8/13/2014 Keeping your sensitive data out of the public domain Data Loss Prevention

8/13/2014

Keeping your sensitive data out of the public domainData Loss Prevention

Data Loss Prevention

What is data?


Data versus Information

DataRaw material and unorganized facts that need to be processed

InformationWhen data are processed, structured or presented in a certain context so as to make them useful, they are called information


Data/Information

Data/Information

Tangible Intangible

Head

kn

ow

led

ge

Pap

er

E-structuredD

ata

base

E-unstructured

Other media

EmailWeb

Str

uct

ure

d

Un

stru

ctu

red

Documents

Electronic


What sensitive data do you hold?


It’s all about the data!

Corporate dataPrice/cost lists Target customer lists New designsSource codeFormulasPending patentsIntellectual property

Personally identifiable data

Full nameBirthday, birthplace Biometric dataCredit card numbers National identification number,

passport numbersDriver's license number, vehicle

registration number

Transaction dataBank paymentsB2B ordersVendor dataSales volumesPurchase powerRevenue potentialSales projections

Customer dataCustomer list

Spending habits

Contact details

User preference

Product customer profile

Payment status

Contact history


Where does your sensitive data reside?


Data is everywhere

Databases or Repositories

Workstations

Data at rest

Data in motion

Data in use

Data at rest

Workstations

Laptops

Firewall

Internet


Understanding the problem


Megatrends in data related risks

Data is the lifeblood of most organizations

High profile breaches and leaks are in the headlines almost daily

Data protection will continue to be a significant challenge for organizations

Four of six megatrends discussed are linked to the risk category “data”


Megatrends in data related risks

Megatrends Business benefit Business/IT risksCategories of IT Risk

Universe affected

Emergingconsumerization

► Mobile computing: Anytime and anywhere connectivity/high-volume portable data storage capability.

► Social media: New and advanced information sharing capabilities such as crowdsourcing.

► Increased vulnerability due to anytime, anywhere accessibility.► Risk of unintended sharing, amplification of casual remarks and disclosure of

personal and company data. The availability of this data on the web facilitates cyber attacks.

► Employees may violate company policies in terms of data leakage.

► Security and privacy► Data► Legal and regulatory► Infrastructure

The rise of cloudcomputing

► Lower total cost of ownership.► Focus on core activities and reduction of

effort spent on managing IT infrastructure and applications.

► Contribute to reduction of global carbon footprint.

► Lack of governance and oversight over IT infrastructure, applications and databases.

► Vendor lock-in.► Privacy and security.► Availability of IT to be impacted by the use of the cloud.► Increased risk to regulatory noncompliance (SOX, PCI, etc.). The cloud also brings

about challenges in auditing compliance.► The cloud may impact the agility of IT and organizations; the platform dictated by

the provider may not align with software development and strategic needs of the user.

► Security and privacy► Data► Third-party suppliers and

outsourcing► Applications and databases► Infrastructure► Legal and regulatory

The increasedimportanceof businesscontinuity

► 24/7/365 availability of IT systems to enable continuous consumer support, operations, e-commerce, etc.

► Failure of the business continuity and disaster recovery plans causing financial or reputational loss.

► Infrastructure► Applications and databases► Staffing► Operations► Physical environment

Enhancedpersistence ofcybercrime

► N/A ► Spread of malicious code in company systems causing system outages.► The risk of theft of personal, financial and health information.► Loss of confidential data due to external vulnerabilities.► Financial loss due to unauthorized wire transfers.

► Security and privacy► Data

Increasedexposure tointernal threats

► N/A ► Assigning access rights that are beyond what is required for the role by employees

or contractors.► Failure to remove access rights to employees or contractors on leaving the

organization.

► Data► Applications and databases

The acceleratingchange agenda

► Fast adoption of new business models or reducing costs provides organizations with competitive advantage.

► Failure to deliver IT projects and programs within budget, timing, quality and scope causing value leakage.

► Programs and change management


Web technology firm

Public health corporation

International gas and oil company

US public agency

National retail bank

Online storage provider

Personal details for 3.5 million teachers and other employees of a US public agency were accidentally published on the Internet. Information released included names, social security numbers and birthdates. This data had been posted on the Internet for over a year without the organization realizing it.

An international oil and gas company lost a laptop which contained personal information for 13,000 individuals including names, social security numbers and addresses. The laptop was not encrypted and the information lost was for claimants against the company.

On their official weblog a web technology firm published a message that they uncovered a ploy to collect user passwords, likely through phishing. This ploy affected the personal accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.A public health corporation had to notify 1.7 million patients, staff, contractors, vendors and others about a reported theft of electronic record files that contained their personal information, protected health information or personally identifiable employee medical information. The information included social security numbers, names, addresses and medical histories.

2,000 customer records from a national retail bank were stolen by employees prior to leaving and joining a competitor firm. Records included customer bank account numbers, social security numbers and other highly sensitive personal data such as tax returns and pay statements.

