Security

How to Help DLP and Encryption Coexist

Learn where to incorporate data loss prevention technologies on encrypted networks.

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

Data loss prevention (DLP) has become increasingly important for protecting organizational data from being leaked to unsecured or unauthorized locations. For example, these technologies can prevent a disgruntled worker from copying personally identifiable information or intellectual property, or stop someone from accidentally emailing the wrong file attachment to an external recipient.

Unfortunately, DLP technologies often clash with network encryption, which seeks to protect data from eavesdropping. To resolve this conflict, organizations must deploy DLP in places where network traffic isn’t encrypted. Here are some tips for DLP implementation options that are mindful of the need to protect sensitive data communications.

1. Route all user traffic through organization-controlled proxy servers to observe unencrypted traffic.

Without a proxy server, encrypted connections take place directly between the source and the destination. To get around this, an organization can insert a proxy server into the route followed by all incoming and outgoing traffic. This encrypts the segment between the source and the proxy server, and between the proxy server and destination. Network-based DLP software deployed at the proxy server can monitor the unencrypted communications between the two encrypted segments, and therefore stop sensitive information from being transported against policy.

2. Use existing security gateways for web, email and other common protocols.

Most data exfiltration involving network traffic takes place over web or email protocols. An alternative to deploying a proxy server is to deploy a security gateway, such as a web or email appliance. These essentially provide a proxy capability, but they can also perform a variety of security checks on the unencrypted traffic that is routed through them, including DLP inspection.

Organizations with existing security gateways should take advantage of them to provide DLP capabilities. Of course, they still must make sure that network traffic is being routed through these gateways. Mobile devices on external networks might not be able to use these gateways unless traffic is forced through them by a virtual private network or other means.

3. Take advantage of existing endpoint security protection suites.

Many organizations have already deployed endpoint security protection suites to their desktops, notebooks and mobile devices. These suites, which provide an integrated defense-in-depth approach to endpoint security, often include an endpoint-based DLP capability. Once this is properly configured and activated, the suite will examine all activity within the endpoint before encryption is employed.

Endpoint-based DLP can even detect forms of exfiltration that network-based DLP can’t spot, such as transferring sensitive data to USB flash drives. As a result, endpoint-based DLP may offer more effective detection than a network-based solution.

4. Consider adding endpoint-based DLP technologies to endpoints.

As mentioned, many endpoints already have DLP capability built in. But if an organization lacks an endpoint security protection suite, an alternative is to purchase endpoint-based DLP technology as a point solution.

This is particularly helpful for mobile devices that are often being used on networks outside the organization’s control. Unfortunately, endpoint-based DLP technology can be highly resource-intensive, particularly when deployed as a point solution. IT managers should perform extensive pilot testing when evaluating endpoint-based DLP products.

<p>iStock</p>