Data Loss Prevention
Keeping your sensitive data out of the public domain
8/13/2014
What is data?
Data Loss Prevention
Data versus Information
Data
Raw material and
unorganized facts
that need to be
processed
Information
When data are
processed,
structured or
presented in a
certain context so
as to make them
useful, they are
called information
Data Loss Prevention
Data/Information
Data/Information
Tangible
Intangible
Electronic
E-unstructured
E-structured
Data Loss Prevention
Structured
Other
media
Head knowledge
Email
Paper
Web
Database
Unstructured
Documents
What sensitive data do you hold?
Data Loss Prevention
It’s all about the data!
Transaction data
Corporate data
Bank payments
B2B orders
Vendor data
Sales volumes
Purchase power
Revenue potential
Sales projections
Price/cost lists
Target customer lists
New designs
Source code
Formulas
Pending patents
Intellectual property
Customer data
Customer list
Spending habits
Contact details
User preference
Product customer profile
Payment status
Contact history
Data Loss Prevention
Personally identifiable data
Full name
Birthday, birthplace
Biometric data
Credit card numbers
National identification number, passport numbers
Driver's license number, vehicle registration number
Where does your sensitive data reside?
Data Loss Prevention
Data is everywhere
Data at
rest
Databases or Repositories
Workstations
Data in
motion
Data in use
Laptops
Firewall
Internet
Workstations
Data at rest
Data Loss Prevention
Understanding the problem
Data Loss Prevention
Megatrends in data related risks
 Data is the lifeblood of most organizations
 High profile breaches and leaks are in the headlines almost daily
 Data protection will continue to be a significant challenge for organizations
 Four of six megatrends discussed are linked to the risk category “data”
Data Loss Prevention
Megatrends in data related risks
Megatrends
Business benefit
►
Emerging
consumerization
►
►
►
The rise of cloud
computing
►
Mobile computing: Anytime and anywhere
connectivity/high-volume portable data
storage capability.
Social media: New and advanced
information sharing capabilities such as
crowdsourcing.
►
Lower total cost of ownership.
Focus on core activities and reduction of
effort spent on managing IT infrastructure
and applications.
Contribute to reduction of global carbon
footprint.
►
►
►
►
►
►
►
►
The increased
importance
of business
continuity
Enhanced
persistence of
cybercrime
►
►
Increased vulnerability due to anytime, anywhere accessibility.
Risk of unintended sharing, amplification of casual remarks and disclosure of
personal and company data. The availability of this data on the web facilitates
cyber attacks.
Employees may violate company policies in terms of data leakage.
►
Lack of governance and oversight over IT infrastructure, applications and
databases.
Vendor lock-in.
Privacy and security.
Availability of IT to be impacted by the use of the cloud.
Increased risk to regulatory noncompliance (SOX, PCI, etc.). The cloud also brings
about challenges in auditing compliance.
The cloud may impact the agility of IT and organizations; the platform dictated by
the provider may not align with software development and strategic needs of the
user.
►
Failure of the business continuity and disaster recovery plans causing financial or
reputational loss.
►
►
►
►
►
►
►
►
►
►
►
►
►
►
N/A
►
►
►
►
►
Increased
exposure to
internal threats
N/A
►
►
►
The accelerating
change agenda
24/7/365 availability of IT systems to
enable continuous consumer support,
operations, e-commerce, etc.
Categories of IT Risk
Universe affected
Business/IT risks
Fast adoption of new business models or
reducing costs provides organizations with
competitive advantage.
►
Spread of malicious code in company systems causing system outages.
The risk of theft of personal, financial and health information.
Loss of confidential data due to external vulnerabilities.
Financial loss due to unauthorized wire transfers.
►
Assigning access rights that are beyond what is required for the role by employees
or contractors.
Failure to remove access rights to employees or contractors on leaving the
organization.
►
Failure to deliver IT projects and programs within budget, timing, quality and scope
causing value leakage.
