At Nektra we develop custom DLP solutions that can be run as individual components or integrated into third party products. In our comments below we focus on critical capabilities: mobile, BYOD, cloud, operating system coverage, and compliance regulation. We built a feature comparison matrix for data loss prevention products to gain a better understanding of the products currently available on the market. It is available in Google Sheets or pdf form. It is a good starting point for organizations looking to acquire DLP products and will save them a lot of time comparing vendors.
How Data Loss Prevention (DLP) can be applied to mobile devices
Demand for Bring Your Own Device (BYOD) infrastructure is on the rise. BYOD allows sensitive data to be synced and shared across employees’ mobile devices and allows private and business apps to be used at the same time. However, not all DLP vendors offer integrated solutions for mobile situations. The design of mobile operating systems often restricts the visibility and enforceability of security capabilities, making mobile DLP a special challenge.
A complete DLP solution for mobile devices must address:
- Risk of device loss
- Insecure hardware
- OS’ with different security standards and reputations
- The use of employee-owned devices (BYOD)
- The separation between private and business use (Dual Persona)
- Ex-employee access to sensitive data (Remote Data Wipe)
- Installation of insecure apps (Whitelisting)
- Absence of antimalware
- Access to unsecured networks and access points (Virtual Private Networks)
- Unapproved and public cloud services
DLP Hardware
To protect mobile hardware, Samsung uses TrustZone Integrity Measurement Architecture (TIMA) in Samsung KNOX. TIMA acts as a buffer between the Android OS Kernel and the mobile processor and uses hardware-based mechanisms to isolate business data[1].
The Boeing Black, the Blackphone 2, and the Theorem embed advanced hardware security features for the defence and government communities[2]. The Boeing Black is approved for the US Department of Defense and has a self-destruct feature, deleting all data when someone attempts to open the case.
Vendors like MobileIron add more functionality to Samsung KNOX devices with their own Enterprise Mobility Management (EMM) platform[3].
Non-physical containerization for DLP
To protect the sensitive data of businesses, non-physical containerization can be adopted at various levels on mobile devices. In a sandboxing approach, business apps run in one isolated container, and security policies apply to all apps in that container. A more fine-grained approach is to use application-based containers where policies can be adjusted individually. To configure the policies, vendors offer specific Software Development Kits (SDKs).
Recent advances in the iOS, Android and Windows operating systems offer an alternative to proprietary methods by building Mobile Application Management (MAM) and containerization capabilities into the operating system itself[4].
Virtual Private Networks (VPNs) like those used by Symantec[5] and RSA[6] complement the existing mobile device management (MDM) system to protect the communication of mobile devices, including iPhones and iPads which are often left unprotected. BYOD devices using desktop and application virtualization technology from Citrix or VMware can be protected by DeviceLock’s Virtual DLP, which fully controls virtual corporate environments[7].
In addition to conventional DLP methods, such as encryption and monitoring, further measures can be deployed to safeguard business applications and corporate data. These methods include remote data wiping from past employees or stolen devices, as well as app and URL whitelisting, copy/paste DLP, stripping, geofencing, two-factor-authentication (2FA), device locking, and anti-malware.
Keeping up to date about new security risks
Current trends will increasingly affect all Internet of Things (IoT) and wearable devices. Environments with new access points like smartwatches or fitness trackers will be the next target for protection coverage. Security strategies must be designed to keep employees and technology updated as new security risks arise. Employees must follow best-practices to preempt security breaches[8]. Last but not least, employees should know how to keep their personal data private.
Regulatory compliance
Countries establish laws and regulations which protect the private data of employees, customers and patients. Substantial fines are imposed for failure to comply or when data is misused. To conform to recent regulatory changes and to prevent infringement, DLP products must be frequently updated. This can be a complex task if the product is sold in many countries, and provides an interesting opportunity for niche players to develop products for specific countries.
