8/3/2019 CIPS-2011-0126
1/29
Data Loss Prevention (DLP): Security and Implementation in Government Sector
24 June 2011
Sudeep Kumar Das, CISA, CISSP
Lead Solution Architect, India & SAARC
Agenda
Why DLP is important
Understanding DLP Methodology
Aligning with NIST Guidelines, IT Act (India)
Deployment Guide & Next Steps
Knowing The D In DLP: Sensitive Data
Privacy data (PII)
Transaction Data
Asset Data
Regulatory Data
Personally Identifiable Information
Government Program data & communications
Reports
Government Secrets
Why DLP Is Important For Government
Secure Your Sensitive Data: Government Official & customer data (PII), program secrets, intellectual property
  Loss: Trust & confidence
  Damage: Government Reputation
  Churn: citizen adoption
Comply With Regulations: IT Act, DIT guidelines, Sector Specific guidelines etc.
  Fines: Unlimited Liability
  Burden: Quarterly audits
  Legal: Lawsuits, privacy notices
Improve Operational Efficiencies (security): Keep security costs low and reduce impact on end users
  Burden: More FTEs for security
  Capital: Additional HW & SW
  Cost: Higher TCO
DLP Methodology You Can Follow
DISCOVER: Sensitive Data
MONITOR: User Actions
EDUCATE: End Users
ENFORCE: Security Controls
Policy Framework Based on Governance, Risk & Compliance
Risk over time: first Understand Risk, then Reduce Risk
DLP Covers Your Entire Infrastructure
DISCOVER, MONITOR, EDUCATE, ENFORCE
Central DLP Management Console
DLP Network: Email, Web
DLP Datacenter: File shares, SharePoint, Databases
DLP Endpoint: Connected PCs, Disconnected PCs
What is a DLP Policy?
Government or organizational regulations, standards or best practices
Accurate, out of the box, large selection of policies for diverse industries and geographies
Policies are built from Content Blades that identify information, and handling, notification and remediation rules.
Policy is described by: Identification (What, Who, Where), Notification (Who, What, How), Remediation (What, How)
1. We identify a violation by specifying
What: the identification of content is done by Content Blades. Check out the library of Content Blades available in the product. You can further manage this by specifying attributes like file type and file size.
Who: the same content might be a violation for some people, AD groups or departments, while perfectly ok for others.
Where: in the network, datacenter, endpoint or all; or in a particular subset of scans identified by a scan group (which can represent a BU or geography); or a specific user action (at copy or at print).
2. We set up notification by defining
Who: who is responsible for handling the incident (the user creating it, the administrator, the user's manager)
What: what is in the notification (e.g. notification customized per AD group or policy, included links)
How: send an email, pop up a window, integrate into a Remedy or SIEM solution
3. Remediation
What: we support different remediation options: encryption, quarantine, block, copy, move, delete, apply Microsoft AD RMS
How: through automated actions at the time of the incident; through workflow that can leverage the AD hierarchy; facilitated actions (operated from our UI); or manual actions with incident management through our UI
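As an added example (not RSA's code), the three-part policy described above expressed as a small evaluator: identification (what/who/where), notification (who/what/how) and remediation (what/how). The content blade is a regex for the Indian PAN number format; the group, channel and remediation names are assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ContentBlade:
    """WHAT (identification): a named 'described content' detector, here a regex."""
    name: str
    pattern: str
    min_hits: int = 1            # how many matches before it counts as a violation

    def hits(self, text: str) -> int:
        return len(re.findall(self.pattern, text))

@dataclass
class Policy:
    name: str
    blade: ContentBlade
    groups: set = field(default_factory=set)    # WHO: AD groups; empty = everyone
    channels: set = field(default_factory=set)  # WHERE: network/datacenter/endpoint
    max_file_size: int = 10_000_000             # attribute filter (file size)
    notify: tuple = ("user", "manager")         # notification: WHO gets it (by email)
    remediation: str = "quarantine"             # remediation: WHAT is done
    automated: bool = True                      # remediation: HOW (automated/manual)

@dataclass
class Event:
    text: str
    user_groups: set
    channel: str
    file_size: int = 0

def evaluate(policy: Policy, event: Event):
    """None when the event does not violate the policy, else the incident record."""
    if policy.channels and event.channel not in policy.channels:
        return None                       # WHERE does not match
    if policy.groups and not (policy.groups & event.user_groups):
        return None                       # WHO: content is allowed for these groups
    if event.file_size > policy.max_file_size:
        return None                       # attribute filter
    n = policy.blade.hits(event.text)
    if n < policy.blade.min_hits:
        return None                       # WHAT: not enough sensitive content
    return {"policy": policy.name, "blade": policy.blade.name, "hits": n,
            "notify": list(policy.notify),
            "remediation": policy.remediation, "automated": policy.automated}

# Constructed sample: two PAN numbers sent over the network by a Finance user.
PAN_BLADE = ContentBlade("Indian PAN", r"\b[A-Z]{5}\d{4}[A-Z]\b", min_hits=2)
PAN_POLICY = Policy("PII-PAN", PAN_BLADE, groups={"Finance", "HR"}, channels={"network", "endpoint"})
SAMPLE = Event("PAN ABCDE1234F and PQRSX5678Z attached", {"Finance"}, "network")
```

Calling `evaluate(PAN_POLICY, SAMPLE)` returns the incident record; the same text from a Marketing user, a single PAN, or the datacenter channel returns None.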
Discover Your Sensitive Data
Structured, Semi-Structured, Unstructured
Transactional Data, Personally Identifiable Information (PII), Personal Health Information (PHI), Program Secret Data
Comply With Regulations, Protect Government Trust
Advantage: Reduce uncertainty and understand risk from the data you own
Better Insight into Risk from Data at Rest
DISCOVER
  DLP: What data is sensitive? Where is it?
  Data Governance: Who has access to it? Where to start discovery?
MONITOR
  DLP: How is it being used?
  Data Governance: Who is accessing it?
EDUCATE
  DLP: What to educate on?
  Data Governance: Who do I educate?
ENFORCE
  DLP: What do I enforce? Where do I enforce?
  Data Governance: What is the impact? How can I enforce?
Better insight into Data at Rest and a more effective remediation process
Decentralized Data Discovery Architecture
Main Data Center, Secondary Data Center, Remote Offices
Sources: Database, SharePoint
Components: Permanent Scanning agent, RSA Temporary Agent, DLP Administrator
Note: All RSA Data Discovery components are offered as software
Monitor Your User Actions
Regulatory Data, Corporate Secrets
Compliance Objectives, Governance & Risk Objectives
Understand how your user actions impact your corporate objectives
DLP Network Monitor
Corporate Users: HTTP, HTTPS, FTP, IM
Mail Servers: SMTP
SPAN / TAP, Proxy Server, SMTP Outbound Relay
DLP Administrator
Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as physical or virtual appliances
DLP Network: How It Works
Corporate Users: HTTP, HTTPS, FTP, IM
Mail Servers: SMTP
Encryption Server, Proxy Server, SMTP Outbound Relay
DLP Administrator
Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as physical or virtual appliances
Monitor & Enforce User Actions on Endpoints
Connected or Disconnected from Corporate Network
Monitor, Educate, Enforce
DLP Endpoint Monitor Agent: Connected to Corporate Network / Not Connected to Corporate Network
Monitor and mitigate risk from end user actions on endpoints
Educate End Users About Data Security Policies
Augment Standard Policy Education With Just-In-Time Education
Emphasized Education Program: Top Violators (identified through Discover and Monitor)
Just-In-Time Education: Rest of the users
Just-In-Time Education flow: (1) user performs actions, (2) DLP educates on violation, (3) user acts responsibly
Educate end users on policies and violations to reduce risk
Enforce Controls to Prevent Data Loss
Controls: BLOCK, AUDIT, ENCRYPT, QUARANTINE, JUSTIFY, MOVE, DELETE, SHRED, RMS (DRM), COPY, NOTIFY, ALLOW
Risk (LOW to HIGH) is a function of User Action, Data Sensitivity and User Identity
Controls are defined in DLP Policy, manual or automated
Enforce security controls based on the risk of a violation
Classification: Flexible Framework
Detection Rules
  Described Content
  Fingerprinting: full & partial match; databases, files
Context Rules
  Transmission metadata: owner, sender, etc.
  Attributes: file size, type, etc.
Exceptions
A classification framework to suit your unique needs
Highly accurate results in identifying sensitive data
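An added example (not RSA's code) of a classifier in the shape of the framework above: detection rules (described content, and a fingerprint matched fully or partially), context rules (sender, file size and type) and exceptions. The fingerprint is a set of hashed 5-word shingles; the partial-match threshold, file types and sender names are assumptions.

```python
import hashlib
import re

def shingles(text: str, k: int = 5) -> set:
    """Fingerprint: the set of hashed k-word shingles of the normalised text."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}

def fingerprint_match(doc_fp: set, text: str) -> float:
    """Share of the registered document's shingles found in text (1.0 = full match)."""
    return len(doc_fp & shingles(text)) / len(doc_fp) if doc_fp else 0.0

def build_rules(secret_text: str) -> dict:
    """Constructed rule set in the shape of the framework: detection, context, exceptions."""
    return {
        "fingerprint": shingles(secret_text),          # detection: fingerprinting
        "partial_threshold": 0.3,                      # partial match cut-off (assumed)
        "described": r"\b[A-Z]{5}\d{4}[A-Z]\b",        # detection: described content (PAN)
        "context": {"max_size": 25_000_000, "extensions": {"txt", "docx", "pdf", "xlsx"}},
        "exceptions": {"senders": {"legal@gov.example"}},
    }

def classify(event: dict, rules: dict):
    """event: {text, sender, size, ext}. Returns (label or None, fingerprint score)."""
    # Exceptions are checked first: an excepted sender never triggers the rules.
    if event["sender"] in rules["exceptions"]["senders"]:
        return None, 0.0
    # Context rules (transmission metadata and file attributes) scope detection.
    ctx = rules["context"]
    if event["size"] > ctx["max_size"] or event["ext"] not in ctx["extensions"]:
        return None, 0.0
    # Detection rules: fingerprint first (full or partial), then described content.
    score = fingerprint_match(rules["fingerprint"], event["text"])
    if score >= rules["partial_threshold"]:
        return ("full" if score == 1.0 else "partial"), score
    if re.search(rules["described"], event["text"]):
        return "described", score
    return None, score

# Constructed sample document and a message that quotes part of it.
SECRET = ("The tender evaluation committee recommends vendor Alpha "
          "for the border fencing contract")
RULES = build_rules(SECRET)
LEAK = {"text": "fyi: committee recommends vendor alpha for the border fencing",
        "sender": "clerk@gov.example", "size": 2_000, "ext": "txt"}
```

`classify(LEAK, RULES)` reports a partial match (4 of the document's 8 shingles), while the same message from the excepted legal sender, or as an .exe attachment, is not classified at all.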
User Identity Analysis
Attributes: Name, Title, Business group, Organization hierarchy, Special privileges
Used to decide: what policies to apply, the risk of actions, what controls to enforce, who to notify
Real-time data from your Windows Active Directory
Used across all phases of DLP
Incident Workflow to Effectively Manage Violations
Violation Event 1, Violation Event 2, Violation Event 3, Violation Event 4, ... Violation Event n
Consolidate Violations: policy based logical grouping of violation events into Security Incidents
Send Alerts Based on Risk (HIGH / MEDIUM / LOW): alert Manager, alert Security Officer, or no alerts (audit only)
DLP + enVision = more intelligent alerts and prioritization
Reduce noise, prioritize incidents and manage workflow
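An added example (not RSA's or enVision's code) of the workflow above: violation events are consolidated into one security incident per policy and user, scored from data sensitivity, user action, repeat count and user privileges, and then routed by risk band. The weights, thresholds and the mapping of bands to the three alert outcomes are assumptions.

```python
from collections import defaultdict

# Assumed scoring inputs: data sensitivity and user action, as on the enforce slide.
SENSITIVITY = {"public": 0, "internal": 1, "pii": 2, "secret": 3}
ACTION_RISK = {"print": 1, "copy-usb": 2, "email-external": 3, "web-upload": 3}

def risk_level(score: int) -> str:
    """Assumed thresholds for the HIGH / MEDIUM / LOW bands."""
    if score >= 8:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"

def consolidate(events: list) -> list:
    """Policy-based logical grouping: one security incident per (policy, user),
    scored from the worst event, the repeat count and the user's privileges."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["policy"], e["user"])].append(e)
    incidents = []
    for (policy, user), evs in groups.items():
        worst = max(SENSITIVITY[e["sensitivity"]] * ACTION_RISK[e["action"]] for e in evs)
        score = worst + min(len(evs) - 1, 3)          # repeat violations add up to +3
        if any(e.get("privileged") for e in evs):
            score += 2                                # identity-aware bump
        incidents.append({"policy": policy, "user": user, "events": len(evs),
                          "score": score, "risk": risk_level(score)})
    return sorted(incidents, key=lambda i: -i["score"])   # prioritised queue

def route(incident: dict) -> str:
    """Alert routing by risk band (assumed mapping of the slide's three outcomes)."""
    return {"HIGH": "alert security officer",
            "MEDIUM": "alert manager",
            "LOW": "audit only"}[incident["risk"]]

# Constructed violation events, in the shape a DLP monitor would emit them.
EVENTS = [
    {"policy": "PII", "user": "alice", "sensitivity": "pii", "action": "email-external"},
    {"policy": "PII", "user": "alice", "sensitivity": "pii", "action": "email-external"},
    {"policy": "PII", "user": "alice", "sensitivity": "pii", "action": "web-upload"},
    {"policy": "PII", "user": "carol", "sensitivity": "pii", "action": "copy-usb", "privileged": True},
    {"policy": "Docs", "user": "bob", "sensitivity": "internal", "action": "print"},
]
```

`consolidate(EVENTS)` turns five events into three incidents: alice's three PII mails become one HIGH incident routed to the security officer, carol's privileged USB copy a MEDIUM one for her manager, and bob's print an audit-only LOW.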
Scalability For Government Deployments
PEOPLE: Number of users, Types of users. Flexible policy framework to support a million plus users and 100s of user types
PLACES: Number of office sites, Types of office sites. Expandable site and agent architecture to support 1000s of sites
DATA: Amount of data, Sources of data. Unique grid technology to scan large amounts of data most cost effectively
Connecting DLP With Your Business and IT
Your DLP Deployment: POLICY, CONTROLS, INCIDENTS, INFRASTRUCTURE
Built-in DLP for the Infrastructure: DLP Ecosystem
Your DLP Strategy: Data Loss Prevention, Data Governance, Policy & Incident Management, Storage Infrastructure, Security Monitoring, Rights Management
What's in it for you:
  Leverage your current infrastructure for DLP
  Faster and cost effective deployments
  Centralize policies and management
Comparison of Critical Criteria
Critical Criteria For Sustainable DLP
Discover Information Risk
  Non-invasive endpoint scanning
  Effective scanning of data repositories (grid scanning)
  Insight into users and real owners
  Accuracy in identifying data
Respond to Information Incidents
  Apply reactive controls for incidents
  Add business context for incidents
  Establish workflow for incidents
Understand Root Cause & Fix
  Identify the IT root cause
  Identify the business root cause
  Effectively engage business users
  Apply controls proactively at the root cause level
DLP Deployment Playbook For You
TECHNOLOGY
  Conduct a technology requirement assessment
  Identify current technology you can leverage
  Evaluate fit with IT roadmap (cloud, virtualization, etc.)
PROCESS
  Do not boil the ocean. Deploy in phases.
  Prioritize deployment phases by risk (data, group, etc.)
  Establish a process for remediation and reporting
PEOPLE
  Gain support from executives and business managers
  Make sure employee education is part of the plan
  Establish SLAs and MOUs with group heads
DLP Project Process & Check List
Your DLP Pre-Deployment Check List
  DLP champion (team)
  Buy in from groups beyond IT
  Top 3-5 drivers & corporate policies
  Education process & resources
  Remediation process & resources
  Technology provisioning
  DLP administration hours
  Project Timeline and next phase
Process phases: Pre-Deployment; Discover & Monitor; Educate; Enforce; Next Phase (new policies / groups)
Next steps
What stage are you in today? We can help you:
Considering DLP: better understand DLP
Scoping DLP Project: develop a DLP project internally
Evaluating DLP Vendors: develop a framework to evaluate and select the right DLP vendor
Offerings: DLP Workshop, DLP Demo, EMC CIRC Tour, Free Scan, Risk Assessment, DLP Miniscan, DLP TCO Tool, DLP Sizing Guide, DLP RFP Templates, DLP POC Consideration Metrics
Five Critical Factors For DLP Solutions: RSA's Take
Policy & Classification: policies covering a broad range of regulations and topics, developed by an expert team
Identity Aware: identity awareness for classification, controls and remediation
Incident Workflow: consolidated alerts with the right information to the right people for the right actions
Enterprise Scalability: scan more data faster with less hardware and fewer resources
Built-In vs. Bolt-On: common policies across the infrastructure - EMC, Cisco and Microsoft