Comprehensive Data Leak Prevention
•Download as PPTX, PDF•
0 likes•323 views
Info security can not be achieved only by DLP tech. deployment. The people and process area too need to be covered to make it comprehensive.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to Comprehensive Data Leak Prevention
Similar to Comprehensive Data Leak Prevention (20)
Recently uploaded
Recently uploaded (20)
Comprehensive Data Leak Prevention
- 1. 1 Enterprise Information Leak Prevention Recent trends shows Insider’s threat is bigger then the Hacker’s.
- 2. 2 Knowing ‘what’ is sensitive is a business problem that Technology alone can not solve. (The Policy) Technology need to know the data, to know ‘How’ and ‘Where’ to manage it. ( Process & Federation) Ancillary functions are required in order to increase further functionalities. Each DLP program is unique and ancillary functions changes from deployment to deployment. What is Information or Data Leak Prevention ? Information / Data Leak Prevention (DLP) is a strategy for making sure that sensitive information doesn’t reach to wrong hands either inside or outside of the enterprise network. The term is also used to describe technology products that help a network administrator to control the data that end-users transfer. Terms Information-Data, Leak-Loss and Prevention-Protection are used interchangeably.
- 3. 3 Quiz - Ahead of Apple much anticipated new product launch. On iCloud, a celebrity picture leak incident caused its share prize to fall by 4.2%. If Apple have total 5.99 Billion shares then Kindly put a price tag on this leak ? a) $ 6 Million b) $15 Million c) $15 Billion d) $25 Billion Financial Implication of a Single Information Leak; An example
- 4. 4 “According to Kaspersky Labs Accidental Data sharing leads to loss of more data than software flaws.27% of organizations have lost sensitive business data due to internal threats in last 12 months…” Industry Trend Vulnerabilities in Existing software Accidental Leaks / Sharing od data by staff Loss / Theft of mobile device by staff Intentional Leaks / Sharing of data by staff Information leaked / inappropriately shared on mobile device Security failure by third part supplier Fraud by employess 7% 7% 7% 9% 5% 4% 5% 13% 14% 12% 9% 10% 7% 7% 16% 7% 7% 3% 6% 5% 4% Data Loss Threats Yes- Of Sensitive Business Data Yes- Of Non Sensitive Data No
- 5. 5 Obtain top management buy-in, Have a policy and Have a high-level vision of enterprise network to establish the primary boundary and identifying primary gateways Speak to Corporate Governance, Data Governance, Control Minded Cousin Speak to IT and understand various Information types and its handling Speak to sample staff at all levels to understand the culture around information life cycle Survey to business function to understand specific Business Process and develop data flow diagrams Develop a road map with all the above details Finding the Starting Point Policy Leak Control at Mail Gateway (@xyz.co.kw) Leak Control at Automation (USB,CD, etc.) Leak Control at Internet Gateway (Gmail, SkyDrive, etc.)