Adapting DLP to small and medium-sized enterprises (SMEs)
SMEs are also vulnerable to cybercrime and subject to tight compliance and regulatory mandates, but state-of-the-art DLP technology is too complex and expensive for most.
A full DLP solution for a multinational corporation can cost up to $500,000[9] for three years. If vendors want to enter the SME sector, they need to adapt their products, services and prices to the needs and budgets of SMEs. The creation of new formats such as Pay-Per-Use, Software as a Service (SaaS) and services without the need for dedicated IT personnel, could be one way to go.
DLP for the cloud
Companies are often sceptical about entrusting their most carefully guarded business secrets to cloud services, SaaS, and file sharing services like Microsoft OneDrive, Google Drive, Box and Dropbox. On the other hand, the outstanding benefits of cloud computing are undeniable: flexibility, scalability, collaboration, mobility, remote access and BYOD compatibility. Reliable DLP security for the cloud is a challenging and growing market; 90% of DLP violations happen in cloud storage apps[10]. This means that it is important for companies to feel confident when data is leaving their premises. To ensure adequate protection, the DLP vendor must know the data model, sharing semantics and access rights of the cloud service he or she wants to protect. Or, alternatively, the cloud provider must integrate its own DLP mechanisms. Symantec currently offers a cloud security product called Symantec DLP 14 and collaborates closely with Box and Microsoft Office 365[11]. Netskope offers another DLP service for the cloud which monitors cloud apps and shadow IT[12]. Finally, CloudCodes secures Google Apps by enforcing security policies using Cloud Access Security Brokers (CASBs)[13].
OS X
According to Zoran Cocoara of CoSoSys[14], OS X has recently become an important attack vector and deserves DLP mechanisms. CoSoSys, McAfee, Digital Guardian, and others now offer DLP solutions for OS X. However, since there are still significantly fewer security solutions available for OS X than for other OS’, companies’ IT teams often leave out security measures for Macs. Macs sharing the same network with PC’s thus become a risk factor.
Niche market
New situations and vulnerabilities which are not covered by the standard DLP products arise from the combination of on-premises DLP, SME needs, mobile use, BYOD infrastructure and cloud computing. New niche products with special features are needed to address these vulnerabilities.
For example, if hospital employees use a specific mobile device to manage patient data on the cloud, a special feature could be implemented to apply kiosk policies and prevent patient data loss. The users of the mobile device would not be able to use browsers or other apps. An administrator would be able to set exact specifications and lock apps.
The increasing demand for individual solutions generates a highly fragmented market and encourages smaller vendors to operate as niche players.
At Nektra, we specialize in custom solutions for the DLP market. These are some examples of our work:
- Developing Microsoft Outlook, Ootw/OWA, and Office 365 add-ins to prevent leaks of information in emails and attachments
- Developing Microsoft Windows drivers to limit access to files depending on their content
- An API which restricts Microsoft Windows system shortcuts, blocks execution of alien applications, and disables execution on virtual machines
Conclusion
It is difficult to find a single product that covers the full spectrum of data loss prevention needs. Our data loss prevention products matrix helps customers and vendors understand the full array of available features and make an informed choice.
This work by Nektra Advanced Computing is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
References
[2] http://www.zdnet.com/pictures/the-most-secure-smartphones-in-the-world-pictures
[3] https://www.mobileiron.com/en/solutions/multi-os-management/android/knox-solution
[5] http://searchsecurity.techtarget.com/feature/How-to-deploy-the-right-DLP-products-for-the-right-jobs
[6] http://www.emc.com/collateral/data-sheet/h12413-rsa-dlp-for-byod-ds.pdf
[7] http://www.devicelock.com/products/byod-virtual-dlp.html
[10] http://www.infosecurity-magazine.com/news/90-data-loss-prevention-violations/
[12] http://security-musings.blogspot.com.ar/2015/04/comparing-cloud-access-security-broker.html
[13] https://www.cloudcodes.com
[14] https://www.helpnetsecurity.com/2015/05/06/the-importance-of-data-loss-prevention-for-os-x
Permalink