Home / Resources / ISACA Journal / Past Issues / 2014 / Key Considerations in Protecting Sensitive

Please enjoy reading this archived article; it may not include all images.

Key Considerations in Protecting Sensitive Data Leakage Using Data Loss Prevention Tools

Author: Nageswaran Kumaresan, Ph.D., CISA, CRISC, CGMA, CIA
Date Published: 1 January 2014

Protecting digital assets and intellectual property (IP) is becoming increasingly challenging for organizations. Looming patent challenges and court battles to claim ownership of IP illustrate the importance of protecting IP to gain a competitive advantage. A report by the US Patent and Trademark Office published in 2010 estimated US $5.06 trillion in value added, or 34.8 percent of US gross domestic product (GDP) generated, by IP-intensive industries in the US.1 In addition, organizations handle sensitive personal, financial and business data, some of which are governed by laws and regulations in local as well as international jurisdictions. Organizations are expected to take adequate measures to protect data from loss or leakage.

Recent studies describe external hacking as the primary cause of data loss in the corporate world;2, 3 however, organizations have few mechanisms to assess and report data losses through internal sources. Mature technology architectures, such as firewalls, intrusion detection systems, vulnerability scanning and penetration testing, are primarily designed to protect the network from external threats. Capturing internal data loss or leakage requires different architectures focusing on data handling within the organization as well as data outflow. Every day, a large amount of digital data flows outward in the form of email, data uploads, file transfers and instant messages from an organization’s networks. Internal data loss threats can be due to insider sabotage of IT, insider theft of IP or sensitive data, insider fraud, or human negligence or error.4 Large percentages of internal data losses are due to user negligence as opposed to malicious intent.5, 6 Negligent or accidental data losses by internal sources occur due to poorly understood data practices, lack of effective policies or guidelines, or user error.7 Data loss prevention (DLP) technology solutions focus on accidental or malicious data losses, primarily from internal sources, by defining policies within the system to prevent or detect sensitive data going outward.

DLP technology solutions have evolved in various forms since 2006/20078 as a comprehensive corporate approach to prevent, detect and respond to unauthorized dissemination of various sensitive data through an organization’s network. DLP has been identified as one of the 20 most critical control requirements for secure organizations.9 However, recent surveys indicate that DLP technology adoption and use in the industry are low, and often unsuccessful.10 Surveys have also revealed DLP solutions being implemented only for limited areas, such as web and email monitoring, and not as an integrated solution.11

Some common issues are not considered adequately during DLP solution implementation. Ten key considerations that could help organizations plan, implement, enforce and manage DLP solutions, thereby adding value to the organization, are described here.

DLP Solutions: How They Work

DLP solutions use content-level scanning and deep content inspection (DCI) technologies to identify the sensitivity of the content and prevent or block sensitive data from leaving the organization’s network. Integrated DLP solutions also support data or media encryption, malware-related data harvesting, monitoring of access to sensitive data storage, and data discovery and classification. Targeted end points, data storage and data transfer gateways are monitored, and certain activities or data movements are blocked by defining and deploying appropriate DLP policies.

Broadly, DLP solutions target activities at three levels:

  • Client level (in-operation)—Policies are defined and deployed, targeting end points used by employees for their day-to-day business operation. User activities that violate predefined policies are monitored or blocked by DLP agents installed in user end-point terminals.
  • Network level (in-transit)—DLP policies focus on data movements outside the organization’s network. Data transmitted from one location to the other are monitored and, if required, blocked by the DLP system at the network or email gateways. Transmitted data packets are inspected using deep packet-level review techniques to verify the nature of the content in transit. Data transfers using email (SMTP), web (HTTP/HTTPS) and file transfer (FTP/FTPS) are verified against policies to prevent or detect sensitive data leakage.
  • Storage level (at-rest)—The targets here are the static data stored in servers. Sensitive data stored in repositories are scanned based on specific rules, using crawlers to identify the location and assess the sensitivity of the data and the appropriateness of the location in accordance with the policy. Discover scans are used to classify or tag the files and then monitor their access.

10 Key Considerations

Based on lessons learned by reviewing previous DLP implementations, these are 10 key considerations that could help organizations successfully implement a DLP solution as a data protection mechanism:

