S 4.345 Protection against undesired outflows of information
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Confidential information should not be allowed to fall into the wrong hands. A number of organisational or technical safeguards need to be taken to prevent this from happening. A disadvantage of many of these safeguards is that they have a serious impact on the workflows or that they can secure some of the interfaces to the outside, but not all of them.
One solution for improving control of the outflow of confidential information is the use of tools that monitor the flow of data in the network and/or on the devices. They are used to detect or even intervene when confidential information is transmitted over insecure routes or falls into the wrong hands. Such tools can check, for example, if certain information is allowed to be transmitted via email, when exchanging data, or when using the Internet, or if this information needs to be burned to CD or copied to a USB stick. The terms data loss prevention (DLP), information leakage prevention (ILP), or extrusion prevention tool are used to refer to such tools, although the goals and mechanisms of such tools are similar.
These types of systems differentiate between confidential and non-critical information. They can allow non-critical files to be sent via email, but could block the sending of confidential files via email and prevent them from being copied to portable data media such as USB sticks. Some DLP tools can even prevent the contents of one file from being copied to another file.
There are currently two different technical approaches used by DLP tools. In one approach, the tool attempts to detect confidential contents in the data stream using a device or an appliance in the network and then react accordingly. The other approach requires the installation of an agent on all devices to be monitored that controls the movements and processing of sensitive files. Like in the area of intrusion detection, these DLP approaches are also referred to as network-based or host-based approaches.
Network-based approach
When a network-based DLP tool is used, sensors or agents are placed at certain locations in the network. Since additional software only needs to be installed at a few locations, the configuration and operation of such a tool is simpler than for products where software needs to be installed on every device involved. In a network-based approach, though, only the data flows through these sensors or agents in the network will be monitored, but not the data flows over local interfaces or to portable data media, for example to USB sticks. It can also be difficult to monitor information that has been encrypted.
Host-based approach
When a host-based DLP tool is used, the agents or sensors need to be installed on every IT system whose data flow will be monitored. This approach therefore requires more time and effort for installation and operation. The advantage of this approach is that the DLP tool can monitor all user activities that could generate outflows of data.
Conceptional approach
Comprehensive protection against undesired outflows of information can only be achieved when the technical safeguards go hand in hand with the organisational and personnel safeguards and when these safeguards are embedded in the security management process. The classification of all business-related information according to its protection requirement forms an important basis of DLP processes (see S 2.217 Careful classification and handling of information, applications and systems). Based on these classifications, it is then necessary to specify who is allowed to process, store and send this information, under what general conditions this is allowed, and what needs to be protected in each case.
It is not necessary to classify every single file to use a DLP tool. The tools can usually be configured so that the protection requirement of a file is derived from its storage location (context-based), certain structural properties, or its contents (by searching for predefined keywords, for example). When a context-based approach is used, then structured data storage must be applied in which the files with higher protection requirements are strictly separated from less confidential files, for example through the use of separate directory structures (see S 2.138 Structured data storage).
Before purchasing a DLP tool, it is necessary to precisely define the purpose of its use. Before putting a DLP tool into operation, it is necessary to create a policy for its use and specify the set of rules determining what the tool should monitor. The use of the tool and the corresponding rules should be planned carefully and adapted to meet the organisation's needs. The employee union representative and the Data Protection Officer should be involved in this planning. It is recommended to state the rules and regulations specified in an employment agreement.
It is important not to overreact. The people responsible are usually appalled at the large number of potential vulnerabilities pointed out by a DLP tool after conducting the first tests. However, the rules should not be too strict so that it is still possible to work efficiently with the tool.
The employees should be informed of the use of DLP tools, what these tools check, and what responses to violations of the rules can be expected. DLP tools offer different levels of response to violations of the rules defined. The possible responses include the following, for example:
- displaying a warning to the user that the planned transaction would violate the rules
- querying the user for explicit confirmation
- blocking the action
- logging
- informing a third party such as an administrator or a superior
Experience has shown that displaying a warning is a very effective method for making employee aware that they need to handle confidential information responsibly. Specifying restrictions or controls using the DLP tool that are too strict can have a negative impact on the motivation of the employees.
The configuration of the DLP tool must be checked regularly, optimised, and adapted to reflect any changes in the organisation, to the business processes, or to the IT.
Review questions:
- Are the safeguards for protection against undesired outflows of information integrated into the security management process?
- Have the safeguards for protection against undesired outflows of information been coordinated with the employee union representative and data protection officers?
- Has it been ensured that the safeguards for protection against undesired outflows of information are compatible with the workflows of the employees?
- Have the employees been informed of the use of the DLP tool, of the rules relating to protection against undesired outflows of information, and of the possible sanctions when these rules are violated?