Information Protection and Control (IPC) is a technology for protecting confidential information from internal threats. Solutions of the IPC class are intended to protect data from internal threats and to prevent various kinds of information leaks, corporate espionage and business intelligence gathering. The term IPC unites two main technologies: encryption of storage media at all points of the network, and control of the technical channels of information leakage using Data Loss Prevention (DLP) technologies. A possible third technology in IPC-class systems is access control to the network, applications and data. IPC thus includes DLP-class solutions, a system for encrypting corporate information and access control to it. The term IPC was first used by IDC analyst Brian Burke in the report "Information Protection and Control Survey: Data Loss Prevention and Encryption Trends". A directory of DLP solutions and projects is available on TAdviser.
Ideology of IPC
The IPC technology is a logical continuation of DLP technology. It protects data not only from leaks through technical channels, i.e. from insiders, but also from unauthorized user access to the network, information and applications, and from the situation where the physical storage medium falls into the hands of third parties. This prevents leaks even when an insider, or a person without legitimate access to the data, gets hold of the physical medium itself. For example, having obtained the hard drive of a desktop or notebook computer, the insider will not be able to read the information stored on it. This prevents the compromise of confidential data even in case of loss, theft or seizure (for example, during raids staged by intelligence agencies, unfair competitors or corporate raiders).
Tasks of IPC
The main objective of IPC systems is to prevent the transfer of confidential information outside the corporate information system. Such a transfer (leak) may be intentional or unintentional. Practice shows that the majority (more than 75%) of leaks happen not through malicious intent but because of errors, carelessness, disorganization and negligence of employees, and such cases are much easier to detect. The remainder is connected with the malicious intent of operators and users of enterprise information systems, in particular with industrial espionage and competitive intelligence. Obviously, malicious insiders, as a rule, try to deceive IPC analyzers and other control systems.
Additional tasks of IPC-class systems
- prevention of the transfer outside of not only confidential but also other undesirable information (offensive expressions, spam, erotic content, excessive amounts of data, etc.);
- prevention of the transfer of undesirable information not only from inside to outside, but also from outside into the organization's information system;
- prevention of the use of Internet and network resources by employees for personal purposes;
- protection against spam;
- protection against viruses;
- optimization of channel load, reduction of inappropriate traffic;
- time tracking and presence at the workplace;
- monitoring of employee reliability, their political views and beliefs, collection of compromising material;
- archiving of information in case of accidental deletion or damage of the original;
- protection against accidental or intentional violation of internal standards;
- ensuring compliance with information security standards and current legislation.
Control of information leak channels (Data Loss Prevention)
The DLP technology in IPC supports control of the following technical channels of confidential information leakage:
- corporate e-mail,
- web mail,
- social networks and blogs,
- file exchange networks,
- forums and other Internet resources, including those built on AJAX technology,
- IM (ICQ, Mail.ru Agent, Skype, AOL AIM, Google Talk, Yahoo Messenger, MSN and others),
- peripheral devices (USB, LPT, COM, WiFi, Bluetooth and others),
- local and network printers.
DLP technologies in IPC support control of the following data exchange protocols, among others:
- HTTP and HTTPS (SSL),
- SMTP (Simple Mail Transfer Protocol).
Technologies for detecting confidential information
Signatures. The simplest control method is searching a data stream for a certain character sequence. Sometimes the prohibited character sequence is called a "stop expression", but in the more general case it can be given not as a word but as an arbitrary set of symbols, for example a certain tag. If a system is configured for only one word, the result of its work is the determination of a 100% match, i.e. the method can be classed as deterministic. Nevertheless, the search for a specific character sequence is more often applied to text analysis. In most cases signature systems are configured to search for several words and for the frequency of occurrence of terms.
The advantages of this method include the simplicity of extending the dictionary of prohibited terms, the obviousness of its principle of operation, and the fact that it is the most reliable way when a 100% match of a word or expression must be found. The shortcomings become obvious once such a technology is put into industrial use for catching leaks and the filtering rules are being tuned. Most producers of DLP systems work for Western markets, and English is very "signature-friendly": word forms are most often built with prepositions, without changing the word itself. In Russian everything is much more difficult, since there are prefixes, endings and suffixes. Take for example the word "key", which can mean an encryption key, a flat key, a spring, the key or PIN code of a credit card, and a number of other things. In Russian several tens of different words can be formed from the root "key". This means that where in the West it is enough for a data protection specialist to enter one word to guard against insiders, in Russia the specialist has to enter a couple of tens of words and then also enter them in six different encodings. Real-life application of this method requires a linguist or a team of linguists both at the implementation stage and during operation and updates of the database. Another undoubted shortcoming is that "signatures" are not robust against primitive encoding, for example the replacement of characters by similar-looking ones.
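The following is an added example, not code from the original article or from any DLP product, showing a signature search with term counts and the weakness the text describes: a plain substring match misses a stop expression once a few Latin letters are replaced by Cyrillic lookalikes or a zero-width character is inserted, while the same search over a canonicalized stream still finds it. The stop terms, the homoglyph table and the sample messages are constructed for the example.

```python
import re
import unicodedata

# Constructed stop-expression dictionary (illustrative values, not from any product).
STOP_TERMS = ["encryption key", "confidential", "договор поставки"]

# Constructed subset of Cyrillic letters that look identical to Latin ones.
# Replacing Latin letters with these lookalikes is the "primitive encoding"
# that defeats a plain substring search.
HOMOGLYPHS = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M", "Н": "H", "О": "O",
    "Р": "P", "С": "C", "Т": "T", "Х": "X",
})
# Invisible code points that can be inserted inside a word to split a signature.
INVISIBLE = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")

def canonicalize(text: str) -> str:
    """Map text to a canonical form so that lookalike substitutions, fullwidth
    letters and zero-width separators collapse onto the plain spelling.
    The same mapping is applied to the dictionary and to the data stream, so a
    Cyrillic stop term still matches after its letters have been folded."""
    text = unicodedata.normalize("NFKC", text)  # fullwidth / ligature forms -> plain
    text = INVISIBLE.sub("", text)
    text = text.translate(HOMOGLYPHS)
    return text.casefold()

def naive_counts(text: str, terms=STOP_TERMS) -> dict:
    """Plain substring search: what a signature without canonicalization does."""
    low = text.casefold()
    return {t: low.count(t.casefold()) for t in terms if t.casefold() in low}

def signature_counts(text: str, terms=STOP_TERMS) -> dict:
    """Signature search over canonical text, reporting occurrence counts so that
    a rule can also demand a minimum frequency of a term."""
    canon = canonicalize(text)
    hits = {}
    for term in terms:
        n = canon.count(canonicalize(term))
        if n:
            hits[term] = n
    return hits

def violates(text: str, min_hits: int = 1) -> bool:
    """Rule: block when any stop term occurs at least min_hits times."""
    return any(n >= min_hits for n in signature_counts(text).values())

# Constructed samples: the second uses Cyrillic 'е' (U+0435) inside Latin words
# and a zero-width space inside "confidential".
PLAIN = "Attached is the encryption key for the confidential archive."
OBFUSCATED = "Attached is the еncryption kеy for the confi\u200bdential archive."
RUSSIAN = "Высылаю договор поставки на подпись."
```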
"Digital fingerprints" (Digital Fingerprints, DF). Various kinds of hash functions over sample confidential documents are positioned by Western developers of DLP systems as a new word in the leak protection market, although the technology has existed since the 1970s. In the West this method is sometimes called "digital fingerprints". The essence of all these methods is the same, although the specific algorithms of each producer can differ. Some algorithms are even patented, which helps with the promotion of a "new patented DF technology". The general scenario is as follows: a base of sample confidential documents is collected. The essence of DF operation is quite simple, and that is often what attracts: the DLP/IPC system is given a certain standard document template, a "digital fingerprint" is created from it and registered in the DF database. Then a percentage match to the template from the base is configured in the content filtering rules. For example, if a 75% match to the "digital fingerprint" of a delivery agreement is configured, then during content filtering the DLP will detect practically all agreements of this form. Sometimes systems such as Antiplagiat are also counted under this technology; however, the latter works only with text information, whereas the "digital fingerprints" technology, depending on the implementation, can also work with various media content and be applied to copyright protection and to preventing accidental or intentional violation of laws and information security standards.
The advantages of the Digital Fingerprints technology include the simplicity of adding new templates, a fairly high detection rate and transparency for the staff of data protection units. Security service and information security specialists do not need to think about "stop expressions" and other linguistics, spend a lot of time analyzing potentially dangerous word forms and entering them into the base, or spend resources on implementing and supporting a linguistic base. The main shortcoming, which is not obvious at first sight and is hidden behind the "patented technologies", is that, despite all the simplicity and the actual absence of linguistic methods, the database of "digital fingerprints" has to be updated constantly. Whereas in the case of "signatures" the method does not require permanent updating of the word base, here it requires updating of the "digital fingerprint" base. Another shortcoming of "digital fingerprints" is that keeping the DLP in an effective state turns from "adding words to the base" into "searching for and indexing new and changed files", which is a more difficult task even if the DLP system performs it semi-automatically. Large companies, in which up to ten thousand new and updated documents appear every working day in server storage alone, not to mention personal computers and notebooks, are often simply unable to track all of this in real time. In that case the application of DF is ineffective, so "digital fingerprints" in most DLP systems are intended for companies of the SMB sector (fewer than 500 users). In addition, digital fingerprints occupy about 10 to 15% of the size of the confidential documents, and the base constantly grows, which requires additional investment in storage systems and DLP server capacity. Besides, low-level hash functions (including DF) are not robust against the primitive encoding that was discussed in relation to "signatures".
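An added example, not code from the original article or from any vendor's product, of the fingerprint scenario described above: a template is hashed into a set of overlapping word-window ("shingle") hashes, the hashes go into a small store, and an outgoing document is matched against the store with the 75% threshold from the text. The shingle size, the delivery-agreement template and the filled-in copy (number, date and payment term changed) are constructed for the example.

```python
import hashlib
import re

SHINGLE_WORDS = 5  # words per overlapping window (assumed parameter)

def tokens(text: str) -> list:
    return re.findall(r"[^\W_]+", text.casefold())

def fingerprint(text: str, k: int = SHINGLE_WORDS) -> frozenset:
    """A 'digital fingerprint': the set of hashes of every k-word window.
    Only the hashes are stored, so the fingerprint reveals nothing about the
    document text but still tolerates edits: a changed word invalidates at most
    k windows, the rest keep matching."""
    words = tokens(text)
    if len(words) < k:
        words = words + [""] * (k - len(words))  # pad very short texts
    return frozenset(
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    )

def match_percent(candidate: frozenset, template: frozenset) -> float:
    """Share of the template's windows that also occur in the candidate."""
    if not template:
        return 0.0
    return 100.0 * len(candidate & template) / len(template)

class FingerprintStore:
    """Toy DF database: template name -> fingerprint."""
    def __init__(self):
        self._db = {}

    def register(self, name: str, text: str) -> None:
        self._db[name] = fingerprint(text)

    def check(self, text: str, threshold: float = 75.0) -> list:
        """Return (template, percent) for every template matched at or above threshold."""
        fp = fingerprint(text)
        hits = []
        for name, tmpl in self._db.items():
            pct = match_percent(fp, tmpl)
            if pct >= threshold:
                hits.append((name, round(pct, 1)))
        return hits

# Constructed sample template and a filled-in copy with number, date and term changed.
TEMPLATE = ("Delivery agreement No. [number] dated [date]. The Supplier undertakes to "
            "deliver the goods listed in Annex 1, and the Buyer undertakes to accept and "
            "pay for the goods within ten banking days of delivery. Ownership of the goods "
            "passes to the Buyer upon signature of the delivery note. Disputes are resolved "
            "by the arbitration court at the location of the Supplier.")
FILLED = (TEMPLATE.replace("[number]", "17").replace("[date]", "12.03.2024")
          .replace("ten banking", "five banking"))
UNRELATED = ("Minutes of the weekly team meeting: the backlog was reviewed and the "
             "release was scheduled for Friday afternoon.")

def demo() -> list:
    """Register the template, then check the filled-in copy against the store."""
    store = FingerprintStore()
    store.register("delivery agreement", TEMPLATE)
    return store.check(FILLED)
```

Three changed fields cost eleven of the template's 57 windows, so the filled-in copy still matches at roughly 80%, while the unrelated text shares no window at all.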
"Tags". The essence of this method consists in placing special "tags" in files containing confidential information. On the one hand, such a method supplies a DLP system with the most stable and exact information; on the other hand, it requires rather significant changes to the network infrastructure. Among the leaders of the DLP and IPC market this method is not implemented, so there is no particular point in considering it in detail. One can only note that, despite the explicit advantage of "tags", namely detection quality, there is a set of essential shortcomings, from the need for a considerable reorganization of the network infrastructure to the introduction of a set of new rules and file formats for users. In practice, implementing such a technology turns into implementing a simplified document workflow system.
Regular expressions. Search by regular expressions ("masks") is also a long-known method of detecting the required content; however, it began to be applied in DLP relatively recently. Often this method is called "text identifiers". Regular expressions allow finding matches by the form of the data; unlike "signatures", they cannot specify an exact data value. Such a detection method is effective for searching for:
- CHECK POINT,
- account numbers,
- credit card numbers,
- phone numbers,
- passport numbers,
- client numbers.
Search by "masks" allows a DLP or IPC system to ensure compliance with the requirements of the increasingly popular PCI DSS standard, developed by the international payment systems Visa and MasterCard for financial institutions.
The advantages of the regular expression technology are first of all that they allow detecting the types of content specific to each organization, starting from credit cards and finishing with the names of equipment schematics specific to each company. Besides, the formats of the basic confidential data change extremely seldom, so their support will require practically no time resources. The shortcomings of regular expressions include their limited scope of application within DLP and IPC systems, since they can only find confidential information of a certain form. Regular expressions cannot be applied independently of other technologies, but they can effectively supplement them.
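An added example, not code from the original article, of the "mask" detection the text describes for credit card numbers: a regular expression finds digit runs of card-number shape, a Luhn checksum discards the order numbers and phone numbers that also match the mask, and the alert carries a masked value so the DLP record itself does not hold the PAN. The candidate pattern, the separator conventions and the sample messages (two well-known test card numbers) are constructed for the example.

```python
import re

# Candidate primary account number: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run. Formats are an assumption.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the digit strings of all card-number candidates that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep only the last four digits: PCI DSS requires the PAN to be masked when
    displayed, and the alert log is a display like any other."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_message(text: str) -> dict:
    """Content-filtering verdict for one outgoing message."""
    pans = find_pans(text)
    return {"blocked": bool(pans), "cards": [mask(p) for p in pans]}

# Constructed samples: two test card numbers, then a phone number and an order id
# that have card-like shape but fail the mask or the checksum.
SAMPLES = [
    "Please charge card 4111 1111 1111 1111, exp 12/26, thanks.",
    "Backup card: 5555-5555-5555-4444",
    "Call me at +7 495 123-45-67, order 1234567890123456 has shipped.",
]
```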
Linguistic methods (morphology, stemming). The most widespread analysis method in DLP/IPC systems today is linguistic analysis of the text. It is so popular that in everyday speech it is often referred to simply as "content filtering", i.e. it carries the characteristics of the whole class of content analysis methods. Linguistics as a science consists of many disciplines, from morphology to semantics, and the linguistic analysis methods differ among themselves. There are technologies that use only "stop expressions", which are entered only at the level of roots, with the system building the full dictionary itself; others are based on assigning weights to the terms found in the text. Among linguistic methods there are also fingerprints based on statistics: for example, a document is taken, its fifty most frequently used words are found, and then the 10 most used of them in each paragraph are selected. Such a "dictionary" is an almost unique characteristic of the text and allows finding meaningful quotations in "clones". An analysis of all the subtleties of linguistic analysis is outside the scope of this article, but the breadth of possibilities of this technology within IPC systems should be noted.
The advantages of linguistic methods in DLP include the fact that morphology and other linguistic methods have a high efficiency rate comparable to signatures, at much smaller labor costs for implementation and support (a 95% reduction in labor costs relative to "signatures"). At the same time, when linguistic detection methods are used there is no need to monitor the appearance of new documents and send them for analysis to the IPC system, since the efficiency of linguistic methods of determining confidential information does not depend on the number of confidential documents, the frequency of their appearance or the performance of the content filtering system. The shortcomings of linguistic methods are also quite obvious; the first of them is dependence on language: if the organization is present in several countries, the bases of confidential words and expressions have to be created separately for each language and country, taking into account all specifics. The normal efficiency of such a method averages 85%. If professional linguists are involved, the efficiency can increase up to 95%; only manual checking or "signatures" can provide more, but in terms of the ratio of efficiency to labor costs nothing equal to linguistic methods has been found yet.
Manual detection ("Quarantine"). Manual verification of confidential information is sometimes called Quarantine. Any information that falls under the manual check rules, for example because the word "key" occurs in it, goes to the console of the information security specialist, who in turn manually reviews this information and decides whether to pass, block or delay the data. If data is blocked or delayed, a corresponding message is sent to the sender. The undoubted advantage of this method is the highest efficiency. However, in real business this method is applicable only to a limited scope of data, since it requires a large number of human resources: for a qualitative analysis of all the information leaving the company, the number of information security employees would have to approximately match the number of other office employees, and this is impossible even in law enforcement and military agencies. The real-life application of this method is the analysis of data of selected employees, where more delicate work is required than automatic search by templates, "digital fingerprints" or matching against words from a base.
Archiving of information passing through technical leak channels
An obligatory component of IPC is the archive, which is kept for the selected information streams (packets, messages). All information on the actions of employees is stored in one or several connected databases. The leading IPC systems allow archiving all the leak channels that they can control. Copies of documents and text uploaded to the Internet, e-mails, printed documents and files written to peripheral devices are stored in the IPC archive. At any time the information security administrator can access any document or text in the archive, using linguistic information search over the unified archive (or over all distributed archives at once). Any letter can be viewed or sent if necessary, and any file or document sent to the Internet, written to an external device or printed can be viewed or copied. This allows a retrospective analysis of possible leaks and, in some cases, compliance with the documents regulating the activity, for example with the Bank of Russia standard STO BR IBBS-1.0-2008.
Encryption of information at all points of the network
The IPC technology includes capabilities for encrypting information at all key points of the network. The objects of data protection are:
- server hard drives,
- magnetic tapes,
- CD/DVD/Blu-ray disks,
- personal computers,
- external devices.
IPC technologies use various pluggable cryptographic modules, including the most effective algorithms: DES, Triple DES, RC5, RC6, AES and XTS-AES. The most used algorithms in IPC solutions are RC5 and AES, whose efficiency can be checked on the [distributed.net] project. They are most effective for encrypting large volumes of data in server storage and backup copies. IPC solutions support integration with the Russian algorithm GOST 28147-89, which allows IPC encryption modules to be used in state organizations.
Access control to the network, applications and information
Two-factor authentication is an implementation of access control in which the user is identified on the basis of both what he knows and what he possesses. The most common form of authentication is ordinary passwords, which the user keeps in memory. Passwords provide weak protection, since they can be easily disclosed or guessed (one of the most widespread passwords is "password"). A security policy based only on passwords makes the organization vulnerable, so in IPC two-factor authentication using widespread USB tokens is applied.
The information network of a modern organization is heterogeneous in most cases. This means that servers running different operating systems and a large number of application programs coexist in one network. Depending on the kind of activity of the enterprise, these may be e-mail and groupware applications, CRM, ERP and SharePoint systems, electronic document management systems, financial and accounting systems and so on. The number of passwords that an ordinary user in an organization needs to remember can reach from 3 to 7 on average. Users write passwords on pieces of paper and stick them in prominent places, thereby nullifying all data protection efforts, or constantly confuse and forget passwords, causing an increased load on the internal IT service. Application of IPC in this case also solves a secondary problem: simplifying life for ordinary employees while raising the level of security.
IPC systems have agents at all key points of the network: servers, storage, gateways, PCs/notebooks, peripheral and network user devices. IPC technologies are implemented for Windows, Linux, Sun Solaris and Novell. Interaction with Microsoft Active Directory, Novell eDirectory and other LDAP directories is supported. Most components can also work effectively in workgroups.
- Data Loss Prevention;
- E-mail filtering;
- Monitoring of information leaks;
- Article in BYTE/Russia: How to implement DLP correctly;
- Article in BYTE/Russia: DLP for mail control.
Information security standards
- Bank of Russia standard STO BR IBBS-1.0-2006 (Russia, 2009).
- PCI DSS, the information protection standard of the payment card industry created by the PCI Security Standards Council community.
- FFMS Code of Corporate Governance (Russia).
- Basel II (European Union).
- Law SOX (USA, Sarbanes-Oxley Act of 2002).
- Agreement "International Convergence of Capital Measurement and Capital Standards", Basel Committee on Banking Supervision.
- European Union directive on data retention (Data Retention Directive).
- SEC Rule 17a-4.
- HIPAA (Health Insurance Portability and Accountability Act of 1996, USA).
- GLBA (USA).
- Combined Code on Corporate Governance (England).
- Documents on the technical protection of information.
- Federal Law of August 12, 1995 No. 144-FZ "On Operational Search Activity";
- Federal Law "On Archiving in the Russian Federation";
- Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ "On Personal Data";
- Government decree No. 687 of 9/15/2008;
- Government decree No. 781 of 11/17/2007;
- "Order of the three": joint order of FSTEC of Russia, FSB of Russia and the Ministry of Information Technologies and Communications of 2/13/2008 No. 55/86/20.