"Be careful and you will save many men
from the sin of robbing you."
DLP (Data Leak Prevention) is an information traffic control mechanism in the information system of an enterprise. The main objective of DLP systems is to prevent the transmission of confidential information outside of the information system. Such transfers (leakages) can be intentional or unintentional.
Practice shows that most of the leaks that are known (about 3/4) occur not by malicious intent, but because of errors, carelessness or negligence from workers.
The rest of the leaks are associated with malicious actors and users of the information systems. It is understandable that insiders usually try to overcome DLP systems. The outcome of this effort depends on many factors and it is impossible to guarantee success, but the risks can be greatly minimized.
DLP is necessary because there is a lot of data, unauthorized diversion of which could cause significant damage to the organization.
To assess in advance the size of the damage is not always directly measurable or fully foreseeable. However, in most cases, in order to realize the danger posed by leaks, it is sufficient to provide even for the basic consequences.
For example, the release of top secret information or copies of the original documents in the press or other "inconvenient" bodies, the cost of PR and subsequent decision needed to fix problems caused by leakage, reduced trust and outflow from partners and customers, problems with competitors, leakage schemes, technology, know-how and more.
In addition to the DLP system - a technical complex for information protection from leaks, its scope goes beyond just monitoring and blocking of the actions of users with protected information. The modern DLP system is also a tool that allows you to control the exchange of information, the use of information in the electronic files of the company and other "useful" areas, such as:
- Control over the sharing not only of confidential but also other information of interest (libel, spam, excessive amounts of data, etc.), control over the level of business ethics, etc.
- Tracking the loyalty of employees, their political attitudes, beliefs, gathering compromising information, tracking any single interest or suspicious object
- Identification of brain drain in the early stages, the actions of timely identification, aimed at finding a job / career change - the exchange of electronic messages containing employee information (resume), with external employers, visiting sites about finding a job. Thus, you can more efficiently monitor employee satisfaction, employer and labor conditions in a shorter time to take corrective action
- Monitoring the misuse of corporate resources, employee time - regular monitoring of storage and use in non-working order files (audio, video, photo, etc.) and the use of communication channels (e-mail, Internet, instant messaging) for the misuse of information exchange
The main tasks of DLP are monitoring and prevention of:
- Transmission of protected information by email (SMTP, including SSL)
- Transmission of unencrypted data in the Internet (FTP, HTTP, web-mail, chat)
- Transmission of encryption protected information in the Internet (HTTPS, SFTP, SCP (SSH), etc.)
- Transmission of protected information using instant messengers (ICQ, Jabber, Skype, WebEx Connect, QIP, etc.)
- Entry of protected information to removable media (USB drives, CD / DVD, flash-media, etc.) and mobile devices (smartphones, iPhone, iPad)
- Printing documents that contain protected information (monitoring and / or blocking printing on local, network and virtual printers) and copying of such data
- Control over user access to documents containing protected information (logging)
- Archiving of all transmitted information
- Monitoring user search activities
- Controlled data transfers between servers and workstations
- Monitoring of all storage on network shares (shared folders, work-flow systems, databases, e-mail archives, etc.)
DLP IS NOT JUST FOR THE BIG FISH
It is believed that the introduction of DLP system is justified only in the case when the organization has reached a very high level of maturity work-flows. In particular, it has developed and implemented policies for handling confidential information, has developed a list of its constituent data matrix, defined role-based access to different kinds of information, etc.
Of course, the presence of all these mechanisms make the use of the DLP system more efficient, but the full implementation of the policy for handling confidential information involves substantial elaboration.
However, for starters, it will be very useful and a more simple approach to highlight the most critical areas.
In this case, we are not trying to build an overall picture of handling all types of sensitive data, instead we allocate multiple repositories of documents intended solely for use within the organization. The system (with some regularity) scans all documents held within this repository, and then fixes any attempts to move the protected information outside the organization.
STAGES OF IMPLEMENTATION
INVENTORY & CLASSIFICATION of information, the allocation of Confidential Information:
- Management and administration (schemes of internal business processes, data flow diagrams and communications, strategic development documents, forecasts for the development, competitive analysis, internal documents, internal rules for handling client complaints, minutes of meetings and conferences, internal orders and instructions)
- Sales department (contracts, data from the system about work with clients, counter-parties data, market analyses, contract templates and reports, reports on projects, quality control, etc.)
- Accounting department (financial information, databases, reports, etc.)
- Personnel office (clerical staff, profiles and personal data of employees, working conditions, job descriptions for different units, motivational scheme, etc.)
- Important information on individual employees
- Trade secrets
- Technological information
- Data and Knowledge Base
- Description of the "know-how" and process analysis information
- Research results
- Activation codes for licensed software
- Any documents (files) and keywords that may indicate a leak, the classification of any information on the movement of which you need to follow
Designing a LOGICAL MODEL of the system based on the analysis of business processes:
- Policies on the processing and protection of Confidential Information, development of access rights matrix to the Confidential Information, identifying and delineating the powers and techniques of legal movement of Confidential Information (e.g., if the accountant sends the contract to the Director - this is normal, but if you write it on a flash drive or leave it in the mail – this is a security incident)
- Regulations and procedures for responding to incidents, changes to the system settings, etc.
- Instructions for system administrators, specialists, responsible for investigating incidents, users
Choice of SUPPLIER, Proof of Concept
IMPLEMENTATION of the system in the selected network segment to begin, commissioning
FINE-TUNING of system parameters, testing and training staff responsible for the operation of the DLP
MONITORNG & EVALUATION of the system's operation, measuring effectiveness, designing future improvements
THE 2 WAYS
TO SOLVE THE PROBLEM
THE RIGHT WAY: through an integrated approach. There are companies that specialize in these technical solutions for years. Costs about $200-500 in the workplace for implementation, and in the order of $20-50 per year per license.
This approach, of course, solves the problem more efficiently, enables the integration, or future integration, with other systems such as SIEM, RMS, etc., integration with ERP and guarantees compliance with international standards of information security.
THE WRONG WAY: trying to use free or low-priced products from multiple vendors that do not solve the problem comprehensively, but only close certain channels of communication.
As a result, we obtain a limited solution, working in principle in some channels and even sometimes solves the problem, but the data is not structured and is not consolidated, the efficiency is very seriously affected, there may be serious problems with scalability. Companies using this approach are eventually forced into an integrated approach.