►
Data Loss Prevention
►
►
Security and privacy
Data
Legal and regulatory
Infrastructure
Security and privacy
Data
Third-party suppliers and
outsourcing
Applications and databases
Infrastructure
Legal and regulatory
Infrastructure
Applications and databases
Staffing
Operations
Physical environment
Security and privacy
Data
Data
Applications and databases
Programs and change
management
Overview of recent incidents
Web technology
firm
Public health
corporation
International gas
and oil company
US public agency
National retail bank
Online storage
provider
On their official weblog a web technology firm published a message that they uncovered a ploy to collect user passwords, likely through phishing. This
ploy affected the personal accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists,
officials in several Asian countries (predominantly South Korea), military personnel and journalists.
A public health corporation had to notify 1.7 million patients, staff, contractors, vendors and others about a reported theft of electronic record files
that contained their personal information, protected health information or personally identifiable employee medical information. The information
included social security numbers, names, addresses and medical histories.
An international oil and gas company lost a laptop which contained personal information for 13,000 individuals including names, social security
numbers and addresses. The laptop was not encrypted and the information lost was for claimants against the company.
Personal details for 3.5 million teachers and other employees of a US public agency were accidentally published on the Internet. Information released
included names, social security numbers and birthdates. This data had been posted on the Internet for over a year without the organization realizing
it.
2,000 customer records from a national retail bank were stolen by employees prior to leaving and joining a competitor firm. Records included
customer bank account numbers, social security numbers and other highly sensitive personal data such as tax returns and pay statements.
According to a blog post an Online storage provider explained that due to an authentication bug, all accounts were at risk of a data breach. As soon as
the bug was discovered, as a precaution all logged in sessions were disconnected. The bug was active for almost 4 hours and took 5 minutes to fix.
Data Loss Prevention
Data risk: cause and effect
Data loss risks
Cause
►
Loss or theft of laptops and mobile
devices
►
Unauthorized transfer of data to USB
devices
►
Improper categorization of sensitive
data
►
Printing and copying of sensitive data by
employees
►
Insufficient response to intrusions
►
Unintentional transmission of sensitive
data
Customer
service
Corporate data
R&D
Your
data
Sales
Data theft by employees or external
parties
►
Effect
Your business environment
HR, Legal
Personally
identifiable
data
Data Loss Prevention
Customer data
Contractors
Finance
Transaction
data
►
Brand damage and loss of reputation
►
Loss of competitive advantage
►
Loss of customers
►
Loss of market share
►
Erosion of shareholder value
►
Fines and civil penalties
►
Regulatory fines/sanction
►
Significant cost and effort to notify
affected parties and recover from the
breach
Why does data loss occur?
People
Technology
►
►
►
►
Lack of awareness
►
Lack of
accountability
►
Lack of user
responsibility for
their actions
Lack of flexibility in
remote connectivity
No content aware
DLP tools
Lack of secure
communication
platforms
Data Loss Prevention
Process
►
Lack of data usage
policies/guidance
►
Lack of data
transmission
procedures
►
Lack of data usage
monitoring
Data loss prevention
Data Loss Prevention
What is data loss prevention?
Data loss prevention
is the practice of
detecting and preventing
confidential information
from being “leaked” out
of an organization’s boundaries for unauthorized use,
which may be thought of as
physical or logical
Data Loss Prevention
Data leakage vector
►
Internal threats
►
Instant messaging
► Mail
► FTP
► Webmail
► Web logs
► Web pages/social media
► Removable media
► Classification errors
► Hard copy
► Cameras
► Inadequate logical access
►
Data Loss Prevention
External threats
Hackers/data theft
by intruders
► SQL injection
► Malware
► Dumpster diving
► Phishing
► Social engineering
► Physical theft
►
Insights on information security
►
74% of respondents to our Global Information Security Survey 2013 have
defined a policy for classification and handling of sensitive data as a control for
data leakage risk
Which of the following actions has your organization taken to control data leakage of sensitive information?
74%
Defined a specific policy regarding the classification and handling of sensitive information
69%
Employee awareness programs
60%
Implemented additional security mechanisms for protecting information (e.g., encryption)
Locked down/restricted use of certain hardware components (e.g., USB drives or FireWire ports)
45%
Utilized internal auditing for testing of controls
45%
43%
Defined specific requirements for telecommuting/telework regarding protection of information taken outside office
39%
Implemented log review tools
38%
Implemented data loss prevention tools (McAfee, Symantec, Verdasys, etc.)