According to a blog post an Online storage provider explained that due to an authentication bug, all accounts were at risk of a data breach. As soon as the bug was discovered, as a precaution all logged in sessions were disconnected. The bug was active for almost 4 hours and took 5 minutes to fix.

Overview of recent incidents


Cause► Loss or theft of laptops

and mobile devices

► Unauthorized transfer of data to USB devices

► Improper categorization of sensitive data

► Data theft by employees or external parties

► Printing and copying of sensitive data by employees

► Insufficient response to intrusions

► Unintentional transmission of sensitive data

Effect► Brand damage and loss

of reputation

► Loss of competitive advantage

► Loss of customers

► Loss of market share

► Erosion of shareholder value

► Fines and civil penalties

► Regulatory fines/sanction

► Significant cost and effort to notify affected parties and recover from the breach

Corporate data

Customer data

Personallyidentifiable

data

Transaction

data

R&DCustomerservice

Sales

HR, Legal Finance

ContractorsYour data

Your business environment

Data loss risks

Data risk: cause and effect


► Lack of data usage policies/guidance

► Lack of data transmission procedures

► Lack of data usage monitoring

Process

► Lack of awareness

► Lack of accountability

► Lack of user responsibility for their actions

People

► Lack of flexibility in remote connectivity

► No content aware DLP tools

► Lack of secure communication platforms

Technology

Why does data loss occur?


Data loss prevention


Data loss prevention is the practice of

detecting and preventing confidential information

from being “leaked” out of an organization’s boundaries for

unauthorized use,which may be thought of as

physical or logical

What is data loss prevention?


Data leakage vector

► Internal threats► Instant messaging► Mail► FTP► Webmail► Web logs► Web pages/social media► Removable media► Classification errors► Hard copy► Cameras► Inadequate logical access

► External threats► Hackers/data theft

by intruders► SQL injection► Malware► Dumpster diving► Phishing► Social engineering► Physical theft


Insights on information security

► 74% of respondents to our Global Information Security Survey 2013 have defined a policy for classification and handling of sensitive data as a control for data leakage risk

Source: Ernst & Young’s Global Information Security Survey 2013

74%

69%

60%

45%

45%

43%

39%

38%

35%

24%

15%

Defined a specific policy regarding the classification and handling of sensitive information

Employee awareness programs

Implemented additional security mechanisms for protecting information (e.g., encryption)

Locked down/restricted use of certain hardware components (e.g., USB drives or FireWire ports)

Utilized internal auditing for testing of controls

Defined specific requirements for telecommuting/telework regarding protection of information taken outside office

Implemented log review tools

Implemented data loss prevention tools (McAfee, Symantec, Verdasys, etc.)

Restricted or prohibited use of instant messaging or email for sensitive data transmission

Prohibited use of camera devices within sensitive or restricted areas

Restricted access to sensitive information to specific time periods

Which of the following actions has your organization taken to control data leakage of sensitive information?


Insights on information security

► However, 66% of respondents have not implemented data loss prevention (DLP) tools

66%

15%

14%

14%

12%

6%

4%

We have not implemented DLP tools

Users have largely not noticed the impact of these tools

Our implementation has been a success

Implementation has gone smoothly and according to schedule

It has taken longer than expected to implement

Users have been upset with the impact to their daily routines

Our implementation has not been as successful as expected thus far

Regarding DLP tools implementation, how would you describe that deployment?

Source: Ernst & Young’s Global Information Security Survey 2013


What an organization needs to do

► Know your data

► Know where it is

► Know where it is going

► Know who accesses it

A data loss prevention program can address these issues


EY data-centric security model

Data governance

Policies and standards Risk assessment Classification ArchitectureIdentification

Supporting information security processes

Data controlStructured data

Unstructured data

Foc

us a

reas

Data in use

Data anonymisation

Use of test data

Privileged user monitoring

Access/Usage monitoring

Data redaction

Export/Save control

Data in motion

Perimeter security

Network monitoring

Internet access control

Data collection and exchange

Messaging (Email, IM)

Remote access

Data at rest

EndPoint security

Host encryption

Mobile device protection

Network/intranet storage

Physical media control

Disposal and destruction

Quality

Configuration management

Physical security

Employee screening and vetting

Training and awareness

Third-party management and assurance

Vulnerability management

Incident response

Data privacy/document protection

Digital rights management

Asset management

Identity/access management Security information/event management

Business continuity Disaster recovery Regulatory compliance management Change management/SDLC


Data in motion

Focus area Example control objective Supporting technologies

Perimeter securityPrevent unencrypted sensitive data from leaving the perimeter.

DLP technology, firewalls, proxy servers

Network monitoringLog and monitor network traffic to identifying and investigate inappropriate sensitive data transfers.

DLP technology

Internet access controlPrevent users from accessing unauthorized sites or uploading data through the web through personal webmail, social media, online backup tools, etc.

Proxy servers, content filters

Data collection and exchange with third parties

Data exchange with third parties only occurs through secure means.

