Pages

Friday, June 5, 2015

Data Loss / Leak Prevention


Strictly speaking data  “Loss” can be due to machine failure, power failure, data corruption, data / media  theft etc and the means of protection is backups, disaster recovery strategies and redundancies.

Though “L”  is used to represent either  “Loss” or “Leak” in the acronym DLP, it is actually more about “LEAK”  as it is understood in the industry. Which actually  means sensitive data crossing over to unauthorized area from a authorized area due to various leak vectors.

DLP is actually more of a concept or strategy with functional sub components (e.g  email scanning, encryption of data at rest and so on). These components are used to enforce the strategy outlined by policy statements. Such policies can be
  • Acceptable use policy( AUP),  
  • Data sharing on detachable/portable media  policy, 
  • Data classification policy,  etc
DLP is actually part of IRM (Information Risk Management). Data sanitation, using test data and  Data masking is also part of DLP strategy.

However, we have DLP tools which claim to handle all functionalities of DLP strategy and therefore some technologists believe that by just deploying such tools  DLP is implemented.  This is grossly wrong.  DLP is more about strategy, awareness,  training  plus the technology. Data leak more often than not happens due to poor employee discipline or awarness.

DLP addresses three areas
  • ·         Data at rest ,    e.g data in databases, data on a drive of a laptop / usb storage
  • ·         Data in transit,   e.g  emails or web forum postings, upload to cloud, data on network
  • ·         Data in use, e.g  file copy or print operations
Output actions of a DLP tool:
  • Quarantine, 
  • encrypt, 
  • block, 
  • notify

DLP Tool is deployed at end points,  email gateways, network gateways for url filtering.
Sub functions or processes of DLP  tool are:
  • Monitor, 
  • Detect and 
  • Prevent
DLP tools are good at monitoring structured data as in  PII(Personally Identifiable Information) and as in PCI(Payment card industry)  but they are difficult to use for unstructured data.

For data at rest Data discovery or discovery scanning is used. Pattern matching or string comparison is used for structured data. hashing is generally used for unstructured data.

Before a DLP tool is deployed one should clearly define  and identify the sensitive data which need protection and also all possible  internal and external threats

A Checklist
  1. Policies and user awareness campaigns.
  2. Encryption for data at rest and in transit.
  3. File shares mapped  with access rights.
  4. Consolidation of inventories.
  5. Control of  external HDD and usb storages devices (mobile and portable storage devices)
  6. Disabling of all usb ports for usb storage devices.  
  7. Disabling of all unwanted  inbuilt DVD readers/writers.
  8. Air gap maintenance  disconnected networks.
  9. Secure  file delete policies and procedures.
  10. Access controls on laptops and full disk encryption.
  11. Use of  VLANS
  12. Consolidation of file servers 
  13. Strict data classification policies.
  14. Data retention policies. Destruction of old and unwanted data files.
  15. Deploying RMS/DRM/IRM  solution
  16. PKI based email  
  17. Effective Identity provisioning and management.
  18. Content and Gateway screening