jurisdictional boundaries
  - Diversity of business use and technology
Endpoint Control Rule Examples (1/3)
- Removable media
  - Block or encrypt data written to removable media
  - Block burning of CDs/DVDs
  - Restrict decryption to managed computers
  - Allow portable encryption by exception only
  - No device dependencies/vulnerabilities
- Control introduction of executable files
  - Block execution of software from USB
  - Confirm execution of software on CD
- External data transfer
  - Require justification for all external uploads
  - Exempt trusted sites
  - Control activity on off-site laptops
Endpoint Control Rule Examples (2/3)
- Printing
  - Control printing of sensitive files
  - Control all off-site printing
- File controls
  - Examine content and control user activity based on profile and business authorizations
  - Control clipboard, uploads, and other risky functions based on the data in play
- Web 2.0
  - Block editing of Wikipedia entries
  - Provide read-only access to Facebook
  - Disable e-mail functions embedded in websites (such as Google Reader)
Endpoint Control Rule Examples (3/3)
- Special users
  - Step up controls for seasonal workers and contractors
  - Provide exceptions tailored to business requirements
- Software control
  - Control downloads of executables
  - Block unauthorized applications
  - Restrict privileged applications by group
Endpoint Control & Role-Based Access Control (RBAC)
- Most controls are applied globally, to all users and computers
- For targeted controls, rather than singling out individual users, RBAC allows rules and controls to be applied based on user roles
- RBAC allows changes to be driven by HR events: a hire, a transfer, or the end of a contract changes the role, and the controls follow without per-user rule edits
- An endpoint control that operates independently of the user's privileges on the machine ensures that privileged users are subject to the same controls as everyone else
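An evaluator for the rule examples on the three preceding slides and for the RBAC targeting described here, as an added example that is not Vanguard's code or the configuration of any endpoint product. Evaluation order is the point: global controls are checked first so that a role exception cannot override them and an administrator gets no bypass; roles are derived from an HR record, so a status change moves a user between control sets without per-user rules; and the text shown to the user stays in business language, with the rule identifier recorded separately for the oversight team. The HR record fields, role names, trusted-site list and action names are assumptions constructed for the example.

```python
"""Endpoint control evaluation with role-based targeting.  Added illustration,
not Vanguard's code.  HR fields, role names, the trusted-site list and the
action vocabulary are assumptions made for the example."""
from dataclasses import dataclass

TRUSTED_UPLOAD_SITES = {"secure-partner.example.net"}      # assumed allowlist, exempt from justification
SENSITIVE = {"Confidential", "Highly Confidential"}


@dataclass
class Event:
    user: str
    action: str            # "exec_usb" | "upload" | "print" | "clipboard" (assumed vocabulary)
    classification: str    # Public | Internal Use Only | Confidential | Highly Confidential
    target: str = ""       # upload host or printer name
    off_site: bool = False
    justification: str = ""


@dataclass
class Decision:
    outcome: str   # "allow" | "block" | "justify"
    message: str   # shown to the user: business language only, no rule codes
    rule: str      # recorded for the DLP oversight team, never shown to the user


def roles_from_hr(record: dict) -> set[str]:
    """Derive roles from an HR record (constructed schema) so that an HR event,
    such as a contract ending, changes the controls without editing rules."""
    if record.get("status") != "active":
        return set()
    roles = {"employee"}
    if record.get("worker_type") in ("contractor", "seasonal"):
        roles.add("limited")                   # stepped-up controls for limited-tenure workers
    if record.get("department") == "Client Services":
        roles.add("client_services")
    if record.get("admin"):
        roles.add("privileged")                # carries no bypass anywhere below
    return roles


def evaluate(ev: Event, roles: set[str]) -> Decision:
    # 1. Global controls: evaluated first, for every role including "privileged".
    if not roles:
        return Decision("block", "Your access is not currently active. Please contact your manager.",
                        "global.inactive")
    if ev.action == "exec_usb":
        return Decision("block", "Programs cannot be run from USB devices.", "global.usb_exec")
    if ev.action == "upload" and ev.classification in SENSITIVE:
        if ev.target in TRUSTED_UPLOAD_SITES:
            return Decision("allow", "", "global.trusted_site")
        if not ev.justification:
            return Decision("justify", "This file contains client information. Please enter the "
                            f"business reason for sending it to {ev.target}.", "global.external_upload")
        return Decision("allow", "", "global.external_upload.justified")
    # 2. Role step-ups: stricter rules for seasonal workers and contractors.
    if "limited" in roles and ev.action in ("print", "clipboard") and ev.classification in SENSITIVE:
        return Decision("block", "Printing or copying client information is not available for this account.",
                        "role.limited.sensitive")
    # 3. Role exceptions: tailored to a business need, checked only after the steps above.
    if ev.off_site and ev.action == "print" and ev.classification in SENSITIVE:
        if "client_services" in roles:
            return Decision("allow", "", "role.client_services.offsite_print")
        return Decision("block", "Client information cannot be printed outside the office.",
                        "global.offsite_print")
    return Decision("allow", "", "default")
```

Because the HR-derived role set is the only per-user input, revoking a contractor or moving an employee out of Client Services is an HR update, not a rule change, and the "privileged" role is visible to the evaluator but grants nothing.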
Many Audiences, Many Benefits
- Tactical security groups: malware detection
- Environment groups: off-site / cloud computing workstations
- Business areas: specific audit issues; employee awareness
- Governance departments: increase compliance; provide guidance
- IT operations groups: software control; system management and insight into real usage, leading to better service
Monitoring the Network
- Mobile devices
  - BlackBerry devices (BES)
  - Managing nonstandard mobile usage (development environments)
  - Use of personal devices
- Non-production systems
  - Guest systems and networks
  - Rogue systems
- New technology
  - Specialized appliances
- Non-compliant devices
  - MacOS and other Apple devices
  - Legacy systems
Tool Selection
- DLP is a buzzword; solutions often don't prevent anything
- Detection or intervention? Find a system that provides flexible enforcement options
- Blocking is a sure way to frustrate your users; use it sparingly
- Communicate with users to provide real-time guidance just when they need it most
- Prompts visible to users should use only business language (not codes or technical terms)
- Forrester, Burton, and Gartner had different views on tools
- Select tools based on the threats in your environment:
  - E-mail
  - Internet uploads
  - Rich web applications (Web 2.0)
  - Instant messaging
  - Mobile devices
  - Removable media
  - Rogue wireless
  - Remote access systems
Alignment with other security initiatives
Questions to ask:
- Who is personally responsible for how information is handled?
- What applications actually are used? Can you trust them?
- What's really going on at the endpoint?
- Who can access your information?
- How effectively do you respond when something goes wrong?
- Do your users have the information they need to make good decisions?
- Can your admin users evade monitoring?
- Do you have sufficient separation of duties?
- What are the security postures and practices of your providers?
Related initiatives:
- Privileged user monitoring
- Information ownership
- Software control
- Incident management
- Intrusion detection
- Enterprise DRM
- Awareness
- External service provider management
Thank You
Sam D'Amore, Principal
www.vanguard.com