Presentation to CSBS
10-Nov-10
Why We’re Here - Regulations
Fully aware of increasing threats, federal and state governments have demanded increased data protection and enacted increased regulatory requirements.
– Health Insurance Portability and Accountability Act (HIPAA)
– Health Information Technology for Economic and Clinical Health (HITECH) Act
– Gramm-Leach-Bliley Act (GLBA)
– UK Data Protection Act
– Payment Card Industry Data Security Standard (PCI DSS)
– State laws, such as:
  – Massachusetts MA 201 CMR 17.00
  – Nevada NRS 597.970
Data Loss Prevention (DLP)
Objective
– Prevent the movement of sensitive data from inside your organization to the internet
– aka “Data-in-motion DLP”
Works on multiple channels
– Mail
– Social network
– Twitter
– Wiki
– Blogs
– Etc
Data Loss Prevention
Example
– Someone creates a spreadsheet containing data from your customer database and attempts to post it on a blog
– The DLP solution would detect this and execute a defined action
Getting started
– Decide what your objectives are
– What are your current policies surrounding the handling of sensitive data?
  What/when can data be sent
  What should be encrypted
  What should be blocked
– Use DLP tools to implement your objectives and policies
Email DLP 11/15/2010
How Does DLP Work?
[Diagram: data flows through the DLP engine, which holds the stored hashes and the policies]
Step 1: Data fingerprinting (read, hash, store)
Step 2: Define policies
Step 3: Analyze traffic (the data flow is compared against the hashes and the policies)
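The three steps in the diagram, as an added runnable example (not ZixCorp's code): a keyed fingerprint store is built from constructed customer records, a constructed policy threshold is set, and an outbound message is tokenized and matched against the store. The record layout, the tokenizer, the HMAC key and the message text are all assumptions made for the example.

```python
"""Data-in-motion DLP in three steps: fingerprint known sensitive values,
define a policy, analyze outbound traffic.  Added example, not ZixCorp's
implementation; records, key and message below are constructed."""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Tuple

# Assumption: fingerprints are keyed HMACs rather than bare hashes, so the
# store cannot be reversed by enumerating the small space of account numbers.
FINGERPRINT_KEY = b"constructed-demo-key"


def normalize(value: str) -> str:
    """Canonical form so '123-45-6789' and '123456789' fingerprint identically."""
    return re.sub(r"[\s\-]", "", value).lower()


def fingerprint(value: str) -> str:
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_fingerprint_store(records: Iterable[Dict[str, str]],
                            fields: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Step 1 (read, hash, store): map fingerprint -> (field, record id).
    The DLP engine keeps no plaintext copies of the sensitive values."""
    store: Dict[str, Tuple[str, str]] = {}
    for rec in records:
        for f in fields:
            store[fingerprint(rec[f])] = (f, rec["id"])
    return store


# Step 2 (policy): constructed rule - one fingerprinted value in outbound content is enough to act
POLICY_MIN_HITS = 1


def decide(hits: List[Tuple[str, str, str]], min_hits: int = POLICY_MIN_HITS) -> str:
    return "encrypt" if len(hits) >= min_hits else "allow"


# Tokens: runs of alphanumerics joined by '-', '.', '@', '+' (so IDs, SSNs and e-mails stay whole)
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.@+-]*[A-Za-z0-9]")


def scan_message(text: str, store: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Step 3 (analyze traffic): fingerprint each token and look it up.
    Returns (token as written, field name, record id) for every match."""
    hits = []
    for tok in TOKEN_RE.findall(text):
        entry = store.get(fingerprint(tok))
        if entry:
            hits.append((tok, entry[0], entry[1]))
    return hits


CUSTOMERS = [  # constructed sample records
    {"id": "C001", "account": "ACC-00917", "ssn": "123-45-6789"},
    {"id": "C002", "account": "ACC-00918", "ssn": "987-65-4321"},
]
STORE = build_fingerprint_store(CUSTOMERS, ("account", "ssn"))

OUTBOUND = ("Hi, attached is the list. Row one is account ACC-00917 (ssn 123456789), "
            "row two is ACC-00918. Unrelated reference ACC-55555.")

if __name__ == "__main__":
    found = scan_message(OUTBOUND, STORE)
    print(found, "->", decide(found))
```

Normalizing before hashing is what lets the SSN written without dashes in the message match the dashed value from the database; the unrelated reference number is not in the store and produces no hit, which is the false-positive behaviour fingerprinting is chosen for.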
Business Today
Email is the dominant communication tool used
Time spent on email exceeds all others combined*
Average cost of a breach of 5,000 customers is $350,000.
*Osterman Research (based on time spent on communication tools during an eight-hour day):
– Social Media 8%
– Email 60%
– Telephone 22%
– Instant Messenger 10%
Email Is A Big Exposure
As much as 75% of an organization’s intellectual property is stored in its email infrastructure
About 70% of data leaks occur via email
Approx 5% of email should be encrypted
– from ZixAuditor stats
What if the data in question has not been fingerprinted yet?
– Inbound email to your organization contains sensitive data and your internal recipient hits “Reply”
Email DLP
Adjustment in interpreting what “loss” means
– Sensitive data sent in clear text is “lost”, in the sense that anyone now has access to it
– Secured (encrypted and signed) data ensures that only the owner and designated recipient have access to it and no one else can read it while in transit
  Privacy, access control, integrity, authentication, non-repudiation
Encrypting vs Blocking
– Blocking and/or quarantining email is not practical
  Stops/delays the flow of business
So why not encrypt everything?
– Not everything needs to be
– Minimize recipient inconvenience factor
How Email DLP Works
Policies work as follows:
– Define a <condition>; if it is met, then execute an <action> on the message
– Conditions allow you to separate out messages of interest (e.g. those that contain sensitive info)
– Actions include:
  Encrypt, block, forward, cc:, adding custom header and/or footer text
Two main types of conditions
– Sender/recipient address or domain
  E.g. From achiu@zixcorp.com to *@xyzpartner.com
– Content
  Keyword
HIPAA Scanning
Lexicons:
1. Health Identifiers (patient IDs, policy numbers, claim numbers, etc.)
2. Health Terms (type of clinical diagnosis, prescriptions, drugs, illness, etc.)
3. Social Security Numbers (number masks for SSN: nine-digit number divided into three parts, with never-allocated numbers taken into account)
Detection logic:
(Health Identifiers AND Health Terms) OR (Social Security Numbers)
Terminology, phrases and patterns in the lexicons come from:
– Preston-Gates-Ellis, LLP HIPAA Privacy Rule
– National Library of Medicine’s Medical Subject Headings (MeSH)
– American Medical Association’s Current Procedural Terminology (CPT)
– Center for Disease Control’s International Classification of Diseases v.9 (ICD-9)
– Medicare/Medicaid’s Healthcare Common Procedure Coding System (HCPCS)
– Health Insurance Association of America Glossary
– Juried messages from Healthcare organizations
Financial Scanning
Lexicons:
1. Financial Identifiers (account numbers, loan or policy numbers, etc.)
2. Financial Terms (balance transfer, checking account, refinance, W-2, etc.)
3. Credit Card Numbers (number masks for VISA, MasterCard, American Express, Discover, and more)
4. Social Security Numbers (number masks for SSN: nine-digit number divided into three parts, with never-allocated numbers taken into account)
Detection logic:
(Financial Identifiers AND Financial Terms) OR (Credit Cards OR SSN)
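The detection logic of both the HIPAA scanning slide and the Financial scanning slide, as one added example (not ZixCorp's lexicons): tiny constructed word lists stand in for the real lexicons, an SSN mask rejects the never-allocated ranges, and a card mask is confirmed with the Luhn checksum. The lexicon contents, the regular expressions and the sample sentences are assumptions made for the example; the "identifiers AND terms" combination is what keeps a message that only mentions financial terms from triggering.

```python
"""Lexical content detection, following the HIPAA and Financial scanning slides:
HIPAA     = (Health Identifiers AND Health Terms) OR SSN
Financial = (Financial Identifiers AND Financial Terms) OR Credit Card OR SSN
Added example, not ZixCorp's lexicons; the word lists are tiny constructed
stand-ins for lexicons built from MeSH, CPT, ICD-9, GLBA rules, etc."""
import re
from typing import Dict, List

LEXICONS: Dict[str, List[str]] = {  # constructed mini-lexicons
    "health_identifiers": ["patient id", "policy number", "claim number", "mrn"],
    "health_terms": ["diagnosis", "prescription", "diabetes", "chemotherapy"],
    "financial_identifiers": ["account number", "loan number", "routing number"],
    "financial_terms": ["balance transfer", "checking account", "refinance", "w-2"],
}

# SSN mask: nine digits in three parts (area-group-serial), dashes or spaces optional
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Card mask: 13-19 digits with optional single separators; the brand prefix is not checked here
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never allocated: area 000, 666 or 900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which removes most random digit strings from the card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    return [m.group(0) for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]


def find_ssns(text: str) -> List[str]:
    masked = CARD_RE.sub(lambda m: "#" * len(m.group(0)), text)  # don't re-read card digits as SSNs
    return [m.group(0) for m in SSN_RE.finditer(masked) if ssn_plausible(*m.groups())]


def lexicon_hits(text: str, name: str) -> List[str]:
    lower = text.lower()
    return [p for p in LEXICONS[name] if re.search(r"\b" + re.escape(p) + r"\b", lower)]


def scan(text: str) -> Dict[str, object]:
    ssns, cards = find_ssns(text), find_cards(text)
    hi, ht = lexicon_hits(text, "health_identifiers"), lexicon_hits(text, "health_terms")
    fi, ft = lexicon_hits(text, "financial_identifiers"), lexicon_hits(text, "financial_terms")
    return {
        "hipaa": bool((hi and ht) or ssns),
        "financial": bool((fi and ft) or cards or ssns),
        "ssn": ssns, "cards": cards, "health": hi + ht, "finance": fi + ft,
    }


if __name__ == "__main__":
    for sample in ("Patient ID 44-0199: diagnosis confirmed, chemotherapy starts Monday.",
                   "Your checking account is ready; please sign the W-2.",  # terms only: no trigger
                   "Card 4111 1111 1111 1111 exp 12/26"):
        print(sample, "->", scan(sample))
```

The second sample sentence contains two financial terms but no financial identifier, so it is not flagged; a keyword-only scanner would have encrypted it, which is exactly the recipient-inconvenience problem the deck warns about.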
Terminology, phrases and patterns in the lexicons come from:
– Preston-Gates-Ellis, LLP
– Gramm-Leach-Bliley Act (GLBA)
– Privacy of Consumer Financial Information Final Rules by:
  – Securities Exchange Commission (SEC)
  – Federal Trade Commission (FTC)
  – Federal Reserve
  – Federal Deposit Insurance Corp (FDIC)
  – National Credit Union Administration
– Collaboration with a Fortune 500 consumer lending corporation
– New York Times Dictionary of Money and Investing
– Juried messages from financial institutions
Lexical Content Detection
Built-in lexicons designed to detect:
– Personal health info
– Personal financial info
– Content specific to MA privacy law
– Content specific to NV privacy law
– Health research
“Personally Identifiable” info contains both:
– something that uniquely identifies an individual
  E.g. SSN, account id, patient id
– financial and/or health info
  Diseases, drugs, treatments, credit card info, financial services
Flexibility to choose what lexicon(s) to use
Email DLP
Typical usage
– If sensitive info is found in the body or attachments:
  Encrypt
  cc: to another inbox (so the privacy officer can keep track)
– If found in the subject line:
  Block
  Return to sender
  Include a message to move the content to the body and resend
Two main types of conditions
– Sender/recipient address or domain
  E.g. From achiu@zixcorp.com to *@xyzpartner.com
– Content
  Keyword (don’t rely only on keywords)
  Lexical content analysis
Typical Rule Set
– Subject line keyword rule to force encryption
– Encrypt from *@* to *@xyzpartner.com
– Plaintext from newsletter@mycompany.com to *@*
– Turn on health and financial lexicons for encryption
– CC: a copy of all messages that were encrypted to privacyOfficer@mycompany.com (an easy way to see how the rule is working)
– Add footer to all outbound email:
  Questions: analysis@zixcorp.com
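The policy model from the "How Email DLP Works" slide and the rules from the "Typical Rule Set" and "Typical usage" slides, as one added example (not ZixCorp's rule language): ordered rules pair a condition (address/domain glob, subject keyword, lexicon flag) with actions, and the engine resolves the combined outcome. The subject keyword, the footer text, the sample messages and the way lexicon results are passed in as flags are assumptions made for the example.

```python
"""Email DLP policy engine: ordered <condition> -> <action> rules with the two
condition types from the slides (sender/recipient address or domain, and
content) and the 'Typical Rule Set'.  Added example, not ZixCorp's rule
language; the subject keyword, footer text and sample messages are constructed,
and the lexicon flags stand in for the output of a lexical scanner."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    sensitive_lexicons: List[str] = field(default_factory=list)  # e.g. ["health"], from body/attachments
    sensitive_in_subject: bool = False                           # lexicon hit in the subject line


@dataclass
class Rule:
    name: str
    condition: Callable[[Message], bool]
    actions: List[str]   # "encrypt", "plaintext", "block", "return:<note>", "footer:<text>"
    final: bool = False  # stop evaluating later rules once this one fires


def addr_match(msg: Message, from_pat: str, to_pat: str) -> bool:
    """Address/domain condition with glob patterns, e.g. from *@* to *@xyzpartner.com."""
    return fnmatch(msg.sender.lower(), from_pat.lower()) and \
        any(fnmatch(r.lower(), to_pat.lower()) for r in msg.recipients)


RULES: List[Rule] = [
    # Subject line keyword rule to force encryption (keyword "[secure]" is constructed)
    Rule("subject-keyword", lambda m: "[secure]" in m.subject.lower(), ["encrypt"]),
    # Encrypt from *@* to *@xyzpartner.com
    Rule("partner-domain", lambda m: addr_match(m, "*@*", "*@xyzpartner.com"), ["encrypt"]),
    # Plaintext from newsletter@mycompany.com to *@*
    Rule("newsletter", lambda m: addr_match(m, "newsletter@mycompany.com", "*@*"), ["plaintext"]),
    # Sensitive info in the subject line: block and return to sender with a note
    Rule("sensitive-subject", lambda m: m.sensitive_in_subject,
         ["block", "return:Move the sensitive content into the message body and resend"], final=True),
    # Health and financial lexicons turned on for encryption
    Rule("lexicons", lambda m: bool({"health", "financial"} & set(m.sensitive_lexicons)), ["encrypt"]),
    # Footer on all outbound email (text is constructed from the slide's contact line)
    Rule("footer", lambda m: True, ["footer:Questions: analysis@zixcorp.com"]),
]


def evaluate(msg: Message, rules: List[Rule] = RULES) -> Dict[str, object]:
    actions: List[str] = []
    matched: List[str] = []
    for rule in rules:
        if rule.condition(msg):
            matched.append(rule.name)
            actions.extend(rule.actions)
            if rule.final:
                break
    actions = list(dict.fromkeys(actions))  # de-duplicate, keeping rule order
    if "plaintext" in actions:   # an explicit plaintext rule overrides encryption rules
        actions = [a for a in actions if a != "encrypt"]
    if "encrypt" in actions:     # cc: a copy of every encrypted message to the privacy officer
        actions.append("cc:privacyOfficer@mycompany.com")
    if "block" in actions:
        disposition = "block"
    elif "encrypt" in actions:
        disposition = "encrypt"
    else:
        disposition = "deliver"
    return {"disposition": disposition, "actions": actions, "matched": matched}


if __name__ == "__main__":
    demo = Message("alice@mycompany.com", ["bob@xyzpartner.com"], "Q3 numbers", "see attached")
    print(evaluate(demo))
```

The cc: to the privacy officer is applied after rule evaluation because its condition is an outcome ("was encrypted") rather than a property of the message; the newsletter rule shows why a plaintext exception must override lexicon hits, otherwise a mailing that mentions refinancing would be pushed through the encryption portal to every subscriber.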
Email DLP
An effective solution should include
– Address government and corporate requirements
– Effective content detection
  Typically only about 5% of emails need to be encrypted
  Avoid false positives
– Minimize recipient inconvenience factor
– Do not make recipients decrypt messages that do not need to be encrypted
– Out-of-the-box lexicons (no need to build yourself)
  Health
  Finance
  SSN, credit card, etc.
– Flexible remediation actions
  Encrypt
  – Push, pull, TLS, PGP, S/MIME
  Block, cc:, Forward, Log
  Inserting custom text
Inbound Scanning
Scenario
– An external party sends your organization an email containing sensitive info
Inbound scanning allows your organization to detect such emails
– Alert an internal contact
– Alert the sender: message received, but next time please use the portal to send encrypted
Help ensure that your business partners’ DLP policies match your own
Summary
Determine what DLP objectives you want to achieve
Email DLP
– How to encrypt messages
– How to deliver messages
Build yourself or SaaS?
– “Expect adoption of SaaS to far outpace market growth through 2014.” – Gartner, July 2010
– Lower costs due to shared infrastructure/support
– Less pain and effort associated with maintenance/upgrades – Gartner, July 2010
What are your peers using?
– Leverage existing infrastructure
Questions?