apsec 7 Golden Rules Data Leakage Prevention / DLP
Transcript of apsec 7 Golden Rules Data Leakage Prevention / DLP
presentation held 10.04.23
The seven golden rules of
Data Leakage Prevention
Eng. Andreas Schuster
Business Development Manager
Applied Security GmbH (branch) Middle East
About apsec
Applied Security GmbH
Founded in 1998
Main office in Stockstadt/Main, branch offices in London, Dubai and Grand Rapids, USA
Software development and consulting in IT security
Member of
www.apsec.de
About apsec
Applied Security US Incorporated
Founded in September 2008
US HQ Grand Rapids, MI
IT Security Software and Consulting
Member of ACG
www.apsec.us
Why DLP?
"I already have a firewall..."
No firewall could have prevented...
Examples of data loss
May 2005: Time Warner lost 40 computer backup tapes containing sensitive data of about 600,000 current and former employees and service contractors while they were being shipped by Iron Mountain to an offsite storage center.
June 2006: American International Group (AIG) lost personal data (names, addresses, SSNs, medical information) of 970,000 employees of various companies whose insurance information had been submitted to AIG, after a file server was stolen in a burglary.
Examples of data loss
November 2007: In the U.K., Her Majesty's Revenue and Customs (HMRC) had to admit that it had lost computer disks containing personal information on almost half the country's population (25 million records), including nearly all families with children. If that's not bad enough, the databases included the worst kind of information to lose: consumer bank account numbers.
December 2007: The U.K. Department for Transport lost personal data of 3 million candidates for driver's licenses after a hard disk went missing at a subcontractor's site in Iowa, USA.
Who wants to be next in line?
What should I do?
Seven golden rules of
Data Loss Prevention
What should I do?
The stated examples have something in common:
None of them has anything to do with an Internet-based attack, and none was caused by a security flaw in the network.
The most commonly used protection measures, such as firewalls, IDS or virus scanners, could not have helped.
The data breaches could have been prevented by a single measure: encryption! Lost or stolen tapes, disks and servers are worthless to whoever ends up with them when the data on them is encrypted and the keys are kept elsewhere.
Rule No. 1:
Accept that there is a risk!
Rule 1
If you think "This won't happen to me!",...
...think again!
Rule No. 1
...because that's exactly what Time Warner, AIG, HMRC and all the other victims thought, too. Be smarter!
Hence: Accept that there is a risk!
But: accepting does not mean tolerating!
Rule No. 2:
Provide Endpoint Security!
Rule 2
Identify:
Which data are sensitive?
Who is allowed to work with sensitive data?
Protect sensitive data at their point of origin: the user's workplace! (Endpoint Security)
Rule No. 2: practical hints
File encryption with access for workgroups
Restrict the use of mobile storage media
Encrypt confidential e-mail attachments automatically
Log all access to sensitive files
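"Which data are sensitive?" is not answered by a policy document alone; something on the endpoint has to recognise sensitive content before it can be encrypted or its access logged. The following is an added example (written for this page, not code from the deck or from any apsec product) that scans text for US Social Security Numbers, the data type in the AIG case, and applies the structural rules of assigned SSNs to cut false positives. It goes a step beyond the slide by also producing a masked form that is safe to put in the access log called for in the last hint. The sample export, the names and the numbers are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample export; names and numbers are made up for this example.
SAMPLE_TEXT = """\
Employee roster (export for payroll)
Jane Doe, SSN 123-45-6789, started 2004-03-01
Ann Poe, SSN 219-09-9999, contractor
John Roe, SSN 000-12-3456, started 2005-07-15
Invoice 987-65-4321 is actually a ticket number
Phone ext. 666-12-3456 (area 666 is never issued)
Serial 772-00-1234 has an invalid group number
"""

# Shape of a formatted US SSN: AAA-GG-SSSS (area, group, serial).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    value: str
    context: str


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for assigned SSNs: area 000, 666 and 900-999 are
    never issued, and group 00 and serial 0000 are invalid. Applying them
    removes the most common false positives (ticket numbers, extensions)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[Finding]:
    """Return every plausible SSN together with the line it appears on."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(line_no, m.group(0), line.strip()))
    return findings


def classify(text: str) -> str:
    """Label used to decide whether a file must be encrypted and access-logged."""
    return "CONFIDENTIAL" if find_ssns(text) else "PUBLIC"


def mask(text: str) -> str:
    """Redacted copy that is safe for log lines and alerts: keeps only the
    last four digits of plausible SSNs and leaves implausible matches as is."""
    def _sub(m: re.Match) -> str:
        area, group, serial = m.groups()
        return f"***-**-{serial}" if is_plausible_ssn(area, group, serial) else m.group(0)
    return SSN_RE.sub(_sub, text)


if __name__ == "__main__":
    for f in find_ssns(SAMPLE_TEXT):
        print(f"line {f.line_no}: {mask(f.context)}")
    print(classify(SAMPLE_TEXT))
```

Only two of the five dash-separated numbers in the sample survive the plausibility rules; the rest are the kind of hits that make a naive pattern match unusable on real file shares. In practice the same pattern list would be extended with the other data types the deck mentions (bank account numbers, medical record identifiers), each with its own validity check.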
Rule No. 3:
Take security into your own hands!
Rule No. 3: practical hints
Demand central policy management!
Separate powers between system administrator and security officer
Grant access rights according to the need-to-know principle
Implement a four-eyes principle
Rule No. 4:
Make security easy!
Rule No. 4: the human factor
According to many surveys, human error is the No. 1 reason for data breaches
There's nothing less secure than a misconfigured security solution
Rule No. 4: practical hints
Invisible encryption in the background
Choose a rule-based and centrally managed solution
Ensure easy administration in order to reduce the chance of misconfiguration
Reduce complexity: don't choose the product with the longest feature list, but the one offering the functions you really need
Rule No. 5:
Emergency precautions
Rule No. 5
Encryption is silver, but decryption is gold!
Ask: what to do if...
Passwords are forgotten?
User keys are lost?
Configuration data are destroyed?
Recovery mechanisms ensure the availability of your data! Ask your vendor which mechanisms their solution offers!
Rule No. 6:
The Pareto principle
Rule No. 6: The Pareto principle
A typical dialogue:
Customer: "I want 100% security!"
Consultant: "There is no 100% security!"
Customer: "In this case I want nothing at all!"
Rule No. 6: practical hints
Prioritize your requirements!
What is a "must"?
What is only "nice to have"?
What might even be counterproductive?
Remember: 80% is much better than nothing!
The remaining risk must be tolerable!
Rule No. 7:
Security costs money, but it is worth it!
Rule No. 7: Value for money
A professional solution does not come as freeware from the Internet!
Data Leakage Prevention is a complex task: better ask a specialist!
Specialists earn their money with this, otherwise they wouldn't be specialists!
Don't wait until the damage is done; it is called Data Leakage Prevention!
fideAS® file enterprise
A professional DLP solution
Security for files and folders
Access for workgroups (diagram; only the labels survived extraction)
Actors: Management, Human Resources, Research & Development, System Administrator
Central file server(s) with separate folders for Management, Human Resources, Research & Development and All
Components of fideAS® file enterprise (diagram; only the labels survived extraction)
Components: File Server, fideAS® file enterprise Security Server, fideAS® file enterprise Private Agent, Security Officer
Edge labels: "does initial encryption"; "exchange encrypted data" (File Server and Private Agent); "use strong authentication to configure the fideAS® file enterprise Security Server" (Security Officer); "sends security policy to the Private Agent" (Security Server); "use strong authentication" (Private Agent)
Master/Slave concept
An arbitrary number of Security Servers can be installed
Master/Slave operation
Automatic synchronisation of configurations
Load balancing (if the clients are configured appropriately)
High availability at a minimum of administrative effort
Simple central administration
Control of mobile devices
Emergency precautions
Forgotten password? No problem!
Lost smartcard/token? No problem!
Recovery key for quick disaster recovery
Access to encrypted files even if the Security Server is down (or even physically damaged!)
Encrypted E-Mail Attachments
Encrypted files can be sent via e-mail
The recipient decrypts them with a password and a free tool
(The password has to reach the recipient over a separate channel, never in the same e-mail as the attachment.)
Advantages
Sensitive documents can be transmitted securely
Free decryption tool
Secure communication with any recipient
Several security officers
Different levels of administrative rights
Four-eyes principle
Advantages
Control of the security officer's actions
Interesting for audit/revision
Data Leakage Prevention
Encrypted files can only be copied/moved within protected folders
Warning when attempting to send encrypted files via
Journal of which users decrypt files, when this happens and which application is used
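"Only within protected folders" is a containment check, and the way it is usually gotten wrong is a string-prefix comparison, which accepts `protected_backup/` as being inside `protected/` and is blind to `..` and to symlinks planted inside the protected tree. The following is an added example (written for this page, not code from the deck or from any apsec product) of the check done on resolved paths, together with the copy/move policy the slide describes. Folder names, file names and the temporary directory layout are constructed for the example; the symlink case needs a POSIX file system.

```python
import os
import shutil
import tempfile
from typing import Dict, Iterable, Tuple


def is_within_protected(path: str, protected_roots: Iterable[str]) -> bool:
    """True if `path` resolves to a location under one of the protected folders.

    Resolving symlinks and '..' first and then comparing whole path components
    defeats the usual escapes: 'protected/../outside', a look-alike sibling such
    as 'protected_backup' (a plain string-prefix test would accept it), and a
    symlink inside the protected tree that points outside it."""
    real = os.path.realpath(path)
    for root in protected_roots:
        real_root = os.path.realpath(root)
        try:
            if os.path.commonpath([real, real_root]) == real_root:
                return True
        except ValueError:
            continue  # different drive/anchor (Windows): cannot be inside
    return False


def check_transfer(src: str, dst: str, protected_roots: Iterable[str]) -> Tuple[bool, str]:
    """Policy from the slide: a file living in a protected folder may only be
    copied or moved to a destination that is itself in a protected folder."""
    roots = list(protected_roots)
    if not is_within_protected(src, roots):
        return True, "source is not protected: no restriction"
    if is_within_protected(dst, roots):
        return True, "protected to protected: allowed"
    return False, "blocked: destination is outside every protected folder"


def demo() -> Dict[str, bool]:
    """Builds a throwaway directory layout (constructed for this example) and
    returns the allow/deny decision for several transfer attempts."""
    base = tempfile.mkdtemp(prefix="dlp-demo-")
    try:
        protected = os.path.join(base, "protected")
        lookalike = os.path.join(base, "protected_backup")
        outside = os.path.join(base, "outside")
        for d in (protected, lookalike, outside):
            os.makedirs(d)
        escape = os.path.join(protected, "escape")
        os.symlink(outside, escape)  # symlink inside the tree, pointing out of it
        roots = [protected]
        src = os.path.join(protected, "hr", "salaries.xlsx")
        attempts = {
            "within": os.path.join(protected, "archive", "salaries.xlsx"),
            "dotdot": os.path.join(protected, "..", "outside", "salaries.xlsx"),
            "prefix": os.path.join(lookalike, "salaries.xlsx"),
            "symlink": os.path.join(escape, "salaries.xlsx"),
            "outside": os.path.join(outside, "salaries.xlsx"),
        }
        results = {name: check_transfer(src, dst, roots)[0] for name, dst in attempts.items()}
        results["unprotected_src"] = check_transfer(
            os.path.join(outside, "memo.txt"), os.path.join(outside, "memo-copy.txt"), roots)[0]
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} {'allowed' if allowed else 'BLOCKED'}")
```

Note that the check is evaluated at the moment of the request; a mount point or symlink that changes afterwards is the classic race, which is why a product enforcing this in the file system driver (where the deck places the Private Agent) is in a better position than a user-space script.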
Audit-proof logging
Digitally signed "action journals" for administrators and users
Verification tool checks integrity
Protection from manipulation
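What makes a journal audit-proof is that every entry is bound to its predecessor and authenticated, so that editing, removing or reordering an entry is detectable by a verifier that was not involved in writing it. The following is an added example (written for this page, not code from the deck or from any apsec product) of such a chained action journal and its verification tool. The deck speaks of digital signatures; this example uses an HMAC chain from the Python standard library instead, which changes one thing a practitioner must keep in mind: with an HMAC the verifier holds the same key as the writer and could forge entries, so the key belongs with the auditor, not with the administrators being audited, whereas a signature scheme lets anyone verify with the public key. The actor names, actions and file paths in the sample are constructed.

```python
import hashlib
import hmac
import json
from typing import List, Tuple

GENESIS = "0" * 64  # "previous tag" of the very first entry


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so writer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class ActionJournal:
    """Append-only journal. Every entry carries its sequence number, the tag of
    the previous entry and a tag over its own content, so editing, removing or
    reordering entries breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, **details) -> dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "actor": actor,
            "action": action,
            "details": details,
            "prev": prev,
        }
        entry = dict(body, tag=_tag(self._key, body))
        self.entries.append(entry)
        return entry


def verify(entries: List[dict], key: bytes) -> Tuple[bool, str]:
    """Recompute the chain and report the first entry that fails, and why."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return False, f"sequence gap at {i}"
        if body.get("prev") != prev:
            return False, f"chain broken at {i}"
        if not hmac.compare_digest(_tag(key, body), entry.get("tag", "")):
            return False, f"tag mismatch at {i}"
        prev = entry["tag"]
    return True, "ok"


def build_sample_journal(key: bytes) -> List[dict]:
    """Constructed sample: a security officer changes a policy, a user decrypts
    a file, and an administrator rotates a recovery key."""
    journal = ActionJournal(key)
    journal.append("secoff.alice", "policy_change", folder="/srv/hr", group="HR")
    journal.append("user.bob", "decrypt", file="/srv/hr/salaries.xlsx", app="EXCEL.EXE")
    journal.append("admin.carol", "recovery_key_rotate", key_id="rk-2")
    return journal.entries


if __name__ == "__main__":
    key = b"journal-signing-key-example"  # in practice: held by the auditor only
    entries = build_sample_journal(key)
    print(verify(entries, key))
    entries[1]["actor"] = "user.mallory"
    print(verify(entries, key))
```

One limitation is worth stating because the slide's wording ("protection from manipulation") glosses over it: the chain detects modification, deletion and reordering inside the journal, but not truncation at the end, since a journal with its last entries removed is still a valid chain. The verification tool therefore has to compare the last tag against a value recorded elsewhere (a periodic checkpoint shipped to the central syslog the deck mentions, for instance).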
Long-term security
RSA keys can be up to 4096 bits long
Attention: this requires powerful hardware!
Emergency access by self-service
Emergency access by answering a personal question
Fast recovery in case of lost keys or forgotten passwords
(The answer to that question then acts as a credential in its own right: it must be hard to guess or look up, and every use of this recovery path belongs in the action journal like any other privileged access.)
LDAP interface + external PKI
Users, groups and certificates can be imported from any LDAP directory, e.g. Active Directory, Novell eDirectory
An external PKI can be integrated via bridge certificates
Technical stuff
OS: Windows 2000, 2003, XP, Vista, 2008
Also runs on terminal servers
Easy client roll-out via MSI
Optional real-time central logging (syslog)
Supports every file server (Unix, Linux, Windows, ...)
Encryption algorithms: AES, RSA
Certificates: X.509
Interfaces for smartcards/tokens: PKCS#11, MS CSP
fideAS® file enterprise in a nutshell
Secure encryption for files and folders
Protects file servers, local drives, mobile storage devices
Invisible for the user
Role separation between system administrator and security officer
Easy central administration
Data Leakage Prevention
Encrypted e-mail attachments
Innovative key management
What others say
Expert report of the eGovernment consultant of the regional government of the state of Bavaria: "Using fideAS® file enterprise significantly raises a company's security level." (Complete expert report available in German)
Awards (Germany)
Test by SC Magazine (USA): 4 out of 5 stars; in particular 5 stars for performance
Thank you for your attention!
Your contact:
Andreas [email protected]
Business Development Manager M.E.
www.applied-security.com