Data Loss Prevention Keeping your sensitive data out of the public domain 8/13/2014 What is data? Data Loss Prevention Data versus Information Data Raw material and unorganized facts that need to be processed Information When data are processed, structured or presented in a certain context so as to make them useful, they are called information Data Loss Prevention Data/Information Data/Information Tangible Intangible Electronic E-unstructured E-structured Data Loss Prevention Structured Other media Head knowledge Email Paper Web Database Unstructured Documents What sensitive data do you hold? Data Loss Prevention It’s all about the data! Corporate data Transaction data Bank payments B2B orders Vendor data Sales volumes Purchase power Revenue potential Sales projections Price/cost lists Target customer lists New designs Source code Formulas Pending patents Intellectual property Customer data Customer list Spending habits Contact details User preference Product customer profile Payment status Contact history Data Loss Prevention Personally identifiable data Full name Birthday, birthplace Biometric data Credit card numbers National identification number, passport numbers Driver's license number, vehicle registration number Where does your sensitive data reside? Data Loss Prevention Data is everywhere Data at rest Databases or Repositories Workstations Data in motion Data in use Laptops Firewall Internet Workstations Data at rest Data Loss Prevention Understanding the problem Data Loss Prevention Megatrends in data related risks  Data is the lifeblood of most organizations  High profile breaches and leaks are in the headlines almost daily  Data protection will continue to be a significant challenge for organizations  Four of six megatrends discussed are linked to the risk category “data” Data Loss Prevention Megatrends in data related risks Megatrends Business benefit ► Emerging consumerization ► ► ► The rise of cloud computing ► Mobile computing: Anytime and anywhere connectivity/high-volume portable data storage capability. Social media: New and advanced information sharing capabilities such as crowdsourcing. ► Lower total cost of ownership. Focus on core activities and reduction of effort spent on managing IT infrastructure and applications. Contribute to reduction of global carbon footprint. ► ► ► ► ► ► ► ► The increased importance of business continuity Enhanced persistence of cybercrime ► ► Increased vulnerability due to anytime, anywhere accessibility. Risk of unintended sharing, amplification of casual remarks and disclosure of personal and company data. The availability of this data on the web facilitates cyber attacks. Employees may violate company policies in terms of data leakage. ► Lack of governance and oversight over IT infrastructure, applications and databases. Vendor lock-in. Privacy and security. Availability of IT to be impacted by the use of the cloud. Increased risk to regulatory noncompliance (SOX, PCI, etc.). The cloud also brings about challenges in auditing compliance. The cloud may impact the agility of IT and organizations; the platform dictated by the provider may not align with software development and strategic needs of the user. ► Failure of the business continuity and disaster recovery plans causing financial or reputational loss. ► ► ► ► ► ► ► ► ► ► ► ► ► ► N/A ► ► ► ► ► Increased exposure to internal threats N/A ► ► ► The accelerating change agenda 24/7/365 availability of IT systems to enable continuous consumer support, operations, e-commerce, etc. Categories of IT Risk Universe affected Business/IT risks Fast adoption of new business models or reducing costs provides organizations with competitive advantage. ► Spread of malicious code in company systems causing system outages. The risk of theft of personal, financial and health information. Loss of confidential data due to external vulnerabilities. Financial loss due to unauthorized wire transfers. ► Assigning access rights that are beyond what is required for the role by employees or contractors. Failure to remove access rights to employees or contractors on leaving the organization. ► Failure to deliver IT projects and programs within budget, timing, quality and scope causing value leakage. ► Data Loss Prevention ► ► Security and privacy Data Legal and regulatory Infrastructure Security and privacy Data Third-party suppliers and outsourcing Applications and databases Infrastructure Legal and regulatory Infrastructure Applications and databases Staffing Operations Physical environment Security and privacy Data Data Applications and databases Programs and change management Overview of recent incidents Web technology firm Public health corporation International gas and oil company US public agency National retail bank Online storage provider On their official weblog a web technology firm published a message that they uncovered a ploy to collect user passwords, likely through phishing. This ploy affected the personal accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. A public health corporation had to notify 1.7 million patients, staff, contractors, vendors and others about a reported theft of electronic record files that contained their personal information, protected health information or personally identifiable employee medical information. The information included social security numbers, names, addresses and medical histories. An international oil and gas company lost a laptop which contained personal information for 13,000 individuals including names, social security numbers and addresses. The laptop was not encrypted and the information lost was for claimants against the company. Personal details for 3.5 million teachers and other employees of a US public agency were accidentally published on the Internet. Information released included names, social security numbers and birthdates. This data had been posted on the Internet for over a year without the organization realizing it. 2,000 customer records from a national retail bank were stolen by employees prior to leaving and joining a competitor firm. Records included customer bank account numbers, social security numbers and other highly sensitive personal data such as tax returns and pay statements. According to a blog post an Online storage provider