Data loss prevention (DLP) solutions with document encryption
By Simon Thorpe on Sep 24, 2010
This week a new data sheet was approved which details the work done so far on integrating Oracle's industry leading document security solution with the top DLP vendors. The content of the data sheet is below and available as a PDF at the end of the article.
Organizations face the ongoing challenge of protecting their most sensitive information from being leaked. Two of the most popular solutions used to address this problem are Data Loss Prevention and Enterprise Rights Management. This datasheet explains how these technologies are highly complementary and advises how they can most effectively be used together to provide a complete data leakage solution. It also describes the integrations today between Oracle Information Rights Management and the DLP products from Symantec, McAfee, InfoWatch and Sophos.
Data Loss Prevention
Data Loss Prevention (DLP) technologies aim to prevent leaks of sensitive information. They do so by discovering sensitive information at rest, and monitoring and blocking sensitive information in motion, using content-aware scanning technology. The discovery, monitoring and blocking DLP components run either on the network (servers reaching out to scan repositories or intercepting network information flows) or on endpoints (end user computers or laptops).
Information Rights Management
Information Rights Management (IRM) also aims to prevent leaks of sensitive information. It does so by encrypting and controlling access to sensitive documents (and emails) so that regardless of how many copies are made, or where they proliferate (email, web, backups, etc.), they remain persistently protected and tracked. Only authorised users can access IRM-encrypted documents, and authorised users can have their access revoked at any time (even to locally made copies).
Complementary Solutions to Similar Problems
DLP and IRM address very similar problems, but in different and complementary ways:
- DLP is well suited to situations where an organisation doesn't know where its sensitive information is being stored or sent. Content-aware DLP can map the proliferation of this sensitive information and direct remedial efforts, such as tightening existing access controls using blocking, quarantining or encrypting.
- Out-of-the-box DLP remedial actions often prove to be disruptive to business workflows. Sensitive information is required for collaboration with certain third parties; configuring DLP to permit only the desired collaboration whilst preventing other data loss proves to be almost impossible.
- Also DLP provides decisions about content at a point in time, e.g. can this user email this research document to a partner? However, 6 months later the organization may sever ties with the partner at which point the DLP rule may change; but this doesn't affect all the information that has flowed to this partner over the past 6 months. DLP cannot retroactively block access to information that it has previously been allowed to pass beyond its control to third parties.
- Thus DLP customers are looking for a technology to allow secure collaboration triggered by their DLP solution.
- IRM is well suited to situations where an organisation has relatively well defined business processes involving sensitive information, e.g. sharing intellectual property with partners, financial reporting, M&A, etc.. IRM-encrypting sensitive documents or emails ensures that all copies remain secured, regardless of their location.
- IRM continues to work beyond the enterprise firewall or enterprise endpoints, so authorised end users on partner or home networks or endpoints can use IRM-encrypted documents without being able to make unencrypted copies. This access can be audited and revoked at any time, leaving previously authorised users with useless encrypted copies. IRM provides persistent protection, which means that you can revoke access to information at any time. One simple change in an IRM system can stop access to millions of documents shared with partners, customers or suppliers.
- IRM protection requires any document to be encrypted. This can be manually actioned by an end user according to a corporate policy, but this reliance on a manual process may result in reduced uptake. To aid uptake and enforce policy many organizations automate the process via integrations with content management systems and enterprise applications. However many other sensitive documents are collaborated with that fall outside these perimeters.
- Thus IRM customers are looking for a technology to detect sensitive data and trigger the IRM encryption process.
Integration Use Cases
From the above it should be clear that the combination of DLP and IRM will be more effective than either solution in isolation.
- DLP-discover and IRM-encrypt data at rest
DLP is used to discover the proliferation of sensitive information (on endpoints and servers) and classify it in terms of its relative sensitivity. Sensitive classifications can then be IRM-encrypted to have persistent access rights in line with enterprise information security policy. For example DLP discovers a set of financial documents stored in a public file share and automatically protects them against an IRM classification that allows only the finance group to open the documents. The documents stay where they are, but IRM enforces the access controls.
- DLP-monitor and IRM-encrypt data in motion
This time DLP monitoring is used to detect sensitive outbound information flows and to add IRM encryption as a remedial action for policy violations. For example a user attempts to email a sensitive document to a supplier, DLP detects this and uses IRM to protect the document but allows the email to continue onto its destination.
- DLP discovery of IRM-encrypted information at rest
It is important that DLP scanners be enabled to scan IRM-encrypted documents and emails. This can be shallow scans (which verify the document is IRM-encrypted and check the IRM classification) to enable controlled sharing of suitably IRM-encrypted documents, or deep scanning (which temporarily decrypts the IRM-encrypted content) to verify that documents are encrypted to the correct IRM classification.
- DLP monitoring of IRM-encrypted information in motion
Shallow scanning of IRM-encrypted documents could be used to ease potentially disruptive DLP blocking of sensitive outbound content. Certain IRM classifications could be allowed outbound while others could be blocked. Deep scanning could be used to add in content-aware policies and ensure consistency between DLP and IRM policies.
Integrating with DLP Vendors
Oracle has been requested by several customers and partners to integrate Oracle IRM with the leading DLP Vendors' solutions. Whilst all four of the above integration use cases are being scheduled on both Network and Endpoints, work has already been done today to support the following functionality.
Symantec DLP and Oracle IRM
Oracle and Symantec have collaborated to provide a solution that allows DLP to discover and automatically call IRM to encrypt data at rest. This results in sensitive documents being identified by DLP and then automatically encrypted with IRM. The encrypted files can then remain in their original location rather than being quarantined, but can only be opened by authorized users. The DLP product can also discover and monitor IRM-encrypted documents and then audit, quarantine or take no action depending on policy and context.
McAfee DLP and Oracle IRM
McAfee's Data Loss Prevention quickly delivers data security & actionable insight about the data at rest, in motion and in use across your organization. Protecting data requires comprehensive monitoring and controls from the USB drive to the firewall. The powerful combination of McAfee DLP and Oracle IRM automates the process of protecting your data, giving you confidence that policies are enforced consistently wherever your data needs to travel.
InfoWatch DLP and Oracle IRM
Oracle and InfoWatch have collaborated to provide a solution that controls information transferred via removable storage, optical media, web uploads and emails with attachments; as well as inspects contents of IRM-encrypted files and messages. The solution applies policies to prevent sensitive information leakage. A flexible policy can be configured to enforce IRM-encryption of sensitive emails. Digital fingerprinting of the IRM-encrypted content ensures that no parts or quotes of IRM-protected documents can leak outside the corporate network.
Sophos DLP and Oracle IRM
Oracle and Sophos have collaborated to provide a solution to control the transfer of IRM-encrypted information via removable storage, optical media, web uploads and email attachments. A policy can be configured to simply audit the transfer of IRM protected files or, if required, authorise the transfer of IRM protected files and block the transfer of non-IRM protected files.
And you can download the PDF version of this data sheet.