Secure email, secure FTP, secure APIs, encrypted physical media

Use of instant messaging

Prevent file transfers to external parties through instant messaging and other non web-based applications

Firewalls, proxy servers, workstation restrictions

Remote accessRemote access to the company network is secured and control the data that can be saved through remote facilities such as Outlook Web Access.

Encrypted remote access, restrictions on use of remote access tools to prevent data leakage to non-corporate assets


Data in use


Privileged user monitoring

Monitor the actions of privileged users with the ability to override DLP controls, perform mass data extracts, etc.

Security information and event monitoring, operating database and application log files.

Access/usage monitoring

Monitor access and usage of high risk data to identify potentially inappropriate usage.

Security information and event monitoring, operating database and application log files, endpoint DLP logs.

Data sanitationSanitize/anonymize sensitive data when it is not required for the intended use.

Data sanitation routines and programs.

Use of test dataDo not use or copy sensitive data into non-production systems. Sanitize data before moving into test systems when possible.

Data sanitation routines and programs.

Data redactionRemove sensitive data elements from reports, interfaces and extracts when they are not necessary for the intended use.

Data redaction tools.

Export/save control

Restrict user abilities to copy sensitive data into unapproved containers, such as e-mail, web browsers, etc., including controlling the ability to copy, paste and print sections of documents.

Endpoint DLP technology, application controls.


Data at rest


Endpoint securityRestrict access to local admin functions such as the ability to install software and modify security settings. Prevent malware, viruses, spyware, etc.

Operating system workstation restrictions, security software (A/V, personal firewall, etc.), endpoint DLP technology.

Host encryptionEnsure hard disks are encrypted on all servers, workstations, laptops and mobile devices.

Full disk encryption tools.

Mobile device protection

Harden mobile device configurations and enable features such as password protection, remote wipe facilities, etc.

Built in security features, third-party mobile device control products.

Network/intranet storage

Govern access to network-based repositories containing sensitive data on a least privilege basis.

Access control software and permission control in operating systems, databases and file storage systems.

Physical media control

Prevent the copying of sensitive data to unapproved media. Ensure authorized data extraction only takes place on encrypted media.

Endpoint DLP technology, endpoint media encryption tools, operating system workstation restrictions.

Disposal and destruction

Ensure all equipment with data storage capabilities are cleansed or destroyed as part of the equipment disposal process. (Including devices such as digital copiers, fax machines, etc.)

Data erasure/data wiping software.


Data risk reduction


Why data loss prevention?


Costs


Data protection life cycle


Implementing a DLPP


Key Components of a DLPP


Data loss prevention drivers and benefits

Prevent brand damage and loss

of reputation

Maintain competitive advantage

Prevent loss of customers

Prevent loss of shareholder value

Prevent fines and civil penalties

Prevent regulatory actions or sanctions

Prevent legal actions – litigation

Limit cost and effort for notification


Example approachE

rnst

& Y

ou

ng

ser

vice

Cli

ent

issu

e

Data in motion Data at restProgram assessment/

strategic roadmapData privacy assessment

Control assessments

► It is not known to what extent data leakage is an issue within the organization.

► Evidence of data loss is needed to: ► Build a business case

for DLP investment.► Support a DLP risk

assessment ► Test effectiveness

of DLP controls

► Meet with key stakeholders to understand network weaknesses for DLP.

► Conduct a facilitated workshop to determine high-risk data.

► Customize DLP rules to focus on high-risk data and add company specific criteria.

► Utilize our DLP appliance onsite to analyze electronic communications for an agreed period of time.

► Review and validate the incidents generated and develop a report highlighting high-risk exposures.

► The security of company data stored on repositories such as share drives, SharePoint sites and intranet sites is uncertain.

► Sensitive customer data or client intellectual property may be stored on widely accessible internal systems.

► ‘Rogue’ servers/workstations may be sharing sensitive data in an uncontrolled way.

► Meet with key stakeholders in a facilitated workshop to determine high-risk data.

► Customize DLP rules to focus on high-risk data and add company specific criteria.

► Utilize our DLP appliance to scan high-risk data repositories or network segments.

► Review and validate the incidents generated and develop a report highlighting high-risk exposures.

► The lack of a robust DLP program is a known issue.

► However, the root cause of data loss is unknown.

► An assessment of DLP processes and controls and/or a roadmap for developing the program and integrating it into the existing security program is needed.

► Services in options 1 and 2.► Conduct a current state

assessment of the overall DLP program.

► Develop a strategy and roadmap to build a robust DLP program that is integrated with the existing security program.

► Provide a report of high-level issues that were identified with recommendations for risk mitigation and control improvement.

Data discovery

► Assistance with managing the complex regulatory and compliance requirements associated with customer privacy or responding to inquiries and incidents is required.

► Conduct a current state privacy assessment.

► Assess compliance with specific regulations.

► Recommend improvements to data privacy controls and practices.

► Assist in responding to specific privacy incidents/ breaches.

Ernst & YoungAssurance | Tax | Transactions | Advisory

About Ernst & YoungErnst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

© 2014 EYGM Limited. All Rights Reserved.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.