Data Loss Prevention Keeping sensitive data out of the wrong hands* September 9, 2007 Aaron Davies-Morris, Director PwC Advisory Services Zeke Jaggernauth, Manager PwC Advisory Services
Agenda Data Breaches Traditional Security Limitations Data Protection Program Questions and Contacts Slide 2
Data Breaches Slide 3
Interesting Statistics Federal Trade Commission More than 54% of identity related data breaches can be attributed to theft or loss of computer or transportable media. Ponemon Institute 91% of organizations lack a process of determining data ownership 76% of organizations cannot determine who can access unstructured data 72% of marketers who out-source email marketing reported a data breach vs. 56% of marketers from the general survey population Slide 4
Examples Company Date Details Source: Privacy Rights Clearinghouse A test preparatory firm (New York, NY) August 18, 2008 The test-preparatory firm accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site. One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fl. Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va. - 108,000 records. A top US bank (Minneapolis, MN) August 12, 2008 The bank notified customers that hackers accessed their confidential personal data by illegally using its access codes. Personal information including names, addresses, dates of birth, Social Security numbers, driver's licence numbers and in some cases, credit account information was accessed by "unauthorised persons. - 5,000 records. A residential mortgage banking financial holding company. (Calabasas, CA) August 02, 2008 The FBI arrested a former employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period though July. The insider was a senior financial analyst at the company. The names were being sold to people in the mortgage industry to make new pitches. - 2,000,000 records. Slide 5
What is Data Loss Prevention (DLP)? Data Loss Prevention refers to a combination of strategy, people, processes and technology used to detect and/or prevent any unauthorized disclosure of data resulting in compromised confidentiality of proprietary data, intellectual property and/or non-public personally identifiable customer, employee and/or business partner data. Other industry names include: Data Leakage Protection Data Leakage Prevention Information Leak Detection & Prevention Content Monitoring and Filtering Information Protection and Controls Slide 6
Concerns General Sensitive data transfer via unencrypted USB keys, CDs and emails Collaboration through unsecured instant messaging applications Regulatory Operational Compliance with laws and regulations: GLBA HIPAA State Breach Notification European Union Directive Drivers Protecting industry specific data such as: Credit card numbers Patient health information Social security numbers New product research Movie scripts and clips Slide 7
Regulatory Concerns A Constantly Changing Landscape of Global Privacy Related Laws and Regulations Since 1998, over 80 laws in over 55 countries were passed: Australia Privacy Amendment (Private Sector) Act (2000) Canada Personal Information Protection & Electronics Documents Act (2000) Chile - Law for the Protection of Private Life (1999) Czech Republic Act on Protection of Personal Data (2000) EU Directive 95/46/EC - The Data Protection Directive (1995) Foreign Encryption Laws (U.S., Canada, France, Israel, Russia, China, etc.) Germany Federal Data Protection Law (1997) Hong Kong - The Personal Data (Privacy) Ordinance (1996) Hungary - Protection of Personal Data and Disclosure of Data of Public Interest (1992) Ireland Data Protection Act (1998 revised 2003) Japan Personal Data Protection Law (2003) New Zealand - Federal Privacy Act (1993) Switzerland Federal Law on Data Protection (2000) UK Financial Services Authority Systems & Controls (2002) Slide 8
Regulatory Concerns Global Privacy Issues and Cross Border Data Flows Various Compliance Approaches to EU Requirements. Binding Corporate Rules Intra-Group Agreements/SLAs Local Laws and Works Council Issues Model Contracts Using EU-authorized Standard Clauses Safe Harbor Certification Slide 9
Operational Concerns Data Breach Considerations Detection & Escalation Notification Post Notification Response Lost Business Impact to Stock Prices Customer Retention Damage to Corporate Reputation Source: National Survey on Data Security Breach Notification Ponemon Institute Slide 10
Operational Concerns Enterprises are subject to key operational challenges involving intellectual property and/or other sensitive information. Specific industry sector concerns around intellectual property and other sensitive data may include: Industry Financial Services Pharmaceutical/Health Care Entertainment Challenges Customer credit card information Customer non-public PII Outsourced data processing Drug formulae Patent pending research Strategic business plans Movie scripts Movie clips (digital dailies) leaking along the content supply chain Slide 11