35%
Restricted or prohibited use of instant messaging or email for sensitive data transmission
24%
Prohibited use of camera devices within sensitive or restricted areas
Restricted access to sensitive information to specific time periods
Source: Ernst & Young’s Global Information Security Survey 2013
Data Loss Prevention
15%
Insights on information security
►
However, 66% of respondents have not implemented data loss prevention
(DLP) tools
Regarding DLP tools implementation, how would you describe that deployment?
We have not implemented DLP tools
66%
Users have largely not noticed the impact of these tools
15%
Our implementation has been a success
14%
Implementation has gone smoothly and according to schedule
14%
It has taken longer than expected to implement
Users have been upset with the impact to their daily routines
Our implementation has not been as successful as expected thus far
Source: Ernst & Young’s Global Information Security Survey 2013
Data Loss Prevention
12%
6%
4%
What an organization needs to do
►
Know your data
►
Know where it is
►
Know where it is going
►
Know who accesses it
A data loss prevention program can address these issues
Data Loss Prevention
EY data-centric security model
Data governance
Policies and standards
Identification
Risk assessment
Focus areas
Data control
Classification
Architecture
Quality
Structured data
Data in motion
Data in use
Data at rest
Perimeter security
Privileged user monitoring
EndPoint security
Network monitoring
Access/Usage monitoring
Host encryption
Internet access control
Data anonymisation
Mobile device protection
Data collection and exchange
Use of test data
Network/intranet storage
Messaging (Email, IM)
Data redaction
Physical media control
Remote access
Export/Save control
Disposal and destruction
Unstructured data
Supporting information security processes
Identity/access management
Security information/event management
Configuration management
Vulnerability management
Digital rights management
Incident response
Physical security
Training and awareness
Asset management
Data privacy/document protection
Employee screening and vetting
Third-party management and assurance
Business continuity
Disaster recovery
Regulatory compliance management
Change management/SDLC
Data Loss Prevention
Data in motion
Focus area
Example control objective
Supporting technologies
Perimeter security
Prevent unencrypted sensitive data from leaving the
perimeter.
DLP technology, firewalls, proxy servers
Network monitoring
Log and monitor network traffic to identifying and
investigate inappropriate sensitive data transfers.
DLP technology
Internet access control
Prevent users from accessing unauthorized sites or
uploading data through the web through personal
webmail, social media, online backup tools, etc.
Proxy servers, content filters
Data collection
Data exchange with third parties only occurs through
and exchange with third
secure means.
parties
Secure email, secure FTP, secure APIs,
encrypted physical media
Use of instant
messaging
Prevent file transfers to external parties through instant
messaging and other non web-based applications
Firewalls, proxy servers, workstation
restrictions
Remote access
Remote access to the company network is secured
and control the data that can be saved through
remote facilities such as Outlook Web Access.
Encrypted remote access, restrictions on
use of remote access tools to prevent data
leakage to non-corporate assets
Data Loss Prevention
Data in use
Focus area
Example control objective
Supporting technologies
Privileged user
monitoring
Monitor the actions of privileged users with the
ability to override DLP controls, perform mass data
extracts, etc.
Security information and event
monitoring, operating database and
application log files.
Access/usage
monitoring
Monitor access and usage of high risk data to identify
potentially inappropriate usage.
Security information and event monitoring,
operating database and application log files,
endpoint DLP logs.
Data sanitation
Sanitize/anonymize sensitive data when it is not
required for the intended use.
Data sanitation routines and programs.
Use of test data
Do not use or copy sensitive data into non-production
systems. Sanitize data before moving into test
systems when possible.
Data sanitation routines and programs.
Data redaction
Remove sensitive data elements from reports,
interfaces and extracts when they are not necessary for
the intended use.
Data redaction tools.
Export/save control
Restrict user abilities to copy sensitive data into
unapproved containers, such as e-mail, web browsers,
etc., including controlling the ability to copy, paste
and print sections of documents.
Endpoint DLP technology, application
controls.
Data Loss Prevention
Data at rest
Focus area
Example control objective
Supporting technologies
Endpoint security
Restrict access to local admin functions such as the
ability to install software and modify security settings.
Prevent malware, viruses, spyware, etc.
Operating system workstation restrictions,
security software (A/V, personal firewall,
etc.), endpoint DLP technology.
Host encryption
Ensure hard disks are encrypted on all servers,
workstations, laptops and mobile devices.
