Monday, October 23, 2017

Data Loss Prevention

An organization needs to make sure that sensitive data, such as company confidential information or data collected from customers, is not shared outside the internal network without a legitimate reason. Sometimes sensitive data is shared outside the company network deliberately, because of insider threats. And sometimes it happens accidentally, through employees who are unaware of the risk. A company needs to prevent its employees from sharing sensitive data either accidentally or deliberately. Data Loss Prevention is the solution or process used for that purpose.

What is Data Loss Prevention ?

Data Loss Prevention or DLP is a strategy to make sure that end users do not send sensitive data or critical information outside the corporate network, intentionally or accidentally. Sensitive data may include confidential data like Intellectual Property, corporate data like financial documents, strategic planning documents and employee information, and customer data like Social Security Numbers, credit card numbers, medical records etc.

DLP can be effectively used to prevent insider threats as well as to comply with rigorous state privacy laws.

How is Data Loss Prevention done ?

Data loss can be prevented in various ways. Standard security measures include firewalls, IDPS and anti-virus solutions. These are commercially available products that can prevent both insider threats and outsider attacks.

Advanced measures may include using Machine Learning to detect and prevent abnormal access to sensitive data. Honeypots and user activity monitoring solutions can also be used for that purpose.

Often, dedicated Data Loss Prevention systems are used to detect and prevent data loss. These DLP solutions use mechanisms like data matching, data fingerprinting, statistical methods etc. to prevent unauthorized sharing of sensitive data, whether done accidentally or deliberately.

Sensitive data can reside on various computing devices like physical servers, virtual servers, databases, file servers or endpoint devices like computers, POS devices etc. It can also move through various network access points like wireless networks, VPNs etc. Thus a variety of solutions is needed to prevent data loss and data leaks and to support data recovery.

A Data Loss Prevention solution can identify confidential data, track the data as it moves outside the enterprise network and prevent unauthorized disclosure using disclosure policies. It uses business rules to classify and protect sensitive data.

How does Data Loss Prevention solution identify sensitive data ?

A DLP solution first has to identify sensitive data in order to prevent its loss. This can be done using various techniques.

Sensitive data can in fact be of two types – structured and unstructured. Structured data is data that exists in specific formats. Credit card data, Social Security Numbers, dates of birth, email addresses etc. are examples of structured sensitive data. Regular expressions can be used effectively to detect structured sensitive data. Data Loss Prevention solutions in fact use a number of predefined policies whose rules identify structured sensitive data, and regular expressions are widely used for that purpose. Sometimes the data is also matched against its context so that the sensitivity of the data can be judged more accurately. For example, if an employee from the payroll department looks into some other employee’s remuneration package, that is usual. But if someone from the sales department does the same, the DLP solution should be able to raise a flag and report it.

Unstructured data, on the other hand, does not have any specific format. Source code, media files etc. are examples of unstructured sensitive data. Without analyzing the contents it is difficult to tell whether such data contains anything sensitive. Data Loss Prevention solutions often use fingerprinting for this purpose. Fingerprints of unstructured sensitive data are computed using cryptographic hashes and saved in a database. Later, these fingerprints are used to recognize the same sensitive data wherever it appears.
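The two identification techniques described above, regular expressions for structured data and cryptographic fingerprints for unstructured data, as an added example that is not part of the original post. The regex policies, the Luhn filter and all sample data are constructed for this example and are not any vendor's rules.

```python
import hashlib
import re

# Predefined regex "policies" for structured sensitive data (constructed for this
# example, not copied from any vendor's rule set).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters 16-digit strings (order numbers etc.) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_structured(text: str) -> list[tuple[str, str]]:
    """Return (type, match) pairs for structured sensitive data found in text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", m.group()))
    return hits


def fingerprint(content: bytes) -> str:
    """SHA-256 fingerprint of an unstructured document (source file, media, ...)."""
    return hashlib.sha256(content).hexdigest()


def build_registry(protected: dict[str, bytes]) -> dict[str, str]:
    """Map fingerprint -> document name; only hashes are stored, not the content."""
    return {fingerprint(body): name for name, body in protected.items()}


def scan_outbound(registry: dict[str, str], attachment: bytes) -> dict:
    """Inspect one outbound attachment with both techniques and report findings."""
    findings = {"structured": find_structured(attachment.decode("utf-8", "replace"))}
    findings["fingerprint_match"] = registry.get(fingerprint(attachment))
    return findings


# Constructed sample data: one protected source file and one outbound message.
REGISTRY = build_registry({"secret_algo.c": b"int key() { return 0x2a; }\n"})
OUTBOUND_MAIL = b"Order 1234 5678 9012 3456 paid with 4111 1111 1111 1111; SSN 123-45-6789"

if __name__ == "__main__":
    print(scan_outbound(REGISTRY, OUTBOUND_MAIL))
    print(scan_outbound(REGISTRY, b"int key() { return 0x2a; }\n"))
```

The 16-digit order number is matched by the regex but rejected by the Luhn check, which is the kind of context filter that keeps a structured-data policy from flooding the console with false positives.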

Types of DLP Solutions

Data Loss Prevention solutions prevent data breaches by monitoring sensitive data while it is in use on endpoint devices, in motion on the network or at rest in data storage.

Network Based Data Loss Prevention Solution

A network based DLP solution can prevent loss of data in motion by monitoring all traffic leaving the internal network. Monitored data may include everything transferred using protocols like HTTP, FTP, IM, P2P, SMTP etc. For example, all files transferred outside the company network using FTP, or all emails sent outside the enterprise network, can be monitored.

Datacenter or Storage Based Data Loss Prevention Solution

A storage based DLP solution can protect data at rest stored within an organization’s datacenter infrastructure, like file servers, SharePoint and databases. It can determine where the sensitive data resides and whether it is stored securely. Protecting data at rest may involve methods such as access control, data encryption and data retention policies.

Endpoint Based Data Loss Prevention Solution

A Data Loss Prevention solution may also include an agent based component that sits on end user workstations and laptops and monitors data leaving the endpoint. It can control communication via email, instant messengers etc., control access to physical devices and block attempted transmission of sensitive data. These agents must be installed on every endpoint device.

Data Loss Prevention Solution Vendors

There are quite a number of vendors that provide good Data Loss Prevention solutions. Some reputed ones are mentioned below :

  1. McAfee Total Protection for Data Loss Prevention
  2. Check Point Data Loss Prevention
  3. Digital Guardian Data Loss Prevention
  4. CA Data Protection
  5. Forcepoint DLP

Tuesday, October 10, 2017

What is Access Control ?

Not all users may have permission to access all the resources in a system or network. A system should be able to allow or deny access to certain resources based on the identity or role of the user or the group the user belongs to. This is managed using access control. Access control is the selective restriction of access to a resource based on the authenticated identity of the user or the properties of the request.

Access control deals with controlling access to a resource after a user has provided credentials and the identity has been verified. For example, a user or a group of users may have permission to access only a certain set of resources and be restricted from the rest. This is managed using access control.

Access Control Models

Access to resources can be enforced through many types of controls :

  • Mandatory Access Control or MAC
  • Discretionary Access Control or DAC
  • Role Based Access Control or RBAC
  • Rule Based Access Control or RAC
  • Attribute Based Access Control or ABAC
  • History Based Access Control or HBAC
  • Identity Based Access Control or IBAC

Mandatory Access Control or MAC

In Mandatory Access Control or MAC, all access to resources is strictly controlled by the Operating System based on settings provided by the system administrator. In this type of access control, a security label is assigned to each resource on a system. These security labels can contain information on the classification of the resource (top secret, confidential, public etc.) and on whom the resource is available to. Similarly, each user is associated with a classification based on role, identity, group etc. and with a set of resources available to that user. When an authenticated user requests access to a resource, the Operating System compares the security label of the resource with the classification of the user and decides whether the request should be allowed or denied.

MAC provides a very secure access control environment and has traditionally been associated with government systems and specialized military systems. More recently, MAC has also been implemented by SELinux and AppArmor on Linux and by Mandatory Integrity Control on Windows.

Discretionary Access Control or DAC

In Mandatory Access Control, access to resources is controlled by the Operating System using settings provided by the system administrator. In Discretionary Access Control or DAC, by contrast, the owner of the resource controls which users or groups should be able to access the resource.

In this type of access control, each resource typically has one Access Control List associated with it, which specifies which users or groups have access to the resource and which permissions are granted. For example, a user may create a confidential file, provide read-only access to those who belong to the same group as the user, and restrict everyone else.

Please note that in DAC a user can control access only to resources which he/she owns. User X cannot control access to a resource which belongs to User Y.

A system can implement both MAC and DAC. In that case the Operating System controls which resources an authenticated user can access at all using MAC, and the user controls which of his/her own resources can be accessed by others using DAC.
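A small model of a system that combines MAC and DAC as described in the preceding sections, added here as an example and not part of the original post. The classification levels, users and resources are constructed for the example; the point it shows is that the owner's ACL can never override the administrator's MAC label.

```python
from dataclasses import dataclass, field

# Ordered classification levels used as MAC labels (constructed for this example).
LEVELS = {"public": 0, "confidential": 1, "top secret": 2}


@dataclass
class Resource:
    name: str
    owner: str
    classification: str  # MAC label, set by the administrator, not the owner
    acl: dict[str, set[str]] = field(default_factory=dict)  # DAC: principal -> perms


@dataclass
class User:
    name: str
    clearance: str
    groups: set[str]


def mac_allows(user: User, res: Resource) -> bool:
    """OS-enforced check: the user's clearance must dominate the resource label."""
    return LEVELS[user.clearance] >= LEVELS[res.classification]


def dac_allows(user: User, res: Resource, perm: str) -> bool:
    """Owner-managed check: the owner has all rights, others need an ACL entry."""
    if user.name == res.owner:
        return True
    principals = {user.name} | {f"group:{g}" for g in user.groups}
    return any(perm in res.acl.get(p, set()) for p in principals)


def set_acl(actor: User, res: Resource, principal: str, perms: set[str]) -> bool:
    """DAC rule from the text: only the owner may change who can access a resource."""
    if actor.name != res.owner:
        return False
    res.acl[principal] = set(perms)
    return True


def access(user: User, res: Resource, perm: str) -> bool:
    """Combined system: MAC is evaluated first and cannot be relaxed through DAC."""
    return mac_allows(user, res) and dac_allows(user, res, perm)


# Constructed sample: X owns a confidential report and shares it with group finance.
X = User("x", "confidential", {"finance"})
Y = User("y", "confidential", {"finance"})
Z = User("z", "public", {"finance"})  # in the group, but cleared only for public
REPORT = Resource("q3_report", owner="x", classification="confidential")
```

Y can read the report once X grants the finance group read access, but Z cannot, because MAC denies it before the ACL is consulted, and Y cannot change the ACL at all.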

Role Based Access Control or RBAC

Role Based Access Control or RBAC is a non-discretionary access control in which a user is given permission to access a resource based on his/her role in the organization. For example, a system may grant access to certain resources to the Accountant role, in which case all accountants in the organization would be able to access those resources. Similarly, a manager may be assigned the manager role and a software engineer the developer role, and each has permission to access resources based on that role.

Please note that a role assigned to a user is not the same as a group. A user can belong to several groups, but he/she would have a single role in the organization.

Rule Based Access Control or RAC

In Rule Based Access Control or RAC, when a request is made to access a resource, the properties of the request are checked against a predefined set of rules to decide whether the request should be allowed or denied. For example, a firewall uses Rule Based Access Control. When a request is made to access a device or network, properties of the request like IP address, port, application etc. are analyzed and checked against a predefined set of rules to decide whether to block or allow the request.

So, in Role Based Access Control or RBAC an access request is permitted based on the role of the user requesting the resource, while in Rule Based Access Control or RAC a request is allowed or denied based on the properties of the request and a set of predefined rules.

Rule Based Access Controls are commonly used to permit access to certain resources to certain users or groups during certain hours of the day or certain days of the week. For example, Rule Based Access Control can be used to permit students to access resources from 9 am to 5 pm, Monday to Friday.

Attribute Based Access Control or ABAC
Attribute Based Access Control or ABAC uses a set of attributes as building blocks to define access control rules of a resource.

Attributes are sets of labels or properties that describe the resource and the request. For example, when a user wants to access a resource in a given context, the request can contain the following building blocks :

  • Subject – The user who is requesting the resource. Common attributes are user ID, group, role etc.
  • Action – The action the user wants to perform. Common attributes are permission to read, write, execute, edit etc.
  • Resource – The resource the user wants to access.
  • Environment – The context in which the access is requested. Common attributes include timestamp of the request, location of the user, protocol used in the request, encryption strength etc.

Typically each attribute is a key = value pair like role = manager. These attributes are combined in a structured language to define an access rule or to describe a request. For example: permit managers to have read-only access to employee data if the employee belongs to the same department as the manager.

The main difference between Attribute Based Access Control and Role Based Access Control is that, unlike Role Based Access Control, Attribute Based Access Control can evaluate complex Boolean rule sets over many different attributes at once and grant access based on the result. A structured language like XACML (eXtensible Access Control Markup Language) is often used for that purpose.
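An ABAC policy evaluator covering the manager rule stated above and the students' office-hours rule from the Rule Based Access Control section, added here as an example that is not part of the original post. XACML would express these rules in XML; the Python rule functions, attribute names and sample requests below are constructed stand-ins.

```python
from datetime import datetime

# A policy is a name plus a Boolean rule over the four ABAC building blocks:
# subject, action, resource and environment. Each block is a dict of key=value
# attributes, e.g. {"role": "manager"}. Attribute names are constructed here.


def manager_reads_own_department(subject, action, resource, environment):
    """Permit managers read-only access to employee data of their own department."""
    return (subject.get("role") == "manager"
            and action.get("type") == "read"
            and resource.get("type") == "employee_data"
            and resource.get("department") == subject.get("department"))


def students_on_office_hours(subject, action, resource, environment):
    """Time-window rule: students may read course material 9 am - 5 pm, Mon - Fri."""
    ts: datetime = environment["timestamp"]  # environment attribute of the request
    return (subject.get("role") == "student"
            and action.get("type") == "read"
            and resource.get("type") == "course_material"
            and ts.weekday() < 5 and 9 <= ts.hour < 17)


POLICIES = [
    ("manager-read-own-department", manager_reads_own_department),
    ("student-office-hours", students_on_office_hours),
]


def decide(subject, action, resource, environment):
    """Default deny: return ("permit", policy_name) for the first matching rule."""
    for name, rule in POLICIES:
        if rule(subject, action, resource, environment):
            return "permit", name
    return "deny", None


# Constructed sample requests.
MANAGER = {"user_id": "u1", "role": "manager", "department": "sales"}
STUDENT = {"user_id": "u2", "role": "student"}
READ, WRITE = {"type": "read"}, {"type": "write"}
SALES_RECORD = {"type": "employee_data", "department": "sales"}
HR_RECORD = {"type": "employee_data", "department": "hr"}
LECTURE = {"type": "course_material"}
MONDAY_10AM = {"timestamp": datetime(2017, 10, 23, 10, 0)}
SATURDAY_10AM = {"timestamp": datetime(2017, 10, 28, 10, 0)}
```

The same manager gets different decisions for the two records without any change to roles, which is the context-awareness that RBAC alone cannot express.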

ABAC is also considered the “next-generation” authorization model, as it can provide dynamic, context-aware and risk-intelligent access control. Policy Based Access Control or PBAC and Claims Based Access Control or CBAC are Microsoft specific terms for ABAC.

Identity Based Access Control or IBAC

In Identity Based Access Control or IBAC, access to resources is controlled based on the identity of the authenticated user. For example, Cyberoam offers a network security system in which a user’s identity can be used as part of the firewall rule matching criteria. In this case, a user’s identity is treated as the 8th layer of the network protocol stack and is used while authenticating, authorizing and auditing the network. This in turn allows an organization to create security policies based on users and groups rather than on IP addresses. Identity Based Access Control gives more precise control over who can access the network and what they can access.

History Based Access Control or HBAC

In History Based Access Control or HBAC, access to a resource is granted or denied based on the history of the requester's activities. Past behavior, access patterns, time between requests, contents requested etc. are usually used in History Based Access Control or HBAC. For example, a user can be denied access to a resource if the number of requests per second exceeds a certain threshold or if an abusive access pattern has been detected in the past.

What is the difference between Access Control and Identity Management ?

Identity Management covers a whole range of functions like access control, user provisioning, privileged account management, directory services, account auditing, role and group management, Single Sign On or SSO etc. Access control is only one part of Identity Management.

Vendors like Oracle, Microsoft, IBM, Novell etc provide Identity Management suites that include identity administration, identity infrastructure, access management and auditing.

In short, identity administration sets up the user roles and groups that grant access only to authorized systems. Identity infrastructure, such as LDAP, holds information on user accounts and user identity. Access management sets up user accounts with user IDs, passwords, smart cards, biometrics etc. And auditing deals with reporting on accounts.

On the other hand, access control is concerned with granting users access based on their authenticated identity. It is not concerned with proving that identity. While Identity Management can use multiple pieces of proof to verify the identity of a user, access control focuses on granting users access to resources once their identity has been verified.