To begin, a short introduction, boring and formal as it should be. Information rules the world. Information is more precious than gold. What other hackneyed idea can we bring in to confirm a thesis that no one doubts anyway?
Information has a tendency to leak, and usually to competitors. To keep your information yours, it must be protected. We list three main ways to protect it and look at the pros and cons of each. And so that you can talk on equal terms with your head of IT security, we add a portion of clever words describing these methods in professional terms.
The first way. You can build a wall, cut a gate in the wall, put a sentry at the gate, and have him stick his nose into every document that anyone tries to carry out past the wall. If the document looks secret, the gate closes and the security chief is called.
Clever words. This method is called boundary DLP (Border DLP). It is clear why "boundary": we forbid documents to leave the boundaries of our organization. The abbreviation DLP stands for Data Leak Prevention. Documents are identified as secret either by file name (a simple but unreliable method, because a file is very easy to rename) or by content. In the second case a so-called signature is calculated - a binary sequence that is unique for each source document. When a document tries to leave the organization in any way (over the network, on a USB flash drive, by mail, and so on), its signature is calculated and compared with the database of protected documents. If the signature is found in the database, the operation is blocked and IT security is notified.
Pros. Such a system is quite simple to build, so there are many of them on the market and they are relatively inexpensive.
Cons. A document does not have to leave the organization over the network or by mail. There are alternative ways. First, you can read it and remember it. Second, you can take a screenshot and send that by mail. Third, you can photograph the document while it is open on the monitor. Fourth, you can change the document itself: it will no longer match the signature, which means the system will notice nothing.
Conclusion. Whether to pay for such a system is for you to decide. As a supplement, it may fit. The only problem is that two systems of the same type that work differently often tend to conflict.
The second way. You can skip the wall (why be so strict?) and instead attach a secret service officer to each employee, to follow him around and keep an eye on which documents he tries to read. The moment he wants to open a prohibited document, the officer grabs him by the sleeve, the secret document goes back on the shelf, and the violator is sent to the proper place.
Clever words. This variant of DLP is called agent DLP (Agent DLP). An agent is installed on every computer in the organization and monitors any attempt to work with any document (opening, copying, deleting, printing, etc.). On each such attempt it calculates the document's signature and compares it with the signature database. If the document is protected, the agent determines which user is trying to work with it and whether that user has the right to perform the operation. If the user has the right, the operation is performed; if not, it is blocked and the security service is notified.
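The checks described for boundary DLP and agent DLP, sketched as an added example that is not code from any DLP product. SHA-256 as the signature, the sample document, the user names and the alerts list are all assumptions made for illustration.

```python
import hashlib

def signature(content: bytes) -> str:
    """Content signature. SHA-256 is an assumption; the article names no algorithm."""
    return hashlib.sha256(content).hexdigest()

# Constructed sample data: one protected document and its per-user rights.
SECRET = b"Q3 pricing plan: confidential"
PROTECTED = {signature(SECRET): "pricing-plan"}            # signature database
RIGHTS = {("pricing-plan", "alice"): {"open", "print"},
          ("pricing-plan", "bob"): {"open"}}
alerts = []  # stands in for notifying IT security

def boundary_check(filename: str, content: bytes, channel: str) -> bool:
    """Boundary DLP: True if the document may leave via channel (network, usb, mail)."""
    doc = PROTECTED.get(signature(content))
    if doc is None:
        return True  # signature not in the database
    alerts.append(f"blocked {doc} leaving via {channel} as {filename}")
    return False

def agent_check(user: str, operation: str, content: bytes) -> bool:
    """Agent DLP: True if this user may perform this operation on the document."""
    doc = PROTECTED.get(signature(content))
    if doc is None:
        return True  # not a protected document
    if operation in RIGHTS.get((doc, user), set()):
        return True
    alerts.append(f"blocked {user}: {operation} on {doc}")
    return False

if __name__ == "__main__":
    # The file name plays no part: the signature is computed from the content.
    print(boundary_check("holiday.txt", SECRET, "usb"))          # False
    # Limitation noted in the article: an edited copy has a different
    # signature, so the database lookup no longer recognizes it.
    print(boundary_check("plan.txt", SECRET + b" v2", "mail"))   # True
    print(agent_check("alice", "print", SECRET))                 # True
    print(agent_check("bob", "print", SECRET))                   # False
    print(alerts)
```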
Pros. With this method you can really protect documents. They cannot even be opened, and if a document cannot be opened, its contents cannot be read. Although, if the main goal is precisely to prohibit the opening of documents, there is a fairly standard mechanism for that: access rights on files in Windows.
Cons. Oddly enough, there are plenty of them. First, an agent runs on every computer on the network, which does nothing good for overall computer performance. Network performance also suffers, because each computer periodically contacts the database of document signatures (the database is, of course, stored locally on the computers, but it must be updated periodically). Second, before each document is opened, copied or printed, its signature is calculated and compared and other actions are performed, which on average hardware can add delays of 1–5 seconds (or even more) between the start of the operation and its execution. Third, the system needs to be configured: you must specify all the files that need to be protected and the access rights to them for different users. And finally, the money. A license for each agent is not cheap: $50-100, and closer to $100 than to $50. At the same time, you need to buy a license for every computer, otherwise someone can sit down at an unprotected machine and get access to the files.
Conclusion. A good approach if the cons are irrelevant for you. It works with any documents, but is not effective in all situations.
The third way. You can skip the walls and spend no money on spies. Just encrypt the documents. What use is a document that cannot be read? If you want to read it, go to the key store, where your identity will be checked and a key issued. But even with the key you are not omnipotent if it does not allow the document to be printed or modified.
Clever words. Each company calls this technology differently, but there is a common name: DRM (Digital Rights Management). The technology is implemented by embedding the encryption / decryption mechanism in the standard programs for viewing and editing documents. For Microsoft, these are most of the programs included in Office: Word, Excel, PowerPoint, Outlook; for Adobe - Acrobat and Acrobat Reader. When an attempt is made to open a document, the client part sends information about the document and the user opening it to the key server, which stores information about the rights of various users to access various documents. If the user has the right of access, a key is sent, with which the client, unnoticed by the user, decrypts the document and makes the permitted operations available. That is, if the rights are set to “View Only”, printing the document will not work.
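The key-server exchange described above, as an added example that is not code from Microsoft, Adobe or any DRM product. The class names, document id and users are hypothetical, and the keystream XOR is a toy stand-in for the vetted cipher a real product would use.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher for illustration only: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class KeyServer:
    """Stores document keys and the operations each user may perform."""
    def __init__(self):
        self.keys, self.rights = {}, {}

    def protect(self, doc_id: str, plaintext: bytes, rights: dict) -> bytes:
        self.keys[doc_id] = secrets.token_bytes(32)
        self.rights[doc_id] = rights
        return keystream_xor(self.keys[doc_id], plaintext)

    def request_key(self, doc_id: str, user: str):
        """Return (key, allowed operations), or None if the user has no rights."""
        allowed = self.rights.get(doc_id, {}).get(user)
        return (self.keys[doc_id], allowed) if allowed else None

class Client:
    """Viewer with decryption built in; the user never handles the key."""
    def __init__(self, server: KeyServer, user: str):
        self.server, self.user = server, user

    def perform(self, doc_id: str, ciphertext: bytes, operation: str):
        grant = self.server.request_key(doc_id, self.user)
        if grant is None or operation not in grant[1]:
            return None  # no key issued, or operation not permitted
        return keystream_xor(grant[0], ciphertext)

def demo():
    server = KeyServer()
    # Constructed sample document with "view only" rights for the analyst.
    blob = server.protect("board-minutes", b"constructed sample text",
                          {"ceo": {"view", "print"}, "analyst": {"view"}})
    analyst, outsider = Client(server, "analyst"), Client(server, "intern")
    return (analyst.perform("board-minutes", blob, "view"),
            analyst.perform("board-minutes", blob, "print"),
            outsider.perform("board-minutes", blob, "view"))

if __name__ == "__main__":
    print(demo())  # (b'constructed sample text', None, None)
```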
Pros. Protected emails in Outlook open noticeably slower than usual, but in general this technology performs well in terms of speed and hardly loads the computer or the network.
Cons. I said for a reason that every company calls this technology by its own name. Each company also implements it in its own way. Microsoft Office documents are protected with Microsoft Office software (preferably a specific version of Office), and Adobe PDF with, yes, you guessed it, software from Adobe. And if you want to open a document on a work laptop that you took home, make sure that the servers are accessible from outside your organization.
Conclusion. The solution is generally good, but very niche. It is needed in cases where there is a small number of documents to protect, the documents are in a uniform format, and the same version of the client software is installed for all employees who will work with them (for example, the top management of the company). For mass use the solution is rather cumbersome and inefficient.