explained that due to an authentication bug, all accounts were at risk of a data breach. As soon as the bug was discovered, as a precaution all logged in sessions were disconnected. The bug was active for almost 4 hours and took 5 minutes to fix. Data Loss Prevention Data risk: cause and effect Data loss risks Cause ► Loss or theft of laptops and mobile devices ► Unauthorized transfer of data to USB devices ► Improper categorization of sensitive data ► Printing and copying of sensitive data by employees ► Insufficient response to intrusions ► Unintentional transmission of sensitive data Customer service Corporate data R&D Your data Sales Data theft by employees or external parties ► Effect Your business environment HR, Legal Personally identifiable data Data Loss Prevention Customer data Contractors Finance Transaction data ► Brand damage and loss of reputation ► Loss of competitive advantage ► Loss of customers ► Loss of market share ► Erosion of shareholder value ► Fines and civil penalties ► Regulatory fines/sanction ► Significant cost and effort to notify affected parties and recover from the breach Why does data loss occur? People Technology ► ► ► ► Lack of awareness ► Lack of accountability ► Lack of user responsibility for their actions Lack of flexibility in remote connectivity No content aware DLP tools Lack of secure communication platforms Data Loss Prevention Process ► Lack of data usage policies/guidance ► Lack of data transmission procedures ► Lack of data usage monitoring Data loss prevention Data Loss Prevention What is data loss prevention? Data loss prevention is the practice of detecting and preventing confidential information from being “leaked” out of an organization’s boundaries for unauthorized use, which may be thought of as physical or logical Data Loss Prevention Data leakage vector ► Internal threats ► Instant messaging ► Mail ► FTP ► Webmail ► Web logs ► Web pages/social media ► Removable media ► Classification errors ► Hard copy ► Cameras ► Inadequate logical access ► Data Loss Prevention External threats Hackers/data theft by intruders ► SQL injection ► Malware ► Dumpster diving ► Phishing ► Social engineering ► Physical theft ► Insights on information security ► 74% of respondents to our Global Information Security Survey 2013 have defined a policy for classification and handling of sensitive data as a control for data leakage risk Which of the following actions has your organization taken to control data leakage of sensitive information? 74% Defined a specific policy regarding the classification and handling of sensitive information 69% Employee awareness programs 60% Implemented additional security mechanisms for protecting information (e.g., encryption) Locked down/restricted use of certain hardware components (e.g., USB drives or FireWire ports) 45% Utilized internal auditing for testing of controls 45% 43% Defined specific requirements for telecommuting/telework regarding protection of information taken outside office 39% Implemented log review tools 38% Implemented data loss prevention tools (McAfee, Symantec, Verdasys, etc.) 35% Restricted or prohibited use of instant messaging or email for sensitive data transmission 24% Prohibited use of camera devices within sensitive or restricted areas Restricted access to sensitive information to specific time periods Source: Ernst & Young’s Global Information Security Survey 2013 Data Loss Prevention 15% Insights on information security ► However, 66% of respondents have not implemented data loss prevention (DLP) tools Regarding DLP tools implementation, how would you describe that deployment? We have not implemented DLP tools 66% Users have largely not noticed the impact of these tools 15% Our implementation has been a success 14% Implementation has gone smoothly and according to schedule 14% It has taken longer than expected to implement Users have been upset with the impact to their daily routines Our implementation has not been as successful as expected thus far Source: Ernst & Young’s Global Information Security Survey 2013 Data Loss Prevention 12% 6% 4% What an organization needs to do ► Know your data ► Know where it is ► Know where it is going ► Know who accesses it A data loss prevention program can address these issues Data Loss Prevention EY data-centric security model Data governance Policies and standards Identification Risk assessment Classification Architecture Quality Data control Focus areas Structured data Data in motion Data in use Data at rest Perimeter security Privileged user monitoring EndPoint security Network monitoring Access/Usage monitoring Host encryption Internet access control Data anonymisation Mobile device protection Data collection and exchange Use of test data Network/intranet storage Messaging (Email, IM) Data redaction Physical media control Remote access Export/Save control Disposal and destruction Unstructured data Supporting information security processes Identity/access management Security information/event management Configuration management Vulnerability management Digital rights management Incident response Physical security Training and awareness Asset management Data privacy/document protection Employee screening and vetting Third-party management and assurance Business continuity Disaster recovery Regulatory compliance management Change management/SDLC Data Loss Prevention Data in motion Focus area Example control objective Supporting technologies Perimeter security Prevent unencrypted sensitive data from leaving the perimeter. DLP technology, firewalls, proxy servers Network monitoring Log and monitor network traffic to identifying and investigate inappropriate sensitive data transfers. DLP technology Internet access control Prevent users from accessing unauthorized sites or uploading data through the web through personal webmail, social media, online backup tools, etc. Proxy servers, content filters Data collection Data exchange with third parties only occurs through and exchange with third secure means. parties Secure email, secure FTP, secure APIs, encrypted physical media Use of instant messaging Prevent file transfers to external parties through instant messaging and other non web-based applications Firewalls, proxy servers, workstation restrictions Remote access Remote