Making DLP work for you
First of all, allow me to make a distinction between data loss and data leak.
If we talk about loss, well, prevention of data loss encompasses the entire realm of security. That’s it, that’s what security is all about – preventing data from being stolen, or corrupted, or somehow destroyed. Data leak, on the other hand, is a particular aspect of the problem – it is the loss that occurs in small quantities, slowly, over time, and has internal causes, such as accidental distribution of classified information, or intentional insider theft. And this is likely the most important aspect of data leak – it’s always related to an insider issue, be it intentional or accidental.
With that in mind, there are many ways in which data can be made to “leak”. Clearly, anyone can steal an entire disk but we’ll assume that most people in your organization won’t even know which disk to steal to get their hands on the data they want. Alternatively, they could plug in a Flash drive and copy an entire database (Snowden anyone?); but more simply (and frequently), data can be leaked using the internet. The problem with this is that most companies I see only think of protecting email. They forget that chat, web, peer to peer, ftp and many other applications are also very good media to leak data using the internet. And while it appears easier to control these applications, in reality there are so many of them ~ vastly dissimilar from each other, using a myriad of different protocols ~ that controlling them takes some seriously specialized software.
DLP for email is quite common.
Here’s where you catch all the outbound emails, scan them for particular data that you want to keep safe, such as social security numbers, credit card numbers and other similar information; ensure the attachment doesn’t return the fingerprint of a particular, confidential file; and then make a decision – do I block it, quarantine it, and find out why that data was in that email? Or trust the employee and assume there’s a reason why that data is going out, and therefore encrypt and let it go?
What’s uncommon is DLP to protect HTTP/HTTPS, FTP, Instant Messaging and peer to peer. Solutions do exist, and they apply the same methods as the DLP for email; but they’re expensive because these applications are interactive and therefore scanning requires performance.
While it may be OK to take 5 seconds (for example) to scan an email before it’s delivered, it’s absolutely not OK to take 1 extra second to scan a web page – your users will start a mutiny. So to be able to perform DLP scan on interactive applications, you need powerful hardware – there’s really no other way around that. And this means the solution is expensive, and many companies opt for closing an eye and pretending it’s not happening, their employees are all loyal and they’ll never do anything intentionally bad.
OK, I’ll go for that – the world is wonderful and no one does bad things intentionally. But sometimes we make mistakes, and unintentional leak is just as bad. Actually, sometimes it may be worse, because you may have no idea that something has happened until it ends up in the news! It isn’t only the intentional theft that should concern you; it’s also the distracted employee who types something he shouldn’t into a chat, who uploads to a common repository, a file classified restricted; someone who doesn’t pay careful attention to what data is transmitted over the internet.
There’s also another, unintentional form of leak.
Assume one of your employees installs a peer to peer application to illegally share some music. What the employee likely doesn’t realize is that the moment he starts sharing, his entire disk is visible to the entire community. This means anything, including those confidential files he’d never intentionally leak. And before you know it, those files are all over the internet. How do you stop this from happening? By controlling the applications that try to get out to the internet from your LAN. You may not be able to completely stop the employee from installing that app; but you should be able to block it at the gateway so it doesn’t cause damage.
Finally, we circle back to the data copied locally. If you can, you shouldn’t allow the use of small data devices such as Flash drives, even if that means disabling all the USB ports on your workstations.
But wait – someone in the company will need some kind of access; someone will need to have the ability to activate those ports to install software or perform some other maintenance. Who will protect you from those employees? The protection from these “power users” is segregation and double authorization. Somehow, you need to ensure that no one in the company (yes, no one, not even the CEO) has too much power; and any access to download certain data should be controlled, monitored, and possibly should require 2 individuals to gain access. Yes, they could always be in cahoots but it’s less likely and this is all a game of chances.
So how do you protect yourself? It should be clear by now that you need DLP scanning for email, web, instant messaging and FTP. You should also carefully restrict the use of FTP because there’s really no reason why most of your company should need it.
Finally, you should adopt a system allowing you to recognize, control and, possibly, block peer to peer applications of any kind; and if one is needed for business, find a way to scan it for content as well or find a different way of conducting that aspect of your business. Disable the external ports on the workstations, require double login for highly classified data, monitor everything and trust no one; and when I say no one, I mean no one, not even yourself.
Why? Well, because you’re human and you too can make a mistake.
