Using this Data Security Deployment Guide
This document is for the reader who:
• Has read the Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks deployment guides
• Wants to connect Borderless Networks to a Cisco data security solution
• Wants to gain a general understanding of the Cisco data security solution
• Has a level of understanding equivalent to a CCNA® certification
• Wants to protect sensitive intellectual property and customer data within the agency and prevent accidental leakage
• Wants to address data security compliance and regulatory requirements
• Wants to implement data security policies within the agency
• Wants the assurance of a validated solution
This guide introduces the Cisco data security solution. It provides details on how Cisco content security appliances work with RSA Data Loss Prevention (DLP) products to solve end-to-end data security problems. An overview diagram of the solution is illustrated in Figure 1.
This document is divided into the following sections:
• Agency Overview—outlines the problems faced by large agencies in the area of data security.
• Technology Overview—provides details on data security system concepts and the important characteristics that the industry looks for when evaluating such solutions.
• Detailed Configuration—discusses some of the best practices and the steps required to deploy the Cisco data security solution.
Additional Information
This is a supplement guide to the SBA for Large Agencies (2,000 to 10,000 connected users) deployment guides. The SBA for Large Agencies is a reference architecture that delivers an easy-to-use, flexible and scalable network with wired and wireless security.
(Figure: SBA for Large Agencies document map, listing the Design Overview, Foundation Deployment Guides, Internet Edge Deployment Guide, Internet Edge Configuration Guide, Network Management Guides and this Data Security Deployment Guide, marked "You are Here", under Design Guides, Deployment Guides and Supplemental Guides.)
Figure 1. Solution Diagram
Related Documents
SBA for Large Agencies (2,000 to 10,000 connected users) deployment guides (http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns982/landing_sBus_archit.html)
Internet Content Adaptation Protocol (ICAP): http://www.faqs.org/rfcs/rfc3507.html
Technology partner deployment guides can be found here: http://www.cisco.com/go/securitypartners
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Table of Contents
Agency Overview . . . 1
Technology Overview . . . 2
Cisco Data Security Configuration Details . . . 5
Endpoint Security . . . 15
Datacenter Security . . . 17
Summary . . . 19
Appendix A: SBA for Large Agencies Document System . . . 20
Agency Overview
Network borders are rapidly being eroded by the need to enable anyone, anywhere to connect to anything, at any time. Employees, partners, and constituents are using mobile devices and applications to connect from homes, hotels, airport Internet kiosks, and local coffee shops, collaborating through mobile platforms, increasing operational efficiency, productivity, and flexibility. However, enhanced communication also increases the risk of losing sensitive information, such as intellectual property and constituent data, due to innocent or malicious activities.
Recently, multiple data loss incidents affecting large agencies have made headlines, resulting in negative media coverage and public embarrassment. In some cases, penalties and corrective actions have cost millions of dollars. Agencies must take steps to protect their sensitive agency data in addition to constituent data, and to comply with government mandates that apply to many different kinds of data.
Intellectual property is one of an organization's most important assets; organizations lose billions of dollars each year from theft of trade secrets. Intellectual property can be lost through inadvertent disclosure, or through malicious action by an employee or an outsider.
Organizations need to protect constituent data, including personally identifiable information (PII), credit card numbers (CCNs), Social Security numbers (SSNs), and other records. Sophisticated criminal enterprises are using botnets and malware to infiltrate agencies in order to steal this information. Breached agencies often bear the costs of notifying customers and the public of a data loss incident, and may also have to bear remediation expenses.
International, national, state, and local regulatory requirements are increasing, especially for protection of sensitive information assets. Thousands of data privacy regulations have been created in recent years, and countries and states have enacted data-breach notification laws.
Agencies from different industries and operating in different countries are under mandates to comply with different regulations, such as:
• Health Care—EU Directive, PIPEDA, and HIPAA
• Education—FERPA, HIPAA, and possibly PCI-DSS
• Financial—GLBA, SOX, PCI
• Retail—PCI-DSS
To solve these data protection problems and meet regulatory requirements, a comprehensive and well thought out data security solution is essential.
Technology Overview
Data Security
A data security solution identifies data based on its content and/or the context in which it occurs. The identification process occurs at many different locations and in many different ways. For example, data identification can take place when data is created and when endpoint devices such as laptops, mobile phones, and removable media consume it. In addition, identification can occur when data is moved or shared across a network, and when it is stored or archived in the data center or a cloud network. An effective data security system must protect the data throughout its entire lifecycle, as depicted in Figure 2.
A primary goal of data security systems is to protect against theft of intellectual property and confidential customer data. Doing so helps agencies comply with legal and regulatory standards. Data security systems interact with networks, endpoints, and data centers, and consist of multiple components, including DLP, encryption, device control, information rights management, and secure delivery, as depicted in Figure 3.
DLP is an important component of a comprehensive data security solution. DLP provides content-based data discovery, monitoring, and protection of sensitive data at rest, in use, and in motion.
Figure 2. Data Security Lifecycle
Endpoint data security uses device control, encryption, and content-aware DLP techniques to protect data at rest and data in use on mobile devices such as laptops, netbooks and smartphones. On laptops and on removable media, data at rest is protected by full disk encryption or intelligent, policy-based encryption of sensitive data. On smartphones, data at rest is protected by encryption and by device control features such as device wipes and personal identification number (PIN) locks. Encryption and device control help mitigate the risk of lost or stolen devices. Content-aware DLP can also discover and classify sensitive information on endpoint devices, preventing accidental leakage of information through such means as USB flash drives or uncontrolled printouts.
Figure 3. Data Security System
Network data security focuses on secure data delivery, threat protection, and data loss prevention for data in motion across the network perimeter. Secure data delivery solutions, such as VPNs, protect data integrity and confidentiality for sensitive information over insecure public links. Threat protection solutions like intrusion prevention systems (IPS) protect against threats such as buffer overflows, injection attacks, directory traversals, and other common attacks. DLP data-in-motion solutions use content-aware techniques to ensure that sensitive information does not leave an agency accidentally or by any unauthorized means.
Data center security and cloud data security have many different components, such as database encryption, file-share encryption, storage area network (SAN) data encryption, content-aware data discovery of sensitive data on servers, and information rights management for prevention of unauthorized access. Data center DLP technologies focus on discovery of sensitive information by local or remote agents that crawl databases, document management systems, and other servers, and classify data. Data center security addresses the need to meet data security regulatory requirements, to discover and protect intellectual property, and to provide insight into who has access rights to data.
Data security systems include a central management server for creating and administering data security policies, an incident workflow, a reporting system, and data discovery and enforcement across various points.
Architectural Components
Overview of the Cisco Data Security Solution
Cisco is partnering with leading companies through the Cisco Developer Network (CDN) to deliver a comprehensive data security solution, including an array of technologies to protect data throughout its lifecycle, as shown in Figure 4 below. This solution provides agencies a policy-based approach for monitoring, identifying and preventing leakage of information across the network, endpoints and data center.
Figure 4. Comprehensive Data Security Solution
Network Security
Sensitive data can leave the network perimeter by many different means, such as email, web applications, file transfers, and instant messaging. Enforcing content policies at the network perimeter is an effective defense against accidental data loss. Cisco partners with RSA, a leading DLP solution provider, to provide integrated DLP technology on Cisco IronPort Email and Web Security Appliances.
RSA Email DLP is built into the Cisco IronPort Email Security Appliance to provide content-level scanning of email messages and attachments, and to detect sensitive information before it leaves an agency. It contains an integrated DLP scanning engine with over 100 DLP policy templates, and is activated through a software license. DLP policy in the Email Security Appliance allows messages to be examined for data patterns that are associated with sensitive data that should not be exposed to the outside world. Several actions can be taken when a pattern match occurs, ranging from sending a warning message to blocking the entire message.
DLP policy can also enforce encryption of messages containing sensitive data, using the email encryption feature of the appliance. Email encryption can use either the Cisco Registered Envelope Service (CRES) or a local key server, as shown in Figure 5. CRES provides secure and transparent management of key creation, distribution, and retention.
Figure 5. Cisco Registered Envelope Service in Use
Gateway-to-gateway encryption through Transport Layer Security (TLS) is another way of protecting sensitive information. The Email Security Appliance can securely relay a message over a TLS connection, and the administrator can configure the policy to control whether TLS transport is mandatory, or used only when the other side of the connection supports it, and whether message-level encryption is used as a fallback when TLS is not available. Note that TLS protects only the hop to the next mail gateway; the message is stored and forwarded in the clear beyond it unless message-level encryption is also applied.
While the Email Security Appliance protects standard Internet email sent using the Simple Mail Transfer Protocol (SMTP), other increasingly popular alternatives, such as instant messaging and web-based email services, must also be inspected for sensitive data. Cisco IronPort Web Security Appliances can connect to an external DLP system using ICAP. This enables the Web Security Appliance to apply DLP policies to HTTP, HTTPS, and FTP traffic in the same way as the Email Security Appliance does to SMTP traffic, providing consistent enforcement no matter which protocol is being used to send the information.
Endpoint Security
Endpoint data security includes content-aware policy enforcement, mandatory encryption of sensitive data on laptops and smartphones, and protection of sensitive information being copied or transferred to removable media. Cisco partners with endpoint data protection market leaders to provide validated and compatible policy-based encryption and device control solutions for data at rest and data in use on endpoints.
Cisco recommends RSA DLP Endpoint for the protection of information assets on laptops and desktops. RSA DLP Endpoint consists of two modules, Discover and Enforce. The Discover module provides content-based data classification and fingerprinting that provides visibility for sensitive data on laptops and desktops. The Enforce module provides protection for data in use by preventing copying of sensitive data to USB devices and other removable media.
Data Center Security
DLP for the data center involves discovering, classifying and encrypting sensitive data no matter where it resides in the data center—file systems, databases, email systems, or network-based storage. Cisco recommends RSA DLP Datacenter, which can discover sensitive data and help to enforce policies across file shares, databases, network storage, Microsoft SharePoint sites and other data repositories to reduce the risk and operational impact associated with agency data loss.
RSA DLP Datacenter offers permanent and temporary agents. Temporary agents scan data, collect policy violations, and self-uninstall to allow agencies to survey their risk landscape. RSA Enterprise Manager can deploy policies across RSA DLP Datacenter, DLP Network and DLP Endpoint.
For data center SAN storage, Cisco MDS 9000 Family Storage Media Encryption (SME) offers a heterogeneous, standards-based encryption solution for data at rest, with comprehensive built-in key-management features.
Data Security Deployments and Use Cases
A complete data security system is best deployed in stages, as depicted in Figure 6 below. Cisco recommends implementing DLP in three sequential steps:
1. Network Deployment provides broad coverage with ease of management, using the security management features of Cisco IronPort Email Security and Web Security Appliances.
2. Endpoint Deployment provides policy-based device control and encryption to prevent sensitive information from leaving through external removable media, printing, copying and other means of data in use.
3. Data Center Deployment, the final step, requires understanding the agency's unstructured or structured sensitive data assets, and determining what policies need to be enforced at various points in the data security deployment. RSA DLP Datacenter and Cisco SME address issues of discovering and encrypting sensitive information in the data center.
In addition, after each step is completed, we recommend two additional activities:
• Tuning—after agencies identify their sensitive data, they configure DLP to meet their particular requirements. This involves testing to ensure they are detecting violations, frequently by configuring the products in learning or non-block mode to gather information for secondary analysis, before implementing more stringent controls.
• Optimization—finally, the data security system should be optimized for easy maintenance and management. In this phase, automatic updates, instant reports for executives, automatic decision making information and detailed violation reports are typically configured.
Figure 6. Cisco Data Loss Prevention Deployment
Cisco Data Security Configuration Details
Network Security
Process
Cisco Email Data Security Configuration
1. Enable DLP
2. Set Up the Basic DLP Policy
3. Connect the DLP Policy with Outgoing Mail Policy
4. Testing and Monitoring the Data Security System
5. Monitoring DLP Policies
The Cisco IronPort Email Security Appliance is placed in the DMZ of the Internet edge of the SBA for Large Agencies—Borderless Networks architecture. For simplicity, the appliance is connected by a single interface, as shown in Figure 7.
Figure 7. Cisco Email Data Security Architecture
(Figure 7 components: Email Security Appliance, DMZ switch, firewall, end user, Internet, Internet servers.)
Implementing DLP with Email Security Appliances requires the following high-level procedures, each involving several steps, as listed below:
• Enable DLP
• Set up basic DLP policy
a. HIPAA Policy
b. GLBA Policy
c. PCI-DSS Policy
d. Custom Policy
• Connect the DLP policy with outgoing mail policy
• Test and monitor policy violations
Procedure 1 Enable DLP
DLP is a licensed feature on the Cisco IronPort Email Security Appliance. You can activate this feature by providing the license key in the Feature Key tab of the web management interface by selecting System Administration > Feature Keys and then clicking "Check for New Keys". Verify that the key is active, as shown in Figure 8.
Figure 8. Activate DLP
Note that the email encryption feature license is also active in the example and is required in order to employ message encryption as an option in the DLP policy. If you have not licensed email encryption, this action will not be available.
To start scanning the outgoing emails for sensitive data you must first enable DLP on the appliance using the following steps in the web management interface:
Step 1: Select Security Services > RSA Email DLP.
Step 2: Click Enable. The license agreement page appears.
Step 3: Read the agreement, then click Accept.
Step 4 (optional): Enable Matched Content Logging to allow the logs to include the content that triggers a violation. Note that this option will cause potentially sensitive information (such as credit card numbers) to appear in the security logs, so the logs themselves, and anywhere they are forwarded, then need the same protection as the data they record. Your agency's policy requirements will determine if this is desirable or not. Also note that this feature requires that the message tracking service is enabled under Security Services > Message Tracking.
Procedure 2 Set Up the Basic DLP Policy
The DLP Policy Manager is a single dashboard in the web interface that allows you to manage all email DLP policies. You can access the DLP Policy Manager from the Mail Policies menu. The appliance comes with over 100 predefined policy templates developed by RSA, some of which are shown below. In the following examples, configurations of HIPAA, GLBA, and PCI-DSS policies from predefined RSA templates, as well as one custom policy, are shown.
HIPAA Policy
Step 1: Select Mail Policies > DLP Policy Manager.
Step 2: Click Add DLP Policy.
Step 3: Click Regulatory Compliance and then click Add HIPAA.
Figure 9. Add DLP Policy
In this example, assume the agency's patient ID numbers follow a pattern of three digits, each ranging from 2 to 4, followed by seven digits ranging from 0 to 9. This pattern is matched by a regular expression of the form [234]{3}[0-9]{7}; additionally, the phrase "Patient ID" must appear in the data, in order for the policy to match.
Step 4: Enter [234]{3}[0-9]{7} in the "Patient Identification Numbers as a regular expression" field.
Step 5: Enter "Patient ID" in the "AND match with related words or phrases" field, as shown in Figure 10 below.
The completed form is shown below in Figure 10. If an outgoing email message contains a number that matches the regular expression and also contains the text "Patient ID", it triggers this DLP policy.
Figure 10. HIPAA DLP Policy
Step 6: Under Severity Settings > Critical Severity Settings, select Quarantine from the Action Applied to Messages drop-down menu. Messages that contain DLP violations will be held in a quarantine area.
Step 7: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy (bcc) to another recipient, and send a DLP notification message.
Step 8: If you want to define different settings for messages that match the high, medium, or low severity level, uncheck the Inherit Settings checkbox for the appropriate severity level. Edit the overall action for the message and the other settings. In this example different settings by severity level remain unconfigured.
Step 9: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager.
GLBA Policy
Follow the preceding steps and add a GLBA policy. However, in this example assume the account numbers consist of three digits in the range of 4 to 6, followed by six digits in the range of 0 to 9.
Step 1: Select Mail Policies > DLP Policy Manager.
Step 2: Click Add DLP Policy.
Step 3: Click Regulatory Compliance and then click Add GLBA.
Step 4: Enter [456]{3}[0-9]{6} in the "Custom Account Numbers as a regular expression" field.
Step 5: Enter "Account Number" in the "AND match with related words or phrases" field.
An outgoing email that contains a matching account number and keyword will now trigger an alert for a GLBA violation.
Step 6: Under Severity Settings > Critical Severity Settings, select Quarantine from the Action Applied to Messages drop-down menu. Messages that contain DLP violations will be held in a quarantine area.
Step 7: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy (bcc) to another recipient, and send a DLP notification message.
Step 8: If you want to define different settings for messages that match the high, medium, or low severity level, uncheck the Inherit Settings checkbox for the appropriate severity level. Edit the overall action for the message and the other settings. In this example different settings by severity level remain unconfigured.
Step 9: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager.
Figure 11. GLBA DLP Policy
PCI-DSS Policy
PCI DSS requires that credit card numbers never be transmitted in unencrypted form over open, public networks such as the Internet. Before adding a PCI-DSS policy, enable an encryption profile so that encryption is available as an action within the PCI-DSS policy:
Step 1: Click Security Services and then IronPort Email Encryption Services.
Step 2: Make sure the IronPort Email Encryption is enabled and that the proxy server setting is correct for your network. In our example, no proxy server is required, as shown below.
Figure 12. Enabling Email Encryption
Step 3: Click Add Encryption Profile and use Encryption_Enable as the profile name.
For example, use CRES for key management and select Cisco Registered Envelope Service from the Key Service Type list as shown below.
Figure 13. Adding an Encryption Profile
To enable the PCI-DSS policy, follow the same steps that you used to add the HIPAA policy, with the following exception:
In Step 6, in the Critical Severity Settings section, choose the Quarantine action as in the previous example, but also select the Enable encryption on release from quarantine option. From the Encryption Rule drop-down list, select Only use message encryption if TLS fails and choose the Encryption_Enable profile created in Step 3 above from the Encryption Profile drop-down list. With this rule, a released message that is relayed over TLS is protected only on the hop to the next gateway and is not enveloped; if end-to-end protection of the card data is required, choose the rule that always applies message encryption instead.
Figure 14. Enabling Message Encryption if TLS Fails
Custom Policy
When using the pre-built PCI-DSS policy or the Credit Card Number Classifier feature, it is important to note that those cover CCNs from American Express, Discover, Diners Club, JCB, MasterCard, and Visa. If you want to add support for specific store credit cards, you must use a custom policy and configure regular expressions to match the CCNs in e-mail.
The following example, illustrated in Figure 15, configures a regular expression to match a CCN that is 16 digits long and begins with the prefix 6035, with each group of four digits separated by a space, so the CCN structure is 6035 0000 0000 0000. In a regular expression, this can be represented as 6035\s\d{4}\s\d{4}\s\d{4}. Note that here "\s" represents a whitespace character and "\d" a digit, equivalent to the range [0-9]. As written, the expression matches only the space-separated form; the same number typed without separators (6035000000000000) or with dashes would not match, so add alternatives if those forms occur in your agency's mail.
Step 1: Select Mail Policies > DLP Policy Manager.
Step 2: Click Add DLP Policy.
Step 3: Click Custom Policy and assign the name Store_Card.
Step 4: Configure the following three rules:
• Regular Expression: 6035\s\d{4}\s\d{4}\s\d{4}
• Entity: US Address
• Entity: Proper Name
Figure 15. Creating a Custom DLP Policy
Step 5: Under Severity Settings > Critical Severity Settings, choose Quarantine from the Action Applied to Messages list.
Step 6: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy to another recipient, or return a system-generated notification message to the sender.
Step 7: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager. The DLP policies will look like those shown in Figure 16 below.
The order of the policies is important. The appliance evaluates the policies in the order that they are listed in the DLP Policy Manager, reading from top to bottom. If a message matches more than one DLP policy, only the first one found in the list will be applied. Edit Policy Order can be used to rearrange the rules, if needed.
Figure 16. Setting the Order of Policies
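The matching logic of the three policies above, as an added example that is not part of this guide and not the appliance's own code. It models what the page states: a policy fires when its regular expression matches and, where one is configured, a related phrase also appears; policies are tested in list order and only the first match applies. Assumptions: the phrase comparison is case-insensitive, the custom policy's two entity rules (US Address, Proper Name) are RSA classifiers that are not reproduced here, and the sample messages are constructed. The example also records only a masked form of the matched value, the precaution that Procedure 1, Step 4 implies when it warns that Matched Content Logging writes the full value to the logs, and it shows a pitfall of the unanchored patterns: [234]{3}[0-9]{7} also fires on a fragment of a longer run of digits, which word boundaries prevent.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class DlpPolicy:
    """One email DLP policy as configured on the page: a regular expression that must
    match, AND at least one related phrase that must also appear (empty = no phrase rule)."""
    name: str
    pattern: str
    phrases: Tuple[str, ...] = ()
    action: str = "quarantine"


def mask(value: str) -> str:
    """Keep only the last four digits of a matched identifier. This is the example's own
    choice for incident records; the appliance's Matched Content Logging stores the raw match."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def evaluate(message: str, policies: Sequence[DlpPolicy]) -> Optional[Tuple[str, str, str]]:
    """Evaluate policies top to bottom; return (policy name, action, masked match) for the
    first policy that fires, or None. Only the first match applies, as the page states."""
    lowered = message.lower()
    for policy in policies:
        match = re.search(policy.pattern, message)
        if match is None:
            continue
        # "AND match with related words or phrases": assumed to be a case-insensitive substring test.
        if policy.phrases and not any(p.lower() in lowered for p in policy.phrases):
            continue
        return policy.name, policy.action, mask(match.group(0))
    return None


def anchored(pattern: str) -> str:
    """Wrap a pattern in word boundaries so it cannot fire on a fragment of a longer number."""
    return r"\b" + pattern + r"\b"


# The three policies from the page, in the order shown in the DLP Policy Manager.
POLICIES = (
    DlpPolicy("HIPAA", r"[234]{3}[0-9]{7}", ("Patient ID",)),
    DlpPolicy("GLBA", r"[456]{3}[0-9]{6}", ("Account Number",)),
    DlpPolicy("Store_Card", r"6035\s\d{4}\s\d{4}\s\d{4}"),  # entity rules not modelled here
)

# The same policies with the regular expressions anchored on word boundaries.
ANCHORED_POLICIES = tuple(
    DlpPolicy(p.name, anchored(p.pattern), p.phrases, p.action) for p in POLICIES
)

# Constructed test messages (not real data).
SAMPLES = {
    "hipaa": "Follow-up for Patient ID 2345678901, diagnosis attached.",
    "glba": "Please close Account Number 456123456 by Friday.",
    "store": "Refund to card 6035 1234 5678 9012 has been issued.",
    "no_phrase": "Reference 2345678901 attached.",  # number present, required phrase absent
    "fragment": "Patient ID lookup failed for ticket 99234123456789.",  # longer digit run
}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:10} unanchored={evaluate(text, POLICIES)}  "
              f"anchored={evaluate(text, ANCHORED_POLICIES)}")
```

The "fragment" message shows why the unanchored pattern deserves a tuning pass: a 14-digit ticket number contains a 10-digit substring that satisfies [234]{3}[0-9]{7}, and because "Patient ID" also appears, the unanchored policy quarantines the message while the anchored one does not. Whether the appliance's regex engine adds boundaries itself is not stated on the page, so test with the appliance before relying on either behaviour.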
Procedure 3 Connect the DLP Policy with Outgoing Mail Policy
Outgoing mail policy determines which DLP policies are applied to messages leaving the agency. To apply the DLP rules created in the steps above, go to Mail Policies > Outgoing Mail Policies and select the current DLP policy rules for the outgoing default policy. Note that if you have not yet set up DLP policies, the current DLP policy rules will appear as "Disabled". Clicking on that link will allow you to select Enable DLP and to enable or disable the individual policies.
Figure 17. Configuring Outgoing DLP Mail Policies
Procedure 4 Testing and Monitoring the Data Security System
HIPAA Policy Example
The pre-defined HIPAA policy in the RSA Email DLP engine looks for data in this fashion:
(Drug dictionary OR Disease dictionary OR Injury dictionary) AND (PII classifiers that are ORed together)
In other words, a message must contain something that matches one of the HIPAA dictionaries, as well as a PII identifier, in order for the message to match the policy.
To test the outgoing mail policy, compose a test email that includes some illness-related terms, the text "Patient ID", and a patient ID number that matches the pattern defined in the HIPAA example configuration. The image below shows a simple test message. Send the test email to a destination outside the network.
Figure 18. Testing the Outgoing DLP Mail Policy
If the rule is being applied correctly, the sender will receive a notification e-mail similar to the one shown below, indicating the HIPAA violation.
Figure 19. Example Notification Email
Because the HIPAA policy was configured to quarantine messages that contain DLP violations, manually inspect the test message, and either delete it or forward it. Quarantine areas also have a default action, which can be either to release the message or to delete it, and a time period after which the default action is automatically taken. If the default action is Release, a message that nobody reviews before the period expires is delivered with the violation intact, so set the default to Delete for any policy where that is unacceptable. In this example, manually release the message, allowing it to be delivered:
Step 1: Select Monitor > Quarantines > Policy to view quarantined messages, as shown in Figure 20.
Figure 20. Viewing Quarantined Email Messages
Step 2: Click the subject to view the details of the quarantined message, as shown in Figure 21 below.
Figure 21. Viewing Details of Quarantined Messages
Step 3: Under Quarantine Details, you have the ability to either delete the quarantined message or to release it, or to extend the quarantine period. To release the message to its destination, check the Select box for the test message, choose Release from the Select Action drop-down list, and then Submit.
Procedure 5 Monitoring DLP Policies
In the management GUI, select Monitor > DLP Incidents. From the DLP Incident Summary screen shown below, one can click on any of the policies to see the report for that specific policy violation. By clicking on the policy in "DLP Incident Details", one can view individual users who have violated that policy. This allows the administrator to see their mail profile, which provides information about what information assets are leaving the network by e-mail. Administrators can also search for DLP violations and, if Matched Content Logging was enabled in Procedure 1, Step 4, see the specific content that triggered the DLP violation. This provides detail about what transpired in the DLP incidents during auditing and discovery.
Figure 22. Monitoring DLP Incidents
Process
DLP Configuration for Web Traffic
1. Enable DLP on the Appliance
2. Configure the RSA DLP Network
3. Validate the Setup
A Cisco IronPort Web Security Appliance deployed at the Internet edge interoperates with RSA DLP technology to identify and protect sensitive data. The appliance acts as a proxy server and uses ICAP to offload content scanning to external systems. RSA Enterprise Manager manages policies for the network, endpoints, and data center. Cisco IronPort Web Security Appliance, RSA Enterprise Manager, and the RSA DLP Network Controller are the main components shown below.
Figure 23. Main Components for Web Traffic DLP
(Figure 23 components: Web Security Appliance, ICAP server, RSA Network Controller, RSA Enterprise Manager, firewall, end user, Internet, and the HTTP/HTTPS/FTP proxy connection from the end user through the appliance.)
In this deployment guide, RSA DLP Network Controller, the ICAP server, and RSA Enterprise Manager are installed and configured in the SBA for Large Agencies—Borderless Networks architecture.
The following sections provide a recommended configuration for blocking sensitive information sent through webmail. Cisco IronPort Web Security Appliance version 6.3.3 is the verified platform. In this example, the pre-defined PCI-DSS policy for the network is used.
Implementing DLP with Web Security Appliances requires the following high-level procedures, each involving several steps, as listed below:
• Enable DLP on the appliance
• Configure the RSA DLP network
• Validate the setup
• Test and monitor policy violations
Procedure 1 Enable DLP on the Appliance
Step 1: Enable the external DLP server, which in this example has IP address 10.4.200.118:
From the Web Security Appliance web management GUI, select Network > External DLP Servers, then click Edit Settings. In the Server Address field, enter the address of the RSA DLP server, in this case 10.4.200.118. The Port will usually be left set to the ICAP default port of 1344. The Service URL is of the form icap://serverIP/srv_conalarm, so in the example shown in Figure 24, it is icap://10.4.200.118/srv_conalarm.
Figure 24. Configuring an External DLP Server Using ICAP
Note that ICAP (RFC 3507) carries the encapsulated HTTP request, including the sensitive content being scanned, in cleartext; place the DLP server on a protected internal segment reachable only from the appliance rather than exposing port 1344 more widely.
To test the connection between the appliance and the external DLP server, click Start Test.
Click Submit, then Commit Changes.
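An added example, not code from this guide, Cisco or RSA, of the ICAP exchange that the Start Test button and the later upload test exercise: an OPTIONS request to the service URL configured above, and a REQMOD request that wraps an outbound HTTP POST (the webmail upload the appliance proxies) so the external server can scan it. The server address and service path are the ones on the page; the HTTP request and the two ICAP responses are constructed here, and because the page does not show the RSA server's actual response headers, only the ICAP status line is interpreted (204 = request allowed unmodified, 200 = a modified message returned, which for a DLP server is typically the block page the browser displays). Sending over the network is optional and not exercised by default.

```python
import socket
from typing import Dict, Tuple

ICAP_HOST = "10.4.200.118"      # external DLP server address from the page
ICAP_PORT = 1344                # ICAP default port
ICAP_SERVICE = "srv_conalarm"   # service path from the page's Service URL


def build_options_request(host: str = ICAP_HOST, service: str = ICAP_SERVICE) -> bytes:
    """ICAP OPTIONS request (RFC 3507 section 4.10): asks the service what it supports.
    A reachability test such as the appliance's Start Test can be built on this."""
    return (
        f"OPTIONS icap://{host}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def build_reqmod_request(http_headers: bytes, body: bytes,
                         host: str = ICAP_HOST, service: str = ICAP_SERVICE) -> bytes:
    """ICAP REQMOD request carrying an outbound HTTP request for scanning. The Encapsulated
    header gives byte offsets into the encapsulated section: the HTTP header block starts at
    0 and the chunked body starts immediately after it (RFC 3507 section 4.4)."""
    if not http_headers.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    if body:
        chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
        encapsulated = f"req-hdr=0, req-body={len(http_headers)}"
    else:
        chunked = b""
        encapsulated = f"req-hdr=0, null-body={len(http_headers)}"
    icap_headers = (
        f"REQMOD icap://{host}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Encapsulated: {encapsulated}\r\n"
        "\r\n"
    ).encode("ascii")
    return icap_headers + http_headers + chunked


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from an ICAP response. 204 means the server left the
    request unmodified (allowed); 200 means it returned a modified message (for a DLP
    server, typically the block page the browser shows)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def send_icap(request: bytes, host: str = ICAP_HOST, port: int = ICAP_PORT,
              timeout: float = 5.0) -> bytes:
    """Send one ICAP request and read until the server closes or goes quiet (live use only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample: the HTTP POST a webmail client would make, carrying a store-card number.
SAMPLE_HTTP_HEADERS = (
    b"POST /mail/send HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
)
SAMPLE_BODY = b"Refund card 6035 1234 5678 9012"

# Constructed ICAP replies used to exercise the parser (the real server's headers differ).
SAMPLE_ALLOW = b"ICAP/1.0 204 No Content\r\nISTag: \"dlp-policy-1\"\r\n\r\n"
SAMPLE_BLOCK = (b"ICAP/1.0 200 OK\r\nISTag: \"dlp-policy-1\"\r\n"
                b"Encapsulated: res-hdr=0, res-body=63\r\n\r\n")


if __name__ == "__main__":
    print(build_options_request().decode())
    print(build_reqmod_request(SAMPLE_HTTP_HEADERS, SAMPLE_BODY).decode())
    print(parse_icap_response(SAMPLE_ALLOW), parse_icap_response(SAMPLE_BLOCK))
```

To try it against the configured server, call send_icap(build_options_request()) from a host on the same segment as the appliance and pass the result to parse_icap_response; a connection refusal or a non-ICAP status line at this stage means the Start Test in the GUI will fail for the same reason.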
Step 2: Set Up External DLP Policy
Create external DLP policies that determine which traffic is sent to the ICAP server for content scanning.
Go to Web Security Manager > External DLP Policies and click Add Policy. Give the policy a name in the Policy Name field. In this example, use "Gmail Policy" as the name. Under Policy Member Definition, select criteria for the policy. In this example, apply the policy to all users and leave Identities and Users set to the default value of All Identities. For this setting, at least one further selection option is required. Click on Advanced and then set the Protocols definition to include HTTP, HTTPS, FTP over HTTP, Native FTP, and All others. Click Submit. Note that HTTPS uploads can only be handed to the DLP server if the appliance decrypts them; HTTPS connections that are passed through undecrypted are not scanned.
Click on the Scan settings under Destinations for the policy. Choose Define Destinations Scanning Custom Settings from the drop-down list, and set Destinations to Scan to Scan all uploads. The resulting policy should look like the "Gmail policy" entry shown below:
Figure 25. Configuring to Scan All Protocols
Step 3: Click Submit and then Commit Changes.
Procedure 2 Configure the RSA DLP Network
Step 1: In RSA Enterprise Manager, enable the ICAP server and Network Controller. The Network Controller communicates between RSA Enterprise Manager and network devices.
Go to Admin > Network > Status and verify that the Network Controller and ICAP servers are operating. For detailed instructions on setting up the DLP Network ICAP server and Network Controller, please refer to the RSA documentation for RSA Data Loss Prevention.
Step 2: Write a PCI-DSS policy to prevent the loss of sensitive information via Gmail.
Go to Policies > New Policy > Use Policy Template.
Click PCI-DSS policy. The PCI-DSS policy page opens.
Under the Network tab, select the following options:
• Under Who, select All Users.
• Under Detect, select Protocols.
• Under Action, select Audit only.
Click Save.
Audit only records the violation without stopping the upload, which suits the tuning phase described earlier; to observe the discard message in Procedure 3, Step 3, the policy's action must be a blocking one.
Figure 26. Setting a Policy for Gmail
Procedure 3 Validate the Setup
Step 1: Configure a web browser to proxy outgoing traffic through the Cisco IronPort Web Security Appliance.
Step 2: Using the browser, access Gmail, compose a new message, and attach a file that violates the PCI-DSS policy.
Step 3: Verify that a Network ICAP discard message is displayed in the browser.
Step 4: Use RSA Enterprise Manager to view the resulting event and incident that were created as a result of this violation of policy.
Figure 27. Viewing Incidents and Events Caused by Policy Violations
15EndpointSecurity
EndpointSecurity
RSADLPEndpointallowsyoutomonitorandcontrolhowendusersinteractwithsensitiveinformation.Ittracksandcontrolsarangeofuseractionsasdefinedbypolicy,anditauditsuseractionsinvolvingsensitivedata,sendingalertsofpolicyviolations,andcreatingauditlogs.
Configuration of RSA DLP Endpoint
A deployed instance of RSA DLP Endpoint includes the following components, shown in Figure 28.
• RSA DLP Endpoint Agents
• RSA DLP Enterprise Manager
• RSA DLP Site Coordinator
• RSA DLP Enterprise Controller
Figure 28. A Deployed Instance of RSA DLP Endpoint
Endpoint Agents run on each user's computer to monitor user actions and perform content analysis. The agents are responsible for enforcing usage policy and collecting audit data. The Site Coordinator controls the customer's deployment. It sends instructions to, and gathers results from, endpoint agents, which are organized into Endpoint Groups.
The Enterprise Manager is the interface to DLP Endpoint for both users and administrators. The Enterprise Manager sends configuration settings and policies to the Site Coordinator to be picked up by all endpoint agents on the network. At predefined intervals, the Enterprise Manager picks up events sent to the Site Coordinator by those endpoint agents and, based on policy, generates incidents for review and analysis.
Process
RSA DLP Endpoint Example
In this example, assume the Enterprise Coordinator and the Site Coordinator "San Jose" are configured. This example shows that, if a user tries to copy files onto external media such as a USB drive, this action triggers a DLP violation.
Step 1: Create a new Endpoint Agent group
In RSA DLP Enterprise Manager, go to Admin > Endpoint. Click New Endpoint Group. Select the site San Jose.
In the Computers (DNS names or IP addresses) field, specify the IP address of the computer (for example, 192.168.21.36).
In the Configure passwords section, enter the GPO/Push Agent Password, which is the password for installing endpoint agents with push technology. If you have already installed endpoint agents on the target machines in the Endpoint group, enter the same password that was used for those installations.
Step 2: Activate the RSA DLP Endpoint policy using pre-defined policy templates
Go to the Policies tab.
Click New Policy at the top of the policy list.
Select Use Policy Template Library from the drop-down menu.
Under the Regulatory and Compliance section, select the PCI-DSS policy template and activate it for Endpoint.
Click the PCI-DSS policy and then select the Endpoint tab within the PCI-DSS template.
Figure 29. Policy Validation Rules
Create a policy violation rule. In the Who field, keep the default "All users" option.
Under Detect, the detection filter lets you specify user actions, file attributes, destination attributes and transmission attributes that can trigger a DLP violation.
Add a "User action" detection rule, which lets you specify a user action that triggers a DLP violation. Select Copy to Removable Drive.
Figure 30. Defining a User Action Detection Rule for Removable Drives
Under Severity — Action, choose Notify and Audit as the action the policy should take if a violation occurs.
Click Save. The new or edited policy will appear in the policy list on the Policy Manager page. By default, the policy is enabled. To test the policy on the client machine, try copying a document or any other file type that contains a CCN with address information to a USB drive. This will generate a DLP violation.
View DLP Violation: Click the Incident tab to display the DLP violation.
Figure 31. Console Messages Showing DLP Violations
Datacenter Security
RSA DLP Datacenter is a software solution that permits locating and acting on sensitive information stored anywhere in the agency. In use, DLP Datacenter scans an agency's networks, examining files on all machines of interest.
RSA DLP Datacenter Configuration
A deployed instance of RSA DLP Datacenter includes the following components, as shown in Figure 32.
• RSA DLP Endpoint Agents
• RSA DLP Enterprise Manager
• RSA DLP Site Coordinators
• RSA DLP Enterprise Coordinator
Figure 32. RSA DLP Datacenter Components
During a scan, endpoint agents perform the content analysis. Each agent receives instructions from, and returns results to, its Site Coordinator. An RSA DLP Datacenter installation can have as many Site Coordinators as required, possibly in widely dispersed locations. The Enterprise Coordinator is the master controller for the DLP Datacenter deployment. It sends instructions to, and gathers scan results from, all Site Coordinators involved in all scans.
When it scans, DLP Datacenter accesses a specific scan group, which is a set of machines on the network that you specify as being of interest.
There are several types of scan groups available:
• Agent: Scan groups for agent-based scans
• Grid: Scan groups for grid scans
• Repository: Scan groups for repository scans
Agent-Based Scanning
In this type of scan, an endpoint agent is installed on every machine whose content should be scanned. To perform a scan, Enterprise Manager sends a request to the Enterprise Coordinator, which sends a command to the appropriate Site Coordinator on a local or remote network. The Site Coordinator installs or connects to an endpoint agent on each target machine in the scan group and commands it to start scanning. Each agent accesses and analyzes all files on its local host and then sends results (information about files that violate the policies being scanned for) back to the Site Coordinator, which collates the results and sends them to the Enterprise Coordinator and on to Enterprise Manager for display to the user.
Figure 33. Agent-based DLP Scanning
Grid Scanning
Grid scanning provides for efficient, scalable analysis of very large file repositories (such as SAN or NAS systems), distributing the burden of analyzing the large amounts of data (up to terabytes) in the storage device.
Figure 34. Grid-based DLP Scanning
Repository Scan and Database Scan
Specialized types of grid scans include database scanning of agency databases, and repository scanning of collaboration and document-management systems such as SharePoint or Documentum.
In this guide, only agent-based scanning has been validated. Grid scanning is out of the scope of this guide.
RSA DLP Datacenter Agent-based Scanning Example
This example scans a group of machines that contain specific dated files.
Step 1: In Enterprise Manager, click the Admin tab. The Administration Status Overview appears. Beneath the Admin tab, click Datacenter. The Datacenter administration page appears.
Step 2: Create a new agent-scan group
In the deployment tree, select the Site Coordinator that the new agent group belongs to. Above the tree, click New Object and select New Agent Scan Group from the drop-down menu. The New/Edit Agent Group panel appears on the right.
Step 3: Activate the Datacenter DLP policy using pre-defined policy templates
Click the Policies tab and then New Policy at the top of the policy list. Select Use Policy Template Library from the drop-down menu. Under the Regulatory and Compliance section, select the PCI-DSS policy template and activate it for Datacenter. Click the PCI-DSS policy and then select the Datacenter tab within the PCI-DSS template.
a. Create a policy violation rule. Click All Agent and Grid Scan Groups to select the scan group. Select the scan group "Agent_Scan1".
b. Under Detect, add a detection filter that lets you specify by date those files that are to be considered policy violations. Click the link (by default Any File Dates) to display the dialog box, and select Files modified before May 2010.
c. Under Severity — Action, specify Audit Only as the action the policy should take if a violation occurs. You can specify different actions (allow, audit only, audit & encrypt, quarantine & audit, block & audit) for different event severities. In this example, set the severity to High and select the action Quarantine.
d. Save the Policy. Click Save. The new or edited policy will now appear in the policy list on the Policy Manager page. By default, the policy is enabled.
e. Start the Scan. In the deployment tree, select the scan group "Agent_Group" used for the scan. The Agent Group panel appears, showing status information for the scan group that you have selected. In the Agent Group panel, click Scan Now. From the drop-down list, choose Run Full Scan. This scans all documents on all target machines in the scan group. After the files are identified, the system moves them automatically to a secure location, depending upon the severity. If the severity is high, the security administrator should inspect the file and check why the operational processes were broken.
f. View Logs. Click the History tab and then select View Status Log. A window displays all status messages as they are logged. This window displays the same status log that is visible when the Status tab is active, covering both the agent-deployment phase and the content analysis phase of the scan.
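An added, constructed model (not RSA's engine and not code from this guide) of how the rules set in the Endpoint example above and in Step 3 of this Datacenter example combine: the PCI-DSS content rule approximated as a Luhn check on card-number patterns, the Copy to Removable Drive user-action rule, the Files modified before May 2010 filter, and the actions chosen for each. The event records, card numbers and the severity mapping are assumptions for illustration.

```python
"""Constructed model of the policy logic configured in the Endpoint and
Datacenter examples (not RSA's engine): a PCI-DSS content rule (Luhn-valid
PANs), the 'Copy to Removable Drive' user-action rule, the 'Files modified
before May 2010' filter, and the severity-to-action choices named above."""
import re
from datetime import datetime

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
DATE_CUTOFF = datetime(2010, 5, 1)   # detection filter: files modified before May 2010


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Candidate card numbers (13-16 digits, spaces/dashes allowed) that pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def evaluate(event: dict) -> str:
    """Action for one constructed event record (keys: text, action, modified,
    scan).  Who = all users, so no user filter is applied (assumed mapping)."""
    if not find_pans(event["text"]):
        return "allow"                                # PCI-DSS content rule not matched
    if event["action"] == "copy_to_removable":        # Endpoint rule -> Notify and Audit
        return "notify_audit"
    if event["scan"] == "agent" and event["modified"] < DATE_CUTOFF:
        return "quarantine_audit"                     # date filter hit -> High -> Quarantine
    return "audit"                                    # default Severity - Action: Audit Only


# Constructed sample events, not captured DLP incidents.
SAMPLE_EVENTS = {
    "usb_copy": {"text": "Acct 4111 1111 1111 1111, 12 Main St", "action": "copy_to_removable",
                 "modified": datetime(2011, 3, 2), "scan": None},
    "old_file": {"text": "PAN 4111111111111111", "action": None,
                 "modified": datetime(2009, 6, 1), "scan": "agent"},
    "new_file": {"text": "PAN 4111111111111111", "action": None,
                 "modified": datetime(2011, 6, 1), "scan": "agent"},
    "clean":    {"text": "memo, no card data 4111111111111112", "action": "copy_to_removable",
                 "modified": datetime(2009, 1, 1), "scan": None},
}


def evaluate_all() -> dict:
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}
```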
Summary
Data security challenges are growing as the second decade of the 21st century unfolds. Organizations want to protect intellectual property and comply with newly introduced regulatory requirements. To address these constituent challenges and agency problems, Cisco has introduced the Cisco Data Security System, which consolidates key data-security trends like DLP with other data protection technologies in a single framework. This guide provides a stepwise, streamlined implementation approach to enable the full suite of DLP in a prioritized order across the network, endpoints and data center.
Additional Information:
Technology partner deployment guides can be found here: http://www.cisco.com/go/securitypartners.
Appendix A: SBA for Large Agencies Document System
Figure. SBA for Large Agencies document system map, showing the design guides, deployment guides and supplemental guides and marking this guide as the current location. Guides listed: Design Overview; IPv6 Addressing Guide; LAN Deployment Guide; LAN Configuration Guide; WAN Deployment Guide; WAN Configuration Guide; Internet Edge Deployment Guide; Internet Edge Configuration Guide; SolarWinds Deployment Guide; Wireless CleanAir Deployment Guide; Data Security Deployment Guide (this guide); Nexus 7000 Deployment Guide; SIEM Deployment Guide; ArcSight, LogLogic, nFx, RSA and Splunk SIEM Partner Guides; CREDANT and Lumension Data Security Partner Guides.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
C07-640736-00 12/10