How Firm Implemented Data Loss Prevention System

Credit unions have made great strides in protecting their confidential data from outside intruders, but they also need protection from well-meaning employees who use web mail to send passwords and other confidential information to members.

In the past, credit unions have been keenly interested in improving security from the inside out, but they are rightly concerned about new solutions that magnify administrative complexity or cause a flood of false positives that burden their IT personnel.

In our case, we operate a service center that processes data for approximately 30 credit unions. Our external network security has been in place for years. A recent management mandate to obtain ISO Certification prompted us to further harden our information security procedures and as such we began to explore data loss prevention (DLP)

There are many regulations governing the use and safeguarding of financial information such as payment card data, Social Security numbers, and the like. Most credit unions have policies and procedures in place to comply with these regulations, but in their efforts to provide outstanding member service, CU representatives can sometimes violate them. For example, a member might call Member Service because he or she forgot a password or user-name, and the rep may follow up that request with an e-mail to the member. However, sending that information through a non-secure e-mail system is a security violation.

In another instance, an employee may want to take some work home on a non-secure laptop, or download data to a non-secure USB drive for transfer to a home system. Again, these are security violations, and cases of such data falling into the wrong hands are well known.

Data loss prevention systems prevent these types of data leakage by inspecting traffic as it moves over the network and as it is accessed at workstations or servers, and blocking previously-identified sensitive data from being transmitted over non-secure means. A DLP system works like this:

1. The security administrator characterizes the data that will be considered sensitive. DLP systems use various methods to identify data, including pattern matching, exact or partial document matches, regular expressions, and database fingerprinting.

2. The administrator defines policies that will be enforced at servers and desktop systems, such as blocking webmail containing sensitive data, encrypting regular e-mail that contains sensitive data, or preventing users from copying sensitive data to USB drives, laptops, or PDAs.

3. The DLP system scans the network and discovers the locations of all sensitive data.

4. The DLP system performs ongoing monitoring of data in use over the network at the endpoints, checking for policy violations. This involves not only monitoring IP ports on the network, but also system bus ports at user workstations. The system must also be able to "crack" binary files such as Microsoft Office documents or PDFs in order to inspect their contents.

5. The DLP system takes appropriate action when a policy is breached. This can include quarantining the data, alerting the user, the user's manager, or the IT department, and encrypting e-mail.

6. The DLP system maintains a log of activity and produces compliance reports if needed.

By taking these actions, a DLP system prevents unauthorized data loss and ensures compliance with banking regulations.

To function properly, the DLP system must implement the above functions in a way that matches the credit union's data and use profiles as well as its security management and reporting needs. In our case, the system we chose would need to fill several requirements. For example:

* Data characterization. We wanted to set the system up to properly identify sensitive data without generating a lot of "false positives" that would eat up IT time and frustrate users. For example, we needed the DLP system to recognize a customer's account number or debit card number as sensitive information, but we didn't want the system to prevent someone from using the company credit card to purchase office supplies.

* Policy management. We wanted to use our Active Directory profiles to group users, but to also have the flexibility to apply policies by application, time of day, and other parameters.

* Discovery and monitoring. For complete protection, we wanted to be able to discover and monitor sensitive data usage while it is in motion on the network, while it "at rest" in server or desktop storage, or while it is in use by end users. On our network, the DLP appliance monitors data in motion, while server and user client software monitors data at rest and at user desktops.

* Blocking activities. We wanted flexibility in how the system worked when it recognized a policy violation. For example, we wanted it to not only block the action, but to alert the user, the user's supervisor, or the IT department in escalating order, depending on the severity of the violation.  

* Management. We wanted to be able to manage and configure all endpoints and the appliance from one console to minimize IT labor.

Once we found a DLP system that met our requirements, it took about a day to deploy the appliance and the client software for 30 users, and to characterize data and create policies. We used the DLP product's built-in financial industry templates to speed data characterization and policy creation, and we have since tweaked policies and data definitions to optimize accuracy.

Before activating the system, we alerted our staff about what to expect with the DLP system. The operation of the system is fairly transparent and we have not seen an increase in the latency of e-mail or other applications over our internal network, but it does produce alerts that would confuse users who weren't aware that the system was in place.

Since the rollout, the system has quietly gone about its tasks, reviewing potentially sensitive data transfers that once went on unnoticed, and giving us and our credit union customers an added level of comfort that we are being as aggressive as possible in deploying security systems that protect their data against all threats.

Matt Lefler is Vice President, Enhanced Software Products, Inc. (ESP), Spokane, Wash. For info: www.espsolution.net.