DLP is back, but not as you know it
Damien Manuel
The need to become PCI-DSS compliant has driven the internal security agenda in a number of commercial organisations over the last five years in an unforeseen way. It has pushed organisations to focus purely on compliance and consequently Data Loss Prevention (DLP) became a simple tick box must have for most organisations.
There is nothing wrong with using the spectre of compliance breaches and fines to drive the security posture within an organisation and many CISOs (me included) are guilty of using compliance to move security front and centre to the attention of boards and executive management.
However, using compliance alone as a security driver in an organisation misses the larger opportunity and value of DLP. Organisations are starting to move from solely compliance driven security to business aligned security, a process of security capability maturity. Consequently, I am witnessing a resurgence and adoption of holistic DLP solutions. For me, Data Loss Prevention should be renamed or described as Data Enablement Protection (DEP) and I’ll explain why shortly.
Firstly, what was wrong with organisations using DLP as a compliance tool? Well in short, nothing. A compliance driven approach is needed to improve the security posture of organisations from a low base and in some sectors, compliance is key. Passing compliance audits can be the difference between losing a license and the ability to trade. The banking sector is a classic example where compliance failures can lead to fines from regulators in the order of billions of dollars or the cessation of a banking license.
In a business aligned security approach, DLP is used to identify, understand and manage business processes, rather than just hunting for PII or Credit Card numbers leaving the organisation. This distinction is important as organisations can identify core issues (visibility), understand required technology changes, identify and manage business processes and usage habits allowing these organisations to deal with the core issues, rather than constantly treating the symptoms, to be more secure.
For example, I have seen businesses send credit card information (card number, name, CVV and expiry date) to external parties for data processing over email. Once the widespread practice was discovered using a simple checkbox DLP, using email regex pattern matching, the response from the security team was to instruct the business users to simply use WinZip to add a password or basic encryption to secure the data. So the management graphs showing unencrypted files leaving the organisation went from high to low, which was a win for management, however the graph of encrypted files leaving rapidly increased.
The organisation simply shifted a business process problem from clear text into an encrypted channel they were no longer able to monitor, which in my view diminished the power of their DLP solution.
In the case above, a proper DLP approach would have questioned if the business practice of emailing customer credit card details to 3rd party providers needed to be modified or changed to ensure data safety and integrity. By analysing the business practice and working with the business it would have become evident that the organisation needed a safe, secure and simple way to communicate with 3rd party providers via a dedicated business to business gateway.
In other instances some of the communications should not have occurred as they lacked the governance rigor demanded by executive management and enterprise operational risk teams.
Increasing organisational and technology complexity means we need to rethink how we use DLP tools. Cloud based systems, and to a smaller degree mobile applications, are offering hundreds of platform options and access routes, degrading the control of IT departments and moving it to a distributed model.
The proliferation of mobile computing and remote workers has forced many organisations expend a lot of effort and resources to compensate for poor habits, instead of recognising and directly addressing the core issues raised by rapidly changing technology, the relentless evolving threat landscape and end user demands for flexible and uninhibited working.
The last thing addressed by these organisations was the culture and habits of the people using technology in the field. The insurmountable wall of technology issues consumed the IT Department for every waking moment.
It was almost impossible to get a clear view of what detection rules to use in the system, how to manage the alerts, who was to perform the inevitable investigations and how to deal with mundane system maintenance post project deployment.
But occasionally a few organisations were victorious. It worked for these organisations for the following reasons:
- DLP wasn’t just about compliance; they adopted a risk based business focused approach to the implementation and ongoing operations of DLP. In other words, DLP was a business owned resource, managed by the IT / Security department covering multiple communication channels.
- They selected the right technology – flexibility to cover multiple channels, ease of maintenance, ease of deployment and ongoing operation.
- They selected a provider with a very large customer install base. A large customer install base typically equates to a product that can address diverse use cases and ensures the continued evolution / development of the product.
- They focused on internal communication across the business; not just within the IT or Security department. Education of staff and an understanding of business process (the how and why) is a key component often overlooked.
The DLP of today needs to address the challenges posed by always-connected cloud environments operated from any device we can grab. Most large organisations use hundreds of cloud applications as part of their business processes without even realising the extent of their dependence on the services. Regrettably, this has also led to 47% of enterprises losing data in the cloud at one time or another, proof that clearly it is time for us to address the underlying issues with better applied DLP and reboot the existing thinking.
The good news is that DLP is transforming to encompass cloud based applications (e.g. like Box, DropBox, Office 365, Salesforce etc). DLP is set to become front and centre again for a lot of organisations and it will enable businesses to protect data both on-premise and in the cloud.
Here are eight steps to mitigate some of the risks and to create a cleaner and safer way of handling data.
#1 Discover what’s on your network
There are two types of organisations: those that openly use cloud, and those that use cloud without realising it. Even as far back as 2014, researched showed large enterprises on average had over 400 unsanctioned cloud apps in use. Without a full understanding of how employees use cloud applications, the organisation could feel a false sense of security.