  1. Implement a holistic approach and value proposition for DLP based on a risk assessment—DLP solutions should be considered as part of an overall information security mechanism and data protection strategy. It is important to understand the existing security architecture and assess how a DLP solution could add protection. The assessment should consider what data the organization wants to protect, the security risk based on the current and future security architecture, the total cost, and value-added benefits of introducing DLP. An objective cost-benefit analysis valuing the cost of data loss, total cost of implementation and management, and potential benefits provides the value proposition for a DLP solution. A DLP value proposition and go/no-go decision should be based on an objective risk-based assessment and analysis, considering current and future business direction.
  2. Involve the right people with the right organization model—Business teams have large stakes in preventing and detecting sensitive data flows. The requirement or the need for establishing DLP policies can come from several sources: corporate policies (from senior management), risk assessments (from risk management), recent security events (from IT security, legal, compliance management) and ad hoc threats/concerns. DLP policies should comply with legal and data privacy requirements. Representatives from key departments such as research and development, engineering, finance, compliance, and legal can contribute toward developing policies based on their respective risk. Involving the right people with defined roles and responsibilities from inception is one of the key success factors. The DLP team should include representatives who are responsible for data protection, data owners and those from key functions, IT, and various business units. Team members should be given appropriate training on the DLP system, its use and limitations to enable them to contribute to the implementation effectively. The team lead should have a good understanding of organizational and business requirements and the DLP system and be empowered to handle DLP-related issues.
  3. Identify sensitive data and understand how they are handled—Content-centric data protection technologies such as DLP rely heavily on proper classification of sensitive information. DLP policies are defined to primarily target sensitive documents and their handling within an organization. Streamlining sensitive data handling practices from creation to archiving and deletion through policies and practices should be a necessary step for successful DLP enforcement. The identification and classification of sensitive data according to the policies and guidelines of the organization are important steps for executing a comprehensive data protection strategy. Understanding how those sensitive data are handled, exception scenarios, and what scenarios should be prevented or blocked is also required for defining DLP policies. Policies and procedures should provide clear guidance to employees on appropriate and inappropriate practices. Training and awareness programs could help to achieve this goal.
  4. Provide a phased implementation based on progress— DLP solutions provide a wide variety of implementation options, allowing organizations to focus on high-risk areas. Email, web and USB/flash-drive monitoring are the most widely used options in DLP.12 The initial pilot implementation should be restricted to a region or division. A phased approach, prioritizing the modules and targeting key end points, provides an opportunity to learn from experience before wider deployment. An implementation road map should be planned, with appropriate milestones and checkpoints to review progress, including go/no-go decisions. Modules could be first piloted in a small group or target area to fine-tune the policies and minimize the business impact. The implementation team should review the initial results objectively, including improvement opportunities, benefits and operational impact.
  5. Minimize the impact to system performance and business operations—DLP gathers data from numerous end points and consumes considerable network bandwidth. Agents installed in the end points and in packet-level monitoring in network gateways can also impact user performance. Poorly defined policies can trigger a large number of events and impact user performance. This can create dissatisfaction among users and adversely impact the DLP program. The phased implementation discussed previously, coupled with adequate policy-level testing, could help minimize the impact on performance and promote a positive user experience. The DLP infrastructure and the network capacity must be planned adequately to minimize the impact to the business. Adequate testing of policies in a test environment can help in understanding the effectiveness of the policy and the potential impact on the business before wider deployment. Periodic monitoring and measurement of the impacts on system performance and users can help to assess an overall negative impact resulting from poorly tuned DLP policies.
  6. Create meaningful DLP policies and policy management processes—Creating relevant and meaningful policies is central to the DLP strategy. Figure 1 depicts typical DLP operational activities in an organization. Policies are created to monitor or block (prevent) sensitive data from leaving an organization’s network. A structured policy request and review process can help to ensure that policies defined are meaningful and relevant and do not overlap with existing policies. Policy changes or modifications should be handled through a controlled process. DLP policies also need a periodic review to adapt to changing technologies, business practices and new risk scenarios. Establishing a policy life cycle management process (figure 2) from request to modification/deletion and involving the right people are necessary for successful implementation. The process should include a robust change management activity, including emergency changes to cope with specific ad hoc threats. Before deploying widely, policies need to be tested in a test or restricted environment to ensure that they are working as intended and not causing an adverse impact.

