This piece outlines the challenges associated with data loss prevention (DLP) and offers advice on how to architecturally segment your data to ease this process.
No DLP solution is a silver bullet, and all of them can be problematic. The emphasis and priorities a DLP product is built around may not match your organization's. DLP alerting is often based on obscure rules that are not obvious to the individual administrator, so data can end up leaving anyway. In addition, data tagging is an onerous task, and the volume of new data created every day makes labeling and tagging almost impossible to scale.
For DLP purposes, all existing data must be classified and tagged, and all new data must be tagged on creation. In addition, maintaining that data with the appropriate controls wrapped around it is an extremely non-trivial task.
Third-party partners and supply chain risk management do nothing but exacerbate the issue. How is control maintained around the data when someone else is accessing it?
The real solution to DLP, and the prerequisite data classification issues, is to segregate all data into classification levels and then architecturally segregate the data. While this is a topic that warrants a paper in itself, a short explanation is in
With architectural segregation, all data is segregated by classification level (public, internal, restricted, etc.) and then each classification of data is segregated into its own:
In other words, data at any level of classification is stored, used, transported, and processed by a dedicated set of components: one location, machine, line and program per level of data. If an application is used to process data at two different levels of classification, split the application, and spin up separate instances to separate the data classification levels.
This way, every piece of data run on a restricted system is automatically restricted, and any piece of data that traverses the line connected to a restricted system is classified as restricted, etc. Every data flow diagram becomes extremely granular.
In some cases, this presents difficulties for inter-application data flows, but those sets of circumstances should be thought through carefully in the first place.
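A small checker for the rule just described, added here as an example and not code from the IANS post: every component is dedicated to one level, a data set inherits the highest level of anything it is stored on, traverses or is processed by, and any path that hops between levels is flagged for the split described above. The inventory, component names and level names below are constructed.

```python
from dataclasses import dataclass

# Classification levels from low to high (the post's public / internal / restricted).
LEVELS = {"public": 0, "internal": 1, "restricted": 2}

@dataclass(frozen=True)
class Component:
    name: str   # a location, machine, network line or program instance
    level: str  # the single classification level it is dedicated to

@dataclass(frozen=True)
class DataFlow:
    data: str      # identifier of the data set
    declared: str  # classification its owner tagged it with
    path: tuple    # component names it is stored on, traverses and is processed by, in order

def effective_level(flow, components):
    """Data takes on the highest level of any component it runs on or traverses."""
    return max((components[n].level for n in flow.path), key=LEVELS.get)

def check_segregation(flows, components):
    """Return (data, rule, detail) findings for flows that break per-level segregation."""
    findings = []
    for f in flows:
        # Rule 1: a dedicated path never hops between classification levels.
        for a, b in zip(f.path, f.path[1:]):
            if components[a].level != components[b].level:
                findings.append((f.data, "cross-level hop", f"{a} -> {b}"))
        # Rule 2: data handled on a higher-level component is reclassified upward.
        eff = effective_level(f, components)
        if LEVELS[eff] > LEVELS[f.declared]:
            findings.append((f.data, "reclassified", f"{f.declared} -> {eff}"))
    return findings

# Constructed inventory: one program, line and store per level (names are made up).
COMPONENTS = {c.name: c for c in [
    Component("pub-web", "public"), Component("pub-net", "public"),
    Component("int-app", "internal"), Component("int-net", "internal"), Component("int-db", "internal"),
    Component("res-app", "restricted"), Component("res-net", "restricted"), Component("res-db", "restricted"),
]}
FLOWS = [
    DataFlow("press-release", "public", ("pub-web", "pub-net")),               # clean
    DataFlow("payroll-export", "internal", ("int-app", "res-net", "res-db")),  # crosses a level boundary
    DataFlow("staff-list", "internal", ("res-app", "res-db")),                 # handled on restricted gear
]
```

Run `check_segregation(FLOWS, COMPONENTS)` over a real inventory export to list the flows that need splitting and the data sets whose tags no longer match where they actually live.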
This architectural segregation of data, into deeply separated systems, also allows for grouping of break-glass credentials and automatically classifies data as an added benefit. It's similar to the Payment Card Industry (PCI) cardholder data environment (CDE) segmentation, or the U.S. government's NIPR/SIPR/High Side segregation of data.
Thinking any data loss prevention solution is a silver bullet and that all paths to data exfiltration are closed is a potential pitfall. There are always ways to exfiltrate data. From camera phones, hidden cameras, and narrative clips to simply memorizing it and writing it down later – there is always a way. The goal is to control access, segregate classification levels and maintain proper processes to handle generated or obtained data, its storage, processing, visualization, and disposal. To get started, consider
September 29, 2022
By IANS Faculty