Operational Concerns Enterprises are subject to key operational challenges involving intellectual property and/or other sensitive information. Specific industry sector concerns around intellectual property and other sensitive data may include: Retail Other Industry Challenges Compromise of PCI data Marketing plans, customer trend information ERP financial data Complex data privacy requirements (global regulatory structure) Loss of intellectual property through external mass media (USB keys, removable storage) Slide 12
Traditional Security Limitations Slide 13
Traditional Security Limitations The focus has not been on actual content within files Regulatory centric vs. balanced regulatory and operational approach Keep the bad guys out (Firewalls/Antivirus/IDS/IPS/etc.) Reduced emphasis on insider threats Slide 14
Data Protection Program Slide 15
What is a Data Protection Program? A data protection program refers to a combination of strategy, people, processes and technology used to discover, inventory, classify and protect information based on it value to the organization. Such a program seeks to provide assurances that: We only collect the information we need We clearly define what data is confidential We know how it is protected We know how it is used We know how it moves We know where it is stored We know how it is destroyed Slide 16
What is a Data Protection Program? Governance Policies and Standards Risk Assessment Data Lifecycle Management Data Architecture Technical Safeguards Device Encryption Data in Motion Data at Rest Data at the Endpoint Information Rights Management Slide 17
What is a Data Protection Program? Process Controls Classification Discovery Encryption Monitoring Awareness and Training Slide 18
The Three Vectors of Data Loss Prevention Governance Policies & Standards Risk Assessment Data Lifecycle Management Data Architecture Technical Safeguards Process Controls Awareness & Training Technical Safeguards Device Encryption DIM DAR DAE Info Rights Mgmt Data in Motion (DIM) - Network Data at Rest (DAR) - Servers Data at the Endpoint (DAE) - Laptop computers/mass media storage Slide 19
The Three Vectors of Data Loss Prevention Data in Motion Data in motion refers to data that is electronically transmitted outside an organization s network through the use of email, IM/chat, web pages, files transfers, etc.). Solutions that address data in motion related risks monitor and filter network traffic. Specifically, these solutions are designed to focus on sensitive data, as it travels through the network. Once identified, the solution can block the identified data or re-route it to an encryption server prior to exiting the network. Image Source: Symantec Slide 20
The Three Vectors of Data Loss Prevention Data in Motion Benefits Does not interfere with enduser workstations Combats e-mail data leakage All traffic routed through the servers can be monitored for sensitive data Challenges Does not encrypt data at source Does not monitor endpoints Does not monitor or control handheld devices, WiFi devices, screen captures, storage media, or printing of sensitive data Slide 21
The Three Vectors of Data Loss Prevention Data at Rest Data at rest refers to data that typically resides within stationary repositories (e.g. File Systems, Databases, etc.). Solutions that address data at rest related risks focus on scanning repositories across server farms to determine unauthorized locations for intellectual property and/or PII. Image Source: Symantec Slide 22
The Three Vectors of Data Loss Prevention Data at Rest Benefits Gain visibility into where confidential data is stored Gain insight into who has access to intellectual property/customer information or unauthorized copies thereof. Challenges Clearly defining what is considered intellectual property and the authorized locations Coordinating the scanning of highavailability systems with low utilization time windows. Identify broken business processes. Slide 23
The Three Vectors of Data Loss Prevention Data at the Endpoint Data at the endpoint refers to data stored on laptop computers and portable storage devices (e.g. USB drives, CD/DVDs, ipods, etc.). Solutions that address data at the endpoint related risks focus on those data storage locations through the use of agents. An agent is a piece of software that enforces security policies, behind the scenes, on a system. Depending on the technology, the solution can monitor the activity of sensitive data activity at the operating system and the application levels. Image Source: Symantec Slide 24
The Three Vectors of Data Loss Prevention Data at the Endpoint Benefits Policy rules defined by the software can identify abnormal behavior on the system and take appropriate action Monitors and blocks traffic from the client side Prevents unauthorized use of mass media storage devices Challenges The system hardware or existing software might not be compatible with the agent The application storing, processing, or transmitting sensitive data may not be compatible with the solution Cost of seat/agent for deploying to the entire enterprise Slide 25
Maturity Models Think of your organization. Dimension Strategy Level 1 Ad Hoc? Level 2 Repeatable? Level 3 Defined? Level 4 Managed? Level 5 Optimized? People Process Technology??????????????? Slide 26
