apsec 7 Golden Rules Data Leakage Prevention / DLP



  1. The seven golden rules of Data Leakage Prevention. Eng. Andreas Schuster, Business Development Manager, Applied Security GmbH (branch) Middle East
  2. About apsec
     - Applied Security GmbH
       - Founded in 1998
       - Main office in Stockstadt/Main, branch offices in London, Dubai and Grand Rapids, USA
       - Software development and consulting in IT security
       - Member of
       - www.apsec.de
  3. About apsec
     - Applied Security US Incorporated
       - Founded in September 2008
       - US HQ Grand Rapids, MI
       - IT security software and consulting
       - Member of ACG
       - www.apsec.us
  4. "I already have a firewall..." Why DLP?
  5. No firewall could have prevented...
  6. Examples of data loss
     - May 2005 – Time Warner lost 40 computer backup tapes containing sensitive data of about 600,000 current and former employees and service contractors while they were being shipped by Iron Mountain to an offsite storage center.
     - June 2006 – American International Group (AIG) lost personal data (names, addresses, SSNs, medical information) of 970,000 employees of various companies whose insurance information had been submitted to AIG, due to the burglary of a file server.
  7. Examples of data loss
     - November 2007 – In the U.K., Her Majesty's Revenue and Customs (HMRC) had to admit it had lost computer disks containing personal information on almost half the country's population (25 million records), including nearly all families with children. If that's not bad enough, the databases included the worst kind of information to lose: consumer bank account numbers.
     - December 2007 – The U.K. Ministry of Transport lost personal data of 3 million candidates for driver's licenses due to a vanished hard disk at a subcontractor's site in Iowa, USA.
  8. Who wants to be next in line?
  9. What should I do? Seven golden rules of Data Loss Prevention
  10. What should I do?
     - The stated examples have something in common:
       - None of them had anything to do with an Internet-based attack or was caused by a security flaw in the network
       - The most commonly used protection measures, such as firewalls, IDS or virus scanners, could not have helped
       - The data breaches could have been prevented by a single measure: encryption!
  11. Rule No. 1: Accept that there is a risk!
  12. Rule 1
     - If you think
     - "This won't happen to me!", ...
  13. Rule 1
     - ...think again!
  14. Rule No. 1
     - ...because that's exactly what Time Warner, AIG, HMRC and all the other victims thought, too. Be smarter!
     - Hence: accept that there is a risk!
     - But: accepting does not mean tolerating!
  15. Rule No. 2: Provide endpoint security!
  16. Rule 2
     - Identify:
       - Which data are sensitive?
       - Who is allowed to work with sensitive data?
     - Protect sensitive data at their point of origin: the user's workplace! (Endpoint security)
  17. Rule No. 2: practical hints
     - File encryption with access for workgroups
     - Restrict the use of mobile storage media
     - Encrypt confidential e-mail attachments automatically
     - Log all access to sensitive files
  18. Rule No. 3: Take security into your own hands!
  19. Rule No. 3: practical hints
     - Demand central policy management!
     - Separate powers between system administrator and security officer
     - Grant access rights according to the need-to-know principle
     - Implement a four-eyes principle
  20. Rule No. 4: Make security easy!
  21. Rule No. 4: the human factor
     - According to many surveys, human error is the No. 1 cause of data breaches
     - There's nothing less secure than a misconfigured security solution
  22. Rule No. 4: practical hints
     - Invisible encryption in the background
     - Choose a rule-based, centrally managed solution
     - Make administration easy in order to reduce the chance of misconfiguration
     - Reduce complexity: don't choose the product with the longest feature list, but the one offering the functions you really need
  23. Rule No. 5: Emergency precautions
  24. Rule No. 5
     - Encryption is silver, but decryption is gold!
     - Ask: what to do if...
       - passwords are forgotten?
       - user keys are lost?
       - configuration data are destroyed?
     - Recovery mechanisms ensure the availability of your data! Ask your vendor which mechanisms his solution offers!
  25. Rule No. 6: The Pareto principle
  26. Rule No. 6: The Pareto principle
     - A typical dialogue:
       - Customer: "I want 100% security!"
       - Consultant: "There is no 100% security!"
       - Customer: "In that case I want nothing at all!"
  27. Rule No. 6: practical hints
     - Prioritize your requirements!
       - What is a "must"?
       - What is only "nice to have"?
       - What might even be counterproductive?
     - Remember: 80% is much better than nothing!
     - The remaining risk must be tolerable!
  28. Rule No. 7: Security costs money – but it is worth it!
  29. Rule No. 7: Value for money
     - A professional solution does not come as freeware from the Internet!
     - Data Leakage Prevention is a complex task – better ask a specialist!
     - Specialists earn their money with this – otherwise they wouldn't be specialists!
  30. Don't wait until the damage is done – it is called Data Leakage Prevention!
  31. fideAS® file enterprise: a professional DLP solution
  32. Security for files and folders
  33. Security for files and folders
  34. Access for workgroups (diagram: the workgroups Management, Human Resources and Research & Development, the System Administrator, and the central file server(s) with folders for Management, Human Resources, Research & Development and All)
  35. Components of fideAS® file enterprise (diagram of File Server, Security Server, Private Agent and Security Officer; diagram labels: the Security Officer uses strong authentication to configure the Security Server; the Security Server does the initial encryption and sends the security policy to the Private Agent; the Private Agent uses strong authentication and exchanges encrypted data with the File Server)
  36. Master/slave concept
     - An arbitrary number of Security Servers can be installed
     - Master/slave operation
     - Automatic synchronisation of configurations
     - Load balancing (if the clients are configured appropriately)
     - High availability at a minimum of administrative effort
  37. Simple central administration
  38. Control of mobile devices
  39. Emergency precautions
     - Forgotten password? No problem!
     - Lost smartcard/token? No problem!
  40. Emergency precautions
     - Recovery key for quick disaster recovery
     - Access to encrypted files even if the Security Server is down (or even physically damaged!)
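Rule 2 asks for file encryption with access for workgroups, and slide 40 promises a recovery key that works even when the Security Server is down. The Go program below is an added example, not fideAS code (the product's on-disk format is not described on this page), of one way the two fit together: a hybrid scheme, assumed here, in which every file has its own random AES-256-GCM key, and that key is wrapped with RSA-OAEP once per workgroup member and once for a recovery key held by the security officer. The names alice, officer and recovery, the 2048-bit key size, the container layout and the sample text are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ProtectedFile is a constructed container (not the product's own format): the
// content is encrypted once under a random AES-256-GCM file key, and that file
// key is wrapped with RSA-OAEP for every workgroup member and for the security
// officer's recovery key.
type ProtectedFile struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP-wrapped file key
}

var oaepLabel = []byte("file-key") // binds each wrapped blob to its purpose

// GenerateKey creates an RSA key pair; 2048 bits keeps the demo quick
// (the deck notes that 4096-bit keys need powerful hardware).
func GenerateKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext for every public key in recipients. Wrapping the
// file key for the recovery key as well is what makes disaster recovery possible.
func Protect(plaintext []byte, recipients map[string]*rsa.PublicKey) (*ProtectedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pf := &ProtectedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, oaepLabel)
		if err != nil {
			return nil, fmt.Errorf("wrap for %s: %w", name, err)
		}
		pf.WrappedKeys[name] = wrapped
	}
	return pf, nil
}

// Open unwraps the file key with the caller's private key and decrypts. A
// caller outside the workgroup has no wrapped key at all; a caller presenting
// the wrong private key fails the OAEP check and never sees the file key.
func Open(pf *ProtectedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := pf.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no access: " + name + " is not a member of this workgroup")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for %s: %w", name, err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pf.Nonce, pf.Ciphertext, nil)
}

func main() {
	// Constructed workgroup: one member plus the security officer's recovery key.
	alice, officer := GenerateKey(2048), GenerateKey(2048)
	pf, err := Protect([]byte("Q3 salary review (constructed sample)"),
		map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "recovery": &officer.PublicKey})
	if err != nil {
		panic(err)
	}
	// Alice's private key is lost; the recovery key still opens the file.
	plain, err := Open(pf, "recovery", officer)
	fmt.Printf("recovered: %q, err=%v\n", plain, err)
}
```

Because only the small file key is wrapped per recipient, a member can be added or removed by adding or dropping one wrapped entry without re-encrypting the content. The flip side is that the recovery key opens every file, so it needs at least the protection the data itself gets (smartcard or token and the four-eyes principle from Rule 3).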
  41. Encrypted e-mail attachments
     - Encrypted files can be sent via e-mail
     - The recipient decrypts with a password and a free tool
  42. Advantages
     - Sensitive documents can be transmitted securely
     - Free decryption tool
     - Secure communication with any recipient
  43. Several security officers
     - Different levels of administrative rights
     - Four-eyes principle
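Slide 19 asks for a four-eyes principle and slide 43 for several security officers with different levels of administrative rights. As an added illustration, not the product's implementation, the Go program below treats a policy change as accepted only when two distinct officers of sufficient level have each signed exactly that change text with their own Ed25519 key. The officer names, the two-level scheme (1 = routine changes, 2 = policy changes) and the change text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Officer is a security officer with an administrative level (constructed:
// 1 = may approve routine changes, 2 = may approve policy changes) and an
// Ed25519 key pair used to sign approvals.
type Officer struct {
	Name  string
	Level int
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

func NewOfficer(name string, level int) *Officer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Officer{Name: name, Level: level, pub: pub, priv: priv}
}

// Approval is one officer's signature over the exact text of a change.
type Approval struct {
	Officer   string
	Signature []byte
}

func (o *Officer) Approve(change string) Approval {
	return Approval{Officer: o.Name, Signature: ed25519.Sign(o.priv, []byte(change))}
}

// ApplyChange enforces the four-eyes principle: a change is accepted only if at
// least two distinct officers, each holding minLevel or higher, have signed
// exactly this change text. Anything else is rejected with a reason.
func ApplyChange(change string, minLevel int, approvals []Approval, registry map[string]*Officer) error {
	seen := map[string]bool{}
	for _, a := range approvals {
		o, ok := registry[a.Officer]
		if !ok {
			return fmt.Errorf("unknown officer %q", a.Officer)
		}
		if o.Level < minLevel {
			return fmt.Errorf("%s (level %d) may not approve a level-%d change", o.Name, o.Level, minLevel)
		}
		// A signature over a different text, or one not made with this officer's key, does not count.
		if !ed25519.Verify(o.pub, []byte(change), a.Signature) {
			return fmt.Errorf("signature from %s does not match this change", o.Name)
		}
		seen[o.Name] = true // the same person signing twice is still one pair of eyes
	}
	if len(seen) < 2 {
		return errors.New("four-eyes principle: two distinct approving officers required")
	}
	return nil
}

func main() {
	registry := map[string]*Officer{
		"anna": NewOfficer("anna", 2),
		"ben":  NewOfficer("ben", 2),
		"cara": NewOfficer("cara", 1),
	}
	change := "add group HR to protected folder Payroll" // constructed example change
	// Two senior officers: accepted (prints <nil>).
	fmt.Println(ApplyChange(change, 2, []Approval{registry["anna"].Approve(change), registry["ben"].Approve(change)}, registry))
	// One officer signing twice: rejected.
	fmt.Println(ApplyChange(change, 2, []Approval{registry["anna"].Approve(change), registry["anna"].Approve(change)}, registry))
	// A junior officer involved: rejected.
	fmt.Println(ApplyChange(change, 2, []Approval{registry["anna"].Approve(change), registry["cara"].Approve(change)}, registry))
}
```

Signing the literal change text matters: an approval collected for one change cannot be replayed to authorize a different one, which is what makes the second pair of eyes meaningful rather than a formality.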
  44. Advantages
     - Control of the security officer's actions
     - Interesting for audit/revision
  45. Data Leakage Prevention
     - Encrypted files can only be copied/moved within protected folders
     - Warning when attempting to send encrypted files via e-mail
     - Journal of which users decrypt files, when this happens and which application is used
  46. Revision-proof logging
     - Digitally signed "action journals" for administrators and users
     - A verification tool checks their integrity → protection from manipulation
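Slide 45 describes a journal of who decrypts which file, when and with which application, and slide 46 says the action journals are digitally signed and checked by a verification tool. The Go program below is an added example, not the product's journal format, of how such a revision-proof log can be built: every entry carries the hash of its predecessor, and each entry hash is signed with the journal's Ed25519 key, so editing, reordering or deleting an entry is detected by anyone holding only the public key. The entry layout, user names, file paths and application names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one journal line: who decrypted which file, when, with which
// application. PrevHash chains it to its predecessor; Signature is the journal
// key's Ed25519 signature over Hash. (Constructed layout, not the product's.)
type Entry struct {
	Seq       int
	Time      string
	User      string
	Action    string
	File      string
	App       string
	PrevHash  string
	Hash      string
	Signature []byte
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// payload is the exact byte string that is hashed; every field is covered,
// so changing any of them later invalidates the hash.
func (e *Entry) payload() string {
	return strings.Join([]string{fmt.Sprint(e.Seq), e.Time, e.User, e.Action, e.File, e.App, e.PrevHash}, "|")
}

type Journal struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Entries []Entry
}

func NewJournal() *Journal {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Journal{pub: pub, priv: priv}
}

// PublicKey is all the verification tool needs; the private key stays with
// the component that writes the journal.
func (j *Journal) PublicKey() ed25519.PublicKey { return j.pub }

func (j *Journal) Append(t, user, action, file, app string) {
	prev := genesis
	if n := len(j.Entries); n > 0 {
		prev = j.Entries[n-1].Hash
	}
	e := Entry{Seq: len(j.Entries), Time: t, User: user, Action: action, File: file, App: app, PrevHash: prev}
	sum := sha256.Sum256([]byte(e.payload()))
	e.Hash = hex.EncodeToString(sum[:])
	e.Signature = ed25519.Sign(j.priv, sum[:])
	j.Entries = append(j.Entries, e)
}

// Verify plays the role of the verification tool: it returns the index of the
// first entry whose sequence number, chain link, hash or signature does not
// check out, or -1 if the journal is intact. Editing an entry breaks its hash;
// removing one breaks the sequence and chain link of its successor; re-hashing
// after an edit is useless without the journal's private key.
func Verify(entries []Entry, pub ed25519.PublicKey) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i || e.PrevHash != prev {
			return i
		}
		sum := sha256.Sum256([]byte(e.payload()))
		if hex.EncodeToString(sum[:]) != e.Hash || !ed25519.Verify(pub, sum[:], e.Signature) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// SampleJournal builds a journal from three constructed decryption events.
func SampleJournal() *Journal {
	j := NewJournal()
	j.Append("2009-03-02T08:15:00Z", "alice", "decrypt", `\\fs01\hr\salaries.xlsx`, "EXCEL.EXE")
	j.Append("2009-03-02T08:20:31Z", "bob", "decrypt", `\\fs01\rd\prototype.pdf`, "AcroRd32.exe")
	j.Append("2009-03-02T09:02:07Z", "alice", "decrypt", `\\fs01\hr\salaries.xlsx`, "OUTLOOK.EXE")
	return j
}

func main() {
	j := SampleJournal()
	fmt.Println("intact journal, first bad entry:", Verify(j.Entries, j.PublicKey()))
	tampered := append([]Entry(nil), j.Entries...)
	tampered[1].User = "nobody" // someone rewriting history after the fact
	fmt.Println("edited entry 1, first bad entry:", Verify(tampered, j.PublicKey()))
}
```

One limit worth knowing: silently dropping the newest entries leaves a chain that still verifies, so the verification tool also needs the latest hash (or the expected entry count) from a second place, for example the real-time syslog feed listed under "Technical stuff" below.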
  47. Administration of distributed locations
     - Different locations (= OUs in the LDAP directory) can be administered separately
     - Better structuring of large installations
  48. Sophisticated LDAP adapter
     - Facilitates LDAP configuration
     - Better performance by direct choice of LDAP vertices (nodes)
  49. Long-term security
     - RSA keys can be up to 4096 bits long. Attention: this requires powerful hardware!
  50. Emergency access by self-service
     - Emergency access by answering a personal question
     - Fast recovery in case of lost keys or forgotten passwords
  51. LDAP interface + external PKI
     - Users, groups and certificates can be imported from any LDAP directory, e.g. Active Directory or Novell eDirectory
     - An external PKI can be integrated via bridge certificates
  52. Technical stuff
     - OS: Windows 2000, 2003, XP, Vista, 2008
     - Also runs on terminal servers
     - Easy client roll-out via MSI
     - Optional real-time central logging (syslog)
     - Supports every file server (Unix, Linux, Windows, …)
     - Encryption algorithms: AES, RSA
     - Certificates: X.509
     - Interface for smartcards/tokens: PKCS#11, MS CSP
  53. Network prerequisites
     - Users must be organized within an LDAP directory (AD works best)
     - The Security Server must have full access to all protected folders on the file servers
     - The administrator's workstation must be connected to AD (or another directory)
     - Shares on file servers must be accessible via UNC
     - The components of fideAS® file enterprise must be able to use an open HTTP port for communication
  54. fideAS® file enterprise in a nutshell
     - Secure encryption for files and folders
     - Protects file servers, local drives, mobile storage devices
     - Invisible to the user
     - Role separation between system administrator and security officer
     - Easy central administration
     - Data Leakage Prevention
     - Encrypted e-mail attachments
     - Innovative key management
  55. What others say
     - Expert assessment by the eGovernment consultant of the regional government of the state of Bavaria: "Using fideAS® file enterprise significantly raises a company's security level." (Complete assessment available in German)
     - Awards (Germany)
     - Test by SC Magazine (USA): 4 out of 5 stars; in particular 5 stars for performance
  56. Thank you for your attention! Your contact: Andreas Schuster, [email_address], Business Development Manager M.E., www.applied-security.com