Pillars of Enterprise Protection: Data Loss Prevention
The business case for end-to-end data protection
Technical Brief: Data Loss Prevention

Contents

The business case for Data Loss Prevention ... 1
Data loss: risks, origins, and regulations ... 1
    Causes ... 1
    Changes in the threat environment ... 2
    Regulatory environment ... 2
Data Loss Prevention: technology ... 2
Data Loss Prevention: processes ... 3
    Discovery ... 3
    Monitoring ... 3
    Protection ... 4
    Management ... 4
Supporting technologies and processes ... 5
Symantec Data Loss Prevention ... 6
Why Symantec? ... 6
The business case for Data Loss Prevention

Data loss is the unintentional release of sensitive information to non-trusted parties: scenarios include accidental disclosure, loss of physical assets like backup tapes or laptops, phishing e-mail, and other forms of fraud or outright theft of physical or electronic assets. It is the number one information-security concern of Fortune 1000 companies. [1] And no wonder: much of a modern business's value is locked up in blueprints, customer records, source code, and other information assets. And the same technologies that accelerate the legitimate flow of business information lead to public embarrassment, regulatory penalties, customer defections, and financial loss when they are accidentally or criminally misused.

Data Loss Prevention (DLP) is now, and has always been, a business problem, addressed through a combination of policies, physical controls, agreements, and business processes. New Data Loss Prevention technologies simply extend those traditional measures with security software designed to protect sensitive information assets in today's high-speed, connected world.

Data loss: risks, origins, and regulations

The risks and costs of data-loss incidents are rising as fast as information itself grows in volume and value. Confidential information has become an attractive target for thieves operating out of remote jurisdictions. And local, national, and international regulations, remediation requirements, and lawsuits raise the costs of any breach, whether accidental or malicious.
Causes

Data breaches have multiple causes, but most of them depend on the actions, errors, or oversights of insiders:

- Insider negligence is a factor in 88% of data breaches, [2] including:
  - data left exposed and unencrypted on servers, desktops, and laptops
  - confidential information sent in or with e-mail or Web mail
  - information left on removable media and devices
  - information disclosed to and mishandled by third parties
- Insider malice is less common but more costly, [3] and includes instances of white-collar crime, data theft by disgruntled or terminated employees, [4] and industrial espionage
- Targeted attacks by organized criminals exploit weak or poorly managed processes and technologies, using improper credentials, advanced persistent threats, or malicious code to steal customer and employee identity information, often for resale online

[1] The Info Pro. Security Wave 11. (New York: July, 2009).
[2] Ponemon Institute. 2008 Annual Study: Cost of a Data Breach. (US: 2008).
[3] Ibid.
[4] Ponemon Institute. Data Loss Risks During Downsizing. (US: 2009).
Changes in the threat environment

Data-loss incidents and data breaches have grown more visible and widespread. Massive breaches at large retailers and payment-card processors make headlines, but cyber attacks now extend to 75% of all enterprises, not just a few large ones. And data breaches in 2009 exposed 285 million records, more than in the previous four years combined. [5] The April 2010 Symantec Internet Security Threat Report [6] documents a deteriorating situation.

Regulatory environment

There are hundreds of data-protection standards and regulations worldwide, including 38 state laws in the US alone. These examples convey their range and scope:

- European Union Data Protection Directive 95/46/EC creates a worldwide obligation to protect information that could identify individuals in the European Union
- Health Insurance Portability and Accountability Act Privacy Rule regulates the use and disclosure of Protected Health Information in the US
- Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information-security standard and set of processes to protect payment cardholder data
- US Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) cyber security standards

Data Loss Prevention: technology

Data Loss Prevention technologies apply to both structured and unstructured data. Structured data follows a pattern, such as NNN-NN-NNNN for a US Social Security number, or occupies a place in a structured record such as a database. Unstructured data includes text files, spreadsheets, and any other record whose format is not an essential component of its meaning. Data loss prevention starts with discovery of information assets in areas of highest priority or risk across an organization, often starting from one of the regulatory or standards frameworks cited above.
DLP technologies then apply and enforce data-protection policies in three important contexts:

- Data at rest: data can live forever in servers, databases, desktops, laptops, USB drives, and other data repositories, and in all their backup copies and archives. Protection here starts with an inventory of information (discovery of so-called "data spills"), followed by remediation and new controls to prevent recurrence.
- Data in use at network endpoints: electronic information is "in use" when an end-user is working on it at a network endpoint: a laptop, desktop, or other computing platform. Protection here means restricting use at the endpoint, for example by blocking and reporting attempts to copy information to a USB drive or print it while connected outside the corporate network.
- Data in motion: information moves instantaneously through e-mail, instant messages, peer-to-peer transactions, file transfers, Web postings, and other communications. Protection here includes implementing solutions at network gateways to monitor, encrypt, filter, and block sensitive information in outbound messages without restricting the flow of non-sensitive communications.

[5] Verizon Business Risk Team. 2009 Data Breach Investigation Report. (New York: Verizon Communications Inc., 2009).
[6] Symantec Corporation. Internet Security Threat Report XV. (Cupertino, CA: April, 2010).
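As an added example, not code from the brief or from Symantec, the following Python shows the content-matching step the technology section describes: it scans text for the two kinds of structured data the brief names (the NNN-NN-NNNN Social Security number layout and payment card numbers), validates each candidate to cut false positives, masks what it reports so the report is not itself a data spill, and reuses the same matcher as a discovery pass over a data-at-rest store. The validation rules, the sample message, and the sample file contents are constructed assumptions; the card numbers are standard test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Added example, not from the Symantec brief. Two structured-data patterns
# from the text: NNN-NN-NNNN (US Social Security number) and payment card
# numbers (13-16 digits with optional separators, verified with Luhn).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssn" or "pan"
    masked: str   # matched digits with all but the last four masked
    offset: int   # position in the scanned text


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks that remove obvious non-SSNs matching the pattern.
    Assumed rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report only the last four digits so the report is not a new data spill."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Content-aware match over one text: a message body, a file, a print job."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(re.sub(r"\D", "", m.group(0))), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("pan", mask(digits), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def discover(repository: dict[str, str]) -> dict[str, list[Finding]]:
    """Discovery pass over a data-at-rest store (path -> content), keeping only
    the locations that hold sensitive data, i.e. the "data spills"."""
    return {path: hits for path, content in repository.items() if (hits := scan(content))}


# Constructed sample input: an outbound message (data in motion) with one
# SSN-shaped value, one Luhn-valid test card number, and two near-misses
# (an invalid area number and a card number that fails Luhn).
SAMPLE_MESSAGE = (
    "Attaching the claims export. Patient SSN 123-45-6789, card on file "
    "4111 1111 1111 1111. Ticket ref 000-12-3456, PO 4111 1111 1111 1112."
)

# Constructed sample store: a clean file and a stale export holding card data.
SAMPLE_REPO = {
    "shares/hr/handbook.txt": "Badge policy: wear your badge at all times.",
    "shares/finance/old_export.csv": "id,pan\n1,4111111111111111\n2,5500000000000004\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGE):
        print(f"{f.kind}@{f.offset}: {f.masked}")
    for path, hits in discover(SAMPLE_REPO).items():
        print(f"{path}: {len(hits)} finding(s)")
```

The two validation steps are where most of the engineering effort in a real policy goes: a bare regex for NNN-NN-NNNN also matches ticket numbers and part codes, and a bare 16-digit match flags order numbers, so the pattern is only the first filter and the structural or checksum test decides.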
Data Loss Prevention is a form of content-aware data protection, because it examines the information and applies policies to determine what protections are appropriate. Other technologies like encryption or digital-rights management (DRM) depend on human or automated decisions about whether to encrypt and how to assign rights. Combining encryption or DRM with Data Loss Prevention creates powerful options for content-aware selective encryption: for example, delivering e-mail with sensitive content encrypted, to be unlocked when an administrator determines that the recipient and business context are legitimate.

Data Loss Prevention: processes

Data Loss Prevention technologies discover, monitor, and protect information in use at endpoints (laptops, desktops, and other devices), in motion across network gateways, or at rest in storage systems and devices. Just as important, DLP management capabilities work across technologies and contexts to assure a unified policy, coordinated action, and consistent reporting.

Discovery

Discovery technologies identify sensitive structured and unstructured data wherever it is stored.
In evaluating discovery technologies, look for:

- Pre-written content-matching policies: data patterns or content elements found to signal sensitive information in different industries, languages, and regions, customizable to your organization's requirements
- Broad technology coverage across scan targets: servers, endpoints, databases, e-mail servers and gateways, operating systems, virtualization platforms, groupware, content management systems, and mobile computing devices
- Flexible deployment options that include agent-based DLP to protect data on endpoints even when disconnected from the network, and agentless options that protect data on third-party devices whenever they connect, without installing software on them
- Data owner/user identification: this major advance integrates data protection into established business processes by informing data owners and key users of risks to the data they are responsible for, or depend on

Discovery gives an organization insight into the distribution of critical data assets across the organization, including the unauthorized, personal, or "just-in-case" copies that account for a large number of embarrassing breaches. Discovery is often a wake-up call to organizations, energizing subsequent steps in loss prevention.

Monitoring

Monitoring technologies assess activities on endpoints and across networks to:

- Show how confidential information is used on endpoint devices, whether connected to corporate networks or roaming off-network
- Identify and remediate broken business processes by analyzing all traffic leaving your network, including traffic over automated Web and FTP protocols
- Link DLP policies to security incident management workflows to identify and counteract external threats that target business information
One key to selecting effective monitoring technologies is scalability: monitoring must cover all traffic crossing your entire network, so look for a solution that has been proven in busy global corporate networks.

Protection

Protection technologies keep confidential data from leaving the organization; ideally, they also launch processes to change employee behavior by raising awareness of risks to confidential data and of the proper steps to protect it. Protection technologies use:

- Automatic quarantine or removal of inappropriately stored data, with notification of data owners or key users
- Real-time prevention that may include:
  - User and manager notifications
  - Quarantine, relocation, removal, or blocking
  - Automated encryption or application of digital rights management
  - Custom combinations of alerts and actions
- Remediation according to organizational policies, pre-configured expert response rules, or a custom combination of both

Protection technologies are a current innovation "hot spot", so it's unlikely that any single company will have all the technologies you wish to deploy. Look for tools and APIs that can link your DLP solution with third-party data protection such as encryption and DRM, and make it ready to accommodate future solutions.

Management

As with IT security, the key to an effective data loss prevention program is efficient management. End users and managers will work around or disable any data-protection solution that gets in the way of productivity.
An effective management solution:

- Unifies all DLP technologies under a single set of policies, from a single management console that integrates with an enterprise management platform
- Applies policies that consider the content of the protected information, the context in which it is used, the identity and actions of the users, and more
- Supports both pre-configured and custom policies that can be developed once and then shared throughout the enterprise, with partners, or with an extended user community

Management tools such as workflow, open reporting, geographic localization, and policy import/export help integrate across suppliers, so there's no longer any reason for DLP to be an "island" solution isolated from other IT security processes.
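The response-rule side of the Protection and Management sections above, as an added example that is not the brief's or Symantec's code: findings from a content scan arrive already counted, and one policy combines content (what was found and how much), context (at rest, in use, or in motion), and identity (data owner, manager, recipient domain) to choose actions and notifications, then tallies actions across contexts for consistent reporting. The severity thresholds, action names, partner-domain list, and sample incidents are constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not from the Symantec brief. Response rules that turn scan
# findings into the actions the brief lists: notify, quarantine, block,
# encrypt, and hand-off to security incident management.


@dataclass
class Incident:
    context: str                  # "at_rest", "in_use" or "in_motion"
    location: str                 # file path, endpoint action, or recipient
    counts: dict                  # findings by kind, e.g. {"ssn": 3, "pan": 1}
    owner: str                    # data owner or key user to notify
    attrs: dict = field(default_factory=dict)  # context details, see samples


@dataclass
class Response:
    severity: str
    actions: list
    notify: list


def severity_of(counts: dict) -> str:
    """Assumed thresholds on the number of matches in one item."""
    total = sum(counts.values())
    if total >= 100:
        return "high"      # bulk data, e.g. an exported table
    if total >= 5:
        return "medium"
    return "low"


# Constructed allow-list: partners for whom selective encryption replaces an
# outright block (the "content-aware selective encryption" option).
PARTNER_DOMAINS = {"partner.example"}


def respond(inc: Incident) -> Response:
    """Content x context x identity -> actions and notification list."""
    sev = severity_of(inc.counts)
    actions, notify = [], [inc.owner]
    if inc.context == "at_rest":
        # Inappropriately stored data: report a stray value, quarantine more.
        actions.append("report" if sev == "low" else "quarantine")
    elif inc.context == "in_use":
        # Endpoint copy/print: block and report; escalate when off-network.
        actions += ["block", "report"]
        if inc.attrs.get("off_network"):
            actions.append("alert_manager")
            notify.append(inc.attrs.get("manager", "manager-on-record"))
    elif inc.context == "in_motion":
        domain = inc.attrs.get("recipient_domain", "")
        if domain in PARTNER_DOMAINS and sev != "high":
            actions.append("encrypt")   # deliver encrypted, unlock on approval
        else:
            actions.append("block")
        actions.append("log")
    else:
        raise ValueError(f"unknown context: {inc.context}")
    if sev == "high":
        # Link to the security incident management workflow.
        actions.append("open_incident")
        notify.append("security-ops")
    return Response(sev, actions, notify)


def summarize(responses: list) -> dict:
    """Consistent reporting across contexts: how often each action fired."""
    tally: dict = {}
    for r in responses:
        for a in r.actions:
            tally[a] = tally.get(a, 0) + 1
    return tally


# Constructed sample incidents: one per context, plus an external send.
SAMPLE_INCIDENTS = [
    Incident("at_rest", "shares/finance/old_export.csv", {"pan": 250}, "finance-owner"),
    Incident("in_use", "copy-to-usb", {"ssn": 1}, "hr-lead",
             {"off_network": True, "manager": "hr-manager"}),
    Incident("in_motion", "claims@partner.example", {"ssn": 2}, "claims-owner",
             {"recipient_domain": "partner.example"}),
    Incident("in_motion", "someone@webmail.example", {"pan": 3}, "sales-owner",
             {"recipient_domain": "webmail.example"}),
]

if __name__ == "__main__":
    results = [respond(i) for i in SAMPLE_INCIDENTS]
    for inc, r in zip(SAMPLE_INCIDENTS, results):
        print(f"{inc.context:10} {inc.location:32} {r.severity:6} {r.actions} -> {r.notify}")
    print(summarize(results))
```

Keeping the decision in one function over a shared Incident record is what lets the same policy drive the storage scanner, the endpoint agent, and the gateway: each feeds its findings into the same rules, and the tally gives one report rather than three.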
Supporting technologies and processes

Not even the best security solution can work effectively in isolation. Data Loss Prevention technologies can be compromised by poor employee background checks, inconsistent supervision, inadequate physical security and access controls, and more. Putting an end to data breaches and their associated costs and embarrassment depends on a coordinated approach:

- Close system vulnerabilities to stop targeted attacks from outside
- Insist on, and enforce, strong password protection for key infrastructure and data
- Deploy multilevel security solutions that block suspicious behavior, even if the exploit itself has never been seen before
- Monitor threat levels by correlating real-time alerts and global security intelligence
- Use content-aware data-protection policies at storage locations and endpoints as well as gateways
- Automate security using IT compliance controls to check password settings, server and firewall configurations, patches, and updates
- Don't neglect low-tech: include copiers and fax machines in your data-protection plans
- Integrate DLP and response strategies into security operations to avoid gaps, fragmentation, and wasted effort

Press coverage, fines, penalties, hearings, and lawsuits have raised data protection to a top enterprise priority. Industry standards and frameworks outline what needs to be done, and the technology is now available for an enterprise-wide approach. An organization-wide needs assessment and Discovery process is the next step to build momentum for data-loss prevention on an enterprise scale.
Symantec Data Loss Prevention

Figure 1: Symantec Data Loss Prevention solutions protect confidential and sensitive information wherever it is stored, used, or transmitted, with powerful capabilities for enforcement, remediation, and integrated management.

Why Symantec?

Symantec, the world leader in Data Loss Prevention, delivers proven, content-aware solutions to discover, monitor, and protect confidential data wherever it is stored or used. The solution set supports measurable reduction of data-breach risks, helps demonstrate compliance with privacy regulations, and safeguards an organization's customers, brand equity, and intellectual property. Unlike other solutions, Symantec Data Loss Prevention covers all data types and exit points, and has been proven in a long series of successful deployments. The solution helps organizations protect their information in advance of threats, respond quickly to changes in the external threat environment, and make use of content awareness to improve the overall effectiveness of enterprise security.
About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Symantec helps organizations secure and manage their information-driven world with IT Compliance, discovery and retention management, data loss prevention, and messaging security solutions.

Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 6/2010 21032641