Cisco Data Security Deployment Guide Revision: H2CY10
Using this Data Security Deployment Guide


This document is for the reader who:

• Has read the Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks deployment guides

• Wants to connect Borderless Networks to a Cisco data security solution

• Wants to gain a general understanding of the Cisco data security solution

• Has a level of understanding equivalent to a CCNA® certification

• Wants to protect sensitive intellectual property and customer data within the agency and prevent accidental leakage

• Wants to address data security compliance and regulatory requirements

• Wants to implement data security policies within the agency

• Wants the assurance of a validated solution

This guide introduces the Cisco data security solution. It provides details on how Cisco content security appliances work with RSA Data Loss Prevention (DLP) products to solve end-to-end data security problems. An overview diagram of the solution is illustrated in Figure 1.

This document is divided into the following sections:

• Agency Overview—outlines the problems faced by large agencies in the area of data security.

• Technology Overview—provides details on data security system concepts and the important characteristics that the industry looks for when evaluating such solutions.

• Detailed Configuration—discusses some of the best practices and the steps required to deploy the Cisco data security solution.

Additional Information

This is a supplement guide to the SBA for Large Agencies (2,000 to 10,000 connected users) deployment guides. The SBA for Large Agencies is a reference architecture that delivers an easy-to-use, flexible and scalable network with wired and wireless security.

[Figure: SBA for Large Agencies document system. Labels recovered from the page: Design Guides (Design Overview); Deployment Guides (Foundation Deployment Guides, Internet Edge Deployment Guide, Network Management Guides); Supplemental Guides (Internet Edge Configuration Guide, Data Security Deployment Guide, marked "You are Here").]

Figure 1. Solution Diagram

Related Documents

SBA for Large Agencies (2,000 to 10,000 connected users) deployment guides (http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns982/landing_sBus_archit.html)

Internet Content Adaptation Protocol (ICAP): http://www.faqs.org/rfcs/rfc3507.html

Technology partner deployment guides can be found here: http://www.cisco.com/go/securitypartners


ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2010 Cisco Systems, Inc. All rights reserved.

Table of Contents

Agency Overview ..... 1

Technology Overview ..... 2

Cisco Data Security Configuration Details ..... 5

Endpoint Security ..... 15

Datacenter Security ..... 17

Summary ..... 19

Appendix A: SBA for Large Agencies Document System ..... 20

Agency Overview

Network borders are rapidly being eroded by the need to enable anyone, anywhere to connect to anything, at any time. Employees, partners, and constituents are using mobile devices and applications to connect from homes, hotels, airport Internet kiosks, and local coffee shops, collaborating through mobile platforms, increasing operational efficiency, productivity, and flexibility. However, enhanced communication also increases the risk of losing sensitive information, such as intellectual property and constituent data, due to innocent or malicious activities.

Recently, multiple data loss incidents affecting large agencies have made headlines, resulting in negative media coverage and public embarrassment. In some cases, penalties and corrective actions have cost millions of dollars. Agencies must take steps to protect their sensitive agency data in addition to constituent data, and to comply with government mandates that apply to many different kinds of data.

Intellectual property is one of an organization's most important assets; organizations lose billions of dollars each year from theft of trade secrets. Intellectual property can be lost through inadvertent disclosure, or through malicious action by an employee or an outsider.

Organizations need to protect constituent data, including personally identifiable information (PII), credit card numbers (CCNs), Social Security numbers (SSNs), and other records. Sophisticated criminal enterprises are using botnets and malware to infiltrate agencies in order to steal this information. Breached agencies often bear the costs of notifying customers and the public of a data loss incident, and may also have to bear remediation expenses.

International, national, state, and local regulatory requirements are increasing, especially for protection of sensitive information assets. Thousands of data privacy regulations have been created in recent years, and countries and states have enacted data-breach notification laws.

Agencies from different industries and operating in different countries are under mandates to comply with different regulations, such as:

• Health Care—EU Directive, PIPEDA, and HIPAA

• Education—FERPA, HIPAA, and possibly PCI-DSS

• Financial—GLBA, SOX, PCI

• Retail—PCI-DSS

To solve these data protection problems and meet regulatory requirements, a comprehensive and well thought out data security solution is essential.

Technology Overview

Data Security

A data security solution identifies data based on its content and/or the context in which it occurs. The identification process occurs at many different locations and in many different ways. For example, data identification can take place when data is created and when endpoint devices such as laptops, mobile phones, and removable media consume it. In addition, identification can occur when data is moved or shared across a network, and when it is stored or archived in the data center or a cloud network. An effective data security system must protect the data throughout its entire lifecycle, as depicted in Figure 2.

A primary goal of data security systems is to protect against theft of intellectual property and confidential customer data. Doing so helps agencies comply with legal and regulatory standards. Data security systems interact with networks, endpoints, and data centers, and consist of multiple components, including DLP, encryption, device control, information rights management, and secure delivery, as depicted in Figure 3.

DLP is an important component of a comprehensive data security solution. DLP provides content-based data discovery, monitoring, and protection of sensitive data at rest, in use, and in motion.

Figure 2. Data Security Lifecycle

Endpoint data security uses device control, encryption, and content-aware DLP techniques to protect data at rest and data in use on mobile devices such as laptops, netbooks and smartphones. On laptops and on removable media, data at rest is protected by full disk encryption or intelligent, policy-based encryption of sensitive data. On smartphones, data at rest is protected by encryption and by device control features such as device wipes and personal identification number (PIN) locks. Encryption and device control help mitigate the risk of lost or stolen devices. Content-aware DLP can also discover and classify sensitive information on endpoint devices, preventing accidental leakage of information through such means as USB flash drives or uncontrolled printouts.

Figure 3. Data Security System

Network data security focuses on secure data delivery, threat protection, and data loss prevention for data in motion across the network perimeter. Secure data delivery solutions, such as VPNs, protect data integrity and confidentiality for sensitive information over insecure public links. Threat protection solutions like intrusion prevention systems (IPS) protect against threats such as buffer overflows, injection attacks, directory traversals, and other common attacks. DLP data-in-motion solutions use content-aware techniques to ensure that sensitive information does not leave an agency accidentally or by any unauthorized means.

Data center security and cloud data security have many different components, such as database encryption, file-share encryption, storage area network (SAN) data encryption, content-aware data discovery of sensitive data on servers, and information rights management for prevention of unauthorized access. Data center DLP technologies focus on discovery of sensitive information by local or remote agents that crawl databases, document management systems, and other servers, and classify data. Data center security addresses the need to meet data security regulatory requirements, to discover and protect intellectual property, and to provide insight into who has access rights to data.

Data security systems include a central management server for creating and administering data security policies, an incident workflow, a reporting system, and data discovery and enforcement across various points.


Overview of the Cisco Data Security Solution

Cisco is partnering with leading companies through the Cisco Developer Network (CDN) to deliver a comprehensive data security solution, including an array of technologies to protect data throughout its lifecycle, as shown in Figure 4 below. This solution provides agencies a policy-based approach for monitoring, identifying and preventing leakage of information across the network, endpoints and data center.

Figure 4. Comprehensive Data Security Solution

Network Security

Sensitive data can leave the network perimeter by many different means, such as email, web applications, file transfers, and instant messaging. Enforcing content policies at the network perimeter is an effective defense against accidental data loss. Cisco partners with RSA, a leading DLP solution provider, to provide integrated DLP technology on Cisco IronPort Email and Web Security Appliances.

RSA Email DLP is built into the Cisco IronPort Email Security Appliance to provide content-level scanning of email messages and attachments, and to detect sensitive information before it leaves an agency. It contains an integrated DLP scanning engine with over 100 DLP policy templates, and is activated through a software license. DLP policy in the Email Security Appliance allows messages to be examined for data patterns that are associated with sensitive data that should not be exposed to the outside world. Several actions can be taken when a pattern match occurs, ranging from sending a warning message to blocking the entire message.

DLP policy can also enforce encryption of messages containing sensitive data, using the email encryption feature of the appliance. Email encryption can use either the Cisco Registered Envelope Service (CRES) or a local key server, as shown in Figure 5. CRES provides secure and transparent management of key creation, distribution, and retention.

Figure 5. Cisco Registered Envelope Service in Use

Gateway-to-gateway encryption through Transport Layer Security (TLS) is another way of protecting sensitive information. The Email Security Appliance can securely relay a message over a TLS connection, and the administrator can configure the policy to control whether TLS transport is mandatory, or used only when the other side of the connection supports it, and whether message-level encryption is used as a fallback when TLS is not available.

While the Email Security Appliance protects standard Internet email sent using the Simple Mail Transfer Protocol (SMTP), other increasingly popular alternatives, such as instant messaging and web-based email services, must also be inspected for sensitive data. Cisco IronPort Web Security Appliances can connect to an external DLP system using ICAP. This enables the Web Security Appliance to apply DLP policies to HTTP, HTTPS, and FTP traffic in the same way as the Email Security Appliance does to SMTP traffic, providing consistent enforcement no matter which protocol is being used to send the information.

Endpoint Security

Endpoint data security includes content-aware policy enforcement, mandatory encryption of sensitive data on laptops and smartphones, and protection of sensitive information being copied or transferred to removable media. Cisco partners with endpoint data protection market leaders to provide validated and compatible policy-based encryption and device control solutions for data at rest and data in use on endpoints.

Cisco recommends RSA DLP Endpoint for the protection of information assets on laptops and desktops. RSA DLP Endpoint consists of two modules, Discover and Enforce. The Discover module provides content-based data classification and fingerprinting that provides visibility for sensitive data on laptops and desktops. The Enforce module provides protection for data in use by preventing copying of sensitive data to USB devices and other removable media.

Data Center Security

DLP for the data center involves discovering, classifying and encrypting sensitive data no matter where it resides in the data center—file systems, databases, email systems, or network-based storage. Cisco recommends RSA DLP Datacenter, which can discover sensitive data and help to enforce policies across file shares, databases, network storage, Microsoft SharePoint sites and other data repositories to reduce the risk and operational impact associated with agency data loss.

RSA DLP Datacenter offers permanent and temporary agents. Temporary agents scan data, collect policy violations, and self-uninstall to allow agencies to survey their risk landscape. RSA Enterprise Manager can deploy policies across RSA DLP Datacenter, DLP Network and DLP Endpoint.

For data center SAN storage, Cisco MDS 9000 Family Storage Media Encryption (SME) offers a heterogeneous, standards-based encryption solution for data at rest, with comprehensive built-in key-management features.

Data Security Deployments and Use Cases

A complete data security system is best deployed in stages, as depicted in Figure 6 below. Cisco recommends implementing DLP in three sequential steps:

1. Network Deployment provides broad coverage with ease of management, using the security management features of Cisco IronPort Email Security and Web Security Appliances.

2. Endpoint Deployment provides policy-based device control and encryption to prevent sensitive information from leaving through external removable media, printing, copying and other means of data in use.

3. Data Center Deployment, the final step, requires understanding the agency's unstructured or structured sensitive data assets, and determining what policies need to be enforced at various points in the data security deployment. RSA DLP Datacenter and Cisco SME address issues of discovering and encrypting sensitive information in the data center.

In addition, after each step is completed, we recommend two additional activities:

• Tuning—after agencies identify their sensitive data, they configure DLP to meet their particular requirements. This involves testing to ensure they are detecting violations, frequently by configuring the products in learning or non-block mode to gather information for secondary analysis, before implementing more stringent controls.

• Optimization—finally, the data security system should be optimized for easy maintenance and management. In this phase, automatic updates, instant reports for executives, automatic decision-making information and detailed violation reports are typically configured.

Figure 6. Cisco Data Loss Prevention Deployment

Cisco Data Security Configuration Details

Network Security

Process

Cisco Email Data Security Configuration

1. Enable DLP

2. Set Up the Basic DLP Policy

3. Testing and Monitoring the Data Security System

4. Monitoring DLP Policies

The Cisco IronPort Email Security Appliance is placed in the DMZ of the Internet edge of the SBA for Large Agencies—Borderless Networks architecture. For simplicity, the appliance is connected by a single interface, as shown in Figure 7.

Figure 7. Cisco Email Data Security Architecture

[Figure 7 labels recovered from the page: End User, Firewall, DMZ switch, Email Security Appliance, Internet, Internet servers.]

Implementing DLP with Email Security Appliances requires the following high-level procedures, each involving several steps, as listed below:

• Enable DLP

• Set up basic DLP policy

a. HIPAA Policy

b. GLBA Policy

c. PCI-DSS Policy

d. Custom Policy

• Connect the DLP policy with outgoing mail policy

• Test and monitor policy violations

Procedure 1 Enable DLP

DLP is a licensed feature on the Cisco IronPort Email Security Appliance. You can activate this feature by providing the license key in the Feature Key tab of the web management interface by selecting System Administration > Feature Keys and then clicking "Check for New Keys". Verify that the key is active, as shown in Figure 8.

Figure 8. Activate DLP

Note that the email encryption feature license is also active in the example and is required in order to employ message encryption as an option in the DLP policy. If you have not licensed email encryption, this action will not be available.

To start scanning the outgoing emails for sensitive data you must first enable DLP on the appliance using the following steps in the web management interface:

Step 1: Select Security Services > RSA Email DLP.

Step 2: Click Enable. The license agreement page appears.

Step 3: Read the agreement, then click Accept.

Step 4 (optional): Enable Matched Content Logging to allow the logs to include the content that triggers a violation. Note that this option will cause potentially sensitive information (such as credit card numbers) to appear in the security logs. Your agency's policy requirements will determine if this is desirable or not. Also note that this feature requires that the message tracking service is enabled under Security Services > Message Tracking.

Procedure 2 Set Up the Basic DLP Policy

The DLP Policy Manager is a single dashboard in the web interface that allows you to manage all email DLP policies. You can access the DLP Policy Manager from the Mail Policies menu. The appliance comes with over 100 predefined policy templates developed by RSA, some of which are shown below. In the following examples, configurations of HIPAA, GLBA, and PCI-DSS policies from predefined RSA templates, as well as one custom policy, are shown.

HIPAA Policy

Step 1: Select Mail Policies > DLP Policy Manager.

Step 2: Click Add DLP Policy.

Step 3: Click Regulatory Compliance and then click Add HIPAA.

Figure 9. Add DLP Policy

In this example, assume the agency's patient ID numbers follow a pattern of three digits, each ranging from 2 to 4, followed by seven digits ranging from 0 to 9. This pattern is matched by a regular expression of the form [234]{3}[0-9]{7}; additionally, the phrase "Patient ID" must appear in the data, in order for the policy to match.

Step 4: Enter [234]{3}[0-9]{7} in the "Patient Identification Numbers as a regular expression" field.

Step 5: Enter "Patient ID" in the "AND match with related words or phrases" field, as shown in Figure 10 below.

The completed form is shown below in Figure 10. If an outgoing email message contains a number that matches both the regular expression and the text "Patient ID", it triggers this DLP policy.

Figure 10. HIPAA DLP Policy

Step 6: Under Severity Settings > Critical Severity Settings, select Quarantine from the Action Applied to Messages drop-down menu. Messages that contain DLP violations will be held in a quarantine area.

Step 7: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy (bcc) to another recipient, and send a DLP notification message.

Step 8: If you want to define different settings for messages that match the high, medium, or low severity level, uncheck the Inherit Settings checkbox for the appropriate severity level. Edit the overall action for the message and the other settings. In this example different settings by severity level remain unconfigured.

Step 9: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager.


GLBA Policy

Follow the preceding steps and add a GLBA policy. However, in this example assume the account numbers consist of three digits in the range of 4 to 6, followed by six digits in the range of 0 to 9.

Step 1: Select Mail Policies > DLP Policy Manager.

Step 2: Click Add DLP Policy.

Step 3: Click Regulatory Compliance and then click Add GLBA.

Step 4: Enter [456]{3}[0-9]{6} in the "Custom Account Numbers as a regular expression" field.

Step 5: Enter "Account Number" in the "AND match with related words or phrases" field.

An outgoing email that contains a matching account number and keyword will now trigger an alert for a GLBA violation.

Step 6: Under Severity Settings > Critical Severity Settings, select Quarantine from the Action Applied to Messages drop-down menu. Messages that contain DLP violations will be held in a quarantine area.

Step 7: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy (bcc) to another recipient, and send a DLP notification message.

Step 8: If you want to define different settings for messages that match the high, medium, or low severity level, uncheck the Inherit Settings checkbox for the appropriate severity level. Edit the overall action for the message and the other settings. In this example different settings by severity level remain unconfigured.

Step 9: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager.

Figure 11. GLBA DLP Policy

PCI-DSS Policy

PCI standards mandate that credit card numbers never be transmitted in unencrypted form. Before adding a PCI-DSS Policy, enable the encryption profile in order to take encryption as an action within the PCI-DSS policy:

Step 1: Click Security Services and then IronPort Email Encryption Services.

Step 2: Make sure the IronPort Email Encryption is enabled and that the proxy server setting is correct for your network. In our example, no proxy server is required, as shown below.

Figure 12. Enabling Email Encryption


Step 3: Click Add Encryption Profile and use Encryption_Enable as the profile name.

For example, use CRES for key management and select Cisco Registered Envelope Service from the Key Service Type list as shown below.

Figure 13. Adding an Encryption Profile

To enable the PCI-DSS policy, follow the same steps that you used to add the HIPAA Policy, with the following exception:

In Step 5, in the Critical Severity Settings section, choose the Quarantine action as in the previous example, but also select the Enable encryption on release from quarantine option. From the Encryption Rule drop-down list, select Only use message encryption if TLS fails and choose the Encryption_Enable profile from Step 2 in the Encryption Profile drop-down list.

Figure 14. Enabling Message Encryption if TLS Fails

Custom Policy

When using the pre-built PCI-DSS policy or the Credit Card Number Classifier feature, it is important to note that those cover CCNs from American Express, Discover, Diners Club, JCB, MasterCard, and Visa. If you want to add support for specific store credit cards, you must use a custom policy and configure regular expressions to match the CCNs in e-mail.

The following example, illustrated in Figure 15, configures a regular expression to match a CCN that is 16 digits long and begins with the prefix 6035, with each group of four digits separated by a space, so the CCN structure is 6035 0000 0000 0000. In a regular expression, this can be represented as 6035\s\d{4}\s\d{4}\s\d{4}. Note that here, "\s" represents a space, and "\d" a digit, equivalent to the range [0-9].

Step 1: Select Mail Policies > DLP Policy Manager.

Step 2: Click Add DLP Policy.

Step 3: Click Custom Policy and assign the name Store_Card.

Step 4: Configure the following three rules:

• Regular Expression: 6035\s\d{4}\s\d{4}\s\d{4}

• Entity: US Address

• Entity: Proper Name

Figure 15. Creating a Custom DLP Policy

Step 5: Under Severity Settings > Critical Severity Settings, choose Quarantine from the Action Applied to Messages list.


Step 6: Select Sender under Advanced > DLP Notification. Optionally, you can choose to encrypt the message, modify its header, deliver it to an alternate host, send a copy to another recipient, or return a system-generated notification message to the sender.

Step 7: Click Submit and then Commit Changes. The policy is added to the DLP Policy Manager. The DLP policies will look like those shown in Figure 16 below.

The order of the policies is important. The appliance evaluates the policies in the order that they are listed in the DLP Policy Manager, reading from top to bottom. If a message matches more than one DLP policy, only the first one found in the list will be applied. Edit Policy Order can be used to rearrange the rules, if needed.

Figure 16. Setting the Order of Policies
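The three policies configured above (HIPAA, GLBA and the Store_Card custom policy) and the top-to-bottom, first-match-wins evaluation order can be checked offline before anything is committed on the appliance. The following is an added example written for this guide, not Cisco or RSA code: it models a policy as the guide's form fields (regular expression, "AND match with related words or phrases", and for HIPAA an any-of illness dictionary standing in for the template's Drug/Disease/Injury dictionaries), and it assumes case-insensitive keyword matching; the custom policy's Entity rules (US Address, Proper Name) are not modelled, and all test messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DlpPolicy:
    """One DLP policy, modelled on the guide's policy form.

    Assumption: a simplified stand-in for the appliance's RSA engine,
    good enough to reason about which policy a message will hit.
    """
    name: str
    pattern: str                       # "... as a regular expression" field
    keywords: Tuple[str, ...] = ()     # "AND match with related words or phrases"
    dictionary: Tuple[str, ...] = ()   # any-of terms (HIPAA template's dictionaries)
    action: str = "Quarantine"         # Critical Severity Settings action

    def matches(self, text: str) -> bool:
        lowered = text.lower()
        # The regular expression is mandatory for a hit...
        if not re.search(self.pattern, text):
            return False
        # ...every related phrase must also be present (AND match, case-insensitive).
        if not all(k.lower() in lowered for k in self.keywords):
            return False
        # An empty dictionary means the policy has no dictionary condition.
        return not self.dictionary or any(t.lower() in lowered for t in self.dictionary)


# Policies as configured in the guide's examples.  The HIPAA template is
# (Drug OR Disease OR Injury dictionary) AND (PII classifier); the illness
# terms below are a constructed stand-in for those dictionaries.
HIPAA = DlpPolicy("HIPAA", r"[234]{3}[0-9]{7}", ("Patient ID",),
                  ("influenza", "diabetes", "fracture"))
GLBA = DlpPolicy("GLBA", r"[456]{3}[0-9]{6}", ("Account Number",))
STORE_CARD = DlpPolicy("Store_Card", r"6035\s\d{4}\s\d{4}\s\d{4}")

# Top-to-bottom order as listed in the DLP Policy Manager.
DEFAULT_ORDER: List[DlpPolicy] = [HIPAA, GLBA, STORE_CARD]


def evaluate(message: str,
             policies: List[DlpPolicy] = DEFAULT_ORDER) -> Tuple[Optional[str], str]:
    """Return (policy name, action) of the FIRST matching policy in list order,
    or (None, 'Deliver') when no policy matches."""
    for policy in policies:
        if policy.matches(message):
            return policy.name, policy.action
    return None, "Deliver"


# Constructed test messages (not taken from the guide's screenshots).
SAMPLES = [
    "Patient ID 2341234567 was treated for influenza.",      # HIPAA: regex + phrase + dictionary
    "Patient ID 2341234567, see attached.",                  # no illness term -> no HIPAA hit
    "Your Account Number is 456123456.",                     # GLBA
    "Charge card 6035 1234 5678 9012 today.",                # Store_Card
    "Account Number 456123456 charged to card 6035 1234 5678 9012",  # matches two policies
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{evaluate(sample)!s:28} <- {sample}")
    # Reordering the list changes which policy is applied to the last sample.
    print(evaluate(SAMPLES[-1], [STORE_CARD, GLBA, HIPAA]))
```

The last sample is the case the guide warns about: it violates both GLBA and Store_Card, and only the policy listed first is applied, so the quarantine notification and incident report will name that policy alone.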

Procedure 3 Connect the DLP policy with Outgoing Mail Policy

Outgoing mail policy determines which DLP policies are applied to messages leaving the agency. To apply the DLP rules created in the steps above, go to Mail Policies > Outgoing Mail Policies and select the current DLP policy rules for the outgoing default policy. Note that if you have not yet set up DLP policies, the current DLP policy rules will appear as "Disabled". Clicking on that link will allow you to select Enable DLP and to enable or disable the individual policies.

Figure 17. Configuring Outgoing DLP Mail Policies


Procedure 4 Testing and Monitoring the Data Security System

HIPAA Policy Example

The pre-defined HIPAA policy in the RSA Email DLP engine looks for data in this fashion:

(Drug dictionary OR Disease dictionary OR Injury dictionary) AND (PII classifiers that are ORed together)

In other words, a message must contain something that matches one of the HIPAA dictionaries, as well as a PII identifier, in order for the message to match the policy.

To test the outgoing mail policy, compose a test email that includes some illness-related terms, the text "Patient ID", and a patient ID number that matches the pattern defined in the HIPAA example configuration. The image below shows a simple test message. Send the test email to a destination outside the network.

Figure 18. Testing the Outgoing DLP Mail Policy

If the rule is being applied correctly, the sender will receive a notification e-mail similar to the one shown below, indicating the HIPAA violation.

Figure 19. Example Notification Email

Because the HIPAA policy was configured to quarantine messages that contain DLP violations, manually inspect the test message, and either delete it or forward it. Quarantine areas also have a default action, which can be either to release the message or to delete it, and a time period after which the default action is automatically taken. In this example, manually release the message, allowing it to be delivered:

Step 1: Select Monitor > Quarantines > Policy to view quarantined messages, as shown in Figure 20.

Figure 20. Viewing Quarantined Email Messages


Step 2: Click the subject to view the details of the quarantined message, as shown in Figure 21 below.

Figure 21. Viewing Details of Quarantined Messages

Step 3: Under Quarantine Details, you have the ability to either delete the quarantined message or to release it, or to extend the quarantine period. To release the message to its destination, check the Select box for the test message, choose Release from the Select Action drop-down list, and then Submit.

Procedure 5 Monitoring DLP Policies

In the management GUI, select Monitor > DLP Incidents. From the DLP Incident Summary screen shown below, one can click on any of the policies to see the report for that specific policy violation. By clicking on the policy in "DLP Incident Details", one can view individual users who have violated that policy. This allows the administrator to see their mail profile, which provides information about what information assets are leaving the network by e-mail. Administrators can also search for DLP violations and see the specific content that triggered the DLP violation. This provides detail about what transpired in the DLP incidents during auditing and discovery.

Figure 22. Monitoring DLP Incidents


Process

DLP Configuration for Web Traffic

1. Enable DLP on the Appliance

2. Configure the RSA DLP Network

3. Validate the Setup

A Cisco IronPort Web Security Appliance deployed at the Internet edge interoperates with RSA DLP technology to identify and protect sensitive data. The appliance acts as a proxy server and uses ICAP to offload content scanning to external systems. RSA Enterprise Manager manages policies for the network, endpoints, and data center. Cisco IronPort Web Security Appliance, RSA Enterprise Manager, and the RSA DLP Network Controller are the main components shown below.

Figure 23. Main Components for Web Traffic DLP

[Figure 23 labels recovered from the page: End User, HTTP/HTTPS/FTP proxy connection, Web Security Appliance, Firewall, Internet, ICAP server, RSA Network Controller, RSA Enterprise Manager.]

In this deployment guide, RSA DLP Network Controller, the ICAP server, and RSA Enterprise Manager are installed and configured in the SBA for Large Agencies—Borderless Networks architecture.

The following sections provide a recommended configuration for blocking sensitive information sent through webmail. Cisco IronPort Web Security Appliance version 6.3.3 is the verified platform. In this example, the pre-defined PCI-DSS policy for the network is used.

Implementing DLP with Web Security Appliances requires the following high-level procedures, each involving several steps, as listed below:

• Enable DLP on the appliance

• Configure the RSA DLP network

• Validate the setup

• Test and monitor policy violations

Procedure 1 Enable DLP on the Appliance

Step 1: Enable the external DLP server, which in this example has IP address 10.4.200.118:

From the Web Security Appliance web management GUI, select Network > External DLP Servers, then click Edit Settings. In the Server Address field, enter the address of the RSA DLP server, in this case 10.4.200.118. The Port will usually be left set to the ICAP default port of 1344. The Service URL is of the form icap://serverIP/srv_conalarm, so in the example shown in Figure 24, it is icap://10.4.200.118/srv_conalarm.

Figure 24. Configuring an External DLP Server Using ICAP

To test the connection between the appliance and the external DLP server, click Start Test.

Click Submit, then Commit Changes.


Step 2: Set Up External DLP Policy

Create external DLP policies that determine which traffic is sent to the ICAP server for content scanning.

Go to Web Security Manager > External DLP Policies and click Add Policy. Give the policy a name in the Policy Name field. In this example, use "Gmail Policy" as the name. Under Policy Member Definition, select criteria for the policy. In this example, apply the policy to all users and leave Identities and Users set to the default value of All Identities. For this setting, at least one further selection option is required. Click on Advanced and then set the Protocols definition to include HTTP, HTTPS, FTP over HTTP, Native FTP, and All others. Click Submit.

Click on the Scan settings under Destinations for the policy. Choose Define Destinations Scanning Custom Settings from the drop-down list, and set Destinations to Scan to Scan all uploads. The resulting policy should look like the "Gmail policy" entry shown below:

Figure 25. Configuring to Scan All Protocols

Step 3: Click Submit and then Commit Changes.

Procedure 2 Configure the RSA DLP Network

Step 1: In RSA Enterprise Manager, enable the ICAP server and Network Controller. The Network Controller communicates between RSA Enterprise Manager and network devices.

Go to Admin > Network > Status and verify that the Network Controller and ICAP servers are operating. For detailed instructions on setting up the DLP Network ICAP server and Network Controller, please refer to the RSA documentation for RSA Data Loss Prevention.

Step 2: Write a PCI-DSS policy to prevent the loss of sensitive information via Gmail.

Go to Policies > New Policy > Use Policy Template.

Click PCI-DSS policy. The PCI-DSS policy page opens.

Under the Network tab, select the following options:

• Under Who, select All Users.

• Under Detect, select Protocols.

• Under Action, Audit only.

Click Save.

Figure 26. Setting a Policy for Gmail


Procedure 3 Validate the Setup

Step 1: Configure a web browser to proxy outgoing traffic through the Cisco IronPort Web Security Appliance.

Step 2: Using the browser, access Gmail, compose a new message, and attach a file that violates the PCI-DSS policy.

Step 3: Verify that a Network ICAP discard message is displayed in the browser.

Step 4: Use RSA Enterprise Manager to view the resulting event and incident that were created as a result of this violation of policy.

Figure 27. Viewing Incidents and Events Caused by Policy Violations


Endpoint Security

RSA DLP Endpoint allows you to monitor and control how end users interact with sensitive information. It tracks and controls a range of user actions as defined by policy, and it audits user actions involving sensitive data, sending alerts of policy violations and creating audit logs.

Configuration of RSA DLP Endpoint

A deployed instance of RSA DLP Endpoint includes the following components, shown in Figure 28.

• RSA DLP Endpoint Agents

• RSA DLP Enterprise Manager

• RSA DLP Site Coordinator

• RSA DLP Enterprise Controller

Figure 28. A Deployed Instance of RSA DLP Endpoint

Endpoint Agents run on each user's computer to monitor user actions and perform content analysis. The agents are responsible for enforcing usage policy and collecting audit data. The Site Coordinator controls the customer's deployment. It sends instructions to, and gathers results from, endpoint agents, which are organized into Endpoint Groups.

The Enterprise Manager is the interface to DLP Endpoint for both users and administrators. The Enterprise Manager sends configuration settings and policies to the Site Coordinator to be picked up by all endpoint agents on the network. At predefined intervals, the Enterprise Manager picks up events sent to the Site Coordinator by those endpoint agents and, based on policy, generates incidents for review and analysis.

Process

RSA DLP Endpoint Example

In this example, assume the Enterprise Coordinator and the Site Coordinator "San Jose" are configured. This example shows that, if a user tries to copy files onto external media such as a USB drive, this action triggers a DLP violation.

Step 1: Create a new Endpoint Agent group

In RSA DLP Enterprise Manager, go to Admin > Endpoint. Click New Endpoint Group. Select the site San Jose.

In the Computers (DNS names or IP addresses) field, specify the IP address of the computer (for example, 192.168.21.36).

In the Configure passwords section, enter the GPO/Push Agent Password, which is the password for installing endpoint agents with push technology. If you have already installed endpoint agents on the target machines in the Endpoint group, enter the same password that was used for those installations.

Step 2: Activate RSA DLP Endpoint policy using pre-defined policy templates

Go to the Policies tab.

Click New Policy at the top of the policy list.

Select Use Policy Template Library from the drop-down menu.

Under the Regulatory and Compliance section, select the PCI-DSS policy template and activate it for Endpoint.

Click the PCI-DSS policy and then select the Endpoint tab within the PCI-DSS template.

Figure 29. Policy Validation Rules


Create a policy violation rule. In the Who field, keep the default "All users" option.

Under Detect, the detection filter lets you specify user actions, file attributes, destination attributes and transmission