Ruslan Rakhmetov, Security Vision
The publication of personal data online or the transfer of confidential information to competitors is the result of accidental mistakes or malicious intent. Regardless of the reasons for such leaks, the consequences endanger people and companies, which are then no longer trusted. Protecting data from leaks is therefore a task that will be relevant as long as people and companies exist. It is solved by various organisational measures and the use of special technical means.
Organisational methods are based on the recommendations and requirements of the relevant laws. For example, personal data is protected in accordance with the requirements of 152-FZ (in the Russian Federation) and GDPR (when it comes to data of subjects located in the territory of the European Union countries, even if these data are processed in other countries), and other types of confidential data are determined by internal regulations and the establishment of a confidentiality regime (know-how, trade secrets), which works similarly to patent and copyright.
Technical tools also differ: some provide traffic monitoring (CMS, Content Monitoring System), others support the investigation of leaks that have already occurred (ILD, Information Leakage Detection), and the last, but by no means least important, are designed to protect traffic on the fly (DLP).
In this article we will talk about how DLP systems are organised, what tasks they perform and what data channels can be protected using them.
DLP is a generic name for various software that provides monitoring and protection. The term itself stands for Data Leakage Prevention or Data Loss Protection.
If interfering with data transmission is not part of your plans, the DLP system is connected in parallel with outgoing traffic and works in 'mirroring' mode: it sees a copy of the traffic and can only detect and alert. If you want to protect data on the fly, traffic must be routed through the DLP system, so that it works in quarantine and/or inline (in-line break) mode and can hold or block a transfer.
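The difference between the two modes is easiest to see in the decision logic of the server-side component that inspects mail traffic. The following is an added example, not code from Security Vision or any DLP vendor named here; the detection rules (a Luhn-checked card-number pattern and a confidentiality marker), the internal domain and the sample message are constructed for illustration.

```python
import re
from enum import Enum

class Mode(Enum):
    MIRROR = "mirror"  # DLP sees a copy of traffic: it can only detect and alert
    INLINE = "inline"  # traffic is routed through DLP: it can block or quarantine

INTERNAL_DOMAINS = {"example.internal"}            # constructed value
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
MARKER_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(body: str) -> list[str]:
    """Return the list of policy findings for one message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("payment-card-number")
    if MARKER_RE.search(body):
        findings.append("confidentiality-marker")
    return findings

def decide(recipient: str, body: str, mode: Mode) -> str:
    """Map findings to the action the deployment mode actually permits."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "allow"                 # the message does not leave the perimeter
    if not inspect(body):
        return "allow"
    # a mirrored copy cannot stop the original transfer, only raise an incident
    return "block" if mode is Mode.INLINE else "alert"

if __name__ == "__main__":
    # constructed sample mail
    msg = "Hi, the card for the booking is 4111 1111 1111 1111, CONFIDENTIAL."
    print(decide("partner@example.com", msg, Mode.MIRROR))  # alert
    print(decide("partner@example.com", msg, Mode.INLINE))  # block
```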
Depending on how a particular vendor's DLP system has evolved, you may notice a particular focus on specific channels. For example, InfoWatch Traffic Monitor grew out of a tool for controlling network hosts, and agent-based data protection was added later as the product developed; SearchInform CIB in its first versions controlled traffic exactly at the host level; Google DLP protects data only inside its own web services, within a special corporate subscription.
A modern DLP system is most often a client-server application:
- A part of the software runs centrally (SERVER), which allows controlling network and mail traffic through appropriate gateways (proxy and mail servers).
- The second part is installed on user hosts (AGENT) to provide control of physical device connections, clipboard, text entered from the keyboard, application launches and other channels that can only be controlled at this level.
This is the typical, averaged picture of a data leakage protection system, as depicted in the figure below.
With this architecture, you can control different data paths, from remote connections via VPN and terminal sessions, to DMZ organisation and data copying via physically connected devices. We have analysed the solutions of various vendors and have compiled a general list of data paths that they manage to protect effectively.
Data in motion:
- HTTP, FTP, SMB network traffic;
- Mail traffic POP3, IMAP4, SMTP;
- Printing documents via local or network printers;
- Transfer to external devices USB, MTP and others.
Data at rest:
- Documents and files on workstations;
- Data on servers and databases.
Data in use:
- Running applications;
- Transferring data through applications;
- Entering text from the keyboard and pasting from the clipboard.
Most often DLP works to protect a specific area, such as the perimeter of your company, but integrations can take protection to the next level - beyond the perimeter. We will conclude this review with ways to go beyond DLP out of the box.
1) You can analyse public social media postings (Cribrum, https://www.kribrum.ru/technology/) for sensitive data that should not be published;
2) You can analyse documents printed on hard media without installing a DLP agent on the workstation, centrally from the print management server (Konica Minolta Business Solutions Russia, https://www.infowatch.ru/company/presscenter/news/17119);
3) MDM solutions can also be integrated to enable control of corporate data on personal mobile devices (BYOD technology, https://habr.com/ru/post/281463/);
4) Even when using cloud services (e.g. Yandex 360 or Office 365), data within them can be analysed in on-premise DLP via integrations or natively (Google, https://cloud.google.com/dlp).
Technically, almost any data channel can be sent to DLP for analysis, using:
- inbuilt capabilities of systems (from the list above);
- SDK API connector development tools;
- low-code tools for integration.
Existing DLP systems can monitor and block data transmission outside the organisation; for this purpose, software is installed on network nodes and on employee workstations. Their 'out-of-the-box' capabilities can be extended through integrations and taken beyond the usual protected perimeter.