Monday, June 27, 2011

Fully-Functional Data Loss Prevention

Since Data Loss Prevention (DLP) became a known technology in the computer security arena a few years ago, a number of vendors of existing non-DLP security products have added basic DLP-like features that detect some common kinds of private or confidential information.  However, a complete DLP implementation involves more than regular expressions that match patterns in text, such as the body of an email message.

Certainly, email is a significant vector by which data loss occurs.  More generally, the DLP industry terms data traversing the network Data in Motion.  However, email is only one of many protocols to consider: web-based email services such as Google Mail and social media services such as Facebook are also data loss vectors.  A complete DLP implementation should therefore be able to inspect a number of common network protocols to manage Data in Motion.

DLP also manages data in two other important situations, Data in Use and Data at Rest.  Data in Use DLP manages data being used on a workstation, for example by monitoring data being copied to a USB flash drive.  Data at Rest DLP inventories and manages the private and confidential data stored on workstation and server hard drives.

The ways in which most DLP systems discover protected information extend far beyond basic regular expressions.  Common approaches include pre-packaged sets of terms, database fingerprints, file fingerprints, special code to match data like credit card numbers (validating the check digit rather than just the digit pattern, so that order numbers and phone numbers do not trigger alerts), and more.  I previously wrote an article on Classes of Protected Information and DLP that goes into much more detail on this topic.
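As an added illustration of two of those approaches (this is example code written for this page, not code from the original post or from any DLP product), the Python below pairs a regex candidate match with the Luhn check-digit test for card numbers, and builds an exact-data-match fingerprint from keyed hashes of values exported from a database so the sensor never holds the raw values.  The sample email text, the account number format and the hashing key are all constructed for the example.

```python
import hashlib
import re

# Candidate pattern: 13-19 digits, optionally separated by single spaces or
# dashes. A regex alone over-matches (order numbers, long phone numbers);
# the Luhn check below discards candidates with a bad check digit.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message: the first number is a plausible-looking order
# number that fails Luhn; the second is a well-known Luhn-valid test PAN.
SAMPLE_EMAIL = (
    "Hi, please process order 1234 5678 9012 3456 today.\n"
    "Card on file: 4111 1111 1111 1111, account ACCT-778812.\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers AND pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def _keyed_hash(value: str, key: bytes) -> str:
    return hashlib.blake2b(value.encode("utf-8"), key=key, digest_size=16).hexdigest()


def fingerprint_values(values, key: bytes) -> set:
    """Build an exact-data-match fingerprint set from a column of sensitive
    values (e.g. account numbers). Only keyed hashes leave the database."""
    return {_keyed_hash(v, key) for v in values}


def find_fingerprinted(text: str, fingerprints: set, key: bytes) -> list:
    """Return tokens in text whose keyed hash is in the fingerprint set."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9-]{6,}", text):
        if _keyed_hash(token, key) in fingerprints:
            hits.append(token)
    return hits


if __name__ == "__main__":
    key = b"demo-fingerprint-key"          # constructed; keep secret in practice
    fp = fingerprint_values(["ACCT-778812", "ACCT-000001"], key)
    print("card numbers:", find_card_numbers(SAMPLE_EMAIL))
    print("fingerprint hits:", find_fingerprinted(SAMPLE_EMAIL, fp, key))
```

Running the script reports one card number (the Luhn-valid one) and one fingerprinted account number; the order number in the first line matches the regex but is dropped by the check-digit test.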

In addition to managing protected data in the scenarios of Data in Motion, Use, and Rest, and using multiple approaches to finding protected data, DLP systems also offer sophisticated configuration, reporting, alerting, and case management services.  There may be situations where certain groups of users are allowed to work with certain kinds of confidential information while others are not -- a DLP system might be configured to monitor such information use for the privileged users and block use by other users.  The depth of reporting and alerting capabilities offered by a DLP system can make a DLP installation more useful by providing information ranging from summaries to detailed violation information as needed for management and compliance reports.  Finally, DLP case management tools can enable rolling up multiple incidents into a consolidated case that can be managed as necessary to resolution.

In summary, a DLP system is a significant addition to an organization's data security arsenal.

Tuesday, June 7, 2011

It's 10:00pm - Do You Know Where Your Data Is?

Data can be stored in so many places and be so vulnerable to loss or exposure.  The obvious risk and probability of loss for protected data stored on devices like laptops often motivates security staff to make improvements in this area.  Many people have an "a-ha moment" when they see how Data Loss Prevention (DLP) discovery agents can find and report confidential or protected data stored in unexpected places.

It's good practice to inventory where and how confidential / protected data is stored, create policy that defines where and how such data should be stored, then move towards the goal defined by the policy and monitor progress.   (Helpful side benefits of this process include improving your backup and archive coverage of protected data, reducing duplication of data, and assisting your business continuity planning.)

The initial inventory of protected data can be overwhelming -- data can be dispersed over all the personal workstations and laptops in the entire company and in the oddest nooks and crannies of servers.  But it's good to know where your organization stands with regard to protected data, and what your biggest points of risk might be.  If you found confidential financial data being stored on laptops that don't have disk encryption, maybe that's your prime starting point.  If you found multiple copies of confidential data stored on a server, maybe it's just a matter of consolidating the data and keeping employees better informed about what location to use on the server for that data.

When it comes to writing your protected data storage policies, keep flexibility in mind.  Mobility is a big factor in employee computing use cases today, so if important data on laptops is common, then a disk encryption solution for laptops may be a better answer than disrupting employees' work by requiring them not to keep data on laptops.

When your protected data storage policy is defined, then it's time to move toward it.  Education will be important so employees understand why and how this process is happening.  Some time and effort will be required to implement the changes, and perhaps some new software will be required for encryption.

As progress is made, DLP discovery software can be used to measure and monitor the progress, and watch for significant deviations from the policy that need to be addressed.
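An added example (written for this page, not code from the original post) of what such a discovery pass can look like: it walks a directory tree, flags files that contain protected data, and reports the ones stored outside the locations the policy allows, so the same scan can be re-run to measure progress.  The approved-location list, the deliberately simple SSN-shaped detector, and the sample files written to a temporary directory are all constructed for the illustration.

```python
import os
import re
import tempfile

# Constructed policy: protected data may live only under these directories
# (relative to the scan root). Anything found elsewhere is a deviation.
APPROVED_LOCATIONS = ("finance/secure",)

# Deliberately simple detector for the example: a US SSN-shaped pattern.
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def scan_file(path: str) -> int:
    """Return the number of SSN-shaped matches in a file (0 if unreadable)."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            return len(SSN_PATTERN.findall(fh.read()))
    except OSError:
        return 0


def inventory(root: str) -> list:
    """Walk root and return sorted (relative_path, hit_count, approved)
    tuples for every file that contains protected data."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                approved = any(rel.startswith(loc + "/") for loc in APPROVED_LOCATIONS)
                findings.append((rel, hits, approved))
    return sorted(findings)


def deviations(findings: list) -> list:
    """Findings stored outside the approved locations."""
    return [f for f in findings if not f[2]]


def build_sample_tree() -> str:
    """Create a throwaway directory tree of constructed sample files."""
    root = tempfile.mkdtemp(prefix="dlp-scan-")
    files = {
        "finance/secure/payroll.csv": "name,ssn\nAlice,123-45-6789\nBob,987-65-4321\n",
        "finance/old/payroll_copy.csv": "name,ssn\nAlice,123-45-6789\n",   # stale duplicate
        "home/carol/notes.txt": "call HR re 555-12-1234 ASAP\n",           # odd nook
        "home/carol/todo.txt": "buy milk\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = inventory(root)
    for rel, hits, ok in found:
        print(f"{'OK ' if ok else 'DEV'} {rel}: {hits} hit(s)")
    print(f"{len(deviations(found))} file(s) outside approved locations")
```

The report lists the approved payroll file as OK and the two copies outside `finance/secure` as deviations; re-running it after the stale copy is consolidated and the notes file is cleaned up gives the progress measurement the policy calls for.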

Friday, June 3, 2011

Cloud Computing and Protecting Confidential Information

A couple of months ago, I talked about the implementation of DLP in cloud computing environments.  Since then, I have seen a few examples of security-oriented firms, such as Tripwire, enStratus, and others, working with cloud computing vendors to provide internal compliance and validation.

Meanwhile, we have seen several large-scale data breaches, including numerous attacks on Sony, that involve attacks through web servers.

A significant use case for cloud computing is to provide scalable web services, so we have an interesting and significant security intersection between deployments of web servers (often with vulnerabilities) in the cloud, and the need for web application firewall (WAF), data loss prevention (DLP), and intrusion detection/prevention (IDS/IPS) to protect the web servers and the information to which they provide access.

There are some difficult problems with protecting outward-facing cloud-based web servers, though.  It might not be feasible to scale WAF, DLP, and IDS/IPS appliances alongside the web servers.  It may also be challenging to monitor and/or intercept web traffic -- especially SSL web traffic -- to protect against attacks and data loss.

A solution to this problem might be to incorporate WAF, DLP, and IDS/IPS technology into the web servers themselves, so that as the web servers are scaled out, the protection scales with them.  This also sidesteps the SSL inspection problem, since the filter runs inside the server after the traffic has been decrypted.
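As an added example of that idea (written for this page, not code from the original post), here is a WSGI middleware that performs outbound DLP inside the web application process: it inspects text and JSON response bodies after the application has produced them, masks card-like numbers, and logs each redaction, so every additional server instance carries its own filter.  The leaky sample application, the request driver, and the card-like pattern (a plain digit-pattern regex; a real filter would add a Luhn check-digit test to cut false positives) are constructed for the illustration.

```python
import re

# Card-like number: 13-19 digits with optional single spaces or dashes.
# Deliberately simple for the example; production filters add a Luhn check.
CARD_LIKE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_card_numbers(body: bytes) -> tuple:
    """Replace all but the last four digits of each card-like number.
    Returns (masked_body, number_of_redactions)."""
    count = 0

    def _mask(m):
        nonlocal count
        count += 1
        digits = re.sub(rb"[ -]", b"", m.group(0))
        return b"*" * (len(digits) - 4) + digits[-4:]

    return CARD_LIKE.sub(_mask, body), count


class EgressDlpMiddleware:
    """WSGI middleware that masks card-like numbers in outbound text/JSON
    responses. It buffers the response, so keep it off large binary downloads
    (those are skipped by content type here)."""

    def __init__(self, app, log=print):
        self.app = app
        self.log = log

    def __call__(self, environ, start_response):
        captured = {}

        def _capture(status, headers, exc_info=None):
            captured["status"] = status
            captured["headers"] = list(headers)

        chunks = self.app(environ, _capture)
        body = b"".join(chunks)
        if hasattr(chunks, "close"):
            chunks.close()

        headers = captured["headers"]
        ctype = {k.lower(): v for k, v in headers}.get("content-type", "")
        if ctype.startswith(("text/", "application/json")):
            body, n = mask_card_numbers(body)
            if n:
                self.log(f"DLP: masked {n} card-like number(s) in response to "
                         f"{environ.get('PATH_INFO', '?')}")

        # Body length may have changed; re-emit Content-Length.
        headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]


def leaky_app(environ, start_response):
    """Constructed sample application that echoes a record containing a PAN."""
    body = b'{"customer": "Alice", "card": "4111 1111 1111 1111", "order": 20110603}'
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, path="/customer/1"):
    """Drive a WSGI app in-process; returns (status, headers, body)."""
    result = {}

    def _sr(status, headers, exc_info=None):
        result["status"], result["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, _sr))
    return result["status"], result["headers"], body


if __name__ == "__main__":
    status, headers, body = run_request(EgressDlpMiddleware(leaky_app))
    print(status, body.decode())
```

Because the middleware wraps the application object rather than sitting on a separate appliance, deploying another web server instance automatically deploys another copy of the filter; the same hook point is where a request-side WAF check would go.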