By Henrique Kodama
INTRODUCTION
Today, to operate their business model, most companies store and use information and also handle and process it, often including personal information (such as employee or customer data). This handling of sensitive information may be necessary for validation, registration, storage, or other purposes. Regardless of the purpose, every unit that handles this information must follow regulations and standards, as can be seen in the General Personal Data Protection Law (LGPD), which has recently gained more visibility.
LGPD focuses mainly on personal data. Still, other regulations aim to protect sensitive information, such as PCI-DSS for payments and the financial sector, HIPAA for personal health information, and SOX for investors and public companies. Many of these regulations originate in the USA and apply to any company with activities in its territory, so a multinational company can be affected by them. It is also common to find situations where, for example, a national hospital is interested in complying with HIPAA even though it does not necessarily have a legal requirement to do so.
The purpose of this article is to discuss how the concepts, policies, and technologies of data loss prevention (DLP, as it will be referred to from now on) can help organizations with the different regulations they may be subject to, bringing the discussion closer to practical examples. A major focus will be given to the following regulations:
- General Personal Data Protection Law (LGPD)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX)
Nothing, however, prevents the model and its execution from being extended to other regulations.
DLP TECHNOLOGY
One of the goals of DLP technology is to prevent sensitive and/or valuable data from leaking out of the organization, regardless of the reason. Numerous information leak prevention tools are available on the market, each with different functionality and configuration options. Despite the differences, many are configured through policies that consider the following aspects:
- Detection: What should be protected?
  Ex: E-mails, Social Security numbers, credit cards, organization’s plans, results, etc.
- Destination: Where should the content not be sent?
  Ex: To any destination outside the organization, to competitors.
- Output means: What should the tool track?
  Ex: E-mail body, file upload to the Web, copy to an external directory.
- Applied group: To whom will the rule be applied?
  Ex: To the whole organization, only a specific area, only the executive team.
- Exceptions: Who is allowed to send, or who can receive?
  Ex: A contracted consultancy, the HR area that sends employee relations.
When combined, we would have something like this:
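As an added illustration (example code written for this edit, not the original article's diagram or any vendor's product), the five aspects can be modelled as one rule and evaluated against events; the group names, domains and the "plans" keyword pattern are assumptions, and the IP address regex is the one quoted in the LGPD section below.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the original article): the five policy aspects above
# modelled as one rule and evaluated against constructed events.

@dataclass
class Policy:
    detection: list            # what to protect: compiled regexes
    internal_domains: set      # destinations inside the organization
    channels: set              # output means the tool tracks
    applied_groups: set        # to whom the rule applies ("all" = everyone)
    exempt_groups: set = field(default_factory=set)      # e.g. the HR area
    exempt_recipients: set = field(default_factory=set)  # e.g. a contracted consultancy

@dataclass
class Event:
    sender_group: str
    recipient_domain: str
    channel: str
    content: str

def evaluate(policy: Policy, event: Event) -> tuple:
    """Return (action, reason) for one event under one policy."""
    if event.channel not in policy.channels:
        return "allow", "output means not tracked"
    if "all" not in policy.applied_groups and event.sender_group not in policy.applied_groups:
        return "allow", "group not in scope"
    if event.recipient_domain in policy.internal_domains:
        return "allow", "destination inside the organization"
    if event.sender_group in policy.exempt_groups:
        return "allow", "sender group is an exception"
    if event.recipient_domain in policy.exempt_recipients:
        return "allow", "recipient is an exception"
    hits = [p.pattern for p in policy.detection if p.search(event.content)]
    if not hits:
        return "allow", "no sensitive content detected"
    return "block", "detected: " + "; ".join(hits)

# Detections: the IP address regex quoted in the LGPD section of this article,
# plus a constructed keyword pattern standing in for the organization's plans.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")
PLANS = re.compile(r"\b(?:roadmap|confidential)\b", re.IGNORECASE)

RULE = Policy(                               # constructed rule: nothing sensitive leaves the organization
    detection=[IPV4, PLANS],
    internal_domains={"corp.example"},
    channels={"email", "web_upload"},
    applied_groups={"all"},
    exempt_groups={"hr"},
    exempt_recipients={"consultancy.example"},
)

if __name__ == "__main__":
    print(evaluate(RULE, Event("engineering", "competitor.example", "email", "staging host 10.0.0.12")))
```

The order of the checks mirrors the list above: an event is only blocked when the channel is tracked, the sender is in scope, the destination is external, no exception applies, and a detection fires.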
In addition to the detections mentioned, it is possible to index sensitive documents and to build detection from an information-mapping exercise: interviews are held with the areas of the organization to understand their processes and how the information these areas handle is treated, stored, and transited. Knowing the activities of the area and the directories it accesses, it is possible to point out directories of confidential files to be indexed and used for detection in the tool. Based on Tempest Security Intelligence’s experience with customers, this approach is effective and brings positive results. This well-established structure combines the mapping of information with other policies, such as those described below.
To structure the policies, it is recommended to know both the requirements established by the standard and the DLP concepts. Each alternative can then be evaluated to decide whether it should be implemented and controlled by the DLP technology, since a layered security approach is possible and recommended. Other technologies can often perform the same function as a DLP tool more efficiently and with less demand on hardware resources, and this path is encouraged; device control, for example, can be done more efficiently by the antivirus.
The next sections introduce these standards and propose appropriate policies to address them.
GENERAL LAW FOR THE PROTECTION OF PERSONAL DATA (LGPD)
The LGPD is a recent law aimed at giving Brazilian citizens greater control over the treatment of their personal data. It applies to all handling of personal data collected within the national territory and to businesses that offer services and products to people in Brazil. With the new law, organizations will only be able to store personal data with the express authorization of the data subjects.
According to LGPD, personal data is any information that allows identifying an individual, directly or indirectly, through Name, Social Security Number, Employer Identification Number, ID, Gender, Telephone Number, Address, or IP Address.
DLP technology can contribute greatly to compliance with the law, as the organization will find it easier to register and control the output of its data and to prevent personal information from becoming public. Some of the information mentioned above, such as Names and Addresses, is extensive and harder to map, and a word dictionary may be the more promising strategy there. Information with a standard format, on the other hand, can be identified using regular expressions (regex). Below are a few examples of detection that can be used:
- Name: Word dictionary with the first and last names.
- SSN: \b\d{1,3}[\s.=_;:-]?\d{3}[\s.=_;:-]?\d{3}[\s.=_;:-]?\d{2}\b
- EIN: \b\d{2}[\s.=_;:-]?\d{3}[\s.=_;:-]?\d{3}\/\d{4}[\s.=_;:-]?\d{2}\b
- ID: \b\d{1,2}[\s.=_;:-]?\d{3}[\s.=_;:-]?\d{3}[\s.=_;:-]?(\d{1}|X|x)\b
- Gender: Dictionary of words with possible genders.
- Telephone: \b(\+?\(?55\)?[ ]?)?\(?(11|12|13|14|15|16|17|18|19|21|22|24|27|28|31|32|33|34|35|37|38|41|42|43|44|45|46|47|48|49|51|53|54|55|61|62|63|64|65|66|67|68|69|71|73|74|75|77|79|81|82|83|84|85|86|87|88|89|91|92|93|94|95|96|97|98|99)?\)?[ ]?[9]?\d{4}\-?\d{4}\b
- Address: Dictionary of words referring to addresses.
- IP Address: \b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
For regex detections, besides relying on the pattern logic, it is recommended to use a validator offered by the DLP tool to separate valid from invalid sequences. For example, besides detecting the SSN through regex, it is necessary to apply its validator, which verifies the integrity of the check digit. Some tools allow custom validators to be implemented, but most have their own built-in validators that can be selected during configuration.
As a point of attention for word dictionaries, it is advisable to combine keyword hits with other information rather than relying on keywords alone, such as requiring 3 of the address keywords together with an ID.
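The regex-plus-validator detection and the keyword correlation described above, as added example code (written for this edit, not from the article or any DLP product). It assumes that the 3-3-3-2 digit layout of the SSN pattern quoted above is the Brazilian CPF and therefore uses the CPF modulus-11 check-digit algorithm as the validator; the address dictionary and the sample text are constructed.

```python
import re

# Added example (not from the original article): the SSN regex quoted above
# combined with a check-digit validator and the keyword correlation recommended
# as a point of attention. Assumption: the 3-3-3-2 layout of that regex is the
# Brazilian CPF, so the CPF modulus-11 algorithm is used as the validator.

SSN_PATTERN = re.compile(r"\b\d{1,3}[\s.=_;:-]?\d{3}[\s.=_;:-]?\d{3}[\s.=_;:-]?\d{2}\b")

# Constructed address dictionary (Portuguese, as the article targets LGPD).
ADDRESS_WORDS = {"rua", "avenida", "bairro", "cep", "apartamento"}

def check_digits_valid(digits: str) -> bool:
    """Modulus-11 check of the two trailing check digits of an 11-digit number."""
    if len(digits) != 11 or not digits.isdigit() or len(set(digits)) == 1:
        return False   # sequences like 111.111.111-11 pass the arithmetic but are not issued
    for position in (9, 10):                       # first, then second check digit
        weights = range(position + 1, 1, -1)       # 10..2, then 11..2
        total = sum(int(d) * w for d, w in zip(digits[:position], weights))
        remainder = total % 11
        expected = 0 if remainder < 2 else 11 - remainder
        if int(digits[position]) != expected:
            return False
    return True

def find_ids(text: str) -> list:
    """Regex hits that also pass the validator, returned as plain digit strings.

    Separators are stripped so formatted and unformatted sequences are both
    covered (no shadow), and a dropped leading zero is restored by padding.
    """
    found = []
    for match in SSN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", match.group()).zfill(11)
        if check_digits_valid(digits):
            found.append(digits)
    return found

def correlated_hit(text: str, min_keywords: int = 3) -> bool:
    """True when a valid ID appears together with at least min_keywords address words."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return bool(find_ids(text)) and len(words & ADDRESS_WORDS) >= min_keywords

# Constructed sample: one valid formatted ID, one with a wrong check digit,
# and the same valid ID exported without separators.
SAMPLE = ("Cadastro: 529.982.247-25, rua das Flores, bairro Centro, cep 01000-000\n"
          "Ticket 529.982.247-26 opened at 10:45\n"
          "Raw export 52998224725")
```

On the sample, the regex alone fires three times, while the validator keeps only the two genuine sequences and drops the one with a wrong check digit.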
PAYMENT CARD INDUSTRY – DATA SECURITY STANDARD (PCI-DSS)
This standard consists of 12 essential requirements with 250 controls, ranging from basic security measures and password updates to the development and maintenance of secure application systems. It is a set of policies and procedures adopted to protect cardholder data and is mandatory for organizations that process, store, and transmit card data over the Internet. Among its requirements, a DLP tool can help meet the following:
Requirement 3 – Protect stored cardholder data.
The organization must protect the Personally Identifiable Information (PII) of cardholders whose data is processed, transacted, or stored within the organization.
Rules for identifying PII can be created and run through a Discovery process across the entire network and organization to find out where the data is stored, used, and transferred.
A strategy can also be based on the vulnerabilities found, tackling them first so that the tool is used and the risk is combated more efficiently.
Requirement 7 – Restrict access to the cardholder data according to the business knowledge needs.
A DLP tool can be configured to monitor cardholder data exposure and attempted leaks, restricting access to the PII of individual and corporate cardholders. This can also be achieved with Discovery of sensitive information within the organization, where the technology can detect and remove, or even encrypt, the information.
Requirement 10 – Track and monitor all access related to network resources and cardholder data.
Track and monitor all access to network resources and cardholder information. Companies should record all security events on servers and critical systems.
DLP tools keep logs of the leakage of information identified as sensitive. Even though the tools are not a log management system, it is still possible to monitor the events happening in all the phases described above to understand better what has happened. Arranging the rules, policies, and groupings can make it easier to analyze and find the information being leaked. In addition, the logs help in decision-making and in directing organizational strategies.
Requirement 11 – Regularly test security systems and processes.
Periodic scans can be set up to measure the effectiveness of the leak prevention technology, verify data movement, and detect sensitive information hidden within the internal network.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
Health-related data is increasingly migrating from the physical to the digital environment, where results and diagnoses are sent electronically and, if requested, printed. Gaining more visibility with this migration to digital media, HIPAA aims to protect the privacy of personal data, especially health-related data, and is divided into three main topics: Privacy, Security, and Notification in case of a leak. Cyber security is a crucial point within the regulation. It is one of the first topics addressed, referring to integrity, availability, and confidentiality, in addition to the need to identify and protect in advance against attacks that may harm these three pillars of information security.
Tools implementing DLP technology play a crucial role and are of great interest to healthcare organizations, as they cover all the general points of this regulation, allowing them to monitor and control data in motion and scan documents with possibly sensitive information even before they are sent or transferred to other locations. A simple rule that does not allow documents with personal health information to be sent outside the organization through any channel that is not encrypted or transmitted by secure and authorized means can go a long way in meeting the demands. However, despite having technology capable of protecting specific information in various formats, it is still necessary to identify the personal information. To do this, there are dictionaries and word lists predefined by the companies that make the tools. Still, they may not cover all the information and may create unwanted shadows or even a false sense of security.
Shadow in DLP: documents or information that go unnoticed without being detected because of how the configuration was done. For example: detecting SSNs only in the format XXX-XX-XXXX opens a shadow for SSNs transmitted in the unformatted form XXXXXXXXXXX.
Relying on the functionalities of a DLP tool, it is possible to develop and outline the following policies to comply with HIPAA:
- Track and block the transfer of documents containing medication information, International Classification of Diseases (ICDs) codes, and lexical diagnoses. For example: a dictionary of ICDs and fingerprinting of medical results;
- Monitor and possibly block the transfer of information containing PII through a variety of channels, such as e-mail, network, online repositories, social networks, printers, removable devices, etc.;
- Create permission lists with authorized people, areas, and/or organizations allowed to handle such information.
SARBANES-OXLEY (SOX)
The Sarbanes-Oxley Act was enacted in 2002 with the aim of protecting investors against fraudulent financial activities in the corporate landscape. The regulation is officially organized in 11 distinct sections and does not directly reference any IT requirements, but it addresses several aspects of the security of the systems involved.
SOX covers all publicly traded companies in the United States. It is even more relevant for Brazilian companies going public on the American stock exchange National Association of Securities Dealers Automated Quotations (NASDAQ). Any company with at least 500 American shareholders and registered on the American stock exchange must be compliant. Companies such as Itaú Unibanco (ITUB), Banco Bradesco (BBD), and Vale (VALE) are examples of national companies listed on NASDAQ and subject to the regulation.
DLP technology plays a fundamental role in SOX because financial reports must not be accessed or sent by unauthorized parties, and a data leak implies a breach of the confidentiality and/or integrity of these documents. In addition to preventing leakage, most DLP tools are able to scan the organization’s internal network in search of such documents, which can be detected by keywords, for example: Financial Report, Financial Statement, Report of Condition & Income.
Regarding the SOX sections, items 302 and 404 can be considered the most related to IT and DLP technology:
- 302 – Corporate responsibility for financial reporting: Every public company must issue periodic financial reports signed by the CEO and CFO, certifying that the content has been reviewed and has no false information. Additionally, both are responsible for reviewing all internal controls 90 days before publication.
A DLP tool is directly linked to this item as one of the agents responsible for protecting financial data through its policies. For example: create policies that detect financial reports and spreadsheets through the document layout, or use regular expressions to detect financial values in spreadsheets, documents, and e-mails leaving the organization.
- 404 – Evaluation of the management of internal controls: Organizations are now required to undergo annual external audits that verify the effectiveness of their controls.
In turn, a DLP tool implements controls that prevent leakage of information and financial reports, and it must be properly configured and frequently reviewed.
CONCLUSION
A DLP tool can add a lot of value to organizations through detections of the specific information covered by regulatory norms, bringing greater control over what leaves the organization and logs that can assist in achieving compliance with rules and regulations. Policies and their detections progress through development stages, from monitoring through justification up to blocking, and it is recommended to continuously handle the alerts generated so that a higher level of development can be reached.
The use of tools implementing DLP technology usually goes through a maturing process within organizations. This process starts with identifying the information that must be protected, then moves to monitoring rules used to verify false positives, and only then reaches a higher degree of maturity, where justifications and blocks that effectively prevent the leak of this information are analyzed. Consider, for example, an initial rule for EIN detection implemented in monitoring mode to verify what is being detected. Once the detection is validated and it is certain that EIN numbers are indeed being detected, one can move on to the justification step, where employees receive a notification when the information is intentionally or unintentionally leaked. This step is usually done in conjunction with a data protection awareness campaign.
Finally, as with many security tools, it is worth taking a layered approach, drawing out the strengths of multiple features and tools and avoiding single points of failure.