
Data Loss Prevention (DLP)

Security and Implementation in Government Sector
24 June 2011
Sudeep Kumar Das, CISA, CISSP, Lead Solution Architect, India & SAARC

Agenda

Why DLP is important

Understanding DLP Methodology

Aligning with NIST Guidelines, IT Act (India)

Deployment Guide & Next Steps

Knowing The D In DLP: Sensitive Data

Regulatory Data: privacy data (PII), transaction data, asset data

Government Secrets: personally identifiable information, government program data and communications, reports

Why DLP Is Important For Government

Comply With Regulations
IT Act, DIT guidelines, sector-specific guidelines, etc.
Fines: unlimited liability. Burden: quarterly audits. Legal: lawsuits, privacy notices.

Secure Your Sensitive Data
Government official and customer data (PII), program secrets, intellectual property
Damage: government reputation. Churn: citizen adoption. Loss: trust and confidence.

Improve Operational Efficiencies (security)
Keep security costs low and reduce impact on end users
Burden: more FTEs for security. Capital: additional hardware and software. Cost: higher TCO.

DLP Methodology You Can Follow

Policy Framework Based on Governance, Risk & Compliance

DISCOVER: sensitive data
MONITOR: user actions
EDUCATE: end users
ENFORCE: security controls

Chart: risk plotted against time; first understand risk, then reduce risk.

DLP Covers Your Entire Infrastructure


Central DLP Management Console

DLP Network: email, web
DLP Datacenter: file shares, SharePoint, databases
DLP Endpoint: connected PCs, disconnected PCs

All three are driven by the same phases: DISCOVER, MONITOR, EDUCATE, ENFORCE

What is a DLP Policy?


Policies encode government or organizational regulations, standards or best practices. A large selection of accurate, out-of-the-box policies is available for diverse industries and geographies. Policies are built from Content Blades that identify information, plus handling, notification and remediation rules.

A policy is described by three parts:

1. Identification: What, Who, Where
2. Notification: Who, What, How
3. Remediation: What, How

1. Identification. We identify a violation by specifying:

What: the identification of content is done by Content Blades. Check out the library of Content Blades available in the product. You can further narrow this by specifying attributes like file type and file size.

Who: the same content might be a violation for some people, AD groups or departments, while perfectly acceptable for others.

Where: in the network, datacenter, endpoint or all of them; in a particular subset of scans identified by a scan group (which can represent a business unit or geography); or on a specific user action (at copy or at print).

2. Notification. We set up notification by defining:

Who: who is responsible for handling the incident (the user creating it, the administrator, the user's manager).

What: what is in the notification (e.g. a notification customized per AD group or policy, included links).

How: send an email, pop up a window, or integrate with Remedy or a SIEM solution.

3. Remediation.

What: we support different remediation options: encryption, quarantine, block, copy, move, delete, apply Microsoft AD RMS.

How: through automated actions at the time of the incident; through workflow that can leverage the AD hierarchy; facilitated actions (operated from our UI); or manual actions with incident management through our UI.

Discover Your Sensitive Data


Reduce uncertainty and understand risk from the data you own
Protect Government Trust Advantage

Comply With Regulations

Data types: transactional data, personally identifiable information (PII), personal health information (PHI), program secret data

Data forms: unstructured, semi-structured, structured

Better Insight into Risk from Data at Rest

Better insight into data at rest and a more effective remediation process

DISCOVER
DLP: What data is sensitive? Where is it?
Data Governance: Who has access to it? Where to start discovery?

MONITOR
DLP: How is it being used?
Data Governance: Who is accessing it?

EDUCATE
DLP: What to educate on?
Data Governance: Who do I educate?

ENFORCE
DLP: What do I enforce? Where do I enforce?
Data Governance: What is the impact? How can I enforce?

Decentralized Data Discovery Architecture

Diagram: DLP Administrator; main data center; secondary data center with database and SharePoint; remote offices; discovery performed by a permanent scanning agent or an RSA temporary agent.

Note: All RSA Data Discovery components are offered as software

Monitor Your User Actions


Understand how your user actions impact your corporate objectives

Regulatory data: compliance objectives
Corporate secrets: governance and risk objectives

DLP Network Monitor

Diagram: mail servers send SMTP through an SMTP outbound relay; corporate users' IM, HTTP, HTTPS and FTP traffic goes through a proxy server and is observed via a SPAN port or TAP; the DLP Administrator manages the deployment.
Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as physical or virtual appliances

DLP Network: How it Works

Diagram: the same components as the monitor deployment (mail servers, SMTP outbound relay, proxy server for IM, HTTP, HTTPS and FTP, corporate users, DLP Administrator) plus an encryption server.

Monitor & Enforce User Actions on Endpoints


Monitor and mitigate risk from end user actions on endpoints: monitor, educate, enforce

The DLP Endpoint Monitor Agent works whether the PC is connected to or disconnected from the corporate network.

Educate End Users About Data Security Policies


Educate end users on policies and violations to reduce risk

Top violators (identified through Discover and Monitor): emphasized education program
Rest of the users: augment standard policy education with just-in-time education

Just-In-Time Education
1. User performs an action
2. DLP educates on the violation
3. User acts responsibly

Enforce Controls to Prevent Data Loss

Enforce security controls based on the risk of a violation

Risk is defined in the DLP policy from three inputs: user action, data sensitivity and user identity.

Controls, manual or automated, selected according to the risk (LOW to HIGH): ALLOW, NOTIFY, AUDIT, COPY, MOVE, ENCRYPT, QUARANTINE, JUSTIFY, BLOCK, DELETE, SHRED, RMS (DRM)
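As an added illustration (not RSA's code), here is a small Python policy engine modelling the What/Who/Where identification, the notification targets, and the risk inputs (user action, data sensitivity, user identity) that select a control from the ladder above; the content blade pattern, group names, channels and risk weights are constructed for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ContentBlade:
    """Hypothetical content blade: a detection rule, a context rule and exceptions."""
    name: str
    pattern: str      # detection rule: regex for the sensitive value
    context: str      # context rule: keyword that must also appear in the text
    exceptions: set = field(default_factory=set)  # known dummy values to ignore

    def matches(self, text):
        hits = set(re.findall(self.pattern, text)) - self.exceptions
        return bool(hits) and self.context.lower() in text.lower()

@dataclass
class Policy:
    blade: ContentBlade
    who: set          # AD groups for which this content is a violation
    where: set        # channels: network, datacenter, endpoint
    file_types: set   # attribute filter on file type
    sensitivity: int  # 1 (low) to 3 (high), chosen by the policy author

# Constructed risk model: risk rises with the user action and the data sensitivity
# and falls for privileged identities; the score indexes the control ladder.
ACTION_RISK = {"read": 0, "copy": 1, "print": 2, "email_external": 3}
CONTROLS = ["ALLOW", "NOTIFY", "ENCRYPT", "JUSTIFY", "BLOCK"]

def evaluate(policy, text, user, channel, file_type, action):
    """Return None when nothing is violated, else the enforcement decision."""
    if channel not in policy.where or file_type not in policy.file_types:
        return None                       # Where / attribute filters
    if not (user["groups"] & policy.who) or not policy.blade.matches(text):
        return None                       # Who / What
    score = policy.sensitivity + ACTION_RISK[action] - 1
    score -= 2 if user["privileged"] else 0
    control = CONTROLS[min(max(score, 0), len(CONTROLS) - 1)]
    notify = ["user"]                     # the user creating the incident
    if control in ("JUSTIFY", "BLOCK"):   # escalate high-risk actions
        notify += ["manager", "administrator"]
    return {"policy": policy.blade.name, "control": control, "notify": notify}

# Constructed sample: a made-up 12-digit citizen ID format, not any real scheme.
CITIZEN_ID = ContentBlade("Citizen ID", r"\b\d{4}-\d{4}-\d{4}\b", "citizen id",
                          exceptions={"0000-0000-0000"})
PII_POLICY = Policy(CITIZEN_ID, who={"Contractors", "Helpdesk"},
                    where={"network", "endpoint"}, file_types={"txt", "docx"},
                    sensitivity=2)
SAMPLE = "Citizen ID: 4821-9930-1187 attached for the housing scheme applicant."
```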

Classification: Flexible Framework

A classification framework to suit your unique needs

Attributes: transmission metadata; file size, type, etc.; owner, sender, etc.
Described Content: detection rules, context rules, exceptions
Fingerprinting: full and partial match of databases and files

Highly accurate results in identifying sensitive data
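An added example (not RSA's implementation) of the full and partial match fingerprinting named above, for both files and database records: a protected document is reduced to hashes of word windows, a protected table to per-row hashes of sensitive cells, so neither fingerprint reveals the original values. The hashing scheme, the sample report and the citizen rows are constructed for illustration.

```python
import hashlib

def _h(value):
    """Short stable hash so the fingerprint can be stored without the original text."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def file_fingerprint(text, k=5):
    """Fingerprint of a protected document: hashes of every window of k words."""
    words = text.lower().split()
    return {_h(" ".join(words[i:i + k])) for i in range(max(1, len(words) - k + 1))}

def file_match(fingerprint, candidate, k=5):
    """Share of the candidate's windows found in the protected document (0.0 to 1.0)."""
    windows = file_fingerprint(candidate, k)
    return len(windows & fingerprint) / len(windows)

def db_fingerprint(rows, columns):
    """Fingerprint of a protected table: per-row hashes of the chosen sensitive cells."""
    return [{col: _h(str(row[col]).lower()) for col in columns} for row in rows]

def db_match(fingerprint, text, min_cells=2):
    """Number of protected rows with at least min_cells of their cells present in text."""
    tokens = {_h(tok.strip(",.;:()").lower()) for tok in text.split()}
    return sum(1 for row in fingerprint
               if sum(1 for h in row.values() if h in tokens) >= min_cells)

# Constructed sample data for the example.
REPORT = ("The housing subsidy programme will disburse funds to 12,000 households "
          "in the northern districts starting next quarter, pending cabinet approval "
          "and a final audit of the beneficiary list by the district collectors.")
CITIZENS = [
    {"name": "Asha", "id": "4821-9930-1187", "phone": "9876500001"},
    {"name": "Ravi", "id": "5530-1122-7789", "phone": "9876500002"},
]
```

A partial match is a quoted fragment of the report inside otherwise new text; a database match needs two or more cells of the same row to co-occur, so a lone phone number does not fire.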

User Identity Analysis

Identity inputs: name, title, business group, organization hierarchy, special privileges

Used to decide: what policies to apply, the risk of actions, what controls to enforce, who to notify

Real-time data from your Windows Active Directory, used across all phases of DLP

Incident Workflow to Effectively Manage Violations


Reduce noise, prioritize incidents and manage workflow

Consolidate violations: violation events 1, 2, 3, 4 ... n are combined by policy-based logical grouping into security incidents

Send alerts based on risk:
HIGH: security incident, alert security officer
MEDIUM: security incident, alert manager
LOW: no alerts, audit only

DLP + enVision = more intelligent alerts and prioritization
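An added example (not RSA's or enVision's code) of the consolidation and risk-based alerting described above: violation events for the same user and policy within a time window collapse into one incident, whose severity decides whether the security officer, the manager, or nobody (audit only) is alerted. The event records, window and severity thresholds are constructed.

```python
# Constructed violation events as the network or endpoint monitor might raise them.
EVENTS = [
    {"ts": 100, "user": "asha", "policy": "Citizen ID", "sensitivity": 3, "channel": "email"},
    {"ts": 130, "user": "asha", "policy": "Citizen ID", "sensitivity": 3, "channel": "email"},
    {"ts": 140, "user": "asha", "policy": "Citizen ID", "sensitivity": 3, "channel": "web"},
    {"ts": 200, "user": "ravi", "policy": "Program Secret", "sensitivity": 2, "channel": "usb"},
    {"ts": 5000, "user": "ravi", "policy": "Citizen ID", "sensitivity": 1, "channel": "print"},
]

def consolidate(events, window=600):
    """Group events by (user, policy) within a time window into single incidents."""
    incidents = []
    open_by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["policy"])
        inc = open_by_key.get(key)
        if inc is None or ev["ts"] - inc["last_ts"] > window:
            inc = {"user": ev["user"], "policy": ev["policy"], "first_ts": ev["ts"],
                   "last_ts": ev["ts"], "events": 0, "sensitivity": 0, "channels": set()}
            incidents.append(inc)
            open_by_key[key] = inc
        inc["last_ts"] = ev["ts"]
        inc["events"] += 1
        inc["sensitivity"] = max(inc["sensitivity"], ev["sensitivity"])
        inc["channels"].add(ev["channel"])
    return incidents

def severity(inc):
    """Risk rating from the most sensitive data involved and from repetition."""
    if inc["sensitivity"] >= 3 or inc["events"] >= 3:
        return "HIGH"
    if inc["sensitivity"] == 2 or inc["events"] == 2:
        return "MEDIUM"
    return "LOW"

# None means no alert: the incident is only recorded for audit.
ROUTING = {"HIGH": "security officer", "MEDIUM": "manager", "LOW": None}

def route(events):
    """Return (user, policy, severity, recipient) per consolidated incident."""
    return [(i["user"], i["policy"], severity(i), ROUTING[severity(i)])
            for i in consolidate(events)]
```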

Scalability For Government Deployments

PEOPLE: number of users, types of users
PLACES: number of office sites, types of office sites
DATA: amount of data, sources of data

Flexible policy framework to support a million-plus users and hundreds of user types

Expandable site and agent architecture to support thousands of sites

Unique grid technology to scan large amounts of data most cost-effectively

Connecting DLP With Your Business and IT


Your DLP Deployment connects four elements: POLICY, INFRASTRUCTURE, INCIDENTS, CONTROLS

Built-in DLP for the Infrastructure: DLP Ecosystem


What's in it for you: leverage your current infrastructure for DLP; faster and cost-effective deployments; centralized policies and management

Your DLP Strategy spans Data Loss Prevention, Data Governance, Rights Management, Policy & Incident Management, Storage Infrastructure and Security Monitoring

Comparison of Critical Criteria


Critical Criteria For Sustainable DLP

Discover Information Risk: non-invasive endpoint scanning; effective scanning of data repositories (grid scanning); insight into users and real owners; accuracy in identifying data

Respond to Information Incidents: apply reactive controls for incidents; add business context for incidents; establish workflow for incidents

Understand Root Cause & Fix: identify the IT root cause; identify the business root cause; effectively engage business users; apply controls proactively at the root cause level

DLP Deployment Playbook For You


PEOPLE
Gain support from executives and business managers
Make sure employee education is part of the plan
Establish SLAs and MOUs with group heads

PROCESS
Do not boil the ocean. Deploy in phases.
Prioritize deployment phases by risk (data, group, etc.)
Establish a process for remediation and reporting

TECHNOLOGY
Conduct a technology requirement assessment
Identify current technology you can leverage
Evaluate fit with IT roadmap (cloud, virtualization, etc.)

DLP Project Process & Check List

Your DLP Pre-Deployment Check List

Project phases: Pre-Deployment, Discover & Monitor, Educate, Enforce, Next Phase (new policies / groups)

Pre-deployment checklist: DLP champion (team); buy-in from groups beyond IT; top 3-5 drivers and corporate policies; education process and resources; remediation process and resources; technology provisioning; DLP administration hours; project timeline and next phase

Next steps
What stage are you in today? We can help you:
Better understand DLP
Develop a DLP project internally
Develop a framework to evaluate and select the right DLP vendor

Considering DLP: Risk Assessment, DLP Miniscan, DLP Workshop, DLP Demo, EMC CIRC Tour, Free Scan
Scoping DLP Project: DLP Workshop, EMC CIRC Tour, DLP TCO Tool, DLP Sizing Guide
Evaluating DLP Vendors: DLP RFP Templates, DLP POC Consideration Metrics


Five Critical Factors For DLP Solutions: RSA's Take

Policy & Classification: policies covering a broad range of regulations and topics, developed by an expert team

Identity Aware: identity awareness for classification, controls and remediation

Incident Workflow: consolidated alerts with the right information to the right people for the right actions

Enterprise Scalability: scan more data faster with less hardware and fewer resources

Built-In vs. Bolt-On: common policies across the infrastructure (EMC, Cisco and Microsoft)