How Digital Rights Management improves Data Loss Prevention
Case Study from UBS
Marek Pietrzyk, CDC DRM Business Project Manager
March 2015
How to avoid such "Breaking News"?

Breaking News "Goldman Sachs Group Inc (GS.N)": Wed Jul 2, 2014 8:50pm EDT

(Reuters) - Goldman Sachs Group Inc (GS.N) on Wednesday said Google Inc (GOOGL.O) has blocked access to an email containing confidential client data that a contractor sent to a stranger's Gmail account by mistake, an error that the bank said threatened a "needless and massive" breach of privacy.

The breach occurred on June 23 and included "highly confidential brokerage account information," Goldman said in a complaint filed on Friday in a New York state court in Manhattan.

Goldman said the contractor meant to email her report, which contained the client data, to a "gs.com" account, but instead sent it to a similarly named, unrelated "gmail.com" account.

Data leakage "Breaking News" comes along with reputational and financial losses.
Risks of Accidental or Unintended Data Leakage

Protection of sensitive data before the era of electronic data storage:
Physical perimeter barriers: only authorized users can access sensitive data (one-dimensional risk).

Risks of accidental CID disclosure in the era of electronic data storage:
1. Root cause: CID is well maintained within IT applications, but after its retrieval and download it spreads through the organization's collaboration environment.
2. Some CID leakage scenarios:
- Emailing CID externally to unauthorized recipients ("autocomplete")
- Printing CID and then losing the print-outs
- Creating screenshots of CID and using those in non-sensitive documents
- Copying & pasting CID content into a new document
- Accessing CID off-premise, in an unsecure environment (e.g. mobile devices)
- Cyber attacks pilfering unprotected sensitive files (e.g. CID)...
3. Issue's complexity: we cannot prevent all of the above scenarios with just one protection barrier, but by applying appropriate security solutions we can considerably reduce the imminent risk levels.
4. So how to protect efficiently? Perimeter-based protection proved not helpful, as we give up control when data leaves the secure zone, such as applications or encrypted file shares. Therefore UBS, as a globally operating financial institution managing millions of sensitive customer data records, has decided to build, in cooperation with leading technology partners, an innovative data-centric solution to efficiently "stop the bleeding".
Digital Rights Management (DRM) at UBS - Objectives

Only authorized users, authenticated with a smartcard, have access to protected documents.
Only documents marked for "3rd party access" are readable outside UBS.
[Diagram: UBS Applications -> UBS Collaboration Environment -> Outside UBS. Phase 1: Automatic DRM classification and encryption of downloads from applications. Phase 2: Classification and encryption of user generated data assets.]

Principles:
- Data classification is enforced for all documents and e-mails, based on the UBS information classification framework.
- DRM protection is automatically applied to all unstructured data according to the data classification.
- Access to unstructured data is granted according to the authentication strength and other controls, i.e. off-premise, x-border, access group.
- Authentication strength is dependent on the DRM protection and therefore on the data classification (e.g. smartcard required for access to strictly confidential data: superior 2FA).

How do we get there?
- Phase 1: Protect application downloads
- Phase 2: Protect user generated data assets
From perimeter-based protection controls to protection and access control at data asset level.
Required DRM Features and affected Use Cases

Required Features:
- File security properties including confidentiality classification: what are the file's metadata that can be effectively used for the implementation of control measures?
- File protection and access control rules: in which cases must files be protected (during download, user generated files, copy & paste inheritance)? What are the required protection measures (encryption, 2FA, offline work, LAAC, access groups with black/white lists)?
- User interactions and user interface: under which circumstances, and how, can a user modify a file's security properties / confidentiality classification?
- Rule-based automatic re-protection / re-classification: what are the rules allowing for automatic re-protection (periodic CID scans of file shares and SharePoints)?
- External DA transmission: what are the sender / recipient / attachment rules, and the required sender interactions (blocking, requesting justification)?
- Logging and reporting: which are the reporting dimensions (user decryptions, classification downgrades, justifications of external sending)?

Affected Use Cases:
- Download file / create new file: automatic protection (classification / encryption) => performance?
- Access to file: depending on the required authentication and authorization controls => access denied?
- Transmit file internally / externally: decrypt / re-encrypt depending on sender / receiver / attachment => intrusive?

Challenge: how to avoid severe impact on daily business processes.
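As an added illustration (not code from this deck, nor from UBS, Secure Islands or Microsoft), a toy Python evaluator for the two rule families the objectives and feature slides describe: access to a protected file decided by classification, authentication strength, off-premise status and access group, and the sender / recipient / attachment rule for external transmission that blocks or demands a justification, with every decision written to an audit trail. The level names, rank values, the off-premise rule and the internal domain are assumptions.

```python
from dataclasses import dataclass, field
# Added example: a toy evaluator of the classification-driven rules the deck
# describes. Level names, rank values and domains are constructed stand-ins,
# not UBS's or the IQP/RMS policy format.
AUTH_RANK = {"password": 1, "smartcard": 2}
# strictly confidential data requires smartcard (2FA), per the deck's principles
MIN_AUTH = {"internal": 1, "confidential": 1, "strictly_confidential": 2}
INTERNAL_DOMAINS = {"example-bank.test"}  # constructed placeholder domain
AUDIT = []  # audit trail: every decision is logged for reporting

@dataclass
class Document:
    classification: str
    third_party_readable: bool = False        # "marked for 3rd party access"
    access_group: set = field(default_factory=set)  # empty = no group restriction

@dataclass
class AccessContext:
    user: str
    auth: str          # "password" or "smartcard"
    on_premise: bool
    groups: set

def check_access(doc, ctx):
    """Return (allowed, reason); fails closed on anything unexpected."""
    if doc.classification not in MIN_AUTH:
        verdict = (False, "unknown classification")
    elif AUTH_RANK.get(ctx.auth, 0) < MIN_AUTH[doc.classification]:
        verdict = (False, "authentication strength too low")
    elif not ctx.on_premise and doc.classification == "strictly_confidential":
        verdict = (False, "off-premise access to strictly confidential data")  # assumed rule
    elif doc.access_group and not (doc.access_group & ctx.groups):
        verdict = (False, "user not in access group")
    else:
        verdict = (True, "ok")
    AUDIT.append(("access", ctx.user, doc.classification, verdict[1]))
    return verdict

def check_external_send(sender, recipient, doc, justification=None):
    """Sender/recipient/attachment rule: 'block', 'justification_required' or 'allow'."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "allow"                      # internal mail: no external rule applies
    if doc.classification == "strictly_confidential" and not doc.third_party_readable:
        AUDIT.append(("blocked_external", sender, recipient))
        return "block"                      # the mistyped-domain case: hard stop
    if doc.classification != "internal" and not justification:
        return "justification_required"     # sender must explain before it leaves
    AUDIT.append(("external_send", sender, recipient, justification))
    return "allow"
```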
DRM - Solution Design and Implementation Approach

Security Technology and Integration Partners:
- Microsoft RMS used as the basis encryption technology
- Secure Islands IQP(rotector) provides the UI and supports non-MS-Office file formats

Business logic defined by the DRM Governance Group (Information Security, L&C):
- Classification levels: divisionally specific, depending on the file's information category and type
- Mapping between confidentiality classification levels and protection mechanisms (i.e. encryption)
- UI and user interaction principles (e.g. "external email")
- Rules implemented as "IQP Policies with RMS templates" distributed to end point IQP agents

Implementation and Roll-out Approach:
- Extensive functional and non-functional tests, to ensure the required protection but no severe impacts:
  - End user performance (encryption / decryption additional system time)
  - System performance and scalability (RMS License Server, IQP Policy Server, network load)
- Gradual roll-out:
  - Validation using a pilot roll-out to a few thousand users downloading bulk CIDs from sales applications
  - Onboarding of users by locations and business divisions
  - Applications onboarding and registration of download capabilities (granularity vs. accuracy)
  - "Switching on" DRM features successively, tightening the "stop-the-bleeding" controls
DRM - Roll-out and Deployment Strategy

High complexity and dependency management required to:
- Provide different functionalities to the users applying download protection and to the rest of the staff: "Full enabled mode" and "Collaboration mode"
- Staggered deployment to the downloading users (weekly deployment waves):
  - Taking into account temporary limitations when exchanging protected files between teams
  - In favour of closer monitoring and control of the increasing load on RMS and IQP servers and on the network
- Dedicated L2/L3 support teams helping to resolve any related end user issues

No issues related to encryption / decryption performance. A few issue types were traced back to clashes with other processes (all resolved either by policy update or with IQP upgrades):
- Slowdown of the data upload process into MS-Excel spreadsheets, using certain plug-ins and processes (wscript.exe and cscript.exe)
- Performance degradation when working with the following 3rd party products: FactSet, REOS, SSH Client, Thomson Reuters Eikon
- Processing slowdown of developer tools RAD, Talend, Eclipse, ANT, Maven, Tomcat Deploy, as those intensively access .txt, .csv and .png files
- SAP BEx (Excel) reports cannot be generated, as the BEx add-in clashes with the IQP add-in

Roll-out phase stats: successful; since July 2014 DRM is in production, protecting 10'000 CID downloads weekly.
DRM Key Usage Indicators (examples)

Since July 2014, reports downloaded from registered applications are auto-protected; all DRM-related operations on such files are then included in the audit trail and reported to the Security Org.

[Chart: Registered vs not-registered downloads; y-axis 0 to 6,000; x-axis 32 to 35; series: registered downloads, not-registered downloads]
[Chart: Analysis of registered downloads; y-axis 0 to 6,000; x-axis 32 to 35; series: not encrypted (i.e. "internal"), encrypted (containing Swiss CID)]
Further indicators: confidentiality classification changes; file un-protections and the trend.

Enlightened: monitoring users' behavior to (a) find possible malicious activities, and (b) discover patterns allowing for further improvements of DRM controls.
DRM Outlook (next steps and challenges)
- Global roll-out (locations & business divisions)
- Further (more automated) applications onboarding
- Improved usability:
  - integration of the new IQP 5.0 UI
  - automated decryption / re-encryption (reducing user interactions)
  - simplification of offline work with encrypted files
- Protection of user generated files
- Copy & paste security context inheritance
- Improved reporting: detection of flows of classified files through the organization
- Decryption services for eDiscovery, Forensic and Compliance processes
- File Shares and SharePoint scanning and file auto-protection
- DRM on mobile devices (read & write features)
- Integration with ADRMS & S/MIME in MS-Office and MS-Outlook: aligned look & feel

Searching for a balance between controls and usability: data-centric protection ("immunization") successfully reduces data leakage related risks, but also decreases the efficiency of daily business processes; it is a learning process.
Contact information
Marek Pietrzyk, CDC Pillar 3, Corporate Center COO, UBS
UBS AG, 8048 Zurich
Office: +41-44-236 49 34
Mobile: +41-79-572 01 79
marek.pietrzyk@ubs.com