What is Data Loss Prevention (DLP)?
Data Loss Prevention (or DLP for short) is the application of technology and policies in order to detect and prevent potential data breaches and data ex-filtration. Data that is of particular interest include sensitive emails, documents and other information leaving the organizational boundary. Data Loss Prevention is one out of many options used in today's arsenal of defense against threats and attacks, and also a layer to harden overall data security.
While SANS may write that DLP is primarily concerned with identifying sensitive data, we have taken on board a more holistic look beyond identification.
Data loss prevention can be in the form of the following:
- Network-based DLP.
- Endpoint DLP which monitors on the application level such as email client used.
- Network policies enforced for information leaving the network.
- UI, for example in the form of pop up tips, that will help reinforce data protection awareness training.
- Common dictionaries and regular expressions syntax used to create content protections rules.
- Staff awareness training.
- Using file tagging to secure data that can contain intellectual property or trade secrets.
The above is not an exhaustive list.
Data loss prevention tend to be interchanged with data leak prevention when the situation involves the lost data being acquired by an unauthorized third party. However for this article, we will also include both data loss and data leak scenarios under the overall DLP umbrella term.
Upon application of DLP, you can ensure compliance with regulations governing use of data and ensure obligations for best practices are being met. These compliance and regulations include Health Insurance Portability and Accountability Act (HIPAA), (Payment Card Industry) PCI compliance, and General Data Protection Regulation (GDPR) to name a few.
Data loss prevention in file transfers
Within the territory of file transfer, data loss happens via information being inadvertently or intentionally sent to an unauthorized individual through the use of either file transfer software or file transfer protocols. It can also happen due to human ignorance or negligence - for example, uploading sensitive documents using an unapproved cloud provider.
Imagine a scenario where an employee in a large company has just transferred a series of files containing confidential data. Or another scenario where a small business owner has data residing on USB (unencrypted) and has since been lost.
It is with these two scenarios where we see data loss prevention not being applied for both data in transit (the transfer of files containing confidential information) and data at rest (the files residing within the USB).
Types of data in file transfers
As an introduction, the following paragraphs (from Wikipedia) summarizes the differences between data at-rest, data in-use and date in-motion.
Data at-rest
"Data at rest" specifically refers to old archived information. This information is of great concern to businesses and government institutions simply because the longer data is left unused in storage, the more likely it might be retrieved by unauthorized individuals. Protecting such data involves methods such as access control, data encryption and data retention policies.
Data in-use
"Data in use" refers to data that the user is currently interacting with. DLP systems that protect data in-use may monitor and flag unauthorized activities. These activities include screen-capture, copy/paste, print and fax operations involving sensitive data. It can be intentional or unintentional attempts to transmit sensitive data over communication channels.
Data in-motion
"Data in motion" is data that is traversing through a network to an endpoint destination. Networks can be internal or external. DLP systems that protect data in-motion monitor sensitive data traveling across a network through various communication channels.
Data Loss Prevention and SFTPPlus MFT
DLP monitoring network activity
The DLP software is integrated into the network using a network TAP (terminal access point) port to perform real-time scanning and analysis of network traffic.
In addition to DLP inspection for data in-transit, DLP inspection can also be applied for data at-rest, such as within an FTPS or SFTP file server.
DLP and SFTPPlus MFT configuration options
For managed file transfer, data in-motion is of priority concern and is within the realm of control for file transfer software. Data at-rest is also another concern, but controls can also be distributed to controls permissioned by the OS file system.
The use of secure file transfer protocols as well as other processes for secure file transfer should form part of the stock for data loss prevention - transmission security. These services and configuration options can be configured using SFTPPlus.
An SFTPPlus feature, Digital signature validation can be configured to check if files have a valid signature:
SIGNED_CONTENT,SIGNATURE
The signature validation process is based on the RSA Digital Signature Algorithm PKCS#1 v2.1 also known as RSASSA-PSS and documented in RFC 3447.
Post process actions may also be added as part of the automated, client transfer rule in order to contain policy rules. A file dispatcher can then be set so that a transfer is quarantined via a separate folder if it has failed a policy rule.
A UUID prefix can also be appended to a file name in order to create unique names so that for each data uploaded, even if duplicate, there is a unique filename.
For authorization control, SFTPPlus administrators can apply permissions to specific groups or users. These permissions will help determine the access to which resources within the file transfer home directory of that user, and other the specific access rights. Permissions can also be set depending on regular expressions (regex), such as disallowing certain file formats. Through the options covered above, administrators can secure data or set permissions to ensure certain resources are not being inappropriately accessed or changed.
For more details about the above configuration options, please consult our documentation or talk to the Support team.
Audit trails for DLP
While operating, SFTPPlus will emit a set of events. Each event has a unique ID and defines a specific operation carried out by the server.
An example of an audit trail upon first connection to an FTP service is below:
| 20076 2018-03-07 19:44:05 ftp-only-1 Process 0.0.0.0:0 Service “ftp” started on “0.0.0.0:10023” using “ftp” protocol. | 10033 2018-03-07 19:44:10 ftp-only-1 Unknown 127.0.0.1:51290 New FTP/FTPS client connection made.
Administrators can gather a comprehensive picture of data-handling activities performed by users through the detailed, server-side audit trail. For example, see below audit trail for an attempt to access an authorized resource:
| 40007 2018-03-28 11:10:25 Process alice 127.0.0.1:52064 HTTP/HTTPS file access successfully started in "/ftps-folders/alice_files" as "/".
Through this online record of server events, organizations can be made aware for the purposes of any legal framework or compliance obligations.
Please see our Users Guides for specific examples pertaining to audit trails for HIPAA/HITECH, and GPG/PMO obligations. More articles are being written for other compliance and regulations.