  7. Implement effective event review and investigation mechanisms—Events triggered by policy violations and the resulting activity logs (when blocking or monitoring) are key outputs from a DLP tool that provide valuable information and insight. An effective and responsive review mechanism is required to realize the benefits of the solution. Response rules can be defined in the system to respond in a particular way to each case. Alerts can also be configured for specific events. A representative and responsive event review team should review critical events and take appropriate actions in a timely manner to prevent a negative impact to the business. Serious incidents may require a detailed investigation, preferably by a separate team. Data that are no longer required should be purged to free up storage space. Appropriate risk-based event response rules should be established for each policy defined to identify and prioritize unusual events. An event review team should have adequate knowledge of business risk. Feedback on event reviews to policy owners can provide useful information to fine-tune the policies and take effective actions to reduce the noise (wrongly identified cases) in the events triggered. Event reviews and investigations need to be handled with care, following established procedures to comply with policies, laws and regulations.
  8. Provide analysis and meaningful reporting—Events triggered from DLP policies provide useful insight on where, when and how the sensitive data are stored and handled within the organization. Events can be analyzed by breaking them down into individual policies, departments, regions and trends. The aggregate picture could provide insights on current data-handling practices and where the organization needs additional awareness and training. An effective DLP program can strengthen current practices when they require improvement. A meaningful analysis and reporting process can help policy owners to improve the effectiveness of their DLP policies. Event profiles and trends can also help to create or refine policies and guidelines. Periodic reporting should be set up to communicate data loss patterns and trends to stakeholders to improve control practices and modify the policies, if required. Developing the right indicators (metrics) and appropriate pattern and trend analysis to capture the changes and exceptions is one of the critical factors for successful analysis. Generally, data loss events should progressively reduce for each policy, if supported by awareness programs and other management actions (figure 3).
  9. Implement security and compliance measures—A DLP system collects a large amount of data, some of which may be personal in nature. The handling of personal data collected should comply with data privacy laws and regulations of the countries in which the data are collected. The data can also be business sensitive; therefore, it is critical to manage the DLP system and the data captured securely and in compliance with applicable laws and regulations. As with other technologies, DLP has its own limitations in preventing or detecting every data loss event in a dynamic technology world. Thus, it is necessary to understand the potential high-risk scenarios in which DLP technology can be circumvented for malicious reasons and to work with IT security teams to design robust security countermeasures. Secure and controlled practices for creating, updating and deleting policy configurations and event management within the DLP system and appropriate segregation of duties should strengthen the overall security. Based on the implementation scope, it is important to know the applicable data privacy requirements and take appropriate measures such as employee notification and consent, if required. The DLP team should be part of the corporate security governance structure and work closely with other security teams to ensure data protection.
  10. Implement an organizational data flow and oversight mechanism—Data sharing and cross-sectional data flows of business information are the lifelines of an innovative organization. Every day in the course of normal business operations, organizations share data with several groups, such as suppliers, clients, research partners, regulators and dealers. While organizations have to protect loss or leakage of sensitive data, they must also make sure that DLP solutions do not hinder legitimate data flow inside or outside the organization. An oversight team should review the business benefits of DLP on an ongoing basis and also verify its impact on legitimate data flow within the organization. The business benefits of a DLP program need periodic verification by an oversight team. Rapidly changing technology landscapes can also impact the DLP solution’s effectiveness; DLP may not be able to capture all exceptions. The oversight team needs to review the overall cost and benefits of the DLP program on a periodic basis. The oversight team can also provide strategic direction for the DLP program based on periodic reviews.

Conclusion

Ensuring that the organization takes adequate measures to protect against information loss or leakage is an important responsibility of the IT department. Management has to provide assurance to its stakeholders that measures are in place to protect sensitive corporate digital assets, including IP, as well as personal and financial data. A comprehensive and integrated DLP solution should provide reasonable controls to protect data loss from internal sources. At the same time, successfully implementing a DLP solution for a larger organization needs careful planning, systematic implementation and effective processes. The identified 10 key considerations show in different stages what can impact the success of a DLP solution to deliver business value for an organization. Although not all of them are applicable to every organization, consideration of the applicable points can improve the success of DLP solution implementation and policy enforcement.

Endnotes

1 US Patent and Trademark Office, “Intellectual Property and the U.S. Economy: Industries in Focus,” Economics and Statistics Administration, March 2012, www.uspto.gov/news/publications/IP_Report_March_2012.pdf
2 KPMG, “Data Loss Barometer: A Global Insight Into Lost and Stolen Information,” 2012, www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/data-loss-barometer.pdf
3 Verizon, “Data Breach Investigations Report,” 2012, www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf
4 Janes, Paul; “Information Assurance and Security Integrative Project: People, Process, and Technologies Impact on Information Data Loss,” SANS Institute, 7 November 2012, www.sans.org/reading_room/whitepapers/dlp/people-process-technologies-impact-information-data-loss_34032
5 Op cit, KPMG
6 ISACA, Data Leak Prevention, white paper, September 2010
7 CSIS, “20 Critical Security Controls, Version 4.1,” SANS Institute
8 Kanagasingham, Prathaben; “Data Loss Prevention,” SANS Institute, 2008, www.sans.org/reading_room/whitepapers/dlp/data-loss-prevention_32883
9 Op cit, CSIS
10 Forrester, “Rethinking DLP: Introducing the Forrester DLP Maturity Grid,” September 2012, www.forrester.com/Rethinking+DLP+Introducing+The+Forrester+DLP+Maturity+Grid/fulltext/-/E-RES61231
11 Ashford, Warwick; “Why Has DLP Never Taken Off?,” ComputerWeekly, 22 January 2013, www.computerweekly.com/news/2240176414/Why-has-DLP-never-taken-off
12 Op cit, Janes

Nageswaran Kumaresan, Ph.D., CISA, CRISC, CGMA, CIA, is a lead IT auditor at General Motors Company (GM) and has significant experience in managing several high-profile global audits within GM, including data loss prevention system implementation and policy enforcement. Before GM, he worked at IBM Consulting, PricewaterhouseCoopers and Deutsche Bank.