HOW TO KEEP A SECRET SECRET
ERM AND DLP WORKING TOGETHER
ABSTRACT / EXECUTIVE SUMMARY

The need for information protection is present in the mind of every security professional. Recent history (WikiLeaks, leakage of personal client data, etc.) teaches us that confidential information is not secure in its traditional form and that access to information is not controlled at all. The common security tools in place are typically network and/or computer centric: they protect information from external attacks (hacking, viruses, trojans, etc.) but fail to secure companies against information leakage. According to recent studies by IDC [1], information leakage is mainly accidental (>50%) and in the majority of known cases implies a direct cost higher than 100.000 US$.

The most promising techniques for controlling information leakage are ERM (Enterprise Rights Management) and DLP (Data Loss Prevention). ERM assures that data is protected regardless of its state (at rest, in transit or in use) while enforcing detailed rights over the information (right to print, edit, copy data, export to other formats, reply, forward, etc.). DLP ensures that company policies for handling digital information are enforced for all users, defining rules on how information may be handled and stored (pen drives, e-mail, corporate servers, etc.). As detailed further in this paper, the drawbacks of ERM solutions (user dependency, lack of automatic classification and administration complexity) are precisely the strengths of DLP products; combining the two reaps the benefits of both ERM and DLP, resulting in an innovative approach within the information security field.

RightsWATCH is a combined ERM and DLP solution, based on the Multilevel security concept (explained further in this white paper), that effectively protects your organization against information leakage while maintaining control over corporate data and monitoring the actions that users perform over the information produced, providing total life-cycle traceability!

Visit us at http:// for further
Contact us for a live demo or try it for free on your organization!

INTRODUCTION

Information leakage is a real and ever more common problem. Almost every month, news about a company leaking confidential information becomes public. These are the cases that are known to the general public and have a more visible impact on the organizations involved. Thousands of companies' information is being leaked daily, and mostly by accident!

Figure 1 - Distribution of security incidents

According to recent studies, the vast majority of information leakages are accidental in nature:

"IDC believes the majority of information leaks will continue to be accidental, but we expect a rising number of carefully managed attacks by sophisticated crime syndicates. We also believe that the financial impacts of deliberate incidents of data loss are often much greater than accidental incidents." Source: IDC, 2010

This means that information leakage is not solely the result of intentional actions, but also of unintentional actions that workers in your organization may indulge in. Unintentional data loss is perhaps the most dangerous kind, because the user is not (at least immediately) aware of the leakage and does not act upon it.

Besides being an actual problem, information loss may represent a very high cost for organizations. When quantified, the most significant part of information loss events had a cost of more than $100,000!

Figure 2 - Information loss costs

[1] International Data Corporation (IDC), http://www.idc.com

Information loss has a direct cost: the intellectual property or industrial information lost in the leakage, as well as handling
the consequences. It also has a number of indirect costs, such as loss of credibility in the market, loss of Intellectual Property leading to erosion of competitive advantage, and failure to comply with legislation.

PROBLEM DEFINITION

Nowadays little or no paperwork is involved in core business processes. Critical business information is increasingly in digital format. Recent studies show that the growth of digital information is exponential and shall reach 35 Zettabytes [2] in 2020.

The growing awareness of the risks of information leakage was sparked by a series of corporate scandals in which confidential information was disclosed. As the majority of those cases demonstrate, such breaches are often not the result of malicious wrongdoing, but rather of employees who unknowingly put their companies at risk. This may occur as employees send out e-mail messages that contain files or content that they are not aware is confidential. Another example is employees delivering confidential files to their Web-based e-mail boxes, or copying files to mobile devices, and thus exposing them to untrusted environments.

As seen in recent studies, about 60% of information leaks are related to Intellectual Property, which for most organizations constitutes their most valuable asset.

Figure 3 - Types of information leaks: IDC Survey

Figure 4 - Examples of information leakage

"Deutsche Bank Loses Hertz IPO Role Because of E-Mails. Nov. 8 (Bloomberg) - Deutsche Bank AG, Germany's largest bank, lost its spot among the underwriters of Hertz Global Holdings Inc.'s initial public offering after an employee sent unauthorized e-mails to about 175 institutional accounts."

"MoD loses more laptops, USBs and 'secret' files (UK). The Ministry of Defence has revealed that 658 laptops have been stolen over the past four years. The department also disclosed 121 of its USB memory sticks, some containing sensitive information, have been lost or stolen since 2004."

Information security has been faced as a task that involves the protection of information from external attacks on the organization's infrastructure and processes. Security standards and best practices (e.g. ISO/IEC 27002:2005) are mainly focused on the protection of an information system from external sources and events, involving process and infrastructure security.

Protecting systems, infrastructures and processes is no longer enough. Organizations must protect Information itself and assure that it is safeguarded from undue access independently of its state or location!

[2] 1 Zettabyte = 1 Trillion Gigabytes

HIGH-LEVEL SOLUTION

In order to prevent information leakage, the information itself should be safeguarded from undue access. The only way to ensure this is to use a solution that applies persistent protection that travels with the information, ensuring data is protected regardless of its state or location. These solutions are data-centric security solutions.

Analysing the taxonomy of the most relevant information security techniques (presented in the following figure), it is easily perceptible that most technologies focus on the protection of data in a specific state: At Rest, while it is stored on a computer or network hard drive; In Motion, while travelling through the network between two users or machines; and In Usage, while being accessed (read, edited, printed, etc.) by the users.

Figure 5 - Security technologies taxonomy
At least two types of security solutions have greater visibility, due to their coverage in terms of data state and features: ERM and DLP.

Enterprise Rights Management

Enterprise Rights Management (ERM) is a security technology that applies persistent encryption to data, ensuring that information is protected regardless of being At Rest, In Motion or In Usage. Even while being used, the information is only decrypted into the computer's memory and made available to the application using it. While ERM-protected information is In Usage, ERM also applies detailed rights over the usage (e.g. blocking certain actions like print, copy to clipboard, export data to another format, forwarding the e-mail, etc.).

Data Loss Prevention

Data Loss Prevention (DLP) technologies include a broad range of solutions designed to discover, monitor, and protect confidential data wherever it is stored or used. DLP includes solutions that discover, protect, and control sensitive information found in data at rest, data in motion, and data in use. The systems are designed to detect and prevent the unauthorized use and transmission of confidential

Network-based DLP solutions are typically installed at the corporate gateway. These solutions scan network traffic such as e-mail, instant messaging, FTP, Web-based tools (HTTP or HTTPS), and peer-to-peer applications for leaks of sensitive

Host-based DLP solutions are typically installed on desktops, laptops, mobile devices, USB drives, file/storage servers, and other types of data repositories. Host-based DLP also includes solutions that provide data discovery and classification capabilities.

Discovery DLP solutions are designed to discover sensitive information on desktops, laptops, file servers, databases, document and records management systems, e-mail repositories, and Web content and applications.

Figure 6 - ERM vs. DLP for data-centric features

ERM vs. DLP

In the following table, the strengths and weaknesses of each technology are presented. A quick analysis reveals that the weaknesses of DLP are exactly the strengths of ERM and vice versa.

Watchful has developed a joint solution that provides ERM and DLP features, taking advantage of the strong points of each security technology: RightsWATCH (http://).

RightsWATCH: A Data-Centric Security Solution

RightsWATCH is an integrated and transparent information protection solution, implementing the multilevel model, which allows users to protect the information generated with the most common productivity tools (Office, e-mail, mobile devices, content servers, etc.). Information is protected through a permanent cipher algorithm, and the rights that each user has over the information are controlled during access. Information is continuously protected. Actions like opening, printing, editing, copying, exporting, replying and forwarding are enabled or disabled according to the user's rights over that
An example of the security policies in the RightsWATCH solution is presented in the following picture.

Figure 7 - RightsWATCH e-mail support range

RightsWATCH is based on the Multilevel security model. The Multilevel security model was developed in the military world and states the following essential premises:

- All information produced in an organization is classified according to its confidentiality level (e.g. Internal, Reserved, Confidential, Secret, ...);
- A security credential is granted to every user in the organization;
- Access to information classified at a certain level is only granted to users with at least a specific credential (e.g. information classified as Confidential is only accessible by users with the credential Confidential or above).

The RightsWATCH system extends this base concept to a new level by adding two new derivatives:

- When a user is granted access to information, only certain rights are available to handle the data (e.g. the user may be able to read and edit the information, but have the printing or copying capabilities disabled);
- Information classification levels may be grouped into Information Scopes, and Scopes into Organizational Units (e.g. the fictional organization Critical House may contain two scopes, Financial and Management; the Financial scope may contain three security levels: Secret, Confidential and Reserved). This allows user roles to have different access to information depending on the scope of the information (e.g. a user may be able to access information up to Confidential in one scope and only Reserved information in other scopes).

Figure 8 - Multilevel security example

RightsWATCH allows the definition and implementation of information security policies to manage user rights to manipulate and access. It mitigates the risk of unauthorized actions upon information, intentional or otherwise.

Monitoring Capabilities

RightsWATCH-protected information is subject to logging of user actions. This allows the security auditor to know, for instance, which files or e-mails were produced by each user, and when and how these were accessed by others.

For every file or e-mail protected with RightsWATCH, the system generates a unique identifier. This unique identifier may be used to track the lifecycle of a specific document, obtaining every logged action upon that document. The unique identifier may also be used to manage a document blacklist: documents added to it are revoked of all future access. This is particularly useful for managing identified security breaches within the organization and containing undue information access. As information is permanently encrypted, its access depends on a server validation process. Since RightsWATCH is directly coupled with the ERM system, it is possible to control or deny access to individual documents.

Since RightsWATCH is an information security tool, the configuration of the system itself might represent a security breach. A RightsWATCH administrator is able to grant specific users rights to access information in the organization or revoke those rights. To prevent and monitor administration errors, all administration tasks are logged centrally for future audit.

Advanced Identity and Access Management

RightsWATCH is a product that prevents data loss by applying data-centric security techniques to information produced within an organization. As in most security products, the digital identity of the users of the system is represented by the user's login. The strength of any security system is directly related to the strength of the bond between the users and their digital identity. If an illegitimate user assumes the digital identity of a user, it gains access to all information that should be available only to that user. Identity theft is a major drawback of every security solution.

Current authentication mechanisms offer a reasonable layer of protection against intruders; however, password-based authentication, or even strong forms of authentication, are weak: after the authentication phase, no further proof of identity is required. These mechanisms allow for opportunistic attacks, especially from insiders (e.g. leaving your computer logged on while grabbing a coffee or going to lunch is an attack opportunity).

In order to prevent identity theft, we need a technique that passively and continuously monitors the user's interactions, searching for some proof of intrusion. Host-based Intrusion Detection Systems (HIDSs) satisfy most of these conditions; however, current HIDSs are focused on the system rather than the user. System-safe actions are considered legal, so it is still very easy to execute harmful actions and remain undetected.

RightsWATCH has extended the concept of IDS to the user authentication level. RightsWATCH contains a patented technology that monitors users' interactions with the computer through the identification of biometric features. Keystroke Dynamics is the behavioural biometric technique that best satisfies this goal. Keystroke dynamics consists in the analysis of users' typing patterns in order to identify a biometric feature in the typing activity:

- Typing patterns are continuously available after the authentication phase (providing continuous authentication);
- It is non-intrusive and transparent (the user's daily routine is not bothered);
- It is inexpensive, since it does not require any special equipment.

Current results of this technology assure 99.7% reliability.
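The multilevel model with scopes and per-level rights described above, together with the unique-identifier blacklist from the Monitoring Capabilities section, as an added example in Python. This is not RightsWATCH code; the level ordering, the policy layout, the user name and the document ids are constructed for illustration.

```python
# Added example, not RightsWATCH code: evaluator for the paper's multilevel model
# (credential per scope, rights per level) plus revocation blacklist and log.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Level names are the paper's example; their order, the policy layout and all
# sample data below are assumptions of this example. Lowest level first.
LEVELS = ["Internal", "Reserved", "Confidential", "Secret"]

@dataclass(frozen=True)
class Document:
    doc_id: str  # unique identifier assigned when the file was protected
    scope: str   # information scope, e.g. "Financial"
    level: str   # one of LEVELS

@dataclass
class RightsPolicy:
    # credentials[user][scope] = highest level the user may access in that scope
    credentials: Dict[str, Dict[str, str]]
    # rights[scope][level] = actions enabled once access at that level is granted
    rights: Dict[str, Dict[str, Set[str]]]
    blacklist: Set[str] = field(default_factory=set)
    audit: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)

    def decide(self, user: str, doc: Document, action: str) -> Tuple[bool, str]:
        """Evaluate one action; every decision is logged against the document id."""
        if doc.doc_id in self.blacklist:
            verdict = (False, "document revoked")
        else:
            cred = self.credentials.get(user, {}).get(doc.scope)
            granted = self.rights.get(doc.scope, {}).get(doc.level, set())
            if cred is None:
                verdict = (False, "no credential in scope")
            elif LEVELS.index(cred) < LEVELS.index(doc.level):
                verdict = (False, "credential below classification")
            elif action not in granted:
                verdict = (False, "right not granted at this level")
            else:
                verdict = (True, "allowed")
        self.audit.append((user, doc.doc_id, action) + verdict)
        return verdict

    def revoke(self, doc_id: str) -> None:
        """Blacklist a document id: all future access is denied, whoever asks."""
        self.blacklist.add(doc_id)

    def lifecycle(self, doc_id: str) -> List[Tuple[str, str, str, bool, str]]:
        """Every logged action on one document, found through its identifier."""
        return [entry for entry in self.audit if entry[1] == doc_id]

# Constructed policy for the paper's "Critical House": alice holds Confidential in
# Financial, only Reserved in Management; at Confidential print/copy are disabled.
POLICY = RightsPolicy(
    credentials={"alice": {"Financial": "Confidential", "Management": "Reserved"}},
    rights={"Financial": {"Reserved": {"read", "edit", "print"},
                          "Confidential": {"read", "edit"},
                          "Secret": {"read"}},
            "Management": {"Reserved": {"read"}}},
)
REPORT = Document("doc-0001", "Financial", "Confidential")  # constructed id
```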
Figure 9 - User Intrusion Detection system effectiveness

BUSINESS BENEFITS

The deployment of a RightsWATCH installation enhances information security awareness within your organization and effectively enforces the deployment of security policies, while providing the business with the means to audit security breaches, identify trends and possible violations. RightsWATCH usage provides the following main business benefits:

Information Data Loss Prevention - Applying security policies and rules across the organization allows for effective data loss prevention. DLP features allow the enforcement of security policies such as the automatic protection of all files sent by e-mail or transferred to external devices.

Enterprise Rights Management - Detailed rights over privileged information allow the definition of fine-grained effective rights over the information, which blocks attempts to misuse or leak internal information outside the organization. This covers features like printing, copying, exporting to different formats or forwarding the data to third parties.

Centralized Policies Management - All information security policy management is done centrally on a web-based console. It is possible to transpose information security policies and procedures directly to RightsWATCH, and to import roles and profiling data directly from your company user directory.

Widest Range of Applications - RightsWATCH supports a wide range of productivity applications and devices and is easily extendable. Transparently encrypted information is accessible and effectively protected in the Office applications most commonly used in your organization. Information is safe no matter where it is stored, whichever channels it travels through or where it is being accessed. Total protection: At-Rest, In-Motion and In-Use.

User Intrusion Detection System - Along with the RightsWATCH data protection features, the system includes a User Intrusion Detection System that assures a 99% reliability rate. This behavioural biometric method assures continuous authentication, is inexpensive (no special equipment needed) and non-intrusive, as it does not bother the user's regular behaviour.

Advanced Monitoring Capabilities - RightsWATCH gives the business a big picture of the utilization of information security. Drill-down features allow auditors to identify deviations from the company's information security policies by detecting behavioural trends and setting alarms and preventive measures.

Lifecycle of Protected Information - With the unique identifier of each RightsWATCH file and e-mail it is possible to trace all accesses to every protected item individually and analyse the lifecycle of the
Based on this feature it is also possible to revoke all access to a specific protected file/e-mail through the management of a blacklist.

Audit Trail for Administrators - Management of the RightsWATCH system may provide access to information for unauthorized users and change access policies and DLP rules. RightsWATCH includes an audit trail for all administrators' actions, thus preventing and monitoring possible administration errors.

SUMMARY

The common security tools in place are typically network and/or computer centric, protecting information from external attacks (hacking, viruses, trojans, etc.), but they fail to secure companies against information leakage. According to recent studies by IDC, information leakage is mainly accidental (>50%) and in the majority of known cases implies a direct cost higher than 100.000 US$.

The most promising techniques for controlling information leakage are ERM (Enterprise Rights Management) and DLP (Data Loss Prevention). ERM assures that data is protected independently of its state (at rest, in transit or in use) while enforcing detailed rights over the information (right to print, edit, copy data, export to other formats, reply, forward, etc.). DLP ensures that company policies for handling digital information are enforced for all users, defining rules on how information may be handled and stored (pen drives, e-mail, corporate servers, etc.). The drawbacks of ERM solutions (user dependency, lack of automatic classification and administration complexity) are precisely the strengths of DLP products.

RightsWATCH is a combined ERM and DLP solution, based on the Multilevel security concept, that effectively protects your organization against information leakage while maintaining control over corporate data and monitoring the actions that users perform over the information produced, providing total life-cycle traceability!

Visit us at http:// for further
Contact us for a live demo or try it for free on your organization!