Full disk encryption tools.
Mobile device
protection
Harden mobile device configurations and enable
features such as password protection, remote wipe
facilities, etc.
Built in security features, third-party
mobile device control products.
Network/intranet
storage
Access control software and permission
Govern access to network-based repositories containing
control in operating systems, databases
sensitive data on a least privilege basis.
and file storage systems.
Physical media
control
Prevent the copying of sensitive data to unapproved
media. Ensure authorized data extraction only takes
place on encrypted media.
Endpoint DLP technology, endpoint media
encryption tools, operating system
workstation restrictions.
Disposal and
destruction
Ensure all equipment with data storage capabilities
are cleansed or destroyed as part of the equipment
disposal process. (Including devices such as digital
copiers, fax machines, etc.)
Data erasure/data wiping software.
Data Loss Prevention
Data risk reduction
Data Loss Prevention
Why data loss prevention?
Data Loss Prevention
Costs
Data Loss Prevention
Data protection life cycle
Data Loss Prevention
Implementing a DLPP
Data Loss Prevention
Key Components of a DLPP
Data Loss Prevention
Data loss prevention drivers and benefits
Prevent brand
damage and loss
of reputation
Maintain
competitive advantage
Prevent loss
of customers
Prevent loss of
shareholder value
Prevent fines and civil
penalties
Prevent regulatory
actions or sanctions
Prevent legal
actions – litigation
Data Loss Prevention
Limit cost
and effort for
notification
Example approach
Data in motion
Client issue
►
►
Ernst & Young service
►
►
►
►
►
It is not known to what
extent data leakage is an
issue within the organization.
Evidence of data loss is
needed to:
► Build a business case
for DLP investment.
► Support a DLP risk
assessment
► Test effectiveness
of DLP controls
Program assessment/
strategic roadmap
Data at rest
►
►
►
The security of company data
stored on repositories such as
share drives, SharePoint sites
and intranet sites is uncertain.
Sensitive customer data or
client intellectual property may
be stored on widely accessible
internal systems.
‘Rogue’ servers/workstations
may be sharing sensitive data
in an uncontrolled way.
Meet with key stakeholders
► Meet with key stakeholders in a
to understand network
facilitated workshop to
weaknesses for DLP.
determine high-risk data.
Conduct a facilitated workshop ► Customize DLP rules to focus
to determine high-risk data.
on high-risk data and add
company specific criteria.
Customize DLP rules to focus
on high-risk data and add
► Utilize our DLP appliance to
company specific criteria.
scan high-risk data repositories
or network segments.
Utilize our DLP appliance
onsite to analyze electronic
► Review and validate the
communications for an agreed
incidents generated and
period of time.
develop a report highlighting
high-risk exposures.
Review and validate the
incidents generated and
develop a report highlighting
high-risk exposures.
Data discovery
Data Loss Prevention
►
►
►
►
►
►
►
Data privacy assessment
The lack of a robust DLP
program is a known issue.
However, the root cause of
data loss is unknown.
An assessment of DLP
processes and controls and/
or a roadmap for developing
the program and integrating
it into the existing security
program is needed.
►
Assistance with managing
the complex regulatory
and compliance requirements
associated with customer
privacy or responding
to inquiries and incidents
is required.
Services in options 1 and 2.
Conduct a current state
assessment of the overall
DLP program.
Develop a strategy and
roadmap to build a robust
DLP program that is integrated
with the existing security
program.
Provide a report of high-level
issues that were identified with
recommendations for
risk mitigation and
control improvement.
►
Conduct a current state privacy
assessment.
Assess compliance with
specific regulations.
Recommend improvements
to data privacy controls
and practices.
Assist in responding to specific
privacy incidents/ breaches.
►
►
►
Control assessments
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by
our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our
wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more
information about our organization, please visit www.ey.com.
© 2014 EYGM Limited.
All Rights Reserved.
This publication contains information in summary form and
is therefore intended for general guidance only. It is not intended to be a substitute
for detailed research or the exercise of professional judgment. Neither EYGM Limited
nor any other member of the global Ernst & Young organization can accept any
responsibility for loss occasioned to any person acting or refraining from action as a
result of any material in this publication. On any specific matter, reference should be
made to the appropriate advisor.