comprehensive data leak prevention
TRANSCRIPT
1
Enterprise Information Leak Prevention
Recent trends shows Insider’s threat is bigger then the Hacker’s.
2
Knowing ‘what’ is sensitive is a business problem that Technology alone can not solve. (The Policy)
Technology need to know the data, to know ‘How’ and ‘Where’ to manage it. ( Process & Federation)
Ancillary functions are required in order to increase further functionalities. Each DLP program is unique and ancillary functions changes from deployment to deployment.
What is Information or Data Leak Prevention ?Information / Data Leak Prevention (DLP) is a strategy for making sure that sensitive information doesn’t reach to wrong hands either inside or outside of the enterprise network. The term is also used to describe technology products that help a network administrator to control the data that end-users transfer. Terms Information-Data, Leak-Loss and Prevention-Protection are used interchangeably.
3
Quiz - Ahead of Apple much anticipated new product launch. On iCloud, a celebrity picture leak incident caused its share prize to fall by 4.2%. If Apple have total 5.99 Billion shares then Kindly put a price tag on this leak ?a) $ 6 Million b) $15 Million c) $15 Billion d) $25 Billion
Financial Implication of a Single Information Leak; An example
4
“According to Kaspersky Labs Accidental Data sharing leads to loss of more data than software flaws.27% of organizations have lost sensitive business data due to internal threats in last 12 months…”
Industry Trend
Vulnerabilities in Existing software
Accidental Leaks / Sharing od data by staff
Loss / Theft of mobile device by staff
Intentional Leaks / Sharing of data by staff
Information leaked / inappropriately shared on mobile device
Security failure by third part supplier
Fraud by employess
7%
7%
7%
9%
5%
4%
5%
13%
14%
12%
9%
10%
7%
7%
16%
7%
7%
3%
6%
5%
4%
Data Loss ThreatsYes- Of Sensitive Business Data Yes- Of Non Sensitive Data No
5
Obtain top management buy-in, Have a policy and Have a high-level vision of enterprise network to establish the primary boundary and identifying primary gateways Speak to Corporate Governance, Data
Governance, Control Minded Cousin
Speak to IT and understand various Information types and its handling
Speak to sample staff at all levels to understand the culture around information life cycle Survey to business function to understand specific Business Process and develop data flow diagrams
Develop a road map with all the above details
Finding the Starting Point
Policy
Leak Control at Mail
Gateway (@xyz.co.kw)
Leak Control at
Automation (USB,CD, etc.)
Leak Control at Internet Gateway (Gmail,
SkyDrive, etc.)
6
Data Classificatio
n Policy
Framework
Rights Manageme
nt
Gateway Tech Integration
Encryption
Mobile Support
While developing a roadmap, identify the ‘What’, ‘How’ and ‘Where’, and ancillary functionality as per organization priorities.
The Roadmap
‘What’ shall constitute the Information Classification as per the Policy, to achieve the primary building block of the program
‘Where’ shall form the base and extended boundaries thus constituting the Federation
‘Who’ shall constitute the Rights Management ‘How’ shall constitute related Business Processes, flow diagrams and also the deployment of gateway technology (Mostly referred as the DLP Products)Ancillary functions are further added to bring in the functionality for Encryption and Mobility
7
Public Information which is to be shared outside the enterprise
Internal Use Information accessible to staff on need-to- know basis or need-to-have basis.
Business Partners Information accessible to Vendors, Partners or consultant (i.e. outside KFH Domain) .
Confidential Information accessible to staff only on need-to-know or need-to-have basis perform assigned jobs responsibilities within organization only.
Secret Information accessible to highly restricted authorized employees within org with absolute need to know or need to have requirement to perform assigned job.
Information Classification Scheme
Info
rmat
ion
Sens
itiv
ity
Information Classification is the fundamental requirement of identifying sensitive data. In its absence, no amount of technology deployment can be an alternative
Information Classification Policy
1Public Internal use Business Partners Confidential Secret
8
The term ‘Leak’ refers to the breach of boundaries by respective classification Boundaries also constitutes the constituency of each classificationSimilar to Social media framework allows end user to classify his / her information accordingly.
