Comprehensive Data Leak Prevention


Transcript of Comprehensive Data Leak Prevention

Page 1: Comprehensive Data Leak Prevention

1

Enterprise Information Leak Prevention

Recent trends show that the insider threat is bigger than the hacker’s.

Page 2: Comprehensive Data Leak Prevention


Knowing ‘what’ is sensitive is a business problem that technology alone cannot solve. (The Policy)

Technology needs to know the data in order to know ‘how’ and ‘where’ to manage it. (Process & Federation)

Ancillary functions are required in order to add further functionality. Each DLP program is unique, and the ancillary functions change from deployment to deployment.

What is Information or Data Leak Prevention?

Information / Data Leak Prevention (DLP) is a strategy for making sure that sensitive information does not reach the wrong hands, either inside or outside the enterprise network. The term is also used to describe technology products that help a network administrator control the data that end users transfer. The terms Information/Data, Leak/Loss and Prevention/Protection are used interchangeably.

Page 3: Comprehensive Data Leak Prevention


Quiz - Ahead of Apple’s much-anticipated new product launch, a celebrity picture leak incident on iCloud caused its share price to fall by 4.2%. If Apple has a total of 5.99 billion shares, kindly put a price tag on this leak:

a) $6 Million b) $15 Million c) $15 Billion d) $25 Billion

Financial Implication of a Single Information Leak: An Example

Page 4: Comprehensive Data Leak Prevention


“According to Kaspersky Labs Accidental Data sharing leads to loss of more data than software flaws. 27% of organizations have lost sensitive business data due to internal threats in last 12 months…”

Industry Trend

[Chart: Data Loss Threats, by cause. Series: “Yes - of sensitive business data”, “Yes - of non-sensitive data”, “No”. Categories as listed below; the percentages extracted from the chart (three series of seven values: 7, 7, 7, 9, 5, 4, 5 / 13, 14, 12, 9, 10, 7, 7 / 16, 7, 7, 3, 6, 5, 4) cannot be attributed to a series or category from the transcript.]

Vulnerabilities in existing software

Accidental leaks / sharing of data by staff

Loss / theft of mobile device by staff

Intentional leaks / sharing of data by staff

Information leaked / inappropriately shared on mobile device

Security failure by third-party supplier

Fraud by employees

Page 5: Comprehensive Data Leak Prevention


Obtain top management buy-in, have a policy, and have a high-level vision of the enterprise network to establish the primary boundary and identify the primary gateways.

Speak to Corporate Governance, Data Governance and the other control-minded cousins.

Speak to IT and understand the various information types and their handling.

Speak to sample staff at all levels to understand the culture around the information life cycle.

Survey the business functions to understand specific business processes and develop data flow diagrams.

Develop a road map with all the above details.

Finding the Starting Point

[Diagram: Policy at the centre, with Leak Control at the Mail Gateway (@xyz.co.kw), Leak Control at Automation (USB, CD, etc.) and Leak Control at the Internet Gateway (Gmail, SkyDrive, etc.)]

Page 6: Comprehensive Data Leak Prevention


[Diagram: roadmap building blocks - Data Classification Policy, Framework, Rights Management, Gateway Tech Integration, Encryption, Mobile Support]

While developing a roadmap, identify the ‘What’, ‘How’ and ‘Where’, and the ancillary functionality, as per the organization’s priorities.

The Roadmap

‘What’ shall constitute the Information Classification as per the Policy, to achieve the primary building block of the program.

‘Where’ shall form the base and extended boundaries, thus constituting the Federation.

‘Who’ shall constitute the Rights Management.

‘How’ shall constitute the related business processes and flow diagrams, and also the deployment of gateway technology (mostly referred to as the DLP products).

Ancillary functions are further added to bring in the functionality for Encryption and Mobility.

Page 7: Comprehensive Data Leak Prevention


Public: Information which is to be shared outside the enterprise.

Internal Use: Information accessible to staff on a need-to-know or need-to-have basis.

Business Partners: Information accessible to vendors, partners or consultants (i.e. outside the KFH domain).

Confidential: Information accessible to staff only on a need-to-know or need-to-have basis, to perform assigned job responsibilities within the organization only.

Secret: Information accessible to highly restricted authorized employees within the organization with an absolute need-to-know or need-to-have requirement to perform their assigned job.

Information Classification Scheme

[Diagram: Information Sensitivity scale, rising from Public through Internal Use, Business Partners and Confidential to Secret]

Information Classification is the fundamental requirement for identifying sensitive data. In its absence, no amount of technology deployment can be an alternative.

Information Classification Policy

Page 8: Comprehensive Data Leak Prevention


The term ‘Leak’ refers to the breach of boundaries by the respective classification. Boundaries also constitute the constituency of each classification. Similarly, the social media framework allows the end user to classify his / her information accordingly.

[Diagram: Federation - the Org circle of trust (Kuwait), the wider circle of trust across Oman, UAE, Qatar, Bahrain, KSA and Kuwait, then 3rd party and the Untrusted Circle; the labels KSA and C-In-C appear as on the slide]

Examples of LinkedIn, Google, FB.

It is a fundamental requirement to establish logical enterprise boundaries as per the base organization.

Federation Framework

Page 9: Comprehensive Data Leak Prevention

Rights Management, along with validation features, manages the restriction and access control mechanism of the program. Rights to change the classification are managed to avoid an unauthorized ‘Business Partners’ classification being applied in order to send information outside. An RM mechanism is deployed to restrict the printing of ‘Confidential’ and ‘Secret’ information.

RM manages the authorization of Public information.

It is required to establish ‘who’ can do ‘what’ as per job authorization.

Rights Management

[Diagram: Rights Management Mechanism, with Print control]

Page 10: Comprehensive Data Leak Prevention


Identified sensitive information shall be auto-encrypted and does not require intervention from the average end user.

The encryption mechanism gets auto-invoked based on classification, without end user intervention. The organization does not need to apply cumbersome encryption across the organization.

Special public announcements that need to be treated as confidential until released are managed with a special process.

Encryption and Digital Certificates

[Chart: Sensitivity Trends - legend Internal Use, Business Partners, Confidential, Secret, Public; values as extracted, in chart order: 50%, 10%, 20%, 5%, 15%]
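The following Python policy engine is an added worked example, not code from the deck or from KFH. It models the building blocks of slides 7 to 10 together: the five classification levels, federation circles as the boundaries a classification may reach, a leak defined as a transfer beyond that boundary, rights to reclassify limited to the information owner, a print restriction on Confidential and Secret, and encryption invoked by classification rather than by the user. The circle names, the level-to-boundary mapping and the clearance flags are assumptions chosen to illustrate the scheme.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Classification scale from the deck, lowest sensitivity first."""
    PUBLIC = 0
    INTERNAL_USE = 1
    BUSINESS_PARTNERS = 2
    CONFIDENTIAL = 3
    SECRET = 4


class Circle(IntEnum):
    """Federation circles, innermost first (hypothetical names)."""
    ORG = 0          # the base organisation
    FEDERATION = 1   # group entities inside the circle of trust
    THIRD_PARTY = 2  # vendors, partners, consultants outside the domain
    UNTRUSTED = 3    # public internet, personal webmail, removable media


# Widest circle each classification may legitimately reach (assumed mapping
# derived from the scheme on slide 7). It is deliberately not monotone in
# Level: Business Partners information is meant for third parties even though
# it ranks above Internal Use on the sensitivity scale.
BOUNDARY = {
    Level.PUBLIC: Circle.UNTRUSTED,
    Level.INTERNAL_USE: Circle.FEDERATION,
    Level.BUSINESS_PARTNERS: Circle.THIRD_PARTY,
    Level.CONFIDENTIAL: Circle.ORG,
    Level.SECRET: Circle.ORG,
}

# Classifications whose transfers are encrypted automatically (assumption).
AUTO_ENCRYPT = {Level.CONFIDENTIAL, Level.SECRET}


@dataclass
class Actor:
    name: str
    secret_cleared: bool = False     # "highly restricted authorized employees"
    information_owner: bool = False  # may change a classification


@dataclass
class Decision:
    allowed: bool = True
    encrypt: bool = False
    reasons: List[str] = field(default_factory=list)

    def deny(self, why: str) -> None:
        self.allowed = False
        self.reasons.append(why)


def is_leak(level: Level, destination: Circle) -> bool:
    """A leak is a transfer beyond the boundary of the classification."""
    return destination > BOUNDARY[level]


def evaluate(level: Level, actor: Actor, action: str,
             destination: Circle = Circle.ORG,
             new_level: Optional[Level] = None) -> Decision:
    """Apply classification, federation and rights rules to one action."""
    d = Decision()
    # Need-to-know gate: Secret is only for cleared employees, whatever the action.
    if level == Level.SECRET and not actor.secret_cleared:
        d.deny("secret: actor lacks need-to-know clearance")
    if action == "send":
        if is_leak(level, destination):
            d.deny(f"leak: {level.name} may not cross into {destination.name}")
        # Encryption is decided by the classification, not by the user.
        d.encrypt = level in AUTO_ENCRYPT
    elif action == "print":
        if level >= Level.CONFIDENTIAL:
            d.deny(f"print restricted for {level.name}")
    elif action == "reclassify":
        if new_level is None:
            raise ValueError("reclassify requires new_level")
        # Only the owner may change a label, so a document cannot be relabelled
        # as Business Partners by an ordinary user just to widen its boundary.
        if not actor.information_owner:
            d.deny("only the information owner may change the classification")
    else:
        raise ValueError(f"unknown action: {action}")
    return d


if __name__ == "__main__":
    staff = Actor("staff")
    owner = Actor("owner", secret_cleared=True, information_owner=True)
    print(evaluate(Level.CONFIDENTIAL, staff, "send", Circle.THIRD_PARTY))
    print(evaluate(Level.BUSINESS_PARTNERS, staff, "send", Circle.THIRD_PARTY))
    print(evaluate(Level.SECRET, owner, "print"))
    print(evaluate(Level.INTERNAL_USE, staff, "reclassify",
                   new_level=Level.BUSINESS_PARTNERS))
```

The point worth noticing is that the boundary table, not the numeric rank, decides what counts as a leak: a Business Partners document sent to a vendor is a legitimate transfer, while an Internal Use document sent to the same vendor is a leak even though it is ranked lower. A gateway product that only compares levels would get that case wrong.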

Page 11: Comprehensive Data Leak Prevention


Extend the program to mobile devices as per the organization’s appetite, similar to the PC.

Integrate Mobile Device Management with the solution, including device identity parameters.

For a large organization, the facility can be rolled out to limited staff only, to keep license costs down.

SMBs may consider integration with MS Office 365 / Google Docs.

Deploy black and white (MAC address) lists at the enterprise gateway.

Mobility

[Diagram: Corporate Network with Management Server, Proxy, Data Storage and Exchange (each marked +Policy), a DMZ and a CA Server]

Forrester Research 2013

Page 12: Comprehensive Data Leak Prevention


General Benefits

1. Gaining competitive advantage, in both brand value and reputation.

2. Data leakage prevention comprehensively covers all information types that management does not wish to get leaked.

3. Once information is classified, no user interference is required; further security is managed in the background.

4. Increases staff awareness about the value and sensitivity of the data, and adherence to corporate governance and information security policies.

5. Confidential information printing is restricted.

6. Secure work environment, archive data governance, intellectual property protection, privacy and regulations, culture change.

7. Securing proprietary information against security threats caused by enhanced employee mobility and new communication channels.

8. Preventing the misuse of information, both on and off the enterprise network.

Page 13: Comprehensive Data Leak Prevention


Regulatory / Compliance Benefits

1. Payment Card Industry - Data Security Standard V3.0: PCI requirement 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.). PCI requirement 9.6.1: Classify media so the sensitivity of the data can be determined. PCI requirement 12.2: Implement a risk-assessment process that is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), identifies critical assets, threats, and vulnerabilities, and results in a formal risk assessment. (KRIs)

2. Central Bank of Kuwait: Information Security Instruction (2012 / 2013) and Corporate Governance Instruction (20112): Banking confidentiality is considered one of the key principles of banking business due to the trust and reassurance it gives to all parties dealing with banks.

3. ISO 27001:2013 Information Security Management: A.8.2.1 Classification of Information; A.8.2.2 Labelling of Information; A.8.2.3 Handling of Assets.

4. Intellectual Property Protection: All public information is intrinsically protected for trademark, © and ® protection.

5. Data Governance: Primary requirement of any Data Governance program.
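PCI requirement 4.2 above is the kind of rule the mail gateway control from slide 5 enforces. As an added example, not code from the deck or from any DLP product, the following Python implements one such gateway check: it finds card-number candidates in an outbound message, validates them with the Luhn check digit to discard ordinary numeric references, and blocks the message only when a valid PAN is going to a recipient outside the internal domain. The internal domain reuses the @xyz.co.kw placeholder from slide 5; the message is constructed for the example, and 4111 1111 1111 1111 is a well-known test card number, not real card data.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

INTERNAL_DOMAIN = "xyz.co.kw"  # mail gateway domain placeholder from slide 5

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-number candidates found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for the incident record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_outbound(raw: str) -> Dict[str, object]:
    """Gateway decision for one outbound message in RFC 822 text form."""
    msg = message_from_string(raw)
    recipients = [addr for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in recipients
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    # Collect every text/plain part (a non-multipart message is its own part).
    text = [msg.get("Subject") or ""]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8",
                                       "replace"))
    pans = find_pans("\n".join(text))
    # Unprotected PANs may not leave by end-user messaging (PCI DSS 4.2).
    action = "block" if pans and external else "allow"
    return {"action": action, "external": external,
            "pans": [mask_pan(p) for p in pans]}


# Constructed sample message for the example; the card number is a test number.
SAMPLE_MESSAGE = """\
From: a.staff@xyz.co.kw
To: contact@example.com
Subject: Order confirmation

The card on file is 4111 1111 1111 1111, expiry 12/26.
Shipment reference 1234567890123456 (not a card number).
Call 1234 5678 for support.
"""

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_MESSAGE))
```

The shipment reference in the sample has sixteen digits but fails the Luhn check, so it is not reported; without that check a gateway rule of this kind produces false positives on order numbers, account references and the like. The decision record keeps only the masked PAN, so the DLP incident log does not itself become cardholder data.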

Page 14: Comprehensive Data Leak Prevention

https://kw.linkedin.com/in/tanvirh

Tanvir is an Information Security professional specializing in managing large-scale programs that require a unique blend of expertise in strategy, process re-engineering and technological action planning. Prior to his role at Kuwait Finance House (KFH), he was associated with leading companies including National Commercial Bank (NCB), Emirates NBD, Riyad Bank and HSBC.

Tanvir has an MS in Electronics & Communications and CISSP, CISA and AMBCI certifications.

Speaker Profile