2

What options are available for implementing DLP within an organisation and what are the pros and cons of each?

paj28
  • 32,736
  • 8
  • 92
  • 130
Kiwy
  • 323
  • 1
  • 13
  • 1
    There are solutions, called "Data Loss Prevention" or sometimes "Data Loss Mitigation". Like all security software, they can help, but they are not foolproof. Now you know what they're called, you can search online and find out all you like :-) – paj28 Jan 15 '14 at 14:49
  • possible duplicate of [VCS to manipulate returned trees to prevent leaks?](http://security.stackexchange.com/questions/35431/vcs-to-manipulate-returned-trees-to-prevent-leaks) (about source code not documents. However, same answers apply) – Adi Jan 15 '14 at 15:03
  • @Adnan well I guess this should be closed then – Kiwy Jan 15 '14 at 15:10
  • @Adnan the VCS question is about watermarking to detect leaks, while this question is about PREVENTING leaks – paj28 Jan 15 '14 at 15:19
  • 1
    @paj28 Well, seems like stressing that the **answers** still apply yielded no results. The answers there apply to the OP's case. No reason to repeat them here. – Adi Jan 15 '14 at 15:25
  • @Adnan with the edit, can you remove the "on hold"? – paj28 Jan 19 '14 at 15:21

2 Answers2

4

One approach is to lock down endpoints to block the egress points, which includes:

  • Disabling local media: USB, SD cards, CD writers, firewire, etc. Many enterprises attempt this - disabling USB is considered a standard baseline - but rarely are all these blocked. Thin clients can do this more robustly than a normal computer.
  • Blocking network egress: this is harder; some enterprises use a content filtering proxy to block file sharing sites and webmail, but they never block them all, and in particular corporate email needs to be allowed.
  • You need to prevent unauthorised devices connecting to the network, as these will not have local media disabled, so can be used to egress. Some enterprises attempt this with network access control (NAC).

I see this done in many environments, but never comprehensively. But even if this could be implemented perfectly, there is a major problem: it's too restrictive. We disabled USB because we want to stop Joe copying the top secret database onto a USB stick. Now, Joe may want to - quite legitimately - put some non-confidential marketing material on a USB stick to use at a conference. The lockdown prevents this - it doesn't have any concept of classification, so it can't distinguish between a public presentation and a top secret memo. Most enterprises have a process to request USB be re-enabled, with a business justification, but at that point Joe can steal the top secret database.

To improve on this, various vendors have created Data Loss Prevention (DLP) tools. Some of them are called Data Loss Mitigation (DLM); it's the same technology. These work in various ways, but most have an agent on the endpoint, and a central management system. When the system is installed, various key documents will be marked as confidential, and some patterns may be used (a popular one is 16 digits, indicating a credit card number). Now, when Joe tries to write a file to his USB stick, the agent checks whether the file is confidential, and then allows (or doesn't allow) the file to be written.

Commercial DLP systems are now pretty mature and try to address all the local media and network egress points. It's important to realise that they are only intended to stop your internal staff. They will not generally stop hackers (despite the claims some vendors make). Still, they are a good technology to have, and although they are not that widely used, I think most security conscious organisations should have it. I think the cost/benefit ratio is better than you get from IDS.

As people have mentioned, one egress point that nothing can protect is people. You can stop someone copying a 10gb database to a USB drive. But if the top secret data is one sentence ("it was xxxx who shot JFK") then someone can of course read that, remember it, then leak it outside your organisation. And to stop someone photographing their screen you would need physical security controls, like confiscating personal electronic devices.

paj28
  • 32,736
  • 8
  • 92
  • 130
0

You can't stop someone reading the information, remembering it, and writing it down outside of your control.

Without extreme physical security you can't prevent someone sneaking a camera on-site and taking photos of the screen.

If you allow print-outs, they can stuff the print outs down their pants.

If you allow paper and pens, they can hand copy information from the screen.

Without hardware modifications and lock down you can't prevent someone copying documents to a USB stick. (e.g. reboot to different OS to avoid software restrictions).

Douglas Leeder
  • 1,939
  • 14
  • 9
  • 1
    well you ca still restrict a computer to boot on only one OS and not putting any USB on it. – Kiwy Jan 15 '14 at 14:54
  • Old way would be making a photograph (or today a picture with your smartphone). – Samuel Jan 15 '14 at 15:01
  • While you are correct that you can't stop someone taking a photo of the screen, this somewhat misses the point. Without any precautions, a malicious user can plug in a USB stick and copy gigabytes of data on to it - which is much worse than a photo of the screen. So there is plenty that can be done. – paj28 Jan 15 '14 at 15:22