What is DLP (Data Loss Prevention)?

Lee, Sang Jin
Nov 23, 2020


Gartner describes DLP in terms of three states of data: data at rest, data in use and data in motion. Data at rest is data housed on storage media in any digital form. Data in use is data currently being created, updated, processed, erased, accessed or read by a system. Data in motion is data being transported between locations, either within or between computer systems. A DLP solution blocks and prevents the loss of sensitive or confidential data across all three states.

In product terms the three states map to three components: Discover, Endpoint DLP and Network DLP. Discover finds confidential data at rest in large-volume storage such as PCs, servers and databases and helps the organization act on it according to its security policy. Endpoint DLP detects policy violations when a user holding confidential data tries to export it through channels such as USB copying and printing, and logs and controls those attempts according to the policy. Network DLP prevents and controls leakage over network channels such as e-mail, messengers, P2P, FTP, HTTP/HTTPS and social networks. Each type is described in detail below.

1. DLP for Data at Rest

Data Discover

As shown in Fig. 1, Endpoint Discover detects confidential information and PII stored on user endpoint devices such as desktop and laptop PCs. An agent must be installed on every endpoint for this. Discover supports both file scans and e-mail scans. File scans evaluate whole files against the detection policy rather than isolated patterns, and e-mail scans are supported for Outlook, which requires the scanning component to be matched to the installed Outlook version and license.

As shown in Fig. 2, Server Discover detects confidential information and PII stored on file servers and in databases. An agent must be installed on every file server; Database Discover works agentless.

< Figure 1. Endpoint Discover >
< Figure 2. Server Discover >

Detecting Sensitive Documents on Endpoint

Endpoint Discover uses the agent to detect files and e-mail messages residing on endpoint devices, and the scan results can be viewed on the management console. Both user scans, started by the data handler on their own device, and centralized scans, started by the administrator from the management console, are supported. Security managers can scan every endpoint in the organization on demand or on a schedule.

Detecting Sensitive Data on Server and Database

Server Discover is agent-based, and supports agentless detection over SFTP for machines on which an agent cannot be installed. It also detects sensitive data in commercial databases without an agent. Through the management console, administrators can create detection policies and receive incident results.
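The content-based detection that Endpoint and Server Discover perform is, at its core, a walk over files with a set of detection rules, and the part that separates a usable scan from a noisy one is validation of what the patterns match. The following is an added example written for this article, not code from the product described; the detection rules, the sample files and the masking convention are all constructed assumptions, and a real Discover policy carries far more patterns (national IDs, account numbers, keywords, document fingerprints) plus extractors for office and archive formats.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed detection rules for this example only.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
US_SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # "card", "ssn", "email"
    value: str     # masked, so the incident log itself does not become a leak
    offset: int    # character offset in the file, for the console to show context


def mask(value: str, keep_tail: int = 4) -> str:
    return "*" * (len(value) - keep_tail) + value[-keep_tail:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                      # the checksum cuts false positives
            findings.append(Finding("card", mask(digits), m.start()))
    for m in US_SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group()), m.start()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(), m.start()))
    return findings


def scan_directory(root: str) -> Dict[str, List[Finding]]:
    """Walk a tree the way a Discover scan would and report only the files
    that violate the policy (at least one finding)."""
    results: Dict[str, List[Finding]] = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # Office, PDF and archive formats need format-specific extractors in a
        # real product; this example treats every file as text.
        text = path.read_bytes().decode("utf-8", errors="ignore")
        found = scan_text(text)
        if found:
            results[str(path)] = found
    return results


def build_sample_tree() -> str:
    """Constructed sample data: one clean file and one violating file."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("Order ref 1234 5678 9012 3456 (not a card)\n")
    (root / "customers.txt").write_text(
        "alice@example.com, card 4111 1111 1111 1111, SSN 123-45-6789\n")
    return str(root)


if __name__ == "__main__":
    for file, findings in scan_directory(build_sample_tree()).items():
        for f in findings:
            print(f"{file}: {f.kind} at offset {f.offset} -> {f.value}")
```

The order reference in notes.txt matches the card pattern but fails the Luhn check, so the file produces no incident; that validation step is what keeps the user-side classification workload described later in this section manageable. Storing only masked values in findings matters too: an incident database full of plaintext card numbers is itself a high-value target.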

Follow-up Actions to Sensitive Data Detection

When important data found on an endpoint device is judged to be held without a legitimate business purpose, the user or administrator can take one of the following actions.

- Encryption: Keeps the data retained on the user endpoint device safe by encrypting it.

- Deletion: Permanently deletes confidential data so that it cannot be restored, even with a data-recovery tool. One caveat: overwrite-based secure deletion is not dependable on SSDs (wear levelling keeps old blocks around) or on file systems that keep snapshots, so a deployment should verify what the agent actually does on such volumes.

Managing PII(Personally identifiable information) Files

Users can classify confidential or personal data found on their PC or server and register it either as customer information held for business use or as personally owned data that needs no special management, and then manage it themselves. User-level classification reduces the effort and load of centralized classification while minimizing false positives. Administrators can review logs of data that users have not yet classified and ask them to classify it, and sample testing lets administrators verify that user-driven classification was done correctly.

2. DLP for Data in Use

Prevent Overview

As shown in Fig. 3, DLP Prevent monitors and controls confidential data residing on endpoint devices such as desktops and laptops so that it cannot leak through the various output channels. Uploads, printouts and USB storage devices are the major leakage channels, so the DLP policy needs to fit the organization's actual processes; other channels prone to loss include Bluetooth and Wi-Fi. Just as with Discover, Endpoint DLP requires an agent on the endpoint to enforce access control.

< Figure3. DLP for Prevent >

Controlling Sensitive Data on Endpoint

Many events occur on endpoints, such as copying, uploading and transmitting files, and transfers over any of these channels can involve files containing confidential information. Prevent monitors, blocks and/or controls these events across channels such as e-mail, USB, print and Bluetooth according to the organization's policy. Context-based control scans the content against predefined detection rules, so the response is policy-driven rather than a blanket block of every conspicuous attempt. Reactions can be configured separately for the agent's online and offline states (whether or not it can reach the management server).

Copy Prevent

A huge number of portable devices are in use in organizations, and identifying and controlling every one of them centrally is often infeasible and leaves blind spots. Organizations can therefore decide selectively whether unregistered devices are allowed at all: access to a registered portable device follows the predefined policy, while every attempt to use an unregistered device is blocked.

To identify and register a USB device, its serial number is used for validation. Administrators extract the serial number of each device that will be used in the organization with a utility that is generally installed on PCs together with the agent. Keep in mind that a USB serial number is an identifier, not a credential: devices with reprogrammable firmware can present any serial number, so serial-based registration limits accidental use of unknown media rather than defeating a determined insider.

Print Prevent

When a user attempts to print a document containing confidential information, context-based control is applied: the document content is checked for PII, and the attempt is allowed or blocked (and logged) according to the central policy. This is supported for Microsoft Office applications, web browsers and other applications that print through Windows printer drivers.

Print jobs containing PII can also, according to the organization's security policy, be automatically copied as JPG and/or TXT files. Image and text logging is enabled by policy and used for later tracing and audit.

Media Control

Media control blocks wireless and mobile data networks (tethering, WiBro, etc.), serial and parallel ports, Bluetooth, infrared ports and iPhone/iPad connections. It can also control or block data transfer to CD/DVD, floppy disks, file shares and network-attached drives. For CD/DVD writing through Windows, context-based control can be applied.
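The Copy Prevent, Print Prevent and context-based control passages above describe one decision procedure: a device-registration gate for removable media, followed by a per-channel rule that only fires when the content scan found sensitive data, with separate rule tables for online and offline agents. The block below is an added example written for this article, not the product's own policy engine; the event model, the serial-number registry, the channel names and the sample policy (stricter when offline, because an offline agent cannot report incidents in real time) are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"
    LOG = "log"      # allow the transfer but record an incident
    BLOCK = "block"


@dataclass(frozen=True)
class Event:
    channel: str                          # "usb", "print", "email", "bluetooth", "upload"
    user: str
    online: bool                          # can the agent reach the management server now?
    pii_types: FrozenSet[str]             # output of the content scan, e.g. {"card"}
    device_serial: Optional[str] = None   # only meaningful for removable media


@dataclass
class Policy:
    registered_devices: Dict[str, str]    # USB serial -> owner, assumed registered via the console
    online_rules: Dict[str, Action]       # channel -> action when the content holds PII
    offline_rules: Dict[str, Action]
    default: Action = Action.ALLOW


def decide(policy: Policy, ev: Event) -> Tuple[Action, str]:
    # Copy Prevent: unregistered removable devices are refused regardless of content.
    if ev.channel == "usb":
        if ev.device_serial is None or ev.device_serial not in policy.registered_devices:
            return Action.BLOCK, "unregistered removable device"
    # Context-based control: transfers without sensitive content follow the default.
    if not ev.pii_types:
        return policy.default, "no sensitive content"
    rules = policy.online_rules if ev.online else policy.offline_rules
    action = rules.get(ev.channel, policy.default)
    state = "online" if ev.online else "offline"
    return action, f"{ev.channel} carrying {sorted(ev.pii_types)} while {state}"


def enforce(policy: Policy, events: List[Event]) -> List[dict]:
    """Evaluate a batch of endpoint events and build the audit records the
    management console would show; LOG and BLOCK both produce an incident."""
    audit = []
    for ev in events:
        action, reason = decide(policy, ev)
        audit.append({"user": ev.user, "channel": ev.channel,
                      "action": action.value, "reason": reason})
    return audit


# Constructed sample policy: offline endpoints get the stricter rule table.
SAMPLE_POLICY = Policy(
    registered_devices={"SN-0042A7": "alice"},
    online_rules={"usb": Action.LOG, "print": Action.LOG, "email": Action.BLOCK,
                  "bluetooth": Action.BLOCK, "upload": Action.BLOCK},
    offline_rules={"usb": Action.BLOCK, "print": Action.BLOCK, "email": Action.BLOCK,
                   "bluetooth": Action.BLOCK, "upload": Action.BLOCK},
)

# Constructed sample events.
SAMPLE_EVENTS = [
    Event("usb", "alice", True, frozenset(), "SN-FFFF00"),           # unknown stick, clean file
    Event("usb", "alice", True, frozenset(), "SN-0042A7"),           # registered stick, clean file
    Event("usb", "alice", True, frozenset({"card"}), "SN-0042A7"),   # registered, PII, online
    Event("usb", "alice", False, frozenset({"card"}), "SN-0042A7"),  # registered, PII, offline
    Event("print", "bob", True, frozenset({"ssn", "email"})),
    Event("email", "bob", True, frozenset({"card"})),
]

if __name__ == "__main__":
    for record in enforce(SAMPLE_POLICY, SAMPLE_EVENTS):
        print(record)
```

The two USB events with the registered stick show the point of the online/offline split: the same user copying the same sensitive file is merely logged while the agent can report home, and blocked when it cannot.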

3. DLP for Data in Motion

Network DLP

Network DLP protects information by detecting, controlling and blocking confidential data according to the central policy before it leaves the organization over the network. The DLP server analyzes network packets, scans attachments, and determines and logs whether a policy violation has occurred. For example, it can detect and block an attempt to send a file containing customer information to a rival company.

Controlled protocols cover e-mail (SMTP, POP3 and IMAP), web mail, messengers, remote-control applications, web (HTTP/HTTPS), file sharing (FTP active/passive) and proxy-bypass access. Monitoring is port-independent: application-level traffic is identified by its content and controlled even when it does not use the standard port (for example HTTP on a port other than TCP 80).

Network Configuration for Network DLP

Network DLP deployments fall into three configurations: port mirroring, explicit web proxy and transparent proxy. Port mirroring lets the DLP server monitor traffic on every data loss channel and detect PII without adding load or latency to the network path, but it can only observe and alert. For content-based preventive control the traffic must pass through the DLP server, so an explicit web proxy or a transparent proxy is used; with a transparent proxy (T-proxy), packet flow is controlled and monitored per protocol. A T-proxy is convenient for users because it is inserted with FOD (fail-open bypass) equipment, L4 switches or WCCP redirection and needs no configuration on the client. If a proxy already exists, the DLP server can integrate with it through ICAP. Because most configurations use FOD equipment and an L4 switch, a failure of the DLP server fails open and service continues; high-availability and load-balancing options are also provided to keep DLP running without hurting performance. Note that fail-open means inspection is lost for the duration of the outage, so that trade-off should be a conscious choice and the bypass state should be alerted on.

Protocol Coverage & Automatic Update

Broad protocol coverage is essential for Network DLP. New data loss channels appear and disappear every day, so widely used protocols must be identified and supported. The protocol set covers not only domestic web mail services such as Naver and Daum but also global services such as Gmail, and widely used messengers such as Facebook and NateOn. Large file uploads via ActiveX in web mail services can also be controlled. Protocols change frequently, so packets must be re-analyzed and signatures updated whenever a protocol changes, or control breaks. To handle protocol changes, updates are pushed to all agents; once a new protocol version is verified, the agent is automatically updated to the newer version.

SSL Visibility & HTTPS Control

An explicit proxy requires per-user settings (a proxy configuration on each client). As shown in Fig. 4, SSL Visibility instead concentrates traffic at a gateway (proxy) and needs no per-user proxy settings, which makes it convenient. With it, commercial web mail over HTTPS can be logged and traced, outgoing data sent over HTTPS can be saved and traced, and for web storage services, web posts and other web-based file transfers all transactions can be saved and traced. Two practical points: the gateway's signing CA must be trusted on every endpoint, and applications that pin certificates will fail through the interception point unless they are explicitly bypassed, which in turn becomes a blind spot the policy has to accept knowingly.

< Figure 4. Network DLP >
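Two claims in this section are worth seeing in code: that protocol identification is port-independent (the payload, not the destination port, decides what a flow is), and that without SSL Visibility the only thing a Network DLP sensor learns about an HTTPS flow is the server name in the TLS ClientHello. The block below is an added example written for this article, not the product's protocol engine; the three constructed flows, the minimal ClientHello builder (used only to generate sample traffic) and the tiny signature set for HTTP and SMTP are all assumptions, and a real engine carries hundreds of signatures and full stream reassembly.

```python
import re
from typing import Dict, Optional

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ", b"PATCH ")
SMTP_VERBS = (b"EHLO ", b"HELO ", b"MAIL FROM:", b"RCPT TO:", b"DATA\r\n")


def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello carrying a server_name extension
    (sample traffic for this example, not captured data)."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name              # name_type 0 = host_name
    sni = (b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big")            # extension type 0
           + len(entry).to_bytes(2, "big") + entry)                     # server_name_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                        # version, random, empty session id
            + b"\x00\x02\x13\x01"                                       # one cipher suite
            + b"\x01\x00"                                               # null compression only
            + len(sni).to_bytes(2, "big") + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs            # record type 22 = handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello, or None if this is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 43                                                        # record(5)+hs(4)+version(2)+random(32)
        pos += 1 + payload[pos]                                         # session id
        pos += 2 + int.from_bytes(payload[pos:pos + 2], "big")          # cipher suites
        pos += 1 + payload[pos]                                         # compression methods
        end = pos + 2 + int.from_bytes(payload[pos:pos + 2], "big")     # extensions block
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(payload[pos:pos + 2], "big")
            elen = int.from_bytes(payload[pos + 2:pos + 4], "big")
            pos += 4
            if etype == 0:
                p = pos + 2                                             # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = payload[p], int.from_bytes(payload[p + 1:p + 3], "big")
                    p += 3
                    if ntype == 0:
                        return payload[p:p + nlen].decode("ascii", "replace")
                    p += nlen
            pos += elen
    except IndexError:
        pass
    return None


def classify(payload: bytes, dst_port: int) -> Dict[str, object]:
    """Identify the application protocol from the payload alone; dst_port is
    recorded for the log but never consulted, which is what port-independent means."""
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
        host = m.group(1).decode("ascii", "replace").strip() if m else ""
        target = first_line.split(b" ")[1].decode("ascii", "replace")
        return {"protocol": "http", "port": dst_port, "detail": host + target}
    if payload.startswith(SMTP_VERBS):
        return {"protocol": "smtp", "port": dst_port, "detail": first_line.decode("ascii", "replace")}
    sni = tls_sni(payload)
    if sni is not None:
        return {"protocol": "tls", "port": dst_port, "detail": sni}
    return {"protocol": "unknown", "port": dst_port, "detail": ""}


# Constructed flows, each on a non-standard port.
SAMPLE_FLOWS = [
    (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\nContent-Length: 4\r\n\r\nabcd", 8080),
    (b"MAIL FROM:<bob@corp.example>\r\n", 2525),
    (build_client_hello("mail.example.com"), 8443),
    (b"\x00\x01\x02garbage", 443),
]

if __name__ == "__main__":
    for payload, port in SAMPLE_FLOWS:
        print(classify(payload, port))
```

For the HTTP and SMTP flows the sensor sees the request target and the envelope sender and can scan the body that follows; for the TLS flow it sees only mail.example.com. That is exactly the gap the SSL Visibility gateway closes, and also why a plain mirror-port deployment can alert on destinations but cannot do content-based control of HTTPS.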

4. Conclusion

A DLP solution consisting of Discover, Endpoint DLP and Network DLP keeps confidential and internal data safely retained while allowing it to be used for legitimate purposes within the limits of the organization's security policy. Discover detects confidential data stored on the organization's endpoints and takes appropriate action; Server Discover does the same for file servers and databases, remediating by deletion or encryption. Endpoint DLP protects important data being uploaded, printed or transferred to USB storage using content-based detection, without impacting availability or productivity. Network DLP lets organizations use network channels to transfer PII and confidential data for legitimate purposes within the policy's permission range, and prevents important information from being exported by monitoring and blocking actions that violate the policy. Content-based detection secures PII and confidential data without impeding work, and every event and status can be viewed and managed through a single management console covering all DLP types. Through these DLP solutions, an organization can not only stay compliant with regulations but also protect its important assets.