KSA
C-In-C
Circle of Trust
Untrusted
Circle
3rd party
Federation
Circle of trust Oman
UAE
Qatar
Bahrain
KSA
Kuwait
Org
Circle of trust
Examples of LinkedIn, Google, FB :
Its fundamental requirement to establish logical enterprise boundaries as per base organization.
Federation Framework
9 Print
Rights Management along with validation features manages the restriction and access control mechanism of program Rights to change the classification are managed to avoid unauthorized business partner classification in order to send the information Outside RM mechanism deployed to restrict the printing of ‘Confidential’ and ‘Secret’ information.
RM manages the authorization of Public information.
Its required to establish ‘Who’ can do ‘what’ as per job authorization.
Rights Management
Right Manageme
nt Mechanism
10
Identified sensitive information shall be auto encrypted and do not require interference from average end user
Encryption mechanism get auto evoked based on classification without end user intervention.Organization do not need to apply cumbersome encryption across the organization.
Special public announcement that needs to be treated as confidential till released are managed with special process.
Encryption and Digital Certificates
50%
10%
20% 5%
15%
Sensitivity Trends
Internal Use Business Partners Confidential Secret Public
11
Extend the program on Mobile Devices as per organization appetite, similar to PC.
Integrate Mobile Device Management with solution Including device identity parameters
For large organization facility can be rolled out with limited staff only to keep license cost down
SMB may consider integration with MS Office360 / Google Docs
Deploy Black and white (MAC Address) list at the enterprise gateway
Mobility
Corporate Network
Management Server
ProxyData
Stora
ge Exchange
+Policy
+Policy
DMZ
CA Server
Forrester Research 2013
12
General Benefits # Benefits 1 Gaining Competitive advantage, in both brand value and reputation2 Data leakage prevention comprehensively covers all information types,
that Management do not wish to get leaked3 Once information is classified, no user interference is required, further
security is managed in the background4 Increases the staff awareness about value and sensitivity of the data
adherence to corporate governance and information security policies5 Confidential information printing is restricted6 Secure work environment, Archive Data Governance, Intellectual Property
protection, Privacy and Regulations, Culture Change 7 Securing Proprietary information against security threats caused by
enhanced employee mobility and new communication channels8 Preventing the misuse of information, both on and off the enterprise
network
13
Regulatory / Compliance Benefits #
Regulation Benefits
1 Payment Card Industry - Data Security Standards V3.0
PCI requirement 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).PCI requirement 9.6.1: Classify media so the sensitivity of the data can be determined.PCI requirement 12.2 Implement a risk-assessment process that is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), Identifies critical assets, threats, and vulnerabilities, and Results in a formal risk assessment. (KRIs)
2 Central Bank of Kuwait
Information Security Instruction ( 2012 /2013) and Corporate Governance Instruction (20112):Banking confidentiality is considered one of the key principles of banking business due to the trust and reassurance it gives to all parties dealing with banks
3 IS027001-2013 Information Security Management
A.8.2.1 Classification of InformationA.8.2.2 Labelling of InformationA.8.2.3 Handling of Assets
4 Intellectual Property Protection
All public information are intrinsically protected for Trademarking, © protection and ®
5 Data Governance Primary requirement of any Data Governance program
14https://kw.linkedin.com/in/tanvirh
Tanvir is an Information Security professional specializing in managing large scale programs that requires unique blend of expertise in strategy, process re-engineering and technological action planning. Prior to his role at Kuwait Finance House (KFH), He has been associated with leading companies including National Commercial Bank (NCB), Emirates NBD, Riyad Bank and HSBC.
Tanvir has MS in Electronics & Communications and CISSP, CISA, AMBCI Certifications.
Speaker Profile