626 Information leakage and Data Loss Prevention Tools


Published on

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

626 Information leakage and Data Loss Prevention Tools

  1. 1. Information Leakage and Data Loss Prevention Tools<br />By: Matthew Li<br />June 24, 2011<br />
  2. 2. Agenda<br />What is Information Leakage?<br />Why should Executives Care?<br />How do we Defend against it?<br />
  3. 3. Information Leakage<br />Any event, either accidental or malicious, that allows an unauthorized party to access data that is not already public information<br />
  4. 4. Information Leakage<br />How? <br />Negligence 40%, System glitch 36%, Malicious attack 24%<br />Why?<br />Advances in data storage technology<br />Proliferation of consumer technology in corporate IT environment <br />
  5. 5. Examples of Information Leakage<br />Sony Playstation network data breack<br />As of May 24, 2011: $171 million in costs<br />1,000 laptops go missing daily; only 3% recovered<br />National Institute of Health lost a laptop with unencrypted patient data<br />
  6. 6. Costs of a Data Breach<br />Regulatory fines<br />Increased government oversight<br />Loss of customer trust<br />Reputational damage<br />Loss of proprietary business intelligence<br />$6.75 million<br />The total data breach cost in the US in 2009<br />
  7. 7. DLP: What should it do?<br />Manage the data<br />Discover sensitive data<br />Monitor the use of sensitive data<br />Protect the sensitive data<br />
  8. 8. Protecting Data: The 3 States<br />Data in Motion<br />Data leaving the organization in a email or other network<br />Data at Rest<br />Data stored in an internal server within the organization<br />Data in use<br />Data being used by users in the laptop, USB storage devices, or CDs<br />
  9. 9. DLP in Action<br />Crawls through the firm’s servers to search for sensitive data as defined by the user<br />Monitors network traffic and blocks transmission of sensitive data<br />Applications that limit a user’s ability to download and save sensitive data on their laptops<br />
  10. 10. DLP and Encryption<br />Last line of defense if DLP fails to prevent sensitive information from leaving the organization<br />However: DLP tools CANNOT locate, monitor, or scan encrypted data <br />Organization need to allow the DLP tool to have access to the decryption keys<br />
  11. 11. DLP: Beyond the Technology<br />Technology and applications are only as good as the people who operate it<br />Educate users about data leakage consequences<br />Empower employees to take responsibility of data<br />
  12. 12. Implementation: Analyzing Processes and Data Flows<br />Analyzing business processes and data flows<br />Information life cycle<br />Understand the government regulations that governs that data the company owns<br />Classify data into different categories: public, private, sensitive, business intelligence, etc.<br />Recommended to use a DLP application to crawl through the server to locate all sensitive data<br />
  13. 13. Implementation: Risk Assessment<br />Need to prioritize data based on its risk (probability of loss * impact of loss)<br />Allows for priorization<br />Without it, IT department and users will be overloaded by data and data usage warnings<br />Exercise judgment in DLP strategy<br />
  14. 14. Implementation: Applying Controls<br />Training employees about new processes and technologies<br />Use of encryption, traffic monitoring, security over USB ports<br />Testing the controls<br />
  15. 15.
  16. 16. Implementation: Monitoring and Improvements<br />Take lessons learned to implement DLP program to other sets of data<br />
  17. 17. DLP Checklist<br />What sensitive data do we own? <br />Where is this data stored?<br />What is the information life cycle of the data?<br />What are the regulatory requirements regarding the data we own?<br />What is the risk prioritization of each classes of data?<br />
  18. 18. DLP Checklist<br />What controls are currently in place?<br />What additional controls do we need to address each classes of data?<br />Does our staff have the capabilities to operate the new business processes/controls/technologies?<br />How do we apply the DLP program in compliance with the firm's change management policy?<br />
  19. 19. Limitations of DLP<br />Cannot detect/monitor encrypted data without a decryption key<br />Cannot interpret graphic files<br />Employees can “print-screen” and send it out<br />
  20. 20. DLP on a Tight Budget<br />Communicate to employees and raise awareness<br />Move critical files off laptops to an offline desktop<br />Change local shared storage access settings<br />Talk to email host about filtering outbound emails to authorized email addresses only<br />
  21. 21. Conclusion<br />Real issue with real monetary costs<br />Requires co-operation from all business units to identify sensitive data<br />Take action to secure the data with highest risks and impacts<br />Requires the use of technology and people<br />