FEATURE
The right approach to data loss prevention
Walter Rogowski, Fordway Solutions
Computer Fraud & Security, August 2013

An article in a leading IT magazine claimed that a document can be replicated an average of 30-40 times, with copies stored each time as it is sent around. This significantly increases the opportunity for loss of financial or customer records or proprietary data, which could have serious financial or operational implications, adversely impact a company’s reputation and, at worst, lead to litigation. The risk has been exacerbated by the growth of mobile working and the Bring Your Own Device (BYOD) phenomenon. Enabling mobile working has been much easier than understanding and managing the associated security implications. In many instances we find that people, as part of an increasingly technically aware user population, are simply configuring their own remote and email access. This also introduces issues where users bring their own devices into the office and then connect them to the corporate network, using either wired or wireless connections.
The risk is not just loss of competitive advantage. Commercial espionage is not merely idle speculation by IT companies keen to sell the latest security products. In its latest report, the UK parliamentary Intelligence and Security Committee says that the threat to British interests from espionage, “remains high and the commercial sector, as well as government, defence and security interests, are at risk from traditional espionage and through cyberspace … Several major countries are actively targeting UK information and material to enhance their own military, technological, political and economic programmes.”
Thus companies need to find a way to manage the distribution of sensitive data. Data Loss Prevention (DLP) is the ability to maintain a network-wide inventory of data and have visibility of data movement both over the network and on mobile devices and removable media. DLP needs to be implemented at a strategic level – simply adding DLP tools to a network is not enough. To solve this challenge effectively and intelligently, we need to base the solution on the context in which data is accessed. This is the only way we can match every possible user scenario with secure access while providing data security.
The scale of the challenge

Consider a staff member using his or her own iPad to check corporate email and then downloading an email attachment as a PDF for later reading. This presents several challenges:

• How did the user connect the iPad to the corporate network – via the Internet or the internal LAN?
• How does the organisation ensure that only trusted iPads can connect to its network?
• Were the user or the iPad ever authenticated and was this authentication logged for audit purposes?
• How does the organisation control what devices corporate email can be used on – for example, using Microsoft Exchange ActiveSync?
• Was the email attachment a corporate document? If so, is it subject to a data classification scheme where DLP is enforced?
• If it was a classified document (for example, marked Internal Use Only) how can the organisation provide iPad users with secure copies that cannot be distributed or copied?
• What happens if the iPad is stolen or lost? What options does the organisation have with respect to remote wipe or recovery? What about device encryption?

The list of considerations will differ for each organisation, depending on corporate policy, but it is always essential to ensure that the policy is made first before looking for technical solutions. Having set the policy, an appropriate technical solution needs to be designed and implemented. This should take a holistic view, based on the assumption that there is no border for your trusted network.
Developing a DLP policy

The entire organisation must commit to the DLP policy – it cannot be left to the IT department. Too often we see that the implementation and management of DLP (and information security in general) is being left to the IT department. At a minimum these are the steps required to complete a successful DLP implementation:

• Get commitment and project support from the executive team for DLP.
• Appoint a board-level or executive sponsor for DLP in the organisation.
• Identify the data that needs to be protected.
• Classify the data according to business information levels.
• Appoint data owners – for example from engineering, finance, compliance and HR teams.
• Set a clear policy for data handling and communicate that to the business.
• Implement DLP controls and make these available to the data owners.
• Use DLP reporting tools to identify policy violations.
• Act on DLP policy violations, either by adjusting DLP controls, HR involvement or both.
Principles of a DLP solution

DLP requirements broadly fall into two categories, one for data in motion and the other for data at rest. Data in motion or, as it is often referred to, network DLP, deals with data transferred over the corporate network. This may include data going out to the Internet or other private networks – for example using applications such as webmail, FTP file transfer or online storage. Data at rest deals with data hosted on servers or storage platforms. This includes data on file shares, database servers or content management systems. A comprehensive DLP solution will secure both types of data but can also be very complex to implement and enforce. When designing a DLP solution it is important to understand how it is going to integrate with other network and security components already deployed.
Network DLP

At the Internet border, the DLP solution would ideally integrate with any firewall and content inspection solutions already deployed. This offers several benefits in that the current investments in these solutions are maximised and the DLP solution integrates seamlessly with the existing network security infrastructure, thereby reducing complexity and minimising any disruption to services during the implementation. A typical network DLP deployment would integrate like this:

• The Internet firewall would forward permitted outbound traffic to the content inspection solution.
• The content inspection solution would then submit any traffic containing matching data to the DLP solution for inspection.
• The DLP solution would then instruct the firewall or content inspection solution to block or permit the traffic.
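The three-stage hand-off described above, written out as a small simulation. This is an added example and not code from the article or from any DLP product: the firewall drops applications it does not permit at all, content inspection is a cheap pre-filter that only hands traffic carrying a classification marker to the DLP engine, and the DLP engine returns the verdict to the enforcement point while every stage appends to an audit trail. The classification markers, the owner-defined policy table, the host names and the sample flows are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Owner-defined policy (an assumption for this example): which external hosts
# may receive documents carrying each classification marker. A classified
# document going anywhere else is blocked.
POLICY = {
    "Internal Use Only": set(),
    "Partner Confidential": {"parts.example-supplier.com"},
}
MARKER_RE = re.compile(r"Classification:\s*(Internal Use Only|Partner Confidential)")


@dataclass
class Flow:
    """One outbound flow as seen at the Internet border."""
    src: str
    dst_host: str
    app: str                      # application protocol, e.g. "smtp"
    payload: str                  # decoded content the inspector can read
    verdict: str = "pending"
    audit: list = field(default_factory=list)


def firewall(flow, permitted_apps=("smtp", "https", "ftp")):
    """Stage 1: the firewall drops applications it does not permit at all and
    forwards everything else to content inspection."""
    if flow.app not in permitted_apps:
        flow.verdict = "blocked-by-firewall"
        flow.audit.append(f"firewall: {flow.app} not permitted")
        return False
    flow.audit.append("firewall: forwarded to content inspection")
    return True


def content_inspection(flow):
    """Stage 2: a cheap pre-filter. Only traffic carrying a classification
    marker is submitted to the DLP engine; unmarked traffic is permitted."""
    if MARKER_RE.search(flow.payload) is None:
        flow.verdict = "permitted"
        flow.audit.append("inspection: no classified content, permitted")
        return False
    flow.audit.append("inspection: classified content, submitted to DLP")
    return True


def dlp_engine(flow):
    """Stage 3: the policy decision, returned to the enforcement point."""
    label = MARKER_RE.search(flow.payload).group(1)
    if flow.dst_host in POLICY[label]:
        flow.verdict = "permitted"
        flow.audit.append(f"dlp: '{label}' to approved host {flow.dst_host}")
    else:
        flow.verdict = "blocked-by-dlp"
        flow.audit.append(f"dlp: '{label}' to {flow.dst_host} violates policy")
    return True


def process(flow):
    """Run the three stages in order; a stage returns False once it has
    decided the verdict itself, which stops the chain."""
    for stage in (firewall, content_inspection, dlp_engine):
        if not stage(flow):
            break
    return flow.verdict


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "webmail.example.net", "https",
         "Q3 forecast attached. Classification: Internal Use Only"),
    Flow("10.0.0.7", "parts.example-supplier.com", "smtp",
         "Drawing pack v3. Classification: Partner Confidential"),
    Flow("10.0.0.7", "mail.example-rival.com", "smtp",
         "Drawing pack v3. Classification: Partner Confidential"),
    Flow("10.0.0.9", "news.example.org", "https", "GET /headlines"),
    Flow("10.0.0.9", "tracker.example.org", "bittorrent",
         "Classification: Internal Use Only"),
]


def run_samples():
    """Return {destination host: verdict} for the sample flows."""
    return {f.dst_host: process(f) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(process(f), "|", " -> ".join(f.audit))
```

The audit list on each flow is what answers the earlier question of whether a decision was logged: every stage records why it forwarded, permitted or blocked, so a violation report can show the full path a flow took rather than only the final verdict.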
There are integrated solutions available that provide all the firewall, content inspection and DLP functionality in one box. However, these solutions usually offer nowhere near the flexibility and granular configuration options available with dedicated solutions, and tend to have a very limited feature set.
DLP for data at rest

The DLP solution needs to be able to discover data stored on the network. This is usually done by configuring the DLP solution to index data stored on various file servers, databases and content management systems. At this point it is important to know where all the data is. If data is not stored in a centralised way then one would need to consolidate all the data to be protected so that it can first easily be indexed and then monitored afterwards. Typically the problems many organisations encounter occur where users are allowed to store data on their own machines. Data owners should be given responsibility for ensuring that data is consolidated in a central network location as DLP works best when data is organised and structured.
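A discovery pass of the kind described above, as an added example that is not code from the article or from any DLP product. It walks a directory tree, indexes every file by a hash of its content, and then reports two things the paragraph cares about: classified documents that exist as several replicated copies, and classified copies sitting outside the central share (the "users' own machines" problem). The classification marker, the central share prefix and the sample files are constructed for the example; the tree is built in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample data (not from the article): one Internal Use Only
# spreadsheet exists three times, twice in the central share and once on a
# user's own machine, alongside unclassified files.
FORECAST = b"Classification: Internal Use Only\nQ3 forecast, revenue by region\n"
SAMPLE_FILES = {
    "central/finance/forecast-2013.xlsx": FORECAST,
    "central/finance/old/forecast-2013 (copy).xlsx": FORECAST,
    "users/jsmith/Desktop/forecast.xlsx": FORECAST,
    "users/jsmith/Desktop/todo.txt": b"buy milk\n",
    "central/engineering/README.txt": b"Build instructions\n",
}


def write_sample_tree(root: Path) -> None:
    """Lay the constructed files out under root."""
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def is_classified(data: bytes) -> bool:
    """Assumed classification scheme: a marker line inside the document."""
    return b"Classification:" in data


def index_tree(root: Path) -> dict:
    """Discovery pass: walk every location and record, per content hash,
    where each copy lives and whether the content is classified."""
    index = defaultdict(lambda: {"classified": False, "paths": []})
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            data = path.read_bytes()
            entry = index[hashlib.sha256(data).hexdigest()]
            entry["classified"] = is_classified(data)
            entry["paths"].append(path.relative_to(root).as_posix())
    return dict(index)


def find_issues(index: dict, central_prefix: str = "central/") -> dict:
    """Report replicated classified documents and classified copies that
    live outside the central location, where network DLP cannot see them."""
    replicated = {h: sorted(e["paths"]) for h, e in index.items()
                  if e["classified"] and len(e["paths"]) > 1}
    stray = sorted(p for e in index.values() if e["classified"]
                   for p in e["paths"] if not p.startswith(central_prefix))
    return {"replicated": replicated, "stray": stray}


def demo() -> dict:
    """Build the sample tree in a temporary directory, index it and return
    the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return find_issues(index_tree(root))


if __name__ == "__main__":
    result = demo()
    for digest, paths in result["replicated"].items():
        print(f"{len(paths)} copies of {digest[:12]}: {paths}")
    print("classified copies outside the central share:", result["stray"])
```

Hashing content rather than comparing names is what makes the replication count honest: the three copies above have three different file names, and a name-based inventory would report them as three distinct documents. The stray list is the input a data owner needs in order to consolidate data before monitoring starts.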
Many DLP solutions will not protect data that is first copied from a network location to a mobile device or laptop; once that device is taken out of the office, the data can be copied off the machine without being subject to any network DLP controls. Securing this data usually works best with a DLP client that enforces and reports on DLP violations even when a machine is outside the corporate network. This DLP client would be deployed on each PC, and the client policy and reporting would then be centrally managed. One of the key controls used to protect data on laptops or PCs is to disable the use of USB or other mobile storage devices. This usually proves to be an unpopular decision, and for this reason user education and awareness training should form an important part of implementing this control.
Managing DLP

DLP management should not be the responsibility of the IT department. Once they have implemented the technical DLP controls used to enforce DLP policy, the various data owners should be responsible for managing and keeping their data safe. Data owners can use DLP tools to define granular and specific policy and reporting requirements.
For example, the engineering department will share data very differently from the way finance or another department would do it. Engineering will often share specific data with component manufacturers or subcontractors, while finance may share data with investors, auditors or external accountants. The requirements of each department will be unique – and often dynamic as well in that data may only need to be shared once and perhaps at very short notice, requiring a flexible solution. This makes it important that a DLP solution can be used by data owners, otherwise users will either push this back to the IT department or attempt to circumvent the DLP controls.
DLP in practice

Let’s look at an example of how one company is tackling the DLP and BYOD security challenge. The organisation concerned carries out R&D in a niche area of technology. Arguably a world leader in its field, it is going to market with its own products and also licenses its technology to other organisations. The company has sites on several continents, and its staff primarily consists of engineers and software developers – in other words, a very technically savvy user population.
Employees use a mix of Windows, Macs, iPads, iPhones and other smartphones. The user population is very mobile and needs secure, reliable access to corporate resources and data at all times from any location using any device, whether their own or company issued. They may be working on a public network or using the Internet. The company has to allow users to bring their own devices but both the device and the data on it need to be under corporate control. It has to control remote and local access to the corporate network and what data is allowed to leave the corporate network. This means enforcing DLP policy and observing data classification strategy in all applications on all devices, including email, webmail, online storage and so on.
Acceptable use

The organisation began by setting an acceptable use policy covering remote working, BYOD and DLP and communicating it to all users. It was vital to ensure there was no ambiguity, so that all users were clear what was and was not allowed. The policy is mandatory and is rigorously enforced. A solution was developed meeting all the user and corporate requirements.
This has several components and functionality is provided by a combination of products from several vendors, as there is no single product that will provide everything the organisation needs. In developing the solution, it was necessary to address a range of challenges, including using Macs in a Windows environment. The key components of the solution include:

• A Mobile Device Management (MDM) solution that integrates with the company’s Microsoft Active Directory and Exchange email solution. This solution solves the requirement for BYOD and DLP for data on all mobile devices.
• A DLP solution that includes network and data at rest protection.
• Network access control, which prevents unauthorised devices from connecting to the network, including visitors and contractors. It also checks that company devices are meeting minimum requirements before allowing a connection – for example, that the corporate antivirus solution is installed and updated.
• A secure remote access and web security solution to complement the anti-virus solution.
• Technical controls – e.g., firewalls and an encrypted client on each machine.
About the author

Walter Rogowski is a network consultant and project manager at Fordway Solutions, with a specific focus on security. In his 12 years at Fordway he has designed and implemented secure data communications, firewalls and intrusion detection systems and worked on security penetration testing for a wide range of organisations in the public and private sectors. Prior to joining Fordway, Rogowski worked in the City of London providing and supporting secure LAN and WAN installations and access solutions. He has a degree from the University of South Africa.