Data Leakage Prevention: Best Practices

Transcript of Data Leakage Prevention: Best Practices -...

Page 1: Data Leakage Prevention: Best Practices - ISACAm.isaca.org/chapters8/Silicon-Valley/Members/Documents/Monthly... · Data Leakage Prevention and its objective ... Engineering Technology

Data Leakage Prevention: Best Practices


Data Leakage Prevention and its objective

Data Leakage Prevention Lifecycle

What Data needs to be protected

Potential Data Leakage Prevention points

Elements of DLP

DLP Strategy considerations

DLP Architectural considerations

DLP Implementation considerations

Recommendations

Data Leakage Prevention and its Objective

Organizations are becoming increasingly dynamic in how they conduct their business.

With that dynamism comes the challenge of managing the organization's and its customers' data, which may be managed on and off premises.

As the cyber threat landscape grows, data must be protected at all times from unauthorized use, modification and storage. Protecting data, especially sensitive data, is becoming more challenging given the sophistication of cyberattacks.

The objective of Data Leakage/Loss Prevention is to minimize data loss and business impact at all times due to a data breach event that could potentially become an incident.

Data Leakage Prevention Lifecycle

DLP Strategy: Data Mapping, Roadmap and Data Protection Policies

DLP Architecture and Implementation: DLP Placement, DLP Technical Policies

Security Incident and Event Management: DLP Monitoring, Data Breaches

What Data needs to be protected

Department - Data

Legal - Contracts.

Legal - Intellectual property (patent portfolio development and management materials, e.g., invention disclosures, unpublished patent applications, invention presentations, related communications, etc.).

Legal - Memos, communications, presentations and notes pertaining to litigation, pre-litigation, internal investigation, corporate governance, M & A information.

Legal - Internal legal presentations.

Marketing - Roadmap, business plans, forecasts, competitive data that gives an edge against competitors, M & A information.

Sales - Customer pricing, customer volumes, customer sales quotations.

IT - Network diagrams.

IT - Configuration files (networks, systems, application and database).

IT - Wireless access keys.

Finance - Pre-earnings release, financial statements, 10-Ks, 10-Qs, payroll and equity data.

Software - Source code, intellectual property, etc.

HR - Personally identifiable information (all employee data), recruiting lists, organization reporting structure.


Potential Data Leakage Points


Elements of DLP

Data Format: Printed
Description: Sensitive information used in hard documents and on whiteboards.
Example: Documents left unattended on shared printers.
Probability of Data Leakage: High

Data Format: Electronic Data
Description: All three forms of digital media mentioned below are vulnerable to potential data leakage.

Data Format: Data-in-Motion
Description: Refers to data that is moving through a network, including wireless transmission.
Example: Wired transmission, wireless transmission – email traffic, application traffic, and peer-to-peer sessions.
Probability of Data Leakage: High

Data Format: Data-at-Rest
Description: Refers to data that resides in databases, file systems, SharePoint, file share servers and other structured storage methods.
Example: Oracle/SQL databases, SharePoint and application data files.
Probability of Data Leakage: High (since the Customer sensitive data may reside on endpoints as well without encryption).

Data Format: Data-in-Use
Description: Endpoints of the network where data is being used.
Example: Laptops, hard drives, flash drives, other mobile and removable media.
Probability of Data Leakage: High

DLP Strategy Considerations

DLP Strategy - Data Mapping

[Data mapping table; cell contents not recovered. Columns: Department; Potential keywords in sensitive data to monitor for; Data Classification; Authorized internal/external (three columns). Department rows: Legal (four rows), Advanced Technology (two rows), Engineering Technology and Worldwide manufacturing, Marketing, Sales, IT (three rows), Finance, Software, HR.]


DLP Architectural Considerations

DLP Implementation Considerations – Data at Rest

Using Websense DLP as an example:

Discover where the sensitive data is. Sensitive data could be on your corporate file shares, servers, database servers, laptops, workstations and removable media.

Use the predefined policy templates available within Websense to discover where the sensitive data is (e.g., scan all systems on XYZ network for xyz confidential data).

Data discovery should be performed in two steps: a) creating a discovery policy b) scheduling discovery tasks.

Under “Discovery policies”, choose “Regulatory and Compliance policy” if you are unsure what kind of data breach should be considered a DLP event. Otherwise, proceed with the “Policy from scratch” option to define specifically the rules and conditions that will be treated as a potential data breach and trigger a DLP event.

There are two types of discovery tasks available: a) network discovery tasks b) endpoint discovery tasks. Based on where you want to search, choose either the “Add network task” or the “Add endpoint task” option.

View the discovery results under the “Reporting” > “Discovery” tab.

Choose one of the following remediation options for the discovery results: a) “CopyFiles” (copies files that are in breach of corporate policy to another directory) b) “MoveFiles” (moves files that are in breach of corporate policy to another directory for quarantine). You may also write your own remediation script.
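The discover-then-quarantine flow described above, as an added example that is not part of the original slides and does not use Websense's discovery engine or script interface. The classifier patterns, function names, directory names and manifest format are all assumptions made for illustration.

```python
import hashlib
import json
import re
import shutil
from pathlib import Path

# Constructed classifiers standing in for the conditions of a discovery policy.
CLASSIFIERS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential_marking": re.compile(rb"xyz confidential", re.IGNORECASE),
}


def discover(root: Path, exclude: Path) -> list:
    """Return one finding per regular file under root that matches a classifier."""
    findings = []
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped so a link cannot steer the scan (or the later
        # move) outside the share; files already quarantined are skipped too.
        if path.is_symlink() or not path.is_file() or exclude in path.parents:
            continue
        data = path.read_bytes()  # fine for a demo; stream large files in production
        hits = sorted(name for name, rx in CLASSIFIERS.items() if rx.search(data))
        if hits:
            findings.append({"path": path, "classifiers": hits,
                             "sha256": hashlib.sha256(data).hexdigest()})
    return findings


def quarantine(root: Path, quarantine_dir: Path) -> list:
    """Move breaching files into quarantine_dir and append them to a manifest."""
    root, quarantine_dir = root.resolve(), quarantine_dir.resolve()
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for finding in discover(root, quarantine_dir):
        rel = finding["path"].relative_to(root)
        dest = quarantine_dir / rel  # keep the original layout for the reviewer
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(finding["path"]), str(dest))
        moved.append({"original": rel.as_posix(),
                      "classifiers": finding["classifiers"],
                      "sha256": finding["sha256"]})
    # Append rather than overwrite, so earlier runs stay on record.
    log = quarantine_dir / "manifest.json"
    previous = json.loads(log.read_text()) if log.exists() else []
    log.write_text(json.dumps(previous + moved, indent=2))
    return moved


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        (share / "hr").mkdir(parents=True)
        # Constructed sample files.
        (share / "hr" / "payroll.txt").write_text("Employee SSN 123-45-6789\n")
        (share / "readme.txt").write_text("Lunch menu\n")
        for entry in quarantine(share, share / "_quarantine"):
            print(entry["original"], entry["classifiers"])
```

The manifest records the hash and matched classifiers of every moved file, which gives the reviewer evidence of what was quarantined and why.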

DLP Implementation Considerations – Data in Motion

Using Websense DLP as an example:

Create a custom policy to govern data in motion across the network or on endpoint machines, starting with a policy that applies to all sources and destinations of data with a permissive action. Later, you can permit or block certain sources and destinations and apply more restrictive actions.

The policy should contain rules. The rules should have conditions and classifiers that govern who should send/receive certain data (e.g., if “SSN” and “income” are matched, the data should go to the HR department).

Every condition within a rule should have a condition severity (Low, Medium, High) assigned to it. Choose the action plan based on the condition severity; this is the best practice. The most common action plan is “Audit and notify manager”. The “Block all” option can be used for repeat violators of the policy.

Events will be generated based on the rules, conditions, classifiers, condition severity and action plan chosen.
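A small model of the rule, condition, severity and action-plan chain described above, as an added example that is not part of the original slides and is not Websense configuration. The classifier patterns, the "Customer pricing" rule, the severity-to-action mapping, the plain "Audit" action and the repeat-violator threshold are assumptions; only “Audit and notify manager” and “Block all” are named on the slide.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed classifiers; a DLP product ships its own content classifiers.
CLASSIFIERS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "income": re.compile(r"\bincome\b", re.IGNORECASE),
    "pricing": re.compile(r"\bcustomer pricing\b", re.IGNORECASE),
}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
# Assumed mapping from condition severity to action plan.
ACTION_PLAN = {"Low": "Audit", "Medium": "Audit and notify manager",
               "High": "Audit and notify manager"}
REPEAT_THRESHOLD = 3  # assumed: a sender's third violation escalates to "Block all"


@dataclass(frozen=True)
class Rule:
    name: str
    classifiers: tuple        # every classifier must match for the condition to fire
    severity: str             # condition severity: Low, Medium or High
    authorized: frozenset     # destinations allowed to receive this data


class Policy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.violations = Counter()   # per-sender violation count

    def evaluate(self, sender, destination, content):
        """Return a DLP event for an unauthorized transfer, else None."""
        fired = [r for r in self.rules
                 if destination not in r.authorized
                 and all(CLASSIFIERS[c].search(content) for c in r.classifiers)]
        if not fired:
            return None
        worst = max(fired, key=lambda r: SEVERITY_RANK[r.severity])
        self.violations[sender] += 1
        repeat = self.violations[sender] >= REPEAT_THRESHOLD
        return {"sender": sender, "destination": destination,
                "rule": worst.name, "severity": worst.severity,
                "action": "Block all" if repeat else ACTION_PLAN[worst.severity]}


def build_policy():
    return Policy([
        Rule("SSN with income", ("SSN", "income"), "High", frozenset({"HR"})),
        Rule("Customer pricing", ("pricing",), "Medium", frozenset({"Sales"})),
    ])


if __name__ == "__main__":
    policy = build_policy()
    # Constructed messages: (sender, destination, content).
    traffic = [
        ("alice", "HR", "SSN 123-45-6789, annual income 90000"),
        ("bob", "external", "SSN 123-45-6789, annual income 90000"),
        ("bob", "external", "Q3 customer pricing attached"),
        ("bob", "external", "income statement for SSN 123-45-6789"),
    ]
    for msg in traffic:
        print(msg[:2], policy.evaluate(*msg))
```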


Recommendations

Data Format: Printed

Controls to Prevent Data Breach:

i) Emphasis on data protection should run throughout the employment/contract lifecycle as part of the employment/contract agreement and the Information Security Policy. Since business may be conducted in multiple countries, data protection responsibilities must be in line with local, state and federal laws.

ii) Do not leave sensitive data unattended on desks, printers, fax machines, copiers and other common access areas. Lock it in a secure file cabinet when unattended.

iii) Do not leave sensitive data visible to the public in the car and other public places.

iv) Shred sensitive paper records using Customer authorized shredding bins.

v) Do not send paper mail that displays an individual's Personally Identifiable Information (PII) such as Driver's License ID, Social Security Number, etc.

Recommendations - Continued

Data Format: Digital Media (Data-in-Motion)

Administrative Controls:

i) Sensitive data should be sent and received from authorized personnel in line with the Information Security Policy. Such data flow (including data sent within the organization or external to the organization) should be authorized and approved by authorized stakeholders.

Physical Controls:

i) Laptops that process sensitive data should be locked with a physical cable lock when unattended.

ii) Infrastructure assets that process sensitive data, such as networks, systems, applications and databases, should be segregated, and physical access should be managed by controlling and restricting access to authorized personnel only.

Recommendations - Continued

Data Format: Digital Media (Data-in-Motion)

Technical Controls:

i) Sensitive data in motion sent outside the organization premises should be encrypted using one of the FIPS 140-2 approved encryption algorithms for the following:

a) Site-to-site VPN with business partners/third parties.

b) Sensitive data in emails, using Opportunistic TLS, that are sent outside of the Customer network.

ii) Assets that send/receive Customer sensitive data should have critical patches and fixes installed and up to date (i.e., a formal patch management process).

Recommendations - Continued

Data Format: Digital Media (Data-at-Rest)

Administrative Controls:

i) Sensitive data should be stored only in authorized locations as approved by stakeholders based on a valid business reason in line with the Information Security Policy.

Physical Controls:

i) Physical access to assets that store sensitive data should be controlled and restricted to authorized personnel only.

Technical Controls:

i) Sensitive data at rest in authorized locations, such as database servers within the Customer network or external to the organization network, should be encrypted.

ii) Sensitive data in backup and storage should be encrypted.

iii) Endpoints that are authorized to store sensitive data should be encrypted. (This will be very useful in scenarios where McAfee DLP can’t support non-Windows endpoints such as MacBooks, etc.)

Recommendations - Continued

Data Format: Digital Media (Data-in-Use)

Administrative Controls:

i) Sensitive data should be accessed and used by authorized personnel in line with the Information Security Policy.

Physical Controls:

i) Laptops that access sensitive data should be locked with a physical cable lock.

ii) Infrastructure assets that are used to access sensitive data, such as networks, systems, applications and databases, should be segregated, and physical access should be controlled and restricted to authorized personnel only.

Recommendations - Continued

Data Format: Digital Media (Portable/Removable Media)

Administrative Controls:

i) Portable/removable media should be used by authorized personnel based on approval from stakeholders in line with the Information Security Policy.

Physical Controls:

i) Portable/removable media should be secured in a file cabinet when not in use or unattended.


Appendix A


Recommendations – Data Protection Considerations before traveling to High risk countries

Since encryption products can be used for illegal purposes, the countries that you may visit may ban or severely regulate the import, export and use of encryption products. Taking your encrypted laptop without proper authorization could violate U.S. export laws or the import regulations of the country to which you are traveling.

One provision of the “Wassenaar Arrangement” allows a traveler to freely enter a participating country with an encrypted device under a “personal use exemption”, as long as the traveler does not create, sell, enhance, share or otherwise distribute the encryption technology while visiting.

The countries that support the personal use exemption include: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.


Data Protection Considerations - Export and Import Controls

Export Controls:

The encryption functionality within McAfee’s Data Protection Suite has been granted an “ENC/Unrestricted” license exception by the U.S. Department of Commerce. If you must travel to one of the five embargoed countries listed below with encrypted laptops, Customer must obtain the appropriate export license; the process can take, on average, ninety days for review, which is managed by the Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within the Department of the Treasury.

a) Cuba b) Iran c) North Korea d) Sudan e) Syria

Import Controls:

The following countries do not recognize a “personal use exemption” (i.e., before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license):

Belarus - a license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.

Burma (Myanmar) - a license is required, but licensing regime documentation is unavailable. Contact the US State Department for further information.

Export Controls and Import Controls - Continued

Import Controls:

China - a permit issued by the Beijing Office of State Encryption Administrative Bureau is required. You can either apply for the permit on your own. The laws in China vary from province to province, where the customs officers or border guards apply their own interpretation of what encryption means. It is advised that your travel laptop is not encrypted.

Hungary - an International Import Certificate is required. Contact the US State Department for further information.

Iran - a license issued by Iran's Supreme Council for Cultural Revolution is required.

Israel - a license from the Director-General of the Ministry of Defense is required. For information regarding applicable laws, policies and forms, please visit the following website.

Kazakhstan - a license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.

Moldova - a license issued by Moldova's Ministry of National Security is required.

Export Controls and Import Controls - Continued

Import Controls:

Morocco - a license is required, but licensing regime documentation is unavailable. Contact the US State Department for further information.

Russia - licenses issued by both the Federal Security Service (Federal'naya Sluzhba Bezopasnosti – "FSB") and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.

Saudi Arabia - it has been reported that the use of encryption is generally banned, but research has provided inconsistent information. Contact the US State Department for further information.

Tunisia - a license issued by Tunisia's National Agency for Electronic Certification (ANCE) is required.

Ukraine - a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.

Recommendations – Before traveling to High risk Countries

In countries like China, data protection is a different ball game. Some of the recommendations may not be implemented or may have to be removed. Below are some of the considerations to protect Customer sensitive data before traveling to high risk countries:

No. 1
Action item: Preparing your laptop/mobile device
Recommendations:
i) Install updates for your operating system and other software to plug known security holes, and make sure your security software is up to date.
ii) Turn off your device’s Bluetooth function.
iii) Lock your device with a PIN or password, and use whole disk encryption to protect stored data (if you can’t obtain a license to carry encrypted laptops to countries that don’t allow the personal use exemption, don’t encrypt the laptops).
iv) Install and configure a personal firewall and anti-malware.

Recommendations – Before travelling to High risk Countries - Continued

No. 2
Action item: Stripping unneeded data from your laptop/mobile device before travel
Recommendations:
i) Customer should consider using only travel-only devices with minimal or no sensitive data stored on them.

Recommendations – While in High risk Countries

No. 1
Action item: Using Corporate VPN to connect to the Internet.
Recommendations:
i) Use the Corporate VPN to connect to the Internet, which creates an encrypted tunnel for internet traffic so it can’t be read or tampered with by interlopers.

No. 2
Action item: Do not download any sensitive data while connected to corporate VPN.
Recommendations:
i) While connected to the corporate VPN, users should not download any Customer sensitive data onto their laptops/mobile devices.

No. 3
Action item: Keep your laptop/mobile device secured at all times.
Recommendations:
i) Laptops/mobile devices should be locked with a lock screen while unattended.
ii) Laptops should be physically secured with a cable lock.
iii) Mobile devices should be secured in a file cabinet while unattended.

Recommendations – Returning from High risk Countries

No. 1
Action item: Securely wipe laptops/mobile devices after returning from High Risk Countries.
Recommendations:
i) Treat all devices returning from high risk countries as compromised. Wipe and reformat laptops/mobile devices before using them at home or work, or securely dispose of them using Customer approved secure disposal guidelines.

Contact

Lokesh Yamasani
Manager, IT Compliance and Advisory – SOAProjects Inc
Cell: 408-636-8268


Q & A