Data protection programs at most organizations are concerned with protecting sensitive data from external malicious attacks, relying on technical controls that include perimeter security, network/wireless surveillance and monitoring, application and point security management, and user awareness and education. In this paper, the different leakage points are mapped with regulations and best practices.
Sponsored by Utimaco and Trend Micro
Data Leakage Landscape: Where Data Leaks and How Next Generation Tools Apply
A SANS Whitepaper - April 2008 Written by Barbara Filkins & Deb Radcliff
The Leaking Faucet
Data Leakage Regulatory Landscape
Regulatory and Data Leakage Landscape
Plug Leaks, Stem the Flow
Data Leakage Landscape 1: Data in Use and in Motion
Data Leakage Landscape 2: Data At Rest and In Storage
The Leaking Faucet
Everyone is familiar with the concept of a data breach - confidential information, usually personally identifying information, falls into the wrong hands, and then suddenly, the data handler becomes reviled as the next TJ Maxx.
Data protection programs at most organizations are concerned with protecting sensitive data from external malicious attacks, relying on technical controls that include perimeter security, network/wireless surveillance and monitoring, application and point security management, and user awareness and education.
But what about inadvertent data leaks that aren't so sensational, for example unencrypted information on a lost or stolen laptop/USB or other device? Like the steady drip from a leaking faucet, everyday data leaks are making headlines more often than the nefarious attack scenarios around which organizations plan most, if not all, of their data leakage prevention methods. However, to truly protect their critical data, organizations also need to plan a more data-centric approach to their security programs to protect against leaks that occur everywhere sensitive data lives, rests or is used.
[Figure labels: Education; Financial Data; Private Data; Personally Identifiable Information (SSN, Tax ID); Trade Secrets; Contracts; Confidential Documents; Credit Card Information; Prevention; Health Information; Detection]
What type of protections would be required for, say, a training site for hospital call center employees, where actual lab reports and other real patient data are posted in the online training forms? How do you implement the same controls around data being cut/copy/pasted and e-mailed or sent out of the organization by other means?
Indeed, there are so many places data can easily leak out of an organization it would be difficult to note them, let alone classify and manage them, without some type of map or landscape that lays them all out. Broadly, these data leak points include:
Sensitive data inappropriately removed, transferred, or sent out via postal mail, e-mail, Web mail, file transfers or instant messaging
Lax, improper or missing access controls to systems containing sensitive data, from back-end databases and servers to mobile computers
Lost or stolen computers, laptops and mobile devices with sensitive data that is unencrypted; hard disks and portable storage (CDs, USB drives) or backup devices; and paper files
Insecure transmission of personal identifiable and other restricted data
Authorized insider abuse of databases and other back-end systems
Insecure or improper destruction of information, encompassing both physical locations (dumpsters) and electronic media (laptops and backups)
Re-use of electronic resources (laptops and backup devices)
Lack of separation of duties and access controls on databases and other shared systems
In this paper, we map these leakage points with regulations and best practices. Protection mechanisms can be simplified by breaking them into five major categories: classic malware protections to prevent system infections, enforceable access controls, encryption, filtering for sensitive data types being sent out of the organization, and education.
In addition to traditional malware defenses, encryption and access controls play a huge role in protecting sensitive data from insiders no matter where the data rests or how it is being acted upon. Equally important is the ability to filter, log, and take action on outbound traffic and downloads, which is commonly referred to as Data Leakage Protection (DLP). The last piece, education, can be enforced by the actions of the control systems themselves. For example, automatic encryption policies on some types of program actions (e-mailing...
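As an added illustration (not from the whitepaper or its sponsors' products), the sketch below walks through the filter, log and take-action steps of outbound content inspection for two of the data types the paper names, SSNs and credit card numbers. The patterns, the `evaluate_outbound` policy (encrypt external mail, log internal mail) and the sample message are assumptions constructed for this example.

```python
import re

# Patterns for two data types the paper lists: SSNs and credit card numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the kinds of sensitive data found, one entry per match."""
    kinds = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Skip ranges that are never issued, to cut false positives.
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue
        kinds.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.append("card")
    return kinds

def evaluate_outbound(msg):
    """Assumed policy: encrypt external mail with hits, log internal, else allow."""
    counts = {}
    for kind in find_sensitive(msg["body"]):
        counts[kind] = counts.get(kind, 0) + 1
    if not counts:
        action = "allow"
    elif msg["external"]:
        action = "encrypt"
    else:
        action = "log"
    # The record carries counts only, so the DLP log does not become a second leak.
    return {"action": action, "found": counts}

# Constructed sample message; the numbers are test values, not real data.
SAMPLE = {"external": True,
          "body": "Patient 123-45-6789 paid with 4111 1111 1111 1111, ref 1234 5678 9012 3456."}

if __name__ == "__main__":
    print(evaluate_outbound(SAMPLE))
```

The third number in the sample fails the Luhn check and is ignored, which is the difference between pattern matching alone and a filter that keeps false positives manageable.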