CIPS-2011-0126

  • 8/3/2019 CIPS-2011-0126

    1/29

    Data Loss Prevention (DLP): Security and Implementation in the Government Sector

    24 June 2011

    Sudeep Kumar Das, CISA, CISSP

    Lead Solution Architect, India & SAARC

  • 2/29

    Agenda

    Why DLP is important

    Understanding DLP Methodology

    Aligning with NIST Guidelines, IT Act (India)

    Deployment Guide & Next Steps

  • 3/29

    Knowing The D In DLP: Sensitive Data

    Privacy data (PII)

    Transaction Data

    Asset Data

    Regulatory Data

    Personally Identifiable Information

    Government Program data & communications

    Reports

    Government Secrets

  • 4/29

    Why DLP Is Important For Government

    Secure Your Sensitive Data: Government Official & customer data (PII), program secrets, intellectual property

    Comply With Regulations: IT Act, DIT guidelines, Sector Specific guidelines etc.

    Improve Operational Efficiencies (security): Keep security costs low and reduce impact on end users

    Fines: Unlimited Liability

    Burden: Quarterly audits

    Legal: Lawsuits, privacy notices

    Damage: Government Reputation

    Churn: citizen adoption

    Loss: Trust & confidence

    Burden: More FTEs for security

    Capital: Additional HW & SW

    Cost: Higher TCO

  • 5/29

    DLP Methodology You Can Follow

    DISCOVER: Sensitive Data

    MONITOR: User Actions

    EDUCATE: End Users

    ENFORCE: Security Controls

    Policy Framework Based on Governance, Risk & Compliance

    (Chart: RISK against TIME, moving from Understand Risk to Reduce Risk)

  • 6/29

    DLP Covers Your Entire Infrastructure

    DISCOVER, MONITOR, EDUCATE, ENFORCE

    DLP Network: Email, Web

    DLP Datacenter: File shares, SharePoint, Databases

    DLP Endpoint: Connected PCs, Disconnected PCs

    Central DLP Management Console

  • 7/29

    What is a DLP Policy?

    Government or organizational regulations, standards or best practices

    Accurate, out of the box, large selection of policies for diverse industries and geographies

    Policies are built from Content Blades that identify information, and handling, notification and remediation rules.

  • 8/29

    Policy is described by Identification (What, Who, Where), Notification (Who, What, How) and Remediation (What, How)

    1. We identify a violation by specifying

    What: the identification of content is done by Content Blades. Check out the library of Content Blades available in the product. You can further manage this by specifying attributes like file type and file size.

    Who: the same content might be a violation for some people, AD groups or departments, while perfectly OK for others.

    Where: in the network, datacenter, endpoint or all; or in a particular subset of scans identified by a scan group (which can represent a BU or geography); or a specific user action (at copy or at print).

    2. We set up notification by defining

    Who: who is responsible for handling the incident (the user creating it, the administrator, the user's manager)

    What: what is in the notification (e.g. notification customized per AD group or policy, include links)

    How: send an email, pop up a window, integrate into Remedy or a SIEM solution

    3. Remediation

    What: we support different remediation options: encryption, quarantine, block, copy, move, delete, apply Microsoft AD RMS

    How: through automated actions at the time of the incident; through workflow that can leverage the AD hierarchy; facilitated actions (operated from our UI), or manual actions with incident management through our UI
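The what/who/where identification and the notification and remediation sections above, as an added example written for this page (not code from the deck or from the RSA product): a small policy evaluator in Python. The content blade pattern, the group names, the channel names and the notification fields are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ContentBlade:
    """What: a named content detector. The regex is a constructed placeholder
    ID format (assumption), not a blade from the product library."""
    name: str
    pattern: str

    def hits(self, text):
        return re.findall(self.pattern, text)

@dataclass
class Policy:
    name: str
    blades: list                                  # What: content identification
    groups: set = field(default_factory=set)      # Who: AD groups (empty = everyone)
    locations: set = field(default_factory=set)   # Where: network/datacenter/endpoint
    file_types: set = field(default_factory=set)  # attribute filter (empty = any type)
    notify: dict = field(default_factory=dict)    # who / what / how of the notification
    remediation: str = "audit"                    # what to do when the policy fires

def evaluate(policy, ev):
    """ev: observed action {text, user, group, location, file_type}.
    Returns None when no violation, else the record the incident workflow acts on."""
    if policy.groups and ev["group"] not in policy.groups:
        return None          # Who: the same content is fine for other groups
    if policy.locations and ev["location"] not in policy.locations:
        return None          # Where: policy scoped to the given channels
    if policy.file_types and ev["file_type"] not in policy.file_types:
        return None          # attribute filter, here file type
    matched = {b.name: b.hits(ev["text"]) for b in policy.blades if b.hits(ev["text"])}
    if not matched:
        return None          # What: no content blade fired
    subject = f"{policy.name}: {ev['user']} at {ev['location']}"
    return {"policy": policy.name, "user": ev["user"], "matched": matched,
            "notify": dict(policy.notify, subject=subject),
            "remediation": policy.remediation}

# Constructed sample policy: Finance may not send spreadsheets containing the
# placeholder ID format through the network channel; quarantine and notify the manager.
GOV_ID = ContentBlade("gov_id", r"\bGID-\d{6}\b")
PII_OUTBOUND = Policy("PII outbound", [GOV_ID], groups={"Finance"}, locations={"network"},
                      file_types={"xlsx", "csv"},
                      notify={"who": "user manager", "how": "email"}, remediation="quarantine")
```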

  • 9/29

    Discover Your Sensitive Data

    Structured, Semi-Structured, Unstructured

    Transactional Data

    Personally Identifiable Information (PII)

    Personal Health Information (PHI)

    Program Secret Data

    Comply With Regulations

    Protect Government Trust

    Advantage: Reduce uncertainty and understand risk from the data you own

  • 10/29

    Better Insight into Risk from Data at Rest

    DISCOVER. DLP: What data is sensitive? Where is it? Data Governance: Who has access to it? Where to start discovery?

    MONITOR. DLP: How is it being used? Data Governance: Who is accessing it?

    EDUCATE. DLP: What to educate on? Data Governance: Who do I educate?

    ENFORCE. DLP: What do I enforce? Where do I enforce? Data Governance: What is the impact? How can I enforce?

    Better insight into Data at Rest and more effective remediation process

  • 11/29

    Decentralized Data Discovery Architecture

    (Diagram: Database, SharePoint, Permanent Scanning agent, RSA Temporary Agent, DLP Administrator, Main Data Center, Secondary Data Center, Remote Offices)

    Note: All RSA Data Discovery components are offered as software

  • 12/29

    Monitor Your User Actions

    Regulatory Data

    Corporate Secrets

    Compliance Objectives

    Governance & Risk Objectives

    Understand how your user actions impact your corporate objectives

  • 13/29

    DLP Network Monitor

    (Diagram: Corporate Users; HTTP, HTTPS, FTP, IM; Mail Servers; SMTP; SPAN TAP; Proxy Server; SMTP Outbound Relay; DLP Administrator)

    Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as physical or virtual appliances

  • 14/29

    DLP Network: How it Works

    (Diagram: Corporate Users; HTTP, HTTPS, FTP, IM; Mail Servers; SMTP; Encryption Server; Proxy Server; SMTP Outbound Relay; DLP Administrator)

    Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as physical or virtual appliances

  • 15/29

    Monitor & Enforce User Actions on Endpoints

    Connected or Disconnected from Corporate Network

    Monitor, Educate, Enforce

    Monitor and mitigate risk from end user actions on endpoints

    (Diagram: DLP Endpoint Monitor Agent on PCs Connected to Corporate Network and Not Connected to Corporate Network)

  • 16/29

    Educate End Users About Data Security Policies

    Augment Standard Policy Education With Just-In-Time Education

    Educate end users on policies and violations to reduce risk

    Emphasized Education Program: Top Violators (Identified through Discover and Monitor)

    Just-In-Time Education: Rest of the users

    1. user performs actions

    2. DLP educates on violation

    3. user acts responsibly

  • 17/29

    Enforce Controls to Prevent Data Loss

    Controls: BLOCK, AUDIT, ENCRYPT, QUARANTINE, JUSTIFY, MOVE, DELETE, SHRED, RMS (DRM), COPY, NOTIFY, ALLOW

    RISK (LOW to HIGH) from: User Action, Data Sensitivity, User Identity

    Defined in DLP Policy

    Manual or Automated

    Enforce security controls based on the risk of a violation

  • 18/29

    Classification: Flexible Framework

    Detection Rules, Context Rules, Exceptions

    Described Content

    Fingerprinting (Full & partial match): Databases, Files

    Attributes: Transmission metadata (File size, type, etc.; Owner, sender, etc.)

    A classification framework to suit your unique needs

    Highly accurate results in identifying sensitive data
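Fingerprinting with full and partial matching, combined with a context rule (the sender attribute) as an exception, shown as an added example written for this page rather than RSA's own implementation. The protected text, the owner address, the shingle length and the match thresholds are constructed assumptions.

```python
import hashlib
import re

K = 5   # words per shingle (assumption); shorter windows match more aggressively

def shingles(text, k=K):
    """Normalise the text and return its set of k-word windows."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def fingerprint(document, k=K):
    """Register a protected document as a set of shingle hashes (the text itself is not kept)."""
    return {hashlib.sha256(s.encode()).hexdigest() for s in shingles(document, k)}

def match_ratio(text, prints, k=K):
    """Fraction of the observed text's shingles that hit the registered fingerprint."""
    observed = shingles(text, k)
    if not observed:
        return 0.0
    hits = sum(hashlib.sha256(s.encode()).hexdigest() in prints for s in observed)
    return hits / len(observed)

def classify(text, prints, sender, owners, partial=0.3, full=0.9):
    """Detection rule (full / partial match) combined with a context rule: the
    document owner may send it, so the sender attribute acts as an exception."""
    if sender in owners:
        return "allowed: owner exception"
    ratio = match_ratio(text, prints)
    if ratio >= full:
        return "full match"
    if ratio >= partial:
        return "partial match"
    return "no match"

# Constructed protected document and owner (assumptions, not data from the deck).
PROTECTED = ("Program X budget allocation for fiscal year 2011 is classified and must "
             "not leave the department without approval from the programme director.")
OWNERS = {"director@agency.example"}
PRINTS = fingerprint(PROTECTED)
```

An excerpt of the protected text pasted into a new message still scores as a partial match, while an unrelated message scores zero.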

  • 19/29

    User Identity Analysis

    Name

    Title

    Business group

    Organization hierarchy

    Special privileges

    What policies to apply

    Define the risk of actions

    What controls to enforce

    Who to notify

    Real-time data from your Windows Active Directory

    Used across all phases of DLP

  • 20/29

    Incident Workflow to Effectively Manage Violations

    Violation Event 1, Violation Event 2, Violation Event 3, Violation Event 4 ... Violation Event n

    Policy Based Logical Grouping: Security Incident

    Risk HIGH / MEDIUM / LOW: Alert Security Officer; Alert Manager; No Alerts, Audit Only

    Consolidate Violations; Send Alerts Based on Risk

    DLP + enVision = More intelligent alerts and prioritization

    Reduce noise, prioritize incidents and manage workflow
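The risk inputs from the Enforce slide (user action, data sensitivity, user identity) and the incident workflow above, as an added example written for this page and not RSA or enVision code: violation events are consolidated per policy and user, the incident takes the highest event risk, and the alert is routed by severity band. The risk weights, the band thresholds and the routing of HIGH to the security officer, MEDIUM to the manager and LOW to audit only are assumptions.

```python
from collections import defaultdict

# Illustrative weights (assumptions, not values from the deck): the risk of a
# violation combines the user action, the data sensitivity and the user's identity.
ACTION_RISK = {"print": 1, "copy_to_usb": 2, "email_external": 3, "upload_web": 3}
DATA_RISK = {"transaction": 1, "pii": 2, "program_secret": 3}
IDENTITY_RISK = {"employee": 1, "contractor": 2}   # would come from AD attributes

def event_risk(ev):
    return ACTION_RISK[ev["action"]] * DATA_RISK[ev["data"]] * IDENTITY_RISK[ev["identity"]]

def severity(risk):
    """Band a risk score into the HIGH / MEDIUM / LOW levels of the workflow."""
    if risk >= 9:
        return "HIGH"
    if risk >= 4:
        return "MEDIUM"
    return "LOW"

# Assumed routing per band: who is alerted for an incident of that severity.
ROUTE = {"HIGH": "alert security officer", "MEDIUM": "alert manager", "LOW": "audit only"}

def consolidate(events):
    """Policy-based logical grouping: one incident per (policy, user). The incident
    carries its event count, the highest event risk, and the alert route."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[(ev["policy"], ev["user"])].append(ev)
    incidents = {}
    for key, evs in grouped.items():
        risk = max(event_risk(e) for e in evs)
        band = severity(risk)
        incidents[key] = {"events": len(evs), "risk": risk, "severity": band, "route": ROUTE[band]}
    return incidents

# Constructed sample: four violation events that collapse into three incidents.
SAMPLE_EVENTS = [
    {"policy": "PII outbound", "user": "alice", "action": "email_external", "data": "pii", "identity": "employee"},
    {"policy": "PII outbound", "user": "alice", "action": "print", "data": "pii", "identity": "employee"},
    {"policy": "Program secrets", "user": "bob", "action": "copy_to_usb", "data": "program_secret", "identity": "contractor"},
    {"policy": "PII outbound", "user": "carol", "action": "print", "data": "pii", "identity": "employee"},
]
```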

  • 21/29

    Scalability For Government Deployments

    PEOPLE (Number of users, Types of users): Flexible policy framework to support a million plus users and 100s of user types

    PLACES (Number of office sites, Types of office sites): Expandable site and agent architecture to support 1000s of sites

    DATA (Amount of data, Sources of data): Unique grid technology to scan large amounts of data most cost effectively

  • 22/29

    Connecting DLP With Your Business and IT

    Your DLP Deployment: INCIDENTS, INFRASTRUCTURE, POLICY, CONTROLS

  • 23/29

    Built-in DLP for the Infrastructure: DLP Ecosystem

    Your DLP Strategy

    What's in it for you: Leverage your current infrastructure for DLP; Faster and cost effective deployments; Centralize policies and management

    Ecosystem: Data Loss Prevention, Data Governance, Policy & Incident Management, Storage Infrastructure, Security Monitoring, Rights Management

  • 24/29

    Comparison of Critical Criteria

    Critical Criteria For Sustainable DLP

    Discover Information Risk: Non-invasive endpoint scanning; Effective scanning of data repositories (grid scanning); Insight into users and real owners; Accuracy in identifying data

    Respond to Information Incidents: Apply reactive controls for incidents; Add business context for incidents; Establish workflow for incidents

    Understand Root Cause & Fix: Identify the IT root cause; Identify business root cause; Effectively engage business users; Apply controls proactively at root cause level

  • 25/29

    DLP Deployment Playbook For You

    TECHNOLOGY: Conduct a technology requirement assessment; Identify current technology you can leverage; Evaluate fit with IT roadmap (cloud, virtualization, etc.)

    PROCESS: Do not boil the ocean. Deploy in phases; Prioritize deployment phases by risk (data, group, etc.); Establish a process for remediation and reporting

    PEOPLE: Gain support from executives and business managers; Make sure employee education is part of the plan; Establish SLAs and MOUs with group heads

  • 26/29

    DLP Project Process & Check List

    Your DLP Pre-Deployment Check List: DLP champion (team); Buy in from groups beyond IT; Top 3-5 drivers & corporate policies; Education process & resources; Remediation process & resources; Technology provisioning; DLP administration hours; Project Timeline and next phase

    Phases: Pre-Deployment; Discover & Monitor; Educate; Enforce; Next Phase (New policies / groups)

  • 27/29

    Next steps

    What stage are you in today? We can help you:

    Considering DLP: Better understand DLP

    Scoping DLP Project: Develop a DLP project internally

    Evaluating DLP Vendors: Develop a framework to evaluate and select the right DLP vendor

    Offerings: DLP RFP Templates, DLP POC Consideration Metrics, Risk Assessment, DLP Miniscan, DLP Workshop, DLP Demo, EMC CIRC Tour, Free Scan, DLP TCO Tool, DLP Sizing Guide

  • 28/29

  • 29/29

    Five Critical Factors For DLP Solutions: RSA's Take

    Policy & Classification: Policies covering a broad range of regulations and topics. Developed by an expert team

    Identity Aware: Identity awareness for classification, controls and remediation

    Incident Workflow: Consolidated alerts with the right information to the right people for the right actions

    Enterprise Scalability: Scan more data faster with lesser hardware and resources

    Built-In vs. Bolt-On: Common policies across the infrastructure - EMC, Cisco and Microsoft