Order in files and folders: how to organize access control and protection against leaks
As IT infrastructure grows, it becomes difficult to control who accesses information, who copies it, who moves it between folders and who deletes it. And if it is not known whether the organization's confidential files and folders are in order, it is almost impossible to ensure the security of this data. Specialized DCAP systems handle this task. Let's figure out who needs them and for what tasks.
About DCAP Technology
DCAP (data-centric audit and protection) solutions are designed to detect, categorize and protect so-called "data at rest" (structured, unstructured and semi-structured data). This means information on the personal computers of the organization's employees, as well as whatever is scattered across network folders, cloud storage, databases, etc.
One of the main popularizers of the term DCAP was Gartner. The research company's analysts proposed taking into account the real situation, in which business-critical data is not held in a single database, is modified in each store in its own way, and along the way is saved by users on personal devices, in clouds and in public folders.
As a result, files with personal, payment and accounting data, trade secrets, drawings and other technical documents multiply uncontrollably, which creates both business and information security risks:
- data is accessed by people who should not have it;
- information is harder to protect from leakage, since it is not clear where it is located;
- there are too many privileged users, and their actions cannot be monitored;
- employees work with outdated versions of documents.
Some "data at rest" monitoring functions are implemented in various related data protection systems. Each controls its own allotted part of the infrastructure and has its own control regulations. But the main thing is that it is completely unclear what happens to the data between these systems. Moreover, separate staff are often responsible for these systems (as in the case of different DBMSs or CMSs), so the number of privileged users grows.
The DCAP solution appeared as the answer to these problems. According to Gartner, a dedicated DCAP solution for protecting "data at rest" should ideally become a single platform for controlling information located in a wide variety of stores, including file systems, databases, clouds, etc.
As of April 2021, such integrated systems are few even on the global market. Systems from different vendors usually focus on protecting certain types of storage (file systems, databases, clouds, etc.) and differ in functionality.
Despite the differences in functionality, DCAP systems in a "basic" configuration should perform the following functions:
- Detect and classify data.
- Monitor access rights.
- Track data transactions.
- Protect your data by preventing unwanted transactions.
Key Requirements for DCAP Solutions
As of April 2021, the key requirements for DCAP solutions include:
- High-quality data classification and discovery.
- Systems come with built-in linguistic analysis technologies covering the most business-critical topics (personal data, trade secrets, payment information, etc.), as well as technologies for processing other types of data (for example, images). The system should have settings that avoid overloading the IT infrastructure during scanning (for example, checking against the rules outside working hours, scanning only edited data, etc.).
- Easy management of data security policies.
- The ability to configure permissions and prohibitions for different users and different types of data in a single solution. At this stage of the market's development, in most existing products the functionality for different types of storage is still split. It is therefore important to pay attention to whether different data control solutions can be integrated with each other.
- Monitoring of user rights and activity.
- Monitoring the rights of users, especially those with high privileges, is critical for compliance. The product must record in a report and, if necessary, generate a notification that a user's rights have been changed, as well as what actions that user performed with particular information.
- Detailed and complete reporting.
- Reporting to a regulator or a retrospective investigation of an incident may require many different reports. The system should provide the ability to create reports at least on user behavior, data changes, security policy violations, access rights changes, etc.
- Automated reporting of violations and incident prevention.
- The ability to create automatic security alerts based on configured security rules is critical. These can include automatically notifying security personnel, automatically blocking a process or revoking privileges, terminating access if large volumes of data are being downloaded, and so on.
- Data protection.
- Some vendors offer separate data protection tools using encryption, tokenization and data masking. If no such tools are available, you may need to purchase individual products. Having an archive allows information to be restored if it has been corrupted or deleted by one of the users.
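As an added illustration of the first requirement in the list (classification and discovery that does not overload the infrastructure), here is a small Python classifier. It is example code written for this page, not code from any product mentioned here; the rule set, file names and file contents are constructed, and the `since` checkpoint stands in for the "scan only edited data" setting. A Luhn check is applied to candidate card numbers so that a random digit run is not reported as payment data.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed detection rules (category -> pattern). Real DCAP products ship
# much richer dictionaries; these three are only illustrative.
RULES = {
    "payment data": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "password files": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "personal data": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+, \d{2}\.\d{2}\.\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit order number is not reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of categories whose rules match the text."""
    found = set()
    for category, pattern in RULES.items():
        for match in pattern.finditer(text):
            if category == "payment data":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not luhn_ok(digits):
                    continue            # looks like a card number but is not one
            found.add(category)
            break                       # one hit per category is enough
    return found


def scan_tree(root, since: float = 0.0, max_bytes: int = 1_000_000) -> dict:
    """Classify files under `root` whose mtime is newer than `since`.

    `since` is the previous scan's checkpoint: passing it makes the scan
    incremental (only edited data), which is what keeps a large file server
    from being re-read in full on every pass. Returns {relative path: categories}
    for files that matched at least one rule.
    """
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_mtime <= since:
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue                    # unreadable file: skip, do not abort the scan
        categories = classify_text(text)
        if categories:
            results[path.relative_to(root).as_posix()] = categories
    return results


def build_sample(root: Path) -> None:
    """Write constructed sample files with explicit (fake) modification times."""
    samples = {
        "finance/cards.txt": ("Customer card: 4111 1111 1111 1111\n", 1000),
        "it/notes.txt": ("db password: hunter2\n", 2000),
        "hr/list.txt": ("Ivan Petrov, 01.02.1985\n", 3000),
        "misc/report.txt": ("Order 1234567890123456 shipped.\n", 3000),
    }
    for rel, (text, mtime) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
        os.utime(p, (mtime, mtime))


def demo():
    """Full scan, then an incremental scan from a checkpoint between two edits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        full = scan_tree(root)
        incremental = scan_tree(root, since=1500)
    return full, incremental


if __name__ == "__main__":
    full, incremental = demo()
    print("full scan:", full)
    print("incremental scan:", incremental)
```

The full scan reports three of the four constructed files (the order number in `misc/report.txt` fails the Luhn check), while the incremental scan from checkpoint 1500 re-reads only the two files edited after it. In a real deployment the checkpoint would be persisted between runs and the scan scheduled outside working hours, as the requirement above describes.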
Global DCAP Market Players
As of April 2021, the DCAP market is still forming; despite this, it includes both multidisciplinary IT corporations and niche players: IBM, Oracle, Trustwave, Imperva, Symantec, Dell Quest, Netskope, McAfee, Mentis, Identity Finder, STEALTHbits, etc.
Despite the ideal of the product as a single solution for controlling data at rest in all repositories, so far there are few such integrated products. Thus, in Gartner's 2014 report there was not a single such solution.
According to 2018 data, there are two such solutions: from Protegrity and Informatica.
The success of more narrowly specialized IT companies was greatly helped by the adoption of personal data protection laws. For Europeans, 2016 can be considered the turning point, when the European Union launched the procedure for discussing the General Data Protection Regulation (GDPR), finally adopted in 2018. The regulation provides for turnover-based fines for information leaks (up to 4%).
In the United States, the impetus for tightening personal data laws was the 2018 scandal involving Cambridge Analytica[1]. One notable outcome was the adoption in 2020 of the California Consumer Privacy Act, California's personal data protection law.
Thus, it turned out that demand for DCAP was largely spurred by new regulatory requirements that punish leaks severely, since "orphaned" or publicly accessible information discovered in time allows organizations to avoid a leak or unauthorized access.
Russian Market for DCAP Systems
The Russian market for DCAP solutions, as of April 2021, is relatively young. The first DCAP solution among domestic developers, FileAuditor, was released by SearchInform in 2019. Also in 2019, Makves brought its product, Makves DCAP, to market.
Both software products focus on protecting unstructured data - files and folders.
FileAuditor can be used as a stand-alone solution or as a component of an integrated security system. In particular, it is integrated with all SearchInform products (DLP, SIEM and DAM systems (DAM from the English "Digital asset management")).
Makves DCAP is a stand-alone solution; at the same time, it integrates with any information security solutions via a REST API.
Factors that give DCAP products in Russia good prospects include a shortage of such systems alongside a growing need for them, as well as the tightening of data protection law.
What Data-Centric Audit and Protection (DCAP) Does
The term Data-Centric Audit and Protection (DCAP), that is, data audit and protection, appeared relatively recently. This does not mean that companies did not previously face the task of auditing documents. The problem has simply become more acute: the amount of data is growing exponentially, and it is no longer possible to keep the file system in order manually.
DCAP systems help information security specialists solve several problems at once, in automated fashion:
1) Find on whose computers and in which folders there are documents containing critical information: personal data, trade secrets, bank card numbers, passwords.
2) Track all operations users perform with these files, that is, know who created, edited, moved, deleted or copied a document.
3) Audit access rights in order to automatically track open resources, files available to a specific user or group, and accounts with privileged rights.
4) Restore lost information if some user takes it into their head to delete files, for example out of revenge. To do this, the system creates shadow copies and stores different versions of documents.
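Item 3 above, the access rights audit, is the one most often done badly by hand, because group nesting hides who really has access. The Python below is an added example written for this page (not code from FileAuditor or any other product) that resolves nested groups and answers the three questions the item lists: which resources are open to everyone, what a given user can reach, and which accounts are privileged. The group membership, resource paths and ACL entries are constructed.

```python
from collections import deque

# Constructed directory data: group membership (groups may nest) and per-resource
# ACLs. Names are illustrative, not from any real environment.
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Finance": {"alice", "bob"},
    "IT Admins": {"dave", "Helpdesk"},   # Helpdesk is a nested group
    "Helpdesk": {"carol"},
}
# Principals whose presence in an ACL makes a resource effectively open to everyone.
OPEN_PRINCIPALS = {"Everyone", "Domain Users"}
# Groups whose members count as privileged accounts.
ADMIN_GROUPS = {"IT Admins"}

ACLS = {
    r"\\fs\finance\budget.xlsx": [("Finance", {"read", "write"}), ("IT Admins", {"full"})],
    r"\\fs\public\memo.docx": [("Everyone", {"read"})],
    r"\\fs\hr\salaries.xlsx": [("alice", {"read", "write"}), ("Domain Users", {"read"})],
    r"\\fs\it\backups": [("IT Admins", {"full"})],
}


def expand_group(name, groups=GROUPS):
    """Return the user accounts in a group, following nested groups (cycle-safe)."""
    users, seen, queue = set(), set(), deque([name])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            if member in groups:
                queue.append(member)
            else:
                users.add(member)
    return users


def resolve_principal(principal, groups=GROUPS):
    """Users behind an ACL entry: 'Everyone' is every known account, a group is expanded."""
    if principal == "Everyone":
        return set().union(*(expand_group(g, groups) for g in groups))
    if principal in groups:
        return expand_group(principal, groups)
    return {principal}


def effective_access(resource, acls=ACLS, groups=GROUPS):
    """Map each user to the union of rights they hold on the resource."""
    access = {}
    for principal, rights in acls[resource]:
        for user in resolve_principal(principal, groups):
            access.setdefault(user, set()).update(rights)
    return access


def open_resources(acls=ACLS):
    """Resources whose ACL grants anything to an 'everyone'-style principal."""
    return sorted(r for r, aces in acls.items()
                  if any(p in OPEN_PRINCIPALS for p, _ in aces))


def resources_for(user, acls=ACLS, groups=GROUPS):
    """Everything a given user can reach, including via nested group membership."""
    return sorted(r for r in acls if user in effective_access(r, acls, groups))


def privileged_accounts(groups=GROUPS):
    """Accounts that end up in an admin group, directly or through nesting."""
    return set().union(*(expand_group(g, groups) for g in ADMIN_GROUPS))


if __name__ == "__main__":
    print("open resources:", open_resources())
    print("privileged accounts:", sorted(privileged_accounts()))
    print("carol can reach:", resources_for("carol"))
```

Note that `carol` never appears in any ACL, yet reaches every resource: Helpdesk is nested inside IT Admins, which holds full control on two folders, and the HR spreadsheet is readable by the whole domain. Surfacing exactly such indirect grants is what the audit step is for.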
There is a problem. Where is the solution?
On the international market, the problem of auditing and protecting data at rest is solved mainly by large players, for example Varonis. But for domestic customers, using their systems is very expensive and resource-intensive, and in light of growing import substitution it is simply out of reach for many.
In Russia, there were attempts to implement the necessary functionality in other solutions (DLP systems, document management systems, etc.), but until recently no one provided full DCAP functionality.
In 2019, SearchInform released a file system audit solution, FileAuditor. The young product met the basic functional requirements: the system detected and classified vulnerable data, audited access rights, created an archive of critical documents and monitored user actions.
In practice, the problem of controlling data at rest was solved as follows: the software categorizes data (this helps to find all files with certain content at once), monitors access rights and monitors all operations with files. It allows security policies to be configured (changes to file access rights, critical actions on a file) and notifies information security staff of their violation.
In early 2021, the vendor addressed the problem of proactive file protection. In the latest version of FileAuditor, blocking by labels is implemented: prohibiting unauthorized access to documents and sending them through any channel.
As of March 2021, the DCAP system SearchInform FileAuditor automatically blocks unwanted actions with files depending on their content. This is done using labels that are automatically assigned to files depending on their category: "trade secrets," "personal data," "contracts," "financial statements," "password files," etc. Then, by label, you configure permissions and prohibitions: which users, on which PCs and in which applications can open and modify the file.
Example: you can prohibit sending files with personal data through instant messengers, and Telegram will simply not attach such documents. Or allow MS Office to work with documents from the Confidential group only for the director and only on his PC; then all other users, even those with access to such a file, will not be able to open it. Labels are invisible to users and are inherited when copying, renaming, changing an extension, etc.
Labels are important for the operation of DLP: their presence allows a leak of sensitive data to be blocked instantly, because the security system no longer needs to check the content of each file. To understand how critical a document is, DLP simply checks its label. This does not overload the system.
Tagging is implemented in the DLP system SearchInform CIB.
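The label mechanism described in the preceding paragraphs (a label assigned by category, permissions keyed on user, PC and application, channel blocking done by the DLP side on the label alone, and labels that survive copying and renaming) can be made concrete with a small policy evaluator. The Python below is an added example for this page, not FileAuditor's or CIB's code; the label names, the hypothetical users, hosts, application names and channels, and the policy itself are all constructed, and the labels are assumed to have been assigned by a classifier beforehand.

```python
from dataclasses import dataclass, field

# Constructed label policy. Each label may restrict who can open the file
# (None = no restriction on that dimension) and which channels it may not
# leave through. A file carrying several labels must satisfy all of them.
POLICY = {
    "confidential": {
        "open": {"users": {"director"}, "hosts": {"DIR-PC"},
                 "apps": {"WINWORD.EXE", "EXCEL.EXE"}},
        "deny_channels": {"messenger", "email", "usb", "web"},
    },
    "personal data": {"open": None, "deny_channels": {"messenger"}},
    "password files": {"open": {"users": {"admin"}, "hosts": None, "apps": None},
                       "deny_channels": {"messenger", "email", "usb", "web"}},
}


@dataclass
class LabeledFile:
    path: str
    labels: set = field(default_factory=set)   # assigned by the classifier (assumed)


def check_open(f, user, host, app):
    """Decide whether (user, host, app) may open the file. Returns (allowed, reason)."""
    for label in sorted(f.labels):
        rule = POLICY.get(label, {}).get("open")
        if rule is None:
            continue                                # label does not restrict opening
        for key, value in (("users", user), ("hosts", host), ("apps", app)):
            allowed = rule.get(key)
            if allowed is not None and value not in allowed:
                return False, f"{label}: {key[:-1]} '{value}' is not permitted"
    return True, "allowed"


def check_send(f, channel):
    """Decide whether the file may leave through a channel. This is the DLP-side
    check: it looks only at the label, never at the file content."""
    for label in sorted(f.labels):
        if channel in POLICY.get(label, {}).get("deny_channels", set()):
            return False, f"{label}: channel '{channel}' is blocked"
    return True, "allowed"


def copy_file(f, new_path):
    """A copy or rename keeps the labels, so changing the extension does not
    strip the protection."""
    return LabeledFile(new_path, set(f.labels))


def demo():
    """Run the policy over constructed files and return every decision by name."""
    report = LabeledFile("Q1_report.docx", {"confidential"})
    clients = LabeledFile("clients.xlsx", {"personal data"})
    disguised = copy_file(report, "notes.txt")      # renamed, labels inherited
    return {
        "director_opens": check_open(report, "director", "DIR-PC", "WINWORD.EXE"),
        "bob_opens": check_open(report, "bob", "DIR-PC", "WINWORD.EXE"),
        "director_other_pc": check_open(report, "director", "LAPTOP-7", "WINWORD.EXE"),
        "clients_messenger": check_send(clients, "messenger"),
        "clients_email": check_send(clients, "email"),
        "disguised_usb": check_send(disguised, "usb"),
        "disguised_open": check_open(disguised, "bob", "BOB-PC", "NOTEPAD.EXE"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The two `disguised_*` decisions are the point of label inheritance: the confidential report renamed to `notes.txt` is still refused on USB and still cannot be opened by another user, because the decision never depended on the file name or on re-reading its content.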
Advantages of the domestic FileAuditor solution compared with foreign competitors
1) Domestic product. If the company processes and stores personal data, it in principle does not have the right to use foreign DCAP systems.
2) Accessibility. FileAuditor is more accessible than foreign analogues. Key foreign DCAP systems are available only to large corporations and not to other customers. In addition, many foreign products are more resource-demanding and bulky, which is reflected in the load on personnel and in hardware costs.
3) Russian-speaking technical support close at hand. If the customer has questions during deployment or operation, response speed is critical. SearchInform customers familiar with the work of its implementation managers, engineers and technical support note the work of our specialists as one of the key advantages in choosing a vendor.
4) Integration capability. FileAuditor integrates easily with other SearchInform products, primarily with the DLP system SearchInform CIB. As mentioned above, this significantly raises the level of information protection, since data is protected not only "at rest" (by FileAuditor) but also "in motion" (which DLP tracks).
How to Choose a DCAP System and How to Test
The main recommendation for choosing any software: everything is learned in comparison, so it is necessary to test different systems and put them through their paces: hardware requirements, load on the IT infrastructure. Attention should be paid to the quality of technical support, the vendor's readiness to negotiate improvements, etc.
But the main recommendation is to do load testing on the maximum possible number of machines (especially since this is free). Installing the program on a few PCs will not show what the program's real load on the infrastructure is. In addition, only with full-scale testing will it be possible to evaluate how well the vendor's engineers and technical support work. This is the advice that applies when deploying any software product for a test.
As for functional testing, in the case of a DCAP system it makes sense to set a "combat" task. For example, find all computers that bypass security policies to store password files. Or simulate a situation to see how quickly a document with "confidential" information and restricted access rights spreads across the team.
Example: one SearchInform customer approached testing FileAuditor with an unresolved problem. The company had found that expensive market research it had commissioned had appeared on the darknet, and then on the Internet. Already during the test it became clear how this had happened. The study was supposed to be available to several dozen people, but it was found on several hundred computers. A privileged user had taken the document out of his closed folder and shared it with someone "as a favor," and the information ceased to be a secret.
DCAP systems are a relatively young product for the IT and information security services of Russian companies, although these solutions are well known in the financial and trade sectors. As of March 2021, they are beginning to spread actively to other industries, because every company has the task of keeping files and folders in order. It costs businesses too much if sensitive information falls into the wrong hands.