Maturity Models Dimension Level 1 Ad Hoc Strategy Limited or no strategy for implementing effective DLP solution No incorporation of privacy policy into the DLP implementation People Limited or no trained DLP resources Process Limited or no use of DLP related processes and/or procedures No linkage to other security processes Technology Default vendor embedded reporting used Trial/Evaluation installation of DLP components No automation of reporting/monitoring Slide 27
Maturity Models Dimension Level 2 Repeatable Strategy Limited or no strategy for implementing effective DLP solution DLP strategy is understood but not defined DLP follows privacy policy, but no explicit coverage for DLP in policy People Technical staff are able to operate DLP devices No education of employees on security policies enforced by DLP Process Events are reviewed on a quasi-periodic basis Linkage to other security processes considered but not implemented Technology Limited use of DLP across all data states (Data in Motion, Data at Rest, Data at the Endpoint Slide 28
Maturity Models Dimension Level 3 Defined Strategy DLP strategy is defined in minimal form DLP is addressed in privacy policy, but may not be effective People Technical staff understand technology and train new staff Employees are exposed to security policies related to DLP, but are not aware Process SLA defined in policies for regular review and remediation of DLP events DLP linked loosely to a few security processes Technology Full architecture and monitoring rules are defined Monitoring rules have been refined to meet technical requirements Slide 29
Maturity Models Dimension Level 4 Managed Strategy DLP strategy has been implemented and reviewed/updated on a periodic basis DLP is included in privacy policy and is effective People Technical staff are able to deploy devices across all data states Employees are aware of security policies enforced by DLP Process Sporadic reporting to stakeholders Regular review of events and management of incidents DLP connected to other security processes regularly Technology Scope of monitoring rules is refined to meet business objectives Linkage to other security infrastructure in place Automated response to defined incidents Slide 30
Maturity Models Dimension Level 5 Optimized Strategy DLP strategy has been refined to align with security, compliance, and legal objectives DLP is well-aligned to privacy strategy and supports policy effectively People Technical staff are able to manage complex architecture Employees are widely educated on policy and DLP tools Process Regular KPI reporting to key stakeholders Formal remediation process for managing incidents Full integration with other security processes Technology Data is protected across all three data states and across enterprise Linkage to other security infrastructure in place Automated response with no impact to false positives Slide 31
Maturity Models The Market Dimension Strategy Level 1- Ad Hoc Level 2 Repeatable Level 3 Defined Level 4 Managed Level 5 Optimized People Process Technology Slide 32
5 Key Elements of a Successful Data Protection Program Slide 33
5 Key Elements of a Successful Data Protection Program Conduct Risk Assessment Determine Privacy/Operational Requirements and Design the Data Classification Schema Design and Implement Processes Deploy and/or Integrate Technologies Optimize Program Slide 34
1. Conduct Risk Assessment Conduct evaluations based on business and privacy requirements to identify instances of unprotected data on insecure storage or leaving the enterprise on the wire. The result enables management to determine the current level of exposure to data leakage and quickly identify broken processes. Slide 35
1. Conduct Risk Assessment Slide 36
2. Determine Privacy/Operational Requirements and Design the Data Classification Schema Review the data loss monitoring program objectives and requirements against laws and regulations, including crossborder dataflow analysis. Create data classification schema. Slide 37
2. Determine Privacy/Operational Requirements and Design the Data Classification Schema Slide 38
2. Determine Privacy/Operational Requirements and Design the Data Classification Schema Slide 39
3. Design and Implement Processes Create operational, exception handling and reporting processes and/or supplement existing processes. Slide 40
4. Deploy and/or Integrate Technologies Integrate data loss prevention and monitoring tools with the existing infrastructure. Create and tune monitoring rules to enhance effectiveness of the overall data loss prevention program. Slide 41
5. Optimize Program Conduct tests to evaluate whether the data loss monitoring and prevention processes and technologies operate effectively. Fine tune processes and technology configurations as needed. Slide 42
Questions and Contacts Aaron Davies-Morris (949) 283-9967 aaron.davies-morris@us.pwc.com Esekiel Jaggernauth (213) 440-0738 e.jaggernauth@us.pwc.com Slide 43
2008. All rights reserved. refers to LLP (US) or, as the context requires, the global network or other member firms of the network, each of which is a separate and independent legal entity.