Cisco Data Security Deployment Guide Revision: H1CY11


Using this Data Security Deployment Guide


This document is for the reader who:

• Has read the Borderless Networks for Enterprise Organizations Deployment Guides

• Wants to connect Borderless Networks to a Cisco data security solution

• Wants to gain a general understanding of the Cisco data security solution

• Has a level of understanding equivalent to a CCNA® certification

• Wants to protect sensitive intellectual property and customer data within the organization and prevent accidental leakage

• Wants to address data security compliance and regulatory requirements

• Wants to implement data security policies within the organization

• Wants the assurance of a validated solution

This guide introduces the Cisco data security solution. It provides details on how Cisco content security appliances work with RSA Data Loss Prevention (DLP) products to solve end-to-end data security problems. An overview diagram of the solution is illustrated in Figure 1.

This document is divided into the following sections:

Business Overview—outlines the business problems faced by enterprise organizations in the area of data security.

Technology Overview—provides details on data security system concepts and the important characteristics that the industry looks for when evaluating such solutions.

Detailed Configuration—discusses some of the best practices and the steps required to deploy the Cisco data security solution.

Additional Information

This is a supplement guide to the Smart Business Architecture (SBA) for Enterprise Organizations (2,000 to 10,000 connected users) deployment guides. The SBA for Enterprise Organizations is a reference architecture that delivers an easy-to-use, flexible and scalable network with wired and wireless security.


Figure 1. Solution Diagram

Related Documents

Smart Business Architecture (SBA) for Enterprise Organizations (2000 to 10,000 connected users) deployment guides (http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns982/landing_sBus_archit.html)

Internet Content Adaptation Protocol (ICAP) http://www.faqs.org/rfcs/rfc3507.html

Technology partner deployment guides can be found here: http://www.cisco.com/go/securitypartners


ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Unified Communications SRND (Based on Cisco Unified Communications Manager 7.x)

© 2010 Cisco Systems, Inc. All rights reserved.

Table of Contents

Business Overview

Technology Overview

Cisco Data Security Configuration Details

Endpoint Security

Datacenter Security

Summary

Appendix A: SBA for Enterprise Organizations Document System


Business Overview

Network borders are rapidly being eroded by the need to enable anyone, anywhere to connect to anything, at any time. Employees, partners, and customers are using mobile devices and applications to connect from homes, hotels, airport Internet kiosks, and local coffee shops, collaborating through mobile platforms, increasing business efficiency, productivity, and flexibility. However, enhanced communication also increases the risk of losing sensitive information, such as intellectual property and customer data, due to innocent or malicious activities.

Recently, multiple data loss incidents affecting large organizations have made headlines, resulting in negative media coverage and public embarrassment. In some cases, penalties and corrective actions have cost millions of dollars. Organizations must take steps to protect their intellectual property and sensitive customer data, and to comply with local, national, and international regulations that govern many different kinds of data.

Intellectual property is one of an organization’s most important business assets; businesses lose billions of dollars each year from theft of trade secrets. Intellectual property can be lost through inadvertent disclosure, or through malicious action by an employee or an outsider.

Organizations need to protect customer data, including personally identifiable information (PII), credit card numbers (CCNs), Social Security numbers (SSNs), and other records. Sophisticated criminal enterprises are using botnets and malware to infiltrate organizations in order to steal this information. Breached companies often bear the costs of notifying customers and the public of a data loss incident, and may also have to bear remediation expenses.

International, national, state, and local regulatory requirements are increasing, especially for protection of sensitive information assets. Thousands of data privacy regulations have been created in recent years, and countries and states have enacted data-breach notification laws.

Organizations from different industries and operating in different countries are under mandates to comply with different regulations, such as:

• Health Care—EU Directive, PIPEDA, and HIPAA

• Education—FERPA, HIPAA, and possibly PCI-DSS

• Financial—GLBA, SOX, PCI

• Retail—PCI-DSS

To solve these data protection problems and meet regulatory requirements, a comprehensive and well thought out data security solution is essential.


Technology Overview

Data Security

A data security solution identifies data based on its content and/or the context in which it occurs. The identification process occurs at many different locations and in many different ways. For example, data identification can take place when data is created and when endpoint devices such as laptops, mobile phones, and removable media consume it. In addition, identification can occur when data is moved or shared across a network, and when it is stored or archived in the data center or a cloud network. An effective data security system must protect the data throughout its entire lifecycle, as depicted in Figure 2.

A primary goal of data security systems is to protect against theft of intellectual property and confidential customer data. Doing so helps organizations comply with legal and regulatory standards. Data security systems interact with networks, endpoints, and data centers, and consist of multiple components, including DLP, encryption, device control, information rights management, and secure delivery, as depicted in Figure 3.

DLP is an important component of a comprehensive data security solution. DLP provides content-based data discovery, monitoring, and protection of sensitive data at rest, in use, and in motion.

Figure 2. Data Security Lifecycle

Endpoint data security uses device control, encryption, and content-aware DLP techniques to protect data at rest and data in use on mobile devices such as laptops, netbooks and smartphones. On laptops and on removable media, data at rest is protected by full disk encryption or intelligent, policy-based encryption of sensitive data. On smartphones, data at rest is protected by encryption and by device control features such as device wipes and personal identification number (PIN) locks. Encryption and device control help mitigate the risk of lost or stolen devices. Content-aware DLP can also discover and classify sensitive information on endpoint devices, preventing accidental leakage of information through such means as USB flash drives or uncontrolled printouts.

Figure 3. Data Security System

Network data security focuses on secure data delivery, threat protection, and data loss prevention for data in motion across the network perimeter. Secure data delivery solutions, such as VPNs, protect data integrity and confidentiality for sensitive information over insecure public links. Threat protection solutions like intrusion prevention systems (IPS) protect against threats such as buffer overflows, injection attacks, directory traversals, and other common attacks. DLP data-in-motion solutions use content-aware techniques to ensure that sensitive information does not leave an organization accidentally or by any unauthorized means.

Data center security and cloud data security have many different components, such as database encryption, file-share encryption, storage area network (SAN) data encryption, content-aware data discovery of sensitive data on servers, and information rights management for prevention of unauthorized access. Data center DLP technologies focus on discovery of sensitive information by local or remote agents that crawl databases, document management systems, and other servers, and classify data. Data center security addresses the need to meet data security regulatory requirements, to discover and protect intellectual property, and to provide insight into who has access rights to data.

Data security systems include a central management server for creating and administering data security policies, an incident workflow, a reporting system, and data discovery and enforcement across various points.


Overview of the Cisco Data Security Solution

Cisco is partnering with leading companies through the Cisco Developer Network (CDN) to deliver a comprehensive data security solution, including an array of technologies to protect data throughout its lifecycle, as shown in Figure 4 below. This solution provides organizations a policy-based approach for monitoring, identifying and preventing leakage of information across the network, endpoints and data center.

Figure 4. Comprehensive Data Security Solution

Network Security

Sensitive data can leave the network perimeter by many different means, such as email, web applications, file transfers, and instant messaging. Enforcing content policies at the network perimeter is an effective defense against accidental data loss. Cisco partners with RSA, a leading DLP solution provider, to provide integrated DLP technology on Cisco IronPort Email and Web Security Appliances.

RSA Email DLP is built into the Cisco IronPort Email Security Appliance to provide content-level scanning of email messages and attachments, and to detect sensitive information before it leaves an organization. It contains an integrated DLP scanning engine with over 100 DLP policy templates, and is activated through a software license. DLP policy in the Email Security Appliance allows messages to be examined for data patterns that are associated with sensitive data that should not be exposed to the outside world. Several actions can be taken when a pattern match occurs, ranging from sending a warning message to blocking the entire message.

DLP policy can also enforce encryption of messages containing sensitive data, using the email encryption feature of the appliance. Email encryption can use either the Cisco Registered Envelope Service (CRES) or a local key server, as shown in Figure 5. CRES provides secure and transparent management of key creation, distribution, and retention.

Figure 5. Cisco Registered Envelope Service in Use

Gateway-to-gateway encryption through Transport Layer Security (TLS) is another way of protecting sensitive information. The Email Security Appliance can securely relay a message over a TLS connection, and the administrator can configure the policy to control whether TLS transport is mandatory, or used only when the other side of the connection supports it, and whether message-level encryption is used as a fallback when TLS is not available.

While the Email Security Appliance protects standard Internet email sent using the Simple Mail Transfer Protocol (SMTP), other increasingly popular alternatives, such as instant messaging and web-based email services, must also be inspected for sensitive data. Cisco IronPort Web Security Appliances can connect to an external DLP system using ICAP. This enables the Web Security Appliance to apply DLP policies to HTTP, HTTPS, and FTP traffic in the same way as the Email Security Appliance does to SMTP traffic, providing consistent enforcement no matter which protocol is being used to send the information.

Endpoint Security

Endpoint data security includes content aware policy enforcement, mandatory encryption of sensitive data on laptops and smartphones, and protection of sensitive information being copied or transferred to removable media. Cisco partners with endpoint data protection market leaders to provide validated and compatible policy-based encryption and device control solutions for data at rest and data in use on endpoints.


Cisco recommends RSA DLP Endpoint for the protection of information assets on laptops and desktops. RSA DLP Endpoint consists of two modules, Discover and Enforce. The Discover module provides content-based data classification and fingerprinting that provides visibility for sensitive data on laptops and desktops. The enforcement module provides protection for data in use by preventing copying of sensitive data to USB devices and other removable media.

Data Center Security

DLP for the data center involves discovering, classifying and encrypting sensitive data no matter where it resides in the data center—file systems, databases, email systems, or network-based storage. Cisco recommends RSA DLP Datacenter, which can discover sensitive data and help to enforce policies across file shares, databases, network storage, Microsoft SharePoint sites and other data repositories to reduce the risk and business impact associated with enterprise data loss.

RSA DLP Datacenter offers permanent and temporary agents. Temporary agents scan data, collect policy violations, and self-uninstall to allow organizations to survey their risk landscape. RSA Enterprise Manager can deploy policies across RSA DLP Datacenter, DLP Network and DLP Endpoint.

For data center SAN storage, Cisco MDS 9000 Family Storage Media Encryption (SME) offers a heterogeneous, standards-based encryption solution for data at rest, with comprehensive built-in key-management features.

Data Security Deployments and Use Cases

A complete data security system is best deployed in stages, as depicted in Figure 6 below. Cisco recommends implementing DLP in three sequential steps:

1. Network Deployment provides broad coverage with ease of management, using the security management features of Cisco IronPort Email Security and Web Security Appliances.

2. Endpoint Deployment provides policy-based device control and encryption to prevent sensitive information from leaving through external removable media, printing, copying and other means of data in use.

3. Data Center Deployment, the final step, requires understanding the organization’s unstructured or structured sensitive data assets, and determining what policies need to be enforced at various points in the data security deployment. RSA DLP Datacenter and Cisco SME address issues of discovering and encrypting sensitive information in the data center.

In addition, after each step is completed, we recommend two additional activities:

• Tuning—after organizations identify their sensitive data, they configure DLP to meet their particular requirements. This involves testing to ensure they are detecting violations, frequently by configuring the products in learning or non-block mode to gather information for secondary analysis, before implementing more stringent controls.

• Optimization—finally, the data security system should be optimized for easy maintenance and management. In this phase, automatic updates, instant reports for executives, automatic decision making information and detailed violation reports are typically configured.

Figure 6. Cisco Data Loss Prevention Deployment


Cisco Data Security Configuration Details

Network Security

Process

Cisco Email Data Security Configuration

1. Enable DLP

2. Set Up the Basic DLP Policy

3. Testing and Monitoring the Data Security System

4. Monitoring DLP Policies

The Cisco IronPort Email Security Appliance is placed in the DMZ of the Internet edge of the SBA Borderless Networks for Enterprise Organizations architecture. For simplicity, the appliance is connected by a single interface, as shown in Figure 7.

Figure 7. Cisco Email Data Security Architecture (diagram components: Email Security Appliance, Internet servers, firewall, end user, Internet, DMZ switch)

Implementing DLP with Email Security Appliances requires the following high-level procedures, each involving several steps, as listed below:

• Enable DLP

• Set up basic DLP policy

a. HIPAA Policy

b. GLBA Policy

c. PCI-DSS Policy

d. Custom Policy

• Connect the DLP policy with outgoing mail policy

• Test and monitor policy violations

Procedure Enable DLP

DLP is a licensed feature on the Cisco IronPort Email Security Appliance. You can activate this feature by providing the license key in the Feature Key tab of the web management interface by selecting System Administration > Feature Keys and then clicking “Check for New Keys”. Verify that the key is active, as shown in Figure 8.

Figure 8. Activate DLP

Note that the email encryption feature license is also active in the example and is required in order to employ message encryption as an option in the DLP policy. If you have not licensed email encryption, this action will not be available.

To start scanning the outgoing emails for sensitive data you must first enable DLP on the appliance using the following steps in the web management interface:

Step 1: Select Security Services > RSA Email DLP.

Step 2: Click Enable. The license agreement page appears.

Step 3: Read the agreement, then click Accept.


Step 4 (optional): Enable Matched Content Logging to allow the logs to include the content that triggers a violation. Note that this option will cause potentially sensitive information (such as credit card numbers) to appear in the security logs. Your organization’s policy requirements will determine if this is desirable or not. Also note that this feature requires that the message tracking service is enabled under Security Services > Message Tracking.

Procedure Set Up the Basic DLP Policy

The DLP Policy Manager is a single dashboard in the web interface that allows you to manage all email DLP policies. You can access the DLP Policy Manager from the Mail Policies Menu. The appliance comes with over 100 predefined policy templates developed by RSA, some of which are shown below. In the following examples, configurations of HIPAA, GLBA, and PCI-DSS policies from predefined RSA templates, as well as one custom policy, are shown.

HIPAA Policy

Step 1: Select Mail Policies > DLP Policy Manager.

Step 2: Click Add DLP Policy.

Step 3: Click Regulatory Compliance and then click Add HIPAA.

Figure 9. Add DLP Policy

In this example, assume the organization’s patient ID numbers follow a pattern of three digits, each ranging from 2 to 4, followed by seven digits ranging from 0 to 9. This pattern is matched by a regular expression of the form [234]{3}[0-9]{7}; additionally, the phrase “Patient ID” must appear in the data, in order for the policy to match.

Step 4: Enter [234]{3}[0-9]{7} in the “Patient Identification Numbers as a regular expression” field.

Step 5: Enter “Patient ID” in the “AND match with related words or phrases” field, as shown in Figure 10 below.

The completed form is shown below in Figure 10. If an outgoing email message contains a number that matches both the regular expression and the text “Patient ID”, it triggers this DLP policy.

Figure 10. HIPAA DLP Policy

Step 6: Under Severity Settings > Critical Severity Settings, select Quarantine from the Action Applied to Messages drop-down menu. Messages that contain DLP violations will be held in a quarantine area.

Step 7: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy (bcc) to another recipient, and send a DLP notification message.

Step 8: If you want to define different settings for messages that match the high, medium, or low severity level, uncheck the Inherit Settings check box for the appropriate security level. Edit the overall action for the message and the other settings. In this example different settings by severity level remain unconfigured.

Step 9: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager.


GLBA Policy

Follow the preceding steps and add a GLBA policy. However, in this example assume the account numbers consist of three digits in the range of 4 to 6, followed by six digits in the range of 0 to 9.

Step 1: Select Mail Policies > DLP Policy Manager.

Step 2: Click Add DLP Policy.

Step 3: Click Regulatory Compliance and then click Add GLBA.

Step 4: Enter [456]{3}[0-9]{6} in the “Custom Account Numbers as a regular expression” field.

Step 5: Enter “Account Number” in the “AND match with related words or phrases” field.

An outgoing email that contains a matching account number and keyword will now trigger an alert for a GLBA violation.

Step 6: Under Severity Settings > Critical Severity Settings, select Quarantine from the Action Applied to Messages drop-down menu. Messages that contain DLP violations will be held in a quarantine area.

Step 7: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy (bcc) to another recipient, and send a DLP notification message.

Step 8: If you want to define different settings for messages that match the high, medium, or low severity level, uncheck the Inherit Settings check box for the appropriate security level. Edit the overall action for the message and the other settings. In this example different settings by severity level remain unconfigured.

Step 9: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager.

Figure 11. GLBA DLP Policy

PCI-DSS Policy

PCI standards mandate that credit card numbers never be transmitted in unencrypted form. Before adding a PCI-DSS Policy, enable the encryption profile in order to take encryption as action within the PCI-DSS policy:

Step 1: Click Security Services and then IronPort Email Encryption Services.

Step 2: Make sure the IronPort Email Encryption is enabled and that the proxy server setting is correct for your network. In our example, no proxy server is required, as shown below.

Figure 12. Enabling Email Encryption


Step 3: Click Add Encryption Profile and use Encryption_Enable as the profile name.

For example, use CRES for key management and select Cisco Registered Envelope Service from the Key Service Type list as shown below.

Figure 13. Adding an Encryption Profile

To enable the PCI-DSS policy, follow the same steps that you used to add the HIPAA Policy, with the following exception:

In Step 5, in the Critical Severity Settings section, choose the Quarantine action as in the previous example, but also select the Enable encryption on release from quarantine option. From the Encryption Rule drop-down list, select Only use message encryption if TLS fails and choose the Encryption_Enable profile from Step 2 in the Encryption Profile drop-down list.

Figure 14. Enabling Message Encryption if TLS Fails

Custom Policy

When using the pre-built PCI-DSS policy or the Credit Card Number Classifier feature, it is important to note that those cover CCNs from American Express, Discover, Diners Club, JCB, MasterCard, and Visa. If you want to add support for specific store credit cards, you must use a custom policy and configure regular expressions to match the CCNs in e-mail.

The following example, illustrated in Figure 15, configures a regular expression to match a CCN that is 16 digits long and begins with the prefix 6035, with each group of four digits separated by a space, so the CCN structure is 6035 0000 0000 0000. In a regular expression, this can be represented as 6035\s\d{4}\s\d{4}\s\d{4}. Note that here, “\s” represents a space, and “\d” a digit, equivalent to the range [0-9].

Step 1: Select Mail Policies > DLP Policy Manager.

Step 2: Click Add DLP Policy.

Step 3: Click Custom Policy and assign the name Store_Card.

Step 4: Configure the following three rules:

• Regular Expression: 6035\s\d{4}\s\d{4}\s\d{4}

• Entity: US Address

• Entity: Proper Name

Figure 15. Creating a Custom DLP Policy

Step 5: Under Severity Settings > Critical Severity Settings, choose Quarantine from the Action Applied to Messages list.


Step 6: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy to another recipient, or return a system-generated notification message to the sender.

Step 7: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager. The DLP policies will look like those shown in Figure 16 below.

The order of the policies is important. The appliance evaluates the policies in the order that they are listed in the DLP Policy Manager, reading from top to bottom. If a message matches more than one DLP policy, only the first one found in the list will be applied. Edit Policy Order can be used to rearrange the rules, if needed.

Figure 16. Setting the Order of Policies
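
The regular expressions from the HIPAA, GLBA and Store_Card examples, and the top-to-bottom first-match rule described above, can be rehearsed offline before they are committed on the appliance. The following Python sketch is an added example, not Cisco or RSA code: it models only the "regular expression AND related phrase" part of each policy (not the RSA dictionaries, PII classifiers or entity rules), assumes the phrase comparison is case-insensitive, and runs on constructed sample messages. The digit-boundary variant is an analysis aid; the guide does not say whether the appliance accepts lookaround syntax.

```python
import re

# (name, regex from the guide, phrase that must also appear, or None),
# listed in the order they would sit in the DLP Policy Manager.
POLICIES = [
    ("HIPAA", r"[234]{3}[0-9]{7}", "Patient ID"),
    ("GLBA", r"[456]{3}[0-9]{6}", "Account Number"),
    ("Store_Card", r"6035\s\d{4}\s\d{4}\s\d{4}", None),
]


def policy_matches(policy, text):
    """True when the regex hits and the related phrase (if any) is present."""
    _name, pattern, phrase = policy
    if re.search(pattern, text) is None:
        return False
    # Assumption: the phrase comparison is case-insensitive.
    return phrase is None or phrase.lower() in text.lower()


def first_match(text, policies=POLICIES):
    """Name of the first matching policy, reading the list top to bottom."""
    for policy in policies:
        if policy_matches(policy, text):
            return policy[0]
    return None


def with_digit_boundaries(policies):
    """Same policies, but a match may not sit inside a longer run of digits."""
    return [(n, r"(?<!\d)(?:" + p + r")(?!\d)", ph) for n, p, ph in policies]


# Constructed sample messages (not real data).
SAMPLES = {
    "patient": "Patient ID 2341234567 was admitted with pneumonia.",
    "account": "Please update Account Number 456123456 today.",
    # One number that satisfies both the HIPAA and the GLBA pattern.
    "both": "Patient ID and Account Number are both 4441234567.",
    # A 13-digit parcel number that happens to contain a patient-ID pattern.
    "tracking": "Patient ID pending. Parcel tracking 9923412345678.",
    "card_spaced": "Store card 6035 1234 5678 9012 on file.",
    "card_dashed": "Store card 6035-1234-5678-9012 on file.",
}


def report(policies=POLICIES):
    """Map each sample label to the policy that would be applied to it."""
    return {label: first_match(text, policies) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    print("as configured:    ", report())
    print("GLBA listed first:", report([POLICIES[1], POLICIES[0], POLICIES[2]]))
    print("digit boundaries: ", report(with_digit_boundaries(POLICIES)))
```

The "both" sample changes verdict when the list order changes, the "tracking" sample is a false positive of the unbounded pattern, and the dashed card number shows that the Store_Card expression covers only the whitespace-separated layout the guide describes.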

Procedure Connect the DLP policy with Outgoing Mail Policy

Outgoing mail policy determines which DLP policies are applied to messages leaving the organization. To apply the DLP rules created in the steps above, go to Mail Policies > Outgoing Mail Policies and select the current DLP policy rules for the outgoing default policy. Note that if you have not yet set up DLP policies, the current DLP policy rules will appear as “Disabled”. Clicking on that link will allow you to select Enable DLP and to enable or disable the individual policies.

Figure 17. Configuring Outgoing DLP Mail Policies


Procedure Testing and Monitoring the Data Security System

HIPAA Policy Example

The pre-defined HIPAA policy in the RSA Email DLP engine looks for data in this fashion:

(Drug dictionary OR Disease dictionary OR Injury dictionary) AND (PII classifiers that are ORed together)

In other words, a message must contain something that matches one of the HIPAA dictionaries, as well as a PII identifier, in order for the message to match the policy.

To test the outgoing mail policy, compose a test email that includes some illness-related terms, the text “Patient ID”, and a patient ID number that matches the pattern defined in the HIPAA example configuration. The image below shows a simple test message. Send the test email to a destination outside the network.

Figure 18. Testing the Outgoing DLP Mail Policy

If the rule is being applied correctly, the sender will receive a notification e-mail similar to the one shown below, indicating the HIPAA violation.

Figure 19. Example Notification Email

Because the HIPAA policy was configured to quarantine messages that contain DLP violations, manually inspect the test message, and either delete it or forward it. Quarantine areas also have a default action, which can be either to release the message or to delete it, and a time period after which the default action is automatically taken. In this example, manually release the message, allowing it to be delivered:

Step 1: Select Monitor > Quarantines > Policy to view quarantined messages, as shown in Figure 20.

Figure 20. Viewing Quarantined Email Messages


Step 2: Click the subject to view the details of the quarantined message, as shown in Figure 21 below.

Figure 21. Viewing Details of Quarantined Messages

Step 3: Under Quarantine Details, you have the ability to either delete the quarantined message or to release it, or to extend the quarantine period. To release the message to its destination, check the Select box for the test message, choose Release from the Select Action drop-down list, and then Submit.

Procedure Monitoring DLP Policies

In the management GUI, select Monitor > DLP Incidents. From the DLP Incident Summary screen shown below, one can click on any of the policies to see the report for that specific policy violation. By clicking on the policy in “DLP Incident Details”, one can view individual users who have violated that policy. This allows the administrator to see their mail profile, which provides information about what information assets are leaving the network by e-mail. Administrators can also search for DLP violations and see the specific content that triggered the DLP violation. This provides detail about what transpired in the DLP incidents during auditing and discovery.

Figure 22. Monitoring DLP Incidents


Process

DLP Configuration for Web Traffic

1. Enable DLP on the Appliance

2. Configure the RSA DLP Network

3. Validate the Setup

A Cisco IronPort Web Security Appliance deployed at the Internet edge interoperates with RSA DLP technology to identify and protect sensitive data. The appliance acts as a proxy server and uses ICAP to offload content scanning to external systems. RSA Enterprise Manager manages policies for the network, endpoints, and data-center. Cisco IronPort Web Security Appliance, RSA Enterprise Manager, and the RSA DLP Network Controller are the main components shown below.

Figure 23. Main Components for Web Traffic DLP (diagram components: Web Security Appliance, ICAP server, RSA Network Controller, RSA Enterprise Manager, firewall, end user, HTTP/HTTPS/FTP proxy connection, Internet)

In this deployment guide, RSA DLP Network Controller, the ICAP server, and RSA Enterprise Manager are installed and configured in the SBA Borderless Networks for Enterprise Organizations architecture.

The following sections provide a recommended configuration for blocking sensitive information sent through webmail. Cisco IronPort Web Security Appliance version 6.3.3 is the verified platform. In this example, the pre-defined PCI-DSS policy for the network is used.

Implementing DLP with Web Security Appliances requires the following high-level procedures, each involving several steps, as listed below:

• Enable DLP on the appliance

• Configure the RSA DLP network

• Validate the setup

• Test and monitor policy violations

Procedure Enable DLP on the Appliance

Step 1: Enable the external DLP server, which in this example has IP address 10.4.200.118:

From the Web Security Appliance web management GUI, select Network > External DLP Servers, then click Edit Settings. In the Server Address field, enter the address of the RSA DLP server, in this case 10.4.200.118. The Port will usually be left set to the ICAP default port of 1344. The Service URL is of the form icap://serverIP/srv_conalarm, so in the example shown in Figure 24, it is icap://10.4.200.118/srv_conalarm.

Figure 24. Configuring an External DLP Server Using ICAP

To test the connection between the appliance and the external DLP server, click Start Test.

Click Submit, then Commit Changes.


Step 2: Set Up External DLP Policy

Create external DLP policies that determine which traffic is sent to the ICAP server for content scanning.

Go to Web Security Manager > External DLP Policies and click Add Policy. Give the policy a name in the Policy Name field. In this example, use “Gmail Policy” as the name. Under Policy Member Definition, select criteria for the policy. In this example, apply the policy to all users and leave Identities and Users set to the default value of All Identities. For this setting, at least one further selection option is required. Click on Advanced and then set the Protocols definition to include HTTP, HTTPS, FTP over HTTP, Native FTP, and All others. Click Submit.

Click on the Scan settings under Destinations for the policy. Choose Define Destinations Scanning Custom Settings from the drop-down list, and set Destinations to Scan to Scan all uploads. The resulting policy should look like the “Gmail policy” entry shown below:

Figure 25. Configuring to Scan All Protocols

Step 3: Click Submit and then Commit Changes.
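An independent check of the ICAP service configured in Step 1, as an added example that is not part of the Cisco guide: it builds an ICAP OPTIONS request (RFC 3507) for the Service URL and checks that the reply advertises REQMOD, the ICAP method for scanning client requests such as uploads. The function names and the sample reply are constructed for illustration, and that the appliance submits uploads through REQMOD is an assumption.

```python
import socket
from urllib.parse import urlsplit

ICAP_DEFAULT_PORT = 1344  # ICAP default port named in Step 1

# Constructed sample reply, not captured from an RSA DLP server.
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n"
                b'ISTag: "constructed"\r\nMax-Connections: 100\r\n\r\n')


def build_options_request(service_url):
    """Return (host, port, request bytes) for an ICAP OPTIONS probe."""
    parts = urlsplit(service_url)
    if parts.scheme != "icap" or not parts.hostname:
        raise ValueError("expected icap://host[:port]/service")
    request = f"OPTIONS {service_url} ICAP/1.0\r\nHost: {parts.hostname}\r\n\r\n"
    return parts.hostname, parts.port or ICAP_DEFAULT_PORT, request.encode("ascii")


def parse_reply(raw):
    """Parse the ICAP status line and headers; return (status code, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    version, code, _reason = (lines[0].split(" ", 2) + ["", ""])[:3]
    if not version.startswith("ICAP/") or not code.isdigit():
        raise ValueError("not an ICAP reply")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def offers_request_scanning(raw):
    """True when the service answers 200 and lists REQMOD among its methods."""
    code, headers = parse_reply(raw)
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    return code == 200 and "REQMOD" in methods


def probe(service_url, timeout=5.0):
    """Send OPTIONS to a live server and return the reply headers as bytes."""
    host, port, request = build_options_request(service_url)
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data and (chunk := sock.recv(4096)):
            data += chunk
    return data
```

Against a live deployment, `offers_request_scanning(probe("icap://10.4.200.118/srv_conalarm"))` run from a host allowed to reach the ICAP server gives the same yes/no answer for the real service.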

Procedure Configure the RSA DLP Network

Step 1: In RSA Enterprise Manager, enable the ICAP server and Network Controller. The Network Controller communicates between RSA Enterprise Manager and network devices.

Go to Admin > Network > Status and verify that the Network Controller and ICAP servers are operating. For detailed instructions on setting up the DLP Network ICAP server and Network Controller, please refer to the RSA documentation for RSA Data Loss Prevention.

Step 2: Write a PCI-DSS policy to prevent the loss of sensitive information via Gmail.

Go to Policies > New Policy > Use Policy Template.

Click PCI-DSS policy. The PCI-DSS policy page opens.

Under the Network tab, select the following options:

• Under Who, select all Users.

• Under Detect, select Protocols.

• Under Action, select Audit only.

Click Save.

Figure 26. Setting a Policy for Gmail


Procedure Validate the Setup

Step 1: Configure a web browser to proxy outgoing traffic through the Cisco IronPort Web Security Appliance.

Step 2: Using the browser, access Gmail, compose a new message, and attach a file that violates the PCI-DSS policy.

Step 3: Verify that a Network ICAP discard message is displayed in the browser.

Step 4: Use RSA Enterprise Manager to view the resulting event and incident that were created as a result of this violation of policy.

Figure 27. Viewing Incidents and Events Caused by Policy Violations


Endpoint Security

RSA DLP Endpoint allows you to monitor and control how end users interact with sensitive information. It tracks and controls a range of user actions as defined by policy, and it audits user actions involving sensitive data, sending alerts of policy violations, and creating audit logs.

Configuration of RSA DLP Endpoint

A deployed instance of RSA DLP Endpoint includes the following components, shown in Figure 28.

• RSA DLP Endpoint Agents

• RSA DLP Enterprise Manager

• RSA DLP Site Coordinator

• RSA DLP Enterprise Controller

Figure 28. A Deployed Instance of RSA DLP Endpoint

Endpoint Agents run on each user’s computer to monitor user actions and perform content analysis. The agents are responsible for enforcing usage policy and collecting audit data. The Site Coordinator controls the customer’s deployment. It sends instructions to, and gathers results from, endpoint agents, defined into Endpoint Groups.

The Enterprise Manager is the interface to DLP Endpoint for both users and administrators. The Enterprise Manager sends configuration settings and policies to the Site Coordinator to be picked up by all endpoint agents on the network. At predefined intervals, the Enterprise Manager picks up events sent to the Site Coordinator by those endpoint agents, and based on policy, generates incidents for review and analysis.

Process

RSA DLP Endpoint Example

In this example, assume Enterprise and Site Coordinators “San Jose” are configured. This example shows that, if a user tries to copy files onto external media such as a USB drive, this action triggers a DLP violation.

Step 1: Create a new Endpoint Agent group

In RSA DLP Enterprise Manager, go to Admin > Endpoint. Click New Endpoint Group. Select the site San Jose.

In the Computers (DNS names or IP addresses) field, specify the IP address of the computer (for example, 192.168.21.36).

In the Configure passwords section, enter the GPO/Push Agent Password, which is the password for installing endpoint agents with push technology. If you have already installed endpoint agents on the target machines in the Endpoint group, enter the same password that was used for those installations.

Step 2: Activate RSA DLP Endpoint policy using pre-defined policy templates

Go to the Policies tab.

Click New Policy at the top of the policy list.

Select Use Policy Template Library from the drop-down menu.

Under the Regulatory and Compliance section, select the PCI-DSS policy template and activate it for Endpoint.

Click the PCI-DSS policy and then select the Endpoint tab within the PCI-DSS template.

Figure 29. Policy Validation Rules


Create a policy violation rule. In the Who field, keep the default “All users” option.

Under Detect, the detection filter lets you specify user actions, file attributes, destination attributes and transmission attributes that can trigger a DLP violation.

Add a “User action” detection rule, which lets you specify a user action that triggers a DLP violation. Select Copy to Removable Drive.

Figure 30. Defining a User Action Detection Rule for Removable Drives

Under Severity — Action, choose Notify and Audit as the action the policy should take if a violation occurs.

Click Save. The new or edited policy will appear in the policy list on the Policy Manager page. By default, the policy is enabled. To test the policy on the client machine, try copying a document or any other file type that contains a CCN with address information to a USB drive. This will generate a DLP violation.

View DLP Violation: Click the Incident tab to display the DLP violation.

Figure 31. Console Messages Showing DLP Violations


Datacenter Security

RSA DLP Datacenter is a software solution that permits locating and acting on sensitive information stored anywhere in the enterprise. In use, DLP Datacenter scans an organization’s networks, examining files on all machines of interest.

RSA DLP Datacenter Configuration

A deployed instance of RSA DLP Datacenter includes the following components, as shown in Figure 32.

• RSA DLP Endpoint Agents

• RSA DLP Enterprise Manager

• RSA DLP Site Coordinators

• RSA DLP Enterprise Coordinator

Figure 32. RSA DLP Datacenter Components

During a scan, endpoint agents perform the content analysis. Each agent receives instructions from, and returns results to, its Site Coordinator. An RSA DLP Datacenter installation can have as many Site Coordinators as required, possibly in widely dispersed locations. The Enterprise Coordinator is the master controller for the DLP Datacenter deployment. It sends instructions to, and gathers scan results from, all Site Coordinators involved in all scans.

When it scans, DLP Datacenter accesses a specific scan group, which is a set of machines on the network that you specify as being of interest.

There are several types of scan groups available:

• Agent: Scan groups for agent-based scan

• Grid: Scan groups for grid scans

• Repository: Scan groups for scan

Agent-Based Scanning

In this type of scan, an endpoint agent is installed on every machine whose content should be scanned. To perform a scan, Enterprise Manager sends a request to the Enterprise Coordinator, which sends a command to the appropriate Site Coordinator on a local or remote network. The Site Coordinator installs or connects to an endpoint agent on each target machine in the scan group and commands it to start scanning. Each agent accesses and analyzes all files on its local host and then sends results—information about files that violate the policies being scanned for—back to the Site Coordinator, which collates results and sends them to the Enterprise Coordinator and on to Enterprise Manager for display to the user.

Figure 33. Agent-based DLP Scanning

Grid Scanning:

Grid scanning provides for efficient, scalable analysis of very large file repositories (such as SAN or NAS systems), distributing the burden of analyzing the large amounts of data (up to terabytes) in the storage device.

Figure 34. Grid-based DLP Scanning


Repository Scan and Database Scan

Specialized types of grid scans include database scanning of enterprise databases, and repository scanning of collaboration and document-management systems, such as SharePoint or Documentum.

In this guide, only agent-based scanning has been validated. Grid scanning is out of the scope of this guide.

RSA DLP Datacenter Agent-based Scanning Example

This example scans a group of machines that contain specific dated files.

Step 1: In Enterprise Manager, click the Admin tab. The Administration Status Overview appears. Beneath the Admin tab, click Datacenter. The Datacenter administration page appears.

Step 2: Create a new agent-scan group

In the deployment tree, select the Site Coordinator that the new agent group belongs to. Above the tree, click New Object and select New Agent Scan Group from the drop-down menu. The New/Edit Agent Group panel appears on the right.

Step 3: Activate Data Center DLP policy using pre-defined policy templates

Click the Policies tab and then New Policy at the top of the policy list. Select Use Policy Template Library from the drop-down menu. Under the regulatory and compliance section, select the PCI-DSS policy template and activate it for Data Center. Click the PCI-DSS policy and then select the Datacenter tab within the PCI-DSS template.

a. Create a policy violation rule. Click All Agent and Grid Scan Groups for selecting the scan group. Select the scan group “Agent_Scan1”.

b. Under Detect, add a detection filter that lets you specify by date those files that can be considered to be policy violations. Click the link (by default Any File Dates) to display this dialog box: Select Files modified before May 2010.

c. Under Severity — Action, specify Audit Only as the action the policy should take if a violation occurs. You can specify different actions (allow, audit only, audit & encrypt, quarantine & audit, block & audit) for different event severities. In this example, set the severity to High and select the action Quarantine.

d. Save the Policy. Click Save. The new or edited policy will now appear in the policy list on the Policy Manager page. By default, the policy is enabled.

e. Start the Scan. In the deployment tree, select the scan group “Agent_Group” used for the scan. The Agent Group panel appears, showing status information for the scan group that you have selected. In the Agent Group panel, click Scan Now. From the drop-down list, choose Run Full Scan. Scan all documents on all target machines in the scan group. After the files are identified, the system moves them automatically to a secure location, depending upon the severity. If the severity is high, then the security administrator should inspect it and check why the business processes were broken.

f. View Logs. Click the History tab and then select View Status Log. A window displays all status messages as they are logged. This window displays the same status log that is visible when the Status tab is active—covering both the agent-deployment phase and the content analysis phase of the scan.


Summary

Data security challenges are growing as the second decade of the 21st century unfolds. Organizations want to protect intellectual property and comply with newly introduced regulatory requirements. To address these customer challenges and business problems, Cisco has introduced the Cisco Data Security System, which consolidates key data-security trends like DLP with other data protection technologies in a single framework. This guide provides a stepwise, streamlined implementation approach to enable the full suite of DLP in a prioritized order across the network, endpoints and data center.

Additional Information:

Technology partner deployment guides can be found here: http://www.cisco.com/go/securitypartners.


Appendix A: SBA for Enterprise Organizations Document System

[Document map diagram; labels shown: Design Overview; Design Guides; Deployment Guides; Supplemental Guides; Configuration Files; Foundation; LAN; WAN; Internet Edge; IPv6 Addressing; Network Management; SolarWinds; Cisco LAN Management Solution; Traffic Analysis–Netflow and NetQoS; Traffic Analysis–Netflow and SolarWinds; Network Analysis and Reporting; Service and Availability–Cisco LMS; Service and Availability–SolarWinds; Cisco SIEM; ArcSight SIEM; LogLogic SIEM; nFx SIEM; RSA SIEM; Splunk SIEM; Cisco Data Security; CREDANT Data Security; Lumension Data Security; VPN Remote Site; Group Encrypted Transport VPN; Layer 2 WAN; 3G Wireless Remote Site; Wireless CleanAir; Collapsed Campus and Data Center Core; Network Device Authentication and Authorization; Advanced Guest Wireless; You are Here]


Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Americas Headquarters: Cisco Systems, Inc., San Jose, CA

Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore

Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

C07-609142-02 01/11