access to the company network is secured and control the data that can be saved through remote facilities such as Outlook Web Access. Encrypted remote access, restrictions on use of remote access tools to prevent data leakage to non-corporate assets Data Loss Prevention Data in use Focus area Example control objective Supporting technologies Privileged user monitoring Monitor the actions of privileged users with the ability to override DLP controls, perform mass data extracts, etc. Security information and event monitoring, operating database and application log files. Access/usage monitoring Monitor access and usage of high risk data to identify potentially inappropriate usage. Security information and event monitoring, operating database and application log files, endpoint DLP logs. Data sanitation Sanitize/anonymize sensitive data when it is not required for the intended use. Data sanitation routines and programs. Use of test data Do not use or copy sensitive data into non-production systems. Sanitize data before moving into test systems when possible. Data sanitation routines and programs. Data redaction Remove sensitive data elements from reports, interfaces and extracts when they are not necessary for the intended use. Data redaction tools. Export/save control Restrict user abilities to copy sensitive data into unapproved containers, such as e-mail, web browsers, etc., including controlling the ability to copy, paste and print sections of documents. Endpoint DLP technology, application controls. Data Loss Prevention Data at rest Focus area Example control objective Supporting technologies Endpoint security Restrict access to local admin functions such as the ability to install software and modify security settings. Prevent malware, viruses, spyware, etc. Operating system workstation restrictions, security software (A/V, personal firewall, etc.), endpoint DLP technology. Host encryption Ensure hard disks are encrypted on all servers, workstations, laptops and mobile devices. Full disk encryption tools. Mobile device protection Harden mobile device configurations and enable features such as password protection, remote wipe facilities, etc. Built in security features, third-party mobile device control products. Network/intranet storage Access control software and permission Govern access to network-based repositories containing control in operating systems, databases sensitive data on a least privilege basis. and file storage systems. Physical media control Prevent the copying of sensitive data to unapproved media. Ensure authorized data extraction only takes place on encrypted media. Endpoint DLP technology, endpoint media encryption tools, operating system workstation restrictions. Disposal and destruction Ensure all equipment with data storage capabilities are cleansed or destroyed as part of the equipment disposal process. (Including devices such as digital copiers, fax machines, etc.) Data erasure/data wiping software. Data Loss Prevention Data risk reduction Data Loss Prevention Why data loss prevention? Data Loss Prevention Costs Data Loss Prevention Data protection life cycle Data Loss Prevention Implementing a DLPP Data Loss Prevention Key Components of a DLPP Data Loss Prevention Data loss prevention drivers and benefits Prevent brand damage and loss of reputation Maintain competitive advantage Prevent loss of customers Prevent loss of shareholder value Prevent fines and civil penalties Prevent regulatory actions or sanctions Prevent legal actions – litigation Data Loss Prevention Limit cost and effort for notification Example approach Data in motion Client issue ► ► Ernst & Young service ► ► ► ► ► It is not known to what extent data leakage is an issue within the organization. Evidence of data loss is needed to: ► Build a business case for DLP investment. ► Support a DLP risk assessment ► Test effectiveness of DLP controls Program assessment/ strategic roadmap Data at rest ► ► ► The security of company data stored on repositories such as share drives, SharePoint sites and intranet sites is uncertain. Sensitive customer data or client intellectual property may be stored on widely accessible internal systems. ‘Rogue’ servers/workstations may be sharing sensitive data in an uncontrolled way. Meet with key stakeholders ► Meet with key stakeholders in a to understand network facilitated workshop to weaknesses for DLP. determine high-risk data. Conduct a facilitated workshop ► Customize DLP rules to focus to determine high-risk data. on high-risk data and add company specific criteria. Customize DLP rules to focus on high-risk data and add ► Utilize our DLP appliance to company specific criteria. scan high-risk data repositories or network segments. Utilize our DLP appliance onsite to analyze electronic ► Review and validate the communications for an agreed incidents generated and period of time. develop a report highlighting high-risk exposures. Review and validate the incidents generated and develop a report highlighting high-risk exposures. Data discovery Data Loss Prevention ► ► ► ► ► ► ► Data privacy assessment The lack of a robust DLP program is a known issue. However, the root cause of data loss is unknown. An assessment of DLP processes and controls and/ or a roadmap for developing the program and integrating it into the existing security program is needed. ► Assistance with managing the complex regulatory and compliance requirements associated with customer privacy or responding to inquiries and incidents is required. Services in options 1 and 2. Conduct a current state assessment of the overall DLP program. Develop a strategy and roadmap to build a robust DLP program that is integrated with the existing security program. Provide a report of high-level issues that were identified with recommendations for risk mitigation and control improvement. ► Conduct a current state privacy assessment. Assess compliance with specific regulations. Recommend improvements to data privacy controls and practices. Assist in responding to specific privacy incidents/ breaches. ► ► ► Control assessments Ernst & Young Assurance | Tax | Transactions | Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com. © 2014 EYGM Limited. All Rights Reserved. This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.