Tuesday, January 15, 2013

Data Loss Prevention: A competitive advantage for today's businesses

First of all I would like to wish all my readers a happy new year! I wish all of you the best, and may 2013 be a landmark year for mankind!

After a couple of weeks of work, I have finally managed to publish the following article! I wanted to write an article about security solutions but from a different perspective; I would like to step away from the strictly technical view and present them from management's point of view. Therefore, the current post deals with the role of Data Loss Prevention (DLP) in Information Security Management (ISM) and how DLP solutions help with Risk Management and IT Compliance.

Introduction

Key terms: 
  • What is Data Loss Prevention? 
  • What is Information Security Management? 
  • What is Risk Management?

Since ancient times, information has been one of the most valuable things, perhaps the most valuable thing, that one can possess. Its significance can be judged by the way and the care with which people have handled it over the years. Wars can have a different outcome solely through the possession of some valuable piece of information. Nowadays, the nature of information has changed and has become more digitized than ever. Credit cards, health records, nuclear missile launch codes, military schematics and promising technical patents are some examples of how the nature of information has changed. Moreover, the methods of stealing such information have changed as well: from gangsters with guns entering a store in order to steal physical, tangible objects, to people sitting in front of a computer with an Internet connection. Therefore, the attack vector has changed. It has become more complicated and even larger than it used to be. Some years ago, a couple of locks, a big fence and a large cement wall were sufficient to keep your information safe. These days, on the contrary, you need hardware and a hypervisor with a couple of virtual machines running sophisticated security software in order to provide surveillance of the whole infrastructure from different security perspectives, such as data leakage prevention, encryption, anti-virus protection, etc.
Information security is a necessity for all organizations nowadays, not just because they have to comply with industry standards, but because of the need to protect their information, their assets and their infrastructure. Investing in the right policies and procedures is the equivalent of health insurance: you pay a very small percentage in order to prevent a bigger loss in the near future.

During my research for a definition of Data Loss Prevention (DLP), I found numerous entries defining DLP as a "system" or "software". But I would like to present a different definition and point of view for DLP: I would say that DLP is a strategy, a mentality. DLP is a complete plan for preventing sensitive information from leaving the corporate network. It should not be just a DLP software product; all deployed IT solutions should cooperate in order to implement a DLP strategy and mentality in our organisation. For example, endpoint protection software, email gateways and endpoint encryption software can all work, along with the DLP solution, to enforce the organisation's policy on the prevention of data leakage.

The next key term is Information Security Management, which is a superset of Information Risk Management. According to the Wikipedia article [1]:

"Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks."
Information Risk Management (IRM) is an integral part of Information Security Management. One of my favourite definitions is the following:
"Information Risk Management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level". [2]

Let's break down and explain in detail the key terms above.

Overview of DLP solution

Without ignoring my earlier statement that DLP is something more than a software solution, namely a mentality that should be implemented at many points of our infrastructure and cultivated among the employees, I would like to present the architecture of a DLP solution and its key features with a top-down approach.
DLP solutions are designed to provide the following features:

  • Manage
DLP is managed through a user-friendly but very detailed web interface. Through that interface numerous functions are offered, such as administration, view-only access, approval functions for releasing information, etc. Policies are also configured and fine-tuned through this interface.
  • Discover
This feature discovers the sensitive information: with the expertise of the consultants implementing the solution, and with the help of management and the IT department, the sensitive information is located and classified by the DLP.
  • Monitor
The Monitor feature tracks the flow of the sensitive information. It monitors the information in any format, over any protocol or port.
  • Protect / Prevent
This is the last phase of DLP, when the policies are enforced. The prevention policies are enforced at every boundary of your corporate network: email, web, instant messaging, etc.

Below you can see a very simplistic diagram of a DLP implementation:
In this simplistic implementation, the key roles are assigned as follows:

  • Network Monitor: Monitors the flow of the sensitive data.
  • Network Prevent: Enforces the policies applied.
  • Endpoint Discover: Discovers sensitive data on endpoints (laptops, desktops).
  • Endpoint Prevent: Detects and prevents sensitive data from leaving the endpoint.


Dealing with the Risk 

What is at stake?

As I mentioned at the beginning of my article, it's all about information; sensitive information. Therefore, its loss could cause massive damage to a business. It could be anything from a credit card leak (and the resulting failure to comply with industry standards, for example) to an industrial patent. Industrial espionage attempts are also common nowadays. Moreover, disgruntled employees are also a risk. In many countries, labour law mandates that an employee has to be given notice some days or months in advance if he is about to be fired. Those employees can be a potential risk to a business, because they might be tempted to leak sensitive data they handle in order to harm the organisation that is firing them. DLP implementations address those risks.
What is more, in large organisations DLP implementations help identify business processes that leak confidential data. For example, a secretary sending a corporate document to her Gmail account in order to work from her home computer. These practices and behaviours are monitored, identified and addressed by DLP implementations.
Last but not least, a DLP solution can help implement ISM procedures and policies throughout the organisation and provide management with the necessary data regarding internal (and, where applicable, external) compliance policies.

Achieving Compliance through DLP

For many industry standards, information leakage prevention is a requirement in order to get certified and comply with them.
Let's look at an example: PCI DSS is one of the most common standards in the banking industry.
The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents. [3]
Below, I have gathered a sample of PCI DSS requirements that a DLP solution helps to meet:

  • 3.5: Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
  • 4.2: Never send unencrypted PANs by email.
  • 6.3.4: Production data (live PANs) are not used for testing and development.
  • 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • 10: Track and monitor all access to network resources and cardholder data.

It is apparent, therefore, that a DLP solution not only manages the risk arising from handling sensitive information but also helps the organisation comply with many industry standards.

Conclusion

With the current article, I wanted to present DLP solutions and highlight their benefits for management.
I am looking forward to your comments! Thank you!

Further Reading


References

2. All in One CISSP, Shon Harris
3. PCI SSC Data Security Standards Overview