Combining Classification and DLP
Information in this document is subject to change without notice. Complying with all applicable
copyright laws is the responsibility of the user. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written consent of Titus.
Titus may have patent applications, trademarks, copyrights or other intellectual property rights covering
subject matter in this document.
Copyright 2011 Titus Inc.
Microsoft Windows, Windows 2000, Windows XP, Windows Server 2003, Microsoft Windows Rights
Management Services, and Microsoft SharePoint are either registered trademarks or trademarks of
Microsoft Corporation in the U.S.A. and/or other countries.
At Titus we work to help businesses better manage and secure valuable corporate information. Our
focus is on building policy management solutions that make it easier for IT administrators to protect and
manage corporate correspondence including email and documents.
For further information, contact us at (613) 820-5111 or email us at info@titus.com
http://www.titus.com
1.0 | Introduction
Rapid sharing of electronic information is crucial to effective collaboration and decision making. When
that information is sensitive in nature great care must be taken to safeguard it without overly impacting
the work of those who rely on it.
The task would be greatly simplified if mistakes and malicious behavior did not need to be considered.
Unfortunately they are part of the reality of information protection, and will continue to be as long as
humans are involved.
Recent events involving WikiLeaks have clearly illustrated this, and have shown that additional data
leakage controls are required to address the exposures that were identified.
This paper will discuss a number of information security advances made possible through the
combination of commercially available products from McAfee and Titus. The paper will specifically
address leakage of sensitive information originating from user desktops. An important aspect of these
technologies is the ability to prevent data loss without resorting to mechanisms which would impede
rapid and efficient collaboration. The approach described combines information classification
techniques with data leakage prevention tools.
2.0 | Background
Protection of sensitive information has recently come to the forefront as a result of the exposure of
sensitive information on the WikiLeaks site. Based on the alleged flow of events, two security issues
were central to the leakage of information related to Afghanistan, Iraq, and diplomatic cables:
1. Analysts had access to everything at their security clearance level, with minimal consideration
given to need to know or relevance.
2. Removable media was enabled with no controls on what information could acceptably be
removed through this channel. This risk can also be extended to other methods of removing
information such as webmail, email, printing and other techniques.
The first issue will require a long-term effort to redesign information sharing systems. Post-9/11 there is
a greater understanding of the need to provide broad, seamless information sharing to allow analysts to
do their job. Enforcing overly strict need-to-know policies may be counterproductive. There are
certainly ways to reduce the risks inherent in this approach without impacting analysts' work, but
many are longer term and require significant changes to infrastructure and workflow.
This paper addresses the second issue: what can be done to prevent the removal (exfiltration) of
sensitive information. Disabling removable media and other exfiltration channels is an option, but may
also impact the day-to-day productivity of users. A more palatable approach is to enforce controls
on the types of information that can acceptably be removed from workstations. This requires that
information is consistently and reliably classified, and that the classification metadata be readily
available to security systems.
The approach described in this paper combines the following commercially available products:
- Titus Message Classification, for the classification of emails in Microsoft Outlook, Outlook
Web Access, and mobile devices
- Titus Document Classification, for the classification of Microsoft Office Word, PowerPoint,
and Excel documents
- McAfee Host Data Loss Prevention, which provides protection against theft and accidental disclosure
of confidential data across networks, through applications, and via removable storage devices
- McAfee ePolicy Orchestrator, which provides unified management of endpoint, network, and data
security with end-to-end visibility and powerful automations that slash incident response times
Figure 1 shows a document that has been classified by a user as SECRET/NOFORN. It includes visual
markings in the top header as well as a watermark.
Figure 2 illustrates how documents include classification metadata once a document has been classified
and marked. Now that the information has been classified, the McAfee family of DLP solutions can be
used to prevent leakage of certain classifications of information.
Figure 3 - Defining a McAfee policy to block the copying of sensitive files based on Titus classification metadata.
Figure 3 shows the McAfee ePolicy Orchestrator being used to define a policy that assigns specifically
classified content to a category named Sensitive based on the Titus metadata.
Figure 4 shows ePO protection rules defined to block copying of sensitive content to removable media.
Additional protection rules can be defined to block exfiltration via web upload & webmail, instant
messaging, network copy, etc.
Once the policy is pushed to computers (endpoints) running the McAfee hDLP agent, enforcement
begins and all attempted file copy actions to removable media are screened for any content that
matches the defined category of SECRET.
In this example copying sensitive information to removable storage is blocked, and the user is notified
via an optional popup message as shown in Figure 5. McAfee hDLP can also allow users to request
exceptions via a helpdesk or simply by providing business justifications where appropriate.
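The enforcement flow described above (classification metadata in the document, a content category keyed on it, a protection rule per exfiltration channel) as an added illustration; this is not Titus or McAfee code. It assumes the label is stored as a custom OOXML document property named "Classification" (an assumption, not Titus's actual schema) and constructs a minimal .docx-like file inline so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Constructed policy modelled on Figures 3 and 4: a content category keyed on the label,
# plus protection rules per channel. The property name "Classification" is an assumption.
CLASSIFICATION_PROPERTY = "Classification"
CATEGORIES = {"Sensitive": ("SECRET",)}       # label prefixes that form a category
PROTECTION_RULES = {                          # (category, destination) -> action
    ("Sensitive", "removable_media"): "block",
    ("Sensitive", "web_upload"): "block",
}
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}

def read_custom_properties(docx_bytes):
    """Return the custom document properties of an OOXML file as a dict."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return props                      # unlabelled document: no metadata
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall("cp:property", NS):
        value = prop.find("vt:lpwstr", NS)    # classification labels are strings
        if value is not None:
            props[prop.get("name")] = value.text or ""
    return props

def categories_for(props):
    """Map a label such as SECRET/NOFORN onto the policy's content categories."""
    label = props.get(CLASSIFICATION_PROPERTY, "").upper()
    return {cat for cat, prefixes in CATEGORIES.items() if label.startswith(prefixes)}

def decide(docx_bytes, destination):
    """Return 'block' or 'allow' for copying the document to a destination."""
    for cat in categories_for(read_custom_properties(docx_bytes)):
        if PROTECTION_RULES.get((cat, destination)) == "block":
            return "block"
    return "allow"                            # no rule covers this channel

def make_docx(classification=None):
    """Build a minimal constructed .docx-like zip carrying (or lacking) a label."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if classification is not None:
            zf.writestr("docProps/custom.xml",
                f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}"><property name="'
                f'{CLASSIFICATION_PROPERTY}" fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}"'
                f' pid="2"><vt:lpwstr>{classification}</vt:lpwstr></property></Properties>')
    return buf.getvalue()
```

Note that a document with no label at all falls through to "allow", which is why the paper stresses consistent and reliable classification before DLP enforcement can be relied upon.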
5.0 | Conclusion
Sharing information and intelligence effectively requires that many users are given access to large
amounts of sensitive information.
To mitigate the risks of accidental or malicious leakage of this information without overly restricting
users, a security approach combining information classification and data leakage prevention technologies
from Titus and McAfee is recommended. In this approach, Titus products store classification information within the
content as both human-readable visual labels and machine-readable metadata. This
metadata can then be consistently and reliably used to convey classification and sensitivity to McAfee
data leakage prevention systems for enforcement.