The new European Union personal data protection regulation is becoming an ever more discussed topic in almost every company, as the date it takes effect (25 May 2018) is rapidly approaching. That is why, for the fourth year in a row and in cooperation with the “Latvijas Sertificēto Personas Datu Aizsardzības Speciālistu Asociācija”, one of the leading cyber-security companies in the Baltics, “Data Security Solutions”, is holding on 26 April Latvia's largest event on the personal data protection regulation (EU GDPR - General Data Protection Regulation), “Digitālā Ēra 2017”, where leading specialists from the private and public sectors will share their experience and knowledge, looking at the newest and most innovative solutions as well as the latest market trends and regulatory norms both in Latvia and across the European Union. More: https://digitalaera.dss.lv/
Information leakage fronts
Let’s start by listing the risks organizations face these days. Typically when we talk about data breaches, we think of a number of groups:
External people attacking an organization to gain access to its critical information
Malicious insiders such as Edward Snowden
And your own employees. Employees who can be well intentioned – they didn’t realise they were exchanging more information than they should have. Employees who might not be up to date on your latest policies or are very busy and negligent. And employees who are just human and who simply make mistakes.
Sensitive information – employee and customer information, critical information (financial data, new product ideas, prices, plans), classified information
SECURE Email Gateway (SEG), SECURE Web Gateway (SWG) and SECURE ICAP Gateway (SIG)
At boundary
Prevent critical information from leaking out of organization inappropriately
If critical information does need to be shared outside of organization, can encrypt to ensure that it is kept secure in transit
Remote Client enforces consistent information protection policy when users connect to the Internet from outside the organization’s network (e.g. teleworker, public Wi-Fi, etc.)
SECURE Exchange Gateway (SXG)
Inside
Extends information protection policy to data and its use within the organization
SXG scans Exchange traffic (internal, outgoing and incoming)
Critical Information Protection Server (CIPMS)
Enforce device policy
Monitor/block/encrypt confidential data
Discover and remediate critical information stored in inappropriate areas (e.g. unencrypted devices, public network shares, etc.)
Information Governance Server (IGS)
Inside
Gain visibility of how critical information is being used
Enforce consistent policy to protect it where appropriate
SECURE File Gateway (SFG)
Inside
Ensure critical information isn’t being moved inappropriately between networks/areas of a network
Software Development Kit (SDK)
Enables developers to add content inspection
DLP is not easy to implement.
It does take a long time to become effective.
It is expensive to purchase and to configure – it takes months or even years of external consultants’ time before they become truly effective.
Reaching the “Protection” phase of the project takes a lot longer than originally planned. It is often pushed back as the scale of the issues becomes more apparent.
It stops the whole transmission as it is set to Stop and Block and delays valid business communications.
It produces a large manual processing overhead, with a large number of false positives that have an impact on productivity.
And “hidden” sensitive information can be missed as it is present in the metadata.
Clearswift can help with our Adaptive Data Loss Prevention (A-DLP) features that don’t drive up the number of false positives and become a barrier to business communications.
Our Gateway solutions can block, Sanitize or Redact, Encrypt, Authorize and Report.
With Data Redaction, the Gateway detects sensitive information and replaces it with a series of asterisks. This cannot be reverse engineered.
The Document sanitization removes metadata, version, comments and document history. It is automated.
The Structural sanitization removes active content, often used in spear phishing attacks as a method of getting users to unwittingly install spyware.
As removing active content typically doesn’t affect the underlying data, clients can protect their organization from the risk of targeted attacks without pushing up the management overhead.
That said, sometimes you need to send sensitive data outside of your organization, and in that case, you need to protect it while it is in transit.
Your finance team might need to send sensitive financial details to auditors for example.
In this case you can encrypt the data as it leaves the organisation using TLS (Transport Layer Security), S/MIME, PGP, Password and Portal based encryption.
It all starts around our deep content inspection engine. Our ability to take a document and decompose it until we get to the end of it. Here you have an example of an executable file embedded in an Excel spreadsheet which is contained within a Word document, itself compressed in a ZIP file.
We are able to see every component part of a file.
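The nested case described above (executable inside a spreadsheet inside a Word document inside a ZIP), as an added Python example that is not the product's code. The sample file is constructed in memory and stores the stub executable directly as an archive member; real Office embeddings are usually wrapped in OLE objects, which would need an extra unpacking step not shown here.

```python
import io
import zipfile

MAX_DEPTH = 8               # stop descending into deliberately deep nesting
MAX_MEMBER = 50 * 1024**2   # skip members that would expand past 50 MiB

def identify(data):
    """Classify content by its leading bytes, never by its file name."""
    if data[:2] == b"MZ":
        return "executable"
    if data[:4] == b"PK\x03\x04":
        return "zip"          # also covers OOXML (.docx/.xlsx), which is ZIP-based
    return "data"

def decompose(name, data, depth=0, path=()):
    """Yield (path, kind) for a file and, recursively, everything inside it."""
    here = path + (name,)
    kind = identify(data)
    yield here, kind
    if kind != "zip":
        return
    if depth >= MAX_DEPTH:
        yield here, "nesting-limit"
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:
                yield here + (info.filename,), "size-limit"
                continue
            yield from decompose(info.filename, zf.read(info), depth + 1, here)

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

def build_sample():
    """Constructed input: stub executable -> xlsx -> docx -> zip."""
    exe = b"MZ" + bytes(62)  # header stub only, not a working program
    xlsx = make_zip({"xl/workbook.xml": b"<workbook/>", "xl/embeddings/tool.bin": exe})
    docx = make_zip({"word/document.xml": b"<document/>", "word/embeddings/Sheet1.xlsx": xlsx})
    return make_zip({"report.docx": docx})

def find_executables(name, data):
    return ["/".join(p) for p, k in decompose(name, data) if k == "executable"]
```

The depth and size limits matter as much as the recursion: without them a content inspector can be stalled by an archive built to expand without end.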
Document Sanitisation is all about preventing data harvesting. The Gateway detects and removes document properties, revision histories, comments, etc. It can do this either completely or in a selected manner.
After all, there might be some properties you want to keep if you classify your documents.
As documents pass through our systems, the metadata can be removed automatically and consistently.
It’s all about removing the information that you might not know is there: printer, author, version of Windows, software, network paths, comments, version, revisions, auto save data, and so on. That hidden data is a vector for attackers using social engineering to target your organisation.
By removing it you protect the sensitive information leaving your company.
By removing revision history and comments from the most commonly shared documents such as Microsoft Office, OpenOffice and PDF files, you also prevent human error. After all your staff might not know the information is present in the documents they send or upload.
What they thought they sent
What they actually sent
What the Gateway sent
Structural Sanitisation is here to prevent targeted attacks that use active code embedded within Microsoft Office, OpenOffice and PDF documents.
Even with sandboxing, AV and zero-hour malware detection, active code can go through. It can be because the AV doesn’t know about a virus yet or because the code is simply not a virus.
Although our products can simply block the content altogether, this can create false positives and overhead for your IT team. With Structural Sanitisation, you can remove what might be malicious and let the traffic through, so as not to block the business communication completely. The Gateway strips the active code automatically.
(CLICK) In the example on screen you can see some lines of code that have been added to a MS Office file. With Document Sanitisation, you can automatically remove the code and only let the data through (CLICK).
Although this feature was originally designed around inbound targeted attacks, it is also very useful on outbound DLP to prevent the loss of intellectual property in the form of code. It is better if that code is stripped before it leaves the organisation.
Last thing is that in the example of emails, the recipient of the file might block the active content on their side. From a business perspective, by removing active code on outbound traffic, you make sure your email is getting to the recipient and is not blocked by the recipient’s Gateway solution.
Our products can detect sensitive information and replace it with asterisks. Data Redaction is triggered by lexical analysis. You can for example look for profanity, credit card numbers, patient IDs, serial numbers, account numbers, etc. - any kind of pattern or even specific data coming from your own databases.
The redacted document is delivered, human errors are eliminated as the process is automated and this can work for either incoming or outgoing traffic.
The redaction of text within emails, Microsoft Office, OpenOffice, PDF, RTF files is beneficial in many ways.
You can remove your critical sensitive information from outgoing traffic as part of your DLP policy.
Financial institutions can remove PCI information from emails coming in and out to ensure they are PCI compliant, which is very useful when you think of the European regulation such as GDPR.
You can also remove profanity from inbound traffic to protect your staff from upsetting comments that could have an impact on their mental health. In the domain of school and education, you can prevent trolling/bullying. For example the UK government has put a policy in place to avoid radicalisation, so schools have to know what's happening within their walls.
In the example you can see on screen, the user is trying to send an email containing credit card information (CLICK). The Gateway has been set up to detect credit card patterns through lexical analysis. After it recognises the text, it replaces it with stars (CLICK).
And we can take it a step further by using your own live data rather than just detecting patterns.
We can target the search using your own data sources.
This option offers improved DLP capabilities in that the records are easier to maintain, as they come from an existing database.
It reduces the amount of false positives and is a method to detect PCI and PII data with greater confidence.
The confidential data is safely stored and it can support up to 10 million items.
In this example we are looking at live data from the patients database and are able to detect the actual name of the patient and their ID number so as to redact this information before it is sent out.
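Matching against your own records rather than a pattern, as an added Python example that is not the product's implementation. It assumes the database values are held only as keyed hashes (HMAC-SHA256) so the index does not contain the plain records; the key, the patient row and the message are all constructed for the example.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"   # assumption: a per-deployment secret

def fingerprint(value):
    """Keyed hash of a case- and whitespace-normalised value."""
    norm = " ".join(value.lower().split())
    return hmac.new(KEY, norm.encode(), hashlib.sha256).digest()

def build_index(records):
    """records: rows of field values exported from the source database."""
    index, max_words = set(), 1
    for row in records:
        for field in row:
            index.add(fingerprint(field))
            max_words = max(max_words, len(field.split()))
    return index, max_words

def redact_exact(text, index, max_words):
    """Overwrite any run of words whose fingerprint is in the index."""
    tokens = list(re.finditer(r"[\w-]+", text))
    out = list(text)
    i = 0
    while i < len(tokens):
        # Try the longest candidate first so full names win over single words.
        for n in range(min(max_words, len(tokens) - i), 0, -1):
            start, end = tokens[i].start(), tokens[i + n - 1].end()
            if fingerprint(text[start:end]) in index:
                out[start:end] = "*" * (end - start)
                i += n
                break
        else:
            i += 1
    return "".join(out)

# Constructed sample: one patient row and an outgoing message.
RECORDS = [("Anna Ozola", "PT-448812")]
MESSAGE = "Results for Anna Ozola (ID PT-448812) attached; ref PT-448813."

if __name__ == "__main__":
    idx, width = build_index(RECORDS)
    print(redact_exact(MESSAGE, idx, width))
```

The identifier PT-448813 has the same shape as a patient ID but is not in the records, so it passes through untouched, which is the false-positive reduction described above.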
Innovating in Adaptive Data Loss Prevention and Information Governance
Clients can invest in solution(s) that meet immediate business needs
Then leverage investment by deploying subsequent solutions to provide consistent protection
Complements existing solutions – not rip and replace