- 6. 6 Data Classification Policy Framework Rights Management Gateway Tech Integration Encryption Mobile Support While developing a roadmap, identify the ‘What’, ‘How’ and ‘Where’, and ancillary functionality as per organization priorities. The Roadmap ‘What’ shall constitute the Information Classification as per the Policy, to achieve the primary building block of the program ‘Where’ shall form the base and extended boundaries thus constituting the Federation ‘Who’ shall constitute the Rights Management ‘How’ shall constitute related Business Processes, flow diagrams and also the deployment of gateway technology (Mostly referred as the DLP Products) Ancillary functions are further added to bring in the functionality for Encryption and Mobility
- 7. 7 Public Information which is to be shared outside the enterprise Internal Use Information accessible to staff on need-to- know basis or need-to-have basis. Business Partners Information accessible to Vendors, Partners or consultant (i.e. outside KFH Domain) . Confidential Information accessible to staff only on need- to-know or need-to-have basis perform assigned jobs responsibilities within organization only. Secret Information accessible to highly restricted authorized employees within org with absolute need to know or need to have requirement to perform assigned job. Information Classification Scheme InformationSensitivity Information Classification is the fundamental requirement of identifying sensitive data. In its absence, no amount of technology deployment can be an alternative Information Classification Policy 1 Public Internal use Business Partners Confidential Secret
- 8. 8 The term ‘Leak’ refers to the breach of boundaries by respective classification Boundaries also constitutes the constituency of each classification Similar to Social media framework allows end user to classify his / her information accordingly. KSA 3rd party Oman UAE Qatar Bahrain KSA Kuwait Examples of LinkedIn, Google, FB : Its fundamental requirement to establish logical enterprise boundaries as per base organization. Federation Framework
- 9. 9 Print Rights Management along with validation features manages the restriction and access control mechanism of program Rights to change the classification are managed to avoid unauthorized business partner classification in order to send the information Outside RM mechanism deployed to restrict the printing of ‘Confidential’ and ‘Secret’ information. RM manages the authorization of Public information. Its required to establish ‘Who’ can do ‘what’ as per job authorization. Rights Management Right Management Mechanism
- 10. 10 Identified sensitive information shall be auto encrypted and do not require interference from average end user Encryption mechanism get auto evoked based on classification without end user intervention. Organization do not need to apply cumbersome encryption across the organization. Special public announcement that needs to be treated as confidential till released are managed with special process. Encryption and Digital Certificates 50% 10% 20% 5% 15% Sensitivity Trends Internal Use Business Partners Confidential Secret Public
- 11. 11 Extend the program on Mobile Devices as per organization appetite, similar to PC. Integrate Mobile Device Management with solution Including device identity parameters For large organization facility can be rolled out with limited staff only to keep license cost down SMB may consider integration with MS Office360 / Google Docs Deploy Black and white (MAC Address) list at the enterprise gateway Mobility Corporate Network Manageme nt Server ProxyData Stora ge Exchange + Policy + Policy DMZ CA Server Forrester Research 2013
- 12. 12 General Benefits # Benefits 1 Gaining Competitive advantage, in both brand value and reputation 2 Data leakage prevention comprehensively covers all information types, that Management do not wish to get leaked 3 Once information is classified, no user interference is required, further security is managed in the background 4 Increases the staff awareness about value and sensitivity of the data adherence to corporate governance and information security policies 5 Confidential information printing is restricted 6 Secure work environment, Archive Data Governance, Intellectual Property protection, Privacy and Regulations, Culture Change 7 Securing Proprietary information against security threats caused by enhanced employee mobility and new communication channels 8 Preventing the misuse of information, both on and off the enterprise network
- 13. 13 Regulatory / Compliance Benefits # Regulation Benefits 1 Payment Card Industry - Data Security Standards V3.0 PCI requirement 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.). PCI requirement 9.6.1: Classify media so the sensitivity of the data can be determined. PCI requirement 12.2 Implement a risk-assessment process that is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), Identifies critical assets, threats, and vulnerabilities, and Results in a formal risk assessment. (KRIs) 2 Central Bank of Kuwait Information Security Instruction ( 2012 /2013) and Corporate Governance Instruction (20112):Banking confidentiality is considered one of the key principles of banking business due to the trust and reassurance it gives to all parties dealing with banks 3 IS027001-2013 Information Security Management A.8.2.1 Classification of Information A.8.2.2 Labelling of Information A.8.2.3 Handling of Assets 4 Intellectual Property Protection All public information are intrinsically protected for Trademarking, © protection and ® 5 Data Governance Primary requirement of any Data Governance program
- 14. 14 https://kw.linkedin.com/in/tanvirh Tanvir is an Information Security professional specializing in managing large scale programs that requires unique blend of expertise in strategy, process re-engineering and technological action planning. Prior to his role at Kuwait Finance House (KFH), He has been associated with leading companies including National Commercial Bank (NCB), Emirates NBD, Riyad Bank and HSBC. Tanvir has MS in Electronics & Communications and CISSP, CISA, AMBCI Certifications. Speaker Profile