N°30  |  October   2008
Experts voice

DLP¹: the new gold standard for preventing information leaks in the enterprise?
By Lionel Mourer, Head of the Consulting and Audit team, Networks and Security Division, Bull Services France

Lionel Mourer has more than 10 years experience of working in strategic and operational consulting in IT security for major groups and numerous SMEs. He joined Bull in 2004 to set up and develop the Information System Network & Security Consulting and Audit business. Apart from his work developing Bull’s offerings and leading his team of 20 staff, Lionel is involved in a large number of pre-sales projects, and also contributes to delivering consulting assignments and managing complex projects. Lionel qualified as an Engineer in Information and Communication Technologies from Telecom Lille 1.

 

Once upon a time... the ‘offenders’ were easy to identify: they were simply enemies, who came from the ‘outside’! Arming yourself against them involved inventing ‘external safety belts’, in the form of firewalls, intrusion detection or prevention systems (IDS/IPS), anti-virus or other anti-spyware systems… These barriers were impenetrable, protecting the information system from aggressors. Next, it started to become apparent that the threat also came (perhaps above all?) from inside, and so user control became the priority, with all kinds of ‘internal braces’ – including procedures, authentication tools, identity and access management (IAM) systems, etc. – to ensure each user is known and recognized… So today, everything is under control! And yet, information has never circulated so freely (too freely): from instant messaging to blogs, from peer-to-peer networks to FTP transfers and Web sites, how on earth can we really control the way information is distributed, particularly business information that is often sensitive, confidential, even mission-critical? So-called ‘data loss protection’ or ‘data leakage protection’ (DLP) solutions are one part of the answer: we will be looking at how they work.

Of course, it goes without saying that we are not suggesting removing the ‘belt and braces’. The security systems outlined above remain indispensable, and we must continue to develop them if we are to guarantee the right level of security for information systems, in line with corporate security policies. But the world is an open place now! Information is circulating more and more freely out there, generally because that is what people want to happen! Yet it is only a small step from information ‘circulating freely’ to it ‘leaking’: a step that is relatively easy to take, and (for the moment at least) carries very little risk of being detected. This is why many enterprises are trying to find ways of, at best, preventing these kinds of leaks up front or, at worst, detecting them once they have happened. Setting aside for the moment the organizational aspects of this challenge (we will return to these later), technologies are evolving to help businesses do just that.

In the rest of this article, we will be exploring:

  • The value of information, or how and why we should identify information and assess how confidential and/or critical it is to our organizations
  • The ongoing risk of information ‘disappearing’. Why is information stolen? Who are the interested parties? …
  • The consequences of data loss
  • Techniques for preventing and/or responding to data leaks: a vision that is at once organizational, legal, and technical, with a focus on DLP technologies. 

The value of information
The ‘value’ of information is only rarely identified within the enterprise; and the way it circulates and how it is used are similarly rarely quantified! And yet it is of prime importance to know these aspects, and especially to classify the information that is held in the enterprise. There are two aspects to classifying information:

  • Confidentiality: who should be able to access a particular item of information? Typically, three levels of classification for confidentiality of information are used (see Table 1). Research shows that less than 10% of information is estimated to be ‘secret’ or ‘confidential’, while over 50% is ‘public’ (these percentages can vary from one sector to another).
  • Criticality: which items of information are important within the enterprise: for example, those enabling the business to get back up and running following a disaster? Here also, one generally uses three levels (see Table 2).

Table 1 - Example of the classification of confidentiality of information (three levels)

Level of classification               | Example of data
--------------------------------------|---------------------------------------------------------------
‘Secret’ or ‘Confidential’            | R&D (industrial secrets), Banking, Medical; Defense, Official (government) information; Personal data (legal obligations); Strategic projects/customers
‘Limited circulation’ or ‘Internal’   | Internal projects/customers; Organization chart, phone directory; Intranet, Extranet sites
‘Public’                              | Public Internet site; Advertising, sales/marketing information; Annual report

Table 2 - Example of the classification of criticality of information (three levels)

Classification level | The absence of this information…
---------------------|------------------------------------------------------------------------------------
‘Highly critical’    | …endangers the enterprise’s survival in the short or medium term
‘Critical’           | …does not permit the enterprise to operate at an optimum level (for example, a profitability problem)
‘Less critical’      | …has little impact (almost imperceptible) on the enterprise

Nevertheless, while it is easy to say that “information should be classified within the enterprise”, it is more difficult to actually enforce, simply because there is often so much information in the business, it may be distributed in ways that are not always obvious, and it is not always easy to identify the ‘true owner’ of the information!

Information leaks: a constant risk…
There are two ways of ‘losing’ information:

  • Accidentally: for example, this could happen through a message being sent to the ‘wrong’ person (an error on the part of the sender, sending an email to someone with a very similar name, etc.), or through documents being ‘left’ on a printer or a desk that is accessible to everyone (lack of awareness?)
  • With malicious intent: in other words, the theft of information. The thief knows what he or she is looking for, who they are taking it for and why: for example, stealing confidential information with the intention of selling it on (simple financial gain); revenge or the desire to harm a brand (an embittered employee, etc.); making life easier for themselves when they change employer, etc.

As for the channels for ‘lost data’, they are much more numerous and correspond to the different means of exchanging information (see Figure 1, a non-exhaustive list).

[Figure 1: diagram of the means of exchanging data; image not reproduced]

Figure 1 – Ways of exchanging data, and potential sources for leaks…

Overall, the majority of information that ‘disappears’ from businesses is taken by individuals authorized to access that information (78% according to the Ponemon Institute). Similarly, the loss or dispersal of information is often the outcome of an action or aim that is not deliberately malicious. However, in every case, it is the enterprise’s duty (to try) to control this information.

…with a variety of consequences
What would happen if information of strategic importance to the enterprise or personal data were divulged? Regular ‘press bombshells’ remind us that these losses do happen (see Box 1 below) and the enterprises affected suffer the consequences to a greater or lesser extent. For example:

  • Their brand image may be tainted, causing loss of market share (a number of banks have lost customers following media coverage of a data loss)
  • Legal proceedings can be launched, and result in a fine
  • In some cases, this can even put the enterprise in danger (mergers or takeovers aborted following an information leak during the negotiations), etc.

Box 1: Some recent, widely publicized, examples of ‘data loss’ 

Of course, professional ethics do not permit us to cite the players involved in these misadventures, either directly or indirectly. Nevertheless, there is plenty of talk about them in the press… Among the latest leaks receiving media attention here are just two typical examples:

  • In the recent past, an industrial company, a world player and leader in its market, suspected one of its former managers of trying to sell confidential and strategic information to a competitor. The clues were damning and this person is under investigation and has been placed under the control of the courts, being forbidden to leave the country, for abuse of confidence and violation of manufacturing secrets: he risks 15 years in prison. Potential consequence: the risk of the loss of one or several competitive advantages
  • But even more recently, the government of a large industrialized country has been ‘losing’ personal data: a number of CD-ROMs containing several tens of millions of records of citizens, a laptop computer containing the details of several hundred thousand army recruits... No-one knows whether this data has been ‘found’ by people with bad intentions, nor whether it has been or will be exploited. Many people are hoping that it won’t... Potential consequence: loss of confidence in government services.

As we can see, this does not just happen to other people (more than fifty known cases have come to light over the past three years… and how many unknown cases are there?). And the impact can be varied and highly significant for the organizations involved!

Prevention/reaction ‘Techniques’ 
To protect against leaks of information, there are three possible approaches. If businesses are to deal with this problem in a holistic way, they must manage the legal, organizational and technical aspects. 

Legal aspects
As already noted, the problem of information leaks needs to be approached from the ‘human’ point of view. So anyone able to access ‘classified’ information (whether it is confidential, critical or both) should be alerted to his/her responsibilities from the start, in case there is any ‘loss’ of information.

When it comes to an employee of the business, it is possible to use a confidentiality clause, defining the importance of the information to which the employee will have access, and requiring their agreement to confidentiality. The vehicle for this might be the contract of employment, a user charter, a personal pledge of confidentiality, or even, in some critical cases, some kind of formal accreditation (‘Confidential’ or ‘Secret’ defense clearance, for example).

For external parties (customer, supplier, etc.), the enterprise must handle the problem in the same way, for example using a specific clause in the service contract, signed personal commitments to confidentiality, or formal requirements for the company involved to produce security clearance on behalf of their personnel.  

Organizational aspects
Organization plays an especially important role in any DLP project. Some of the points to consider include identifying the data in question, raising awareness and/or training the different people involved, establishing procedures coupled with an audit and control mechanism, etc.

The first step is to identify and classify sensitive data, following a structure or creating a data ‘map’ as described earlier. To this end, the business needs to consider not only the legal and regulatory aspects and the internal rules (security policy, etc.), but also the possible need to protect intellectual property. A questionnaire can be submitted to each internal function (both in operational and support activities) in order to assist with this process of identification/classification.

The second element, directly related to the legal side, is an awareness campaign among staff (including external parties who carry out specific functions within the enterprise) to highlight the problems posed by information leaks. Although the legal framework may already be in place, the business still has a degree of responsibility to explain to staff why it is so important to protect the company’s sensitive information.  

Another important point to take into account: how are people using their information and how do they distribute it (using messaging systems, on CDs, DVDs or USB keys, on paper, etc.)? These ‘information flows’ are especially important in any DLP approach, because the choice of technical tools to be configured and deployed depends on what they are (see Technical aspects below).

Finally, there must be procedures in place to ensure that each person can only access what they have a right to see in the first place. Procedures are pointless without at least some supervision, control and auditing of them. Once again, organization is key. It is worth noting that, generally, the implementation of an Information Security Management System (ISMS) can play a very useful role in supporting the organizational responsibilities of Chief Security Officers (CSOs).

Technical aspects
These are mainly the province of dedicated software tools developed by software publishers (see Table 3 below), and distributed either by specialist vendors or by traditional suppliers of workstation protection solutions. Generally, DLP tools are not technologically innovative. They use mechanisms that already exist and are well known, such as port control, encryption, authentication, etc. Their added value resides in their capacity not only to automate the identification and classification of data, but also to provide the control and monitoring functions related to that information.

Typically, a DLP tool takes a digital ‘imprint’ (fingerprint) of data that is identified as being sensitive, thus ensuring that the information can be traced inside the enterprise. The tool then monitors the data to be protected, tracks its movements within the Information System and, if necessary, applies predefined security policies. So the systems administrator and/or the Information System Security Officer will be alerted if a user tries to transmit or copy data deemed to be sensitive, and the action itself can be blocked. An alert can also be issued (before or after the action has been executed) to the user, reminding them that they are handling sensitive information. Indeed, users are not always aware (or may have forgotten) of the sensitive nature of certain items of information…

Although this list is not exhaustive, the key characteristics of a DLP solution include:

  • Processing confidential information, including:
    • Handling of structured and non-structured data, independently of language (multilingual)
    • Matching via keywords and metadata, regular expressions, or even ‘fingerprint’
    • Matching of text files with binary files
  • Discovery and management of the topology of computers (endpoints), with:
    • Detection of endpoints in the enterprise
    • Display in ‘map’ format of the status of all end-points
    • Centralized monitoring and management of the status of client machines
    • Detection of unauthorized input/output devices at all end-points
  • Control of all input/output devices (USB keys, CDs/DVDs, floppies, Bluetooth/IrDA devices, communication ports and printer ports, etc) and blocking the ‘Print Screen’ function
  • Implementation of various granular security strategies, such as:
    • Logging, alarms on the server and/or client side, blocking, etc
    • The option of applying different strategies for cases of on-line and off-line violations
    • Security strategies based on groups or specific areas of endpoints
  • Generation of reports, for example:
    • Via personalized interactive dialogue boxes, and in real time, to inform systems administrators and the CSO, or even staff, of ‘illicit’ actions detected
    • Reports generated in real time of cases of security violations and dashboard per endpoint, per user, etc
    • Analysis of trends and violation channel breakdown;
    • Regular and/or on-demand reports on security violations.
  • Role-based administration and sensitive content access control.  
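The mechanism described above (fingerprinting sensitive data, matching outgoing content by fingerprint, keyword or regular expression, then applying a logging/alerting/blocking policy that can differ for on-line and off-line clients) is easier to grasp in working code. The following is an added example, written for this article and not code from Bull or from any of the vendors listed in Table 3; the sample document, keyword list, card-number pattern, channel names and policy table are all constructed for the demonstration. The fingerprint combines an exact hash of the normalized document with hashed five-word windows, so that a pasted excerpt (not only a verbatim copy) is still recognized.

```python
"""Toy DLP content inspector (added example; not code from Bull or from any
vendor listed in the article).  It registers a 'fingerprint' of a sensitive
document, matches outgoing content against fingerprints, keywords and
regular expressions, then applies a per-channel policy with a distinct
strategy for clients that are off-line (cannot reach the DLP server).
All documents, keywords and policies below are constructed for the demo."""
import hashlib
import re
from dataclasses import dataclass

# Confidentiality levels, following Table 1 of the article.
SECRET, INTERNAL, PUBLIC = "Secret", "Internal", "Public"
RANK = {PUBLIC: 0, INTERNAL: 1, SECRET: 2}


def normalize(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace, so that
    reformatting a document does not defeat the fingerprint."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]+", " ", text.lower())).strip()


def shingles(text: str, k: int = 5) -> set:
    """Hashed k-word windows: an excerpt of the document still shares many
    windows with the original, so partial copies are caught too."""
    words = normalize(text).split(" ")
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(1, len(words) - k + 1))}


@dataclass
class Fingerprint:
    label: str
    level: str
    digest: str   # exact-match hash of the normalized document
    windows: set  # shingle hashes used for partial matching


class FingerprintRegistry:
    def __init__(self):
        self.entries = []

    def register(self, label, level, text):
        fp = Fingerprint(label, level,
                         hashlib.sha256(normalize(text).encode()).hexdigest(),
                         shingles(text))
        self.entries.append(fp)
        return fp

    def match(self, text, threshold=0.3):
        """(fingerprint, score) pairs: 1.0 for an exact copy, otherwise the
        fraction of the registered document's windows present in text."""
        digest = hashlib.sha256(normalize(text).encode()).hexdigest()
        found = shingles(text)
        hits = []
        for fp in self.entries:
            if fp.digest == digest:
                hits.append((fp, 1.0))
                continue
            score = len(found & fp.windows) / len(fp.windows)
            if score >= threshold:
                hits.append((fp, score))
        return hits


# Constructed keyword and pattern rules (a real deployment holds many more).
KEYWORDS = {"project falcon": SECRET}
PATTERNS = {"card-number-like": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), SECRET)}


def classify(text, registry):
    """Highest level triggered by any matcher, plus the reasons (audit trail)."""
    level, reasons = PUBLIC, []
    for fp, score in registry.match(text):
        reasons.append(f"fingerprint:{fp.label}:{score:.2f}")
        level = max(level, fp.level, key=RANK.get)
    norm = normalize(text)
    for kw, kw_level in KEYWORDS.items():
        if kw in norm:
            reasons.append(f"keyword:{kw}")
            level = max(level, kw_level, key=RANK.get)
    for name, (pattern, p_level) in PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"pattern:{name}")
            level = max(level, p_level, key=RANK.get)
    return level, reasons


# Action per (level, channel) when the client can reach the DLP server.
POLICY = {
    SECRET:   {"email_external": "block", "usb": "block",
               "print": "alert_user", "email_internal": "log"},
    INTERNAL: {"email_external": "alert_user", "usb": "log",
               "print": "log", "email_internal": "allow"},
    PUBLIC:   {},  # everything allowed
}
# Off-line strategy: the server cannot be consulted, so soft actions escalate.
OFFLINE_ESCALATION = {"log": "alert_user", "alert_user": "block"}


def decide(level, channel, online=True):
    action = POLICY[level].get(channel, "allow")
    return OFFLINE_ESCALATION.get(action, action) if not online else action


AUDIT_LOG = []  # what per-user / per-endpoint reports would be built from


def inspect(text, channel, online, registry, user="user@example.invalid"):
    """Run the full check on an outbound action and record the event."""
    level, reasons = classify(text, registry)
    event = {"user": user, "channel": channel, "online": online,
             "level": level, "reasons": reasons,
             "action": decide(level, channel, online)}
    AUDIT_LOG.append(event)
    return event


# Constructed sample data: a registered design note and an e-mail quoting part of it.
SECRET_DOC = ("Project Falcon design note. The new turbine blade profile reduces "
              "drag by twelve percent and will be patented in the first quarter.")
EMAIL_EXCERPT = "hi, fyi: the new turbine blade profile reduces drag by twelve percent, regards"

if __name__ == "__main__":
    reg = FingerprintRegistry()
    reg.register("Falcon design note", SECRET, SECRET_DOC)
    for text, channel, online in [(EMAIL_EXCERPT, "email_external", True),
                                  ("card 4111 1111 1111 1111 expires soon", "usb", False),
                                  ("our annual report is online", "email_external", True)]:
        print(inspect(text, channel, online, reg))
```

The e-mail excerpt contains neither the keyword nor a card-like number, yet six of its five-word windows occur in the registered note (6 of the note's 18 windows, a score of 0.33), so it is classified ‘Secret’ and blocked on the external mail channel; the same logic, run with real fingerprints and policies, is what produces the per-endpoint and per-user dashboards listed above.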

Once a tool has been chosen, all that remains is to integrate and deploy it. This type of project is generally run by the IT Director/CIO, in collaboration with the CSO and the enterprise’s senior management team.

Finally, don’t forget that not all information is ‘digital’, and when faced with an ill-intentioned person, it is sometimes difficult to avoid ‘physical theft’ (of a paper copy, a folder, a portable computer, etc.). In other words, no system of prevention can be entirely effective against information leakage, and the confidence that the business puts in the ‘human element’ remains at the heart of the problem!

Table 3 – Main players

Player              | Product name                     | Remark
--------------------|----------------------------------|-------------------------------------
Codegreen Networks  | Content Inspection Appliance     | -
IronPort (Cisco)    | Data Loss Prevention             | -
McAfee              | Host Data Loss Prevention        | Acquired Onigma and Safeboot
Oracle              | Information Rights Management    | Acquired Stellent
Proofpoint          | Proofpoint                       | -
Reconnex            | Data Profiler                    | -
RSA (EMC)           | Data Loss Prevention Suite       | Acquired Tablus
Safend              | Safend Protector                 | -
Symantec            | Endpoint Management Suite        | Acquired Vontu
Trend Micro         | LeakProof                        | Acquired Provilla and Identum
Utimaco (Sophos)    | SafeGuard Enterprise             | -
Verdasys            | Digital Guardian                 | -
Vericept            | Monitor, Protect, Discover, Edge | -
Websense            | Content Protection Suite         | Acquired PortAuthority Technologies

 

¹ Data Leak/Loss/Leakage Prevention