While IT staff might follow the protocols and block common applications, employees often find alternatives. Without knowing or understanding employee behaviours it’s very hard to implement effective security policies. Start with the simple process of discovery, by looking at the firewall log data to see which cloud services are being accessed and then expand this out to your proxy logs. There are CASB (Cloud Access Security Broker) solutions which can help automate this process and complement existing DLP deployments. Don’t forget DLP tools can be extremely powerful when used to gain visibility and an understanding of how documents are used, consumed and transmitted within an organisation (and when transmitted to external parties).
#2 Assess security implications
On average, there are more than 2,000 files stored per user in a cloud-based file-sharing app like Box or Google Drive. Out of these, on average 185 files will be “broadly shared” - meaning files that are either shared publicly or externally - allowing easy access by someone outside the organisation.
Alarmingly, up to 20% of broadly shared files contain some sort of compliance-related data. This is a frighteningly large number, as this content could comprise critical personal and financial information. Determine your organisation’s risk appetite in relation to these files being publicly released. This means you need to understand the likelihood of data inadvertently or deliberately shared with the general public and the importance of that data to your organisation. The other consideration is the reliability of the cloud service provider (i.e. not being compromised).
#3 Act to compensate for risk
In the past prevention was binary, an application or service was either allowed or not, without exceptions. This approach does not easily work with cloud apps, where a more granular and detailed control approach is needed.
Traditional firewalls can only determine that user Bob accessed a file sharing service like Dropbox or Google Drive. This is no longer sufficient, as businesses require a more detailed insight - Bob went to Google Drive and shared file named confidential.docx, which contained proprietary information, with a user named ‘Alice’ from a particular IP address.
Unusual user behaviour can also lead to the exposure of security risks. A red flag could be raised if the VP of Sales is suddenly accessing customer records that she doesn’t typically access. The ability to understand and profile user behaviour, and then look for deviations is incredibly valuable. Consider how you will achieve this level of control with your existing security stack. If you are unable to implement granular controls then you either need to supplement your security stack with a solution or make a risk based business call to either block or allow in a binary fashion.
#4 Control identity
Previously IT managed the identities for all of the resources that employees used. It was relatively safe because resources were all within the corporate firewall. Today, these resources reside not only outside the firewall, but also on disparate systems.
When users access cloud apps outside the firewall, their identity is not related to their central corporate identity. This means that IT has no control over the access to the outside apps, and users must remember and manage credentials across multiple apps, sites, and services.
These issues can be solved with a centrally managed identity. By implementing a sign-on solution which is device, network, location and user role aware, employees can use their corporate identity rather than managing different external usernames and passwords. Remember to be vigilant and implement monitoring in the event an account is compromised.
#5 Managing user accounts and access rights
Critical for controlling app security, is the ability to automatically set-up and disable accounts. As employees are hired, change job titles, move between groups, and eventually leave the company, their app entitlement and accounts should automatically change.
When apps were all within the corporate perimeter, IT could easily control user roles and application access. Now with external systems, it’s a challenge to automatically change what rights people have as they move around in and out of the organisation. Cloud identity and access management solutions should enable automatic set-up, changes and deactivating or simply grant or deny access of user accounts, based on their roles as defined in a centralised directory service.
#6 Secure mobile and BYO devices
Once IT has better management and visibility of user apps, it makes sense to finally look at the mobile devices used by employees. Not all BYOD usage is bad – people want to use their smartphones, tablets or personal laptops to access work resources, creating a streamlined and synchronous environment for the user.
Mobile device solutions should also integrate with central identity and access management solutions, to allow matching of new devices to existing users from the central user database.
There is little point in keeping our head out of the cloud – cloud-based apps are not a passing fad and it is important to include them in a data loss prevention framework. Any organisation that does not get ahead of employee behaviours and at least consider the risks and implications of their data in the cloud, might as well put its sensitive information on the sidewalk with a ‘Please do not steal’ sign.
#7 Invest in the right DLP technology solution
Not all DLP technology solutions are equal; invest in one that has a comprehensive roadmap of future investment, large user install base and is easy to operate post deployment. Future integration with CASB DLP solutions is also something to consider as your staff consume more and more cloud services. This is where a multi-channel detection, prevention and end user coaching solution is critical to cater for the present and future needs of the business.
Also, remember that a DLP solution is a great discovery tool to identify business processes that don’t comply with your security policy or risk appetite. Use the information you discover to have business discussions focused on empowering the business to protect the information assets believed to be important. As the organisation matures in security capability and awareness, you will be able to move from a coaching mode to a detection and blocking mode of operation if the business deems it necessary.
I often hear from various organisations that DLP is too hard, and subsequently too expensive. The reality is that DLP is a requirement of doing business in the digital age and can be implemented in stages. Think about the importance of your data, the increase in insider threats, accidental data loss and the pending data breach legislation waiting to go through parliament, before writing off adopting a data loss prevention framework.
#8 Creating a culture of education and awareness
Good security involves three core pillars: People, Process and Technology. Excellent security involves a fourth pillar which is often ignored in this highly outsourced and interconnected world, Suppliers.
Security awareness and education of doing the right thing to protect yourself, your colleagues and the organisation is critical in developing a high performing security culture that can be extended to your suppliers and your people to drive process improvements. Suppliers and your people need to understand which data assets are critical to the organisation, how they should be accessed, how they should be handled (throughout the data lifecycle) and to always think about the protection of that asset as if it was a tangible item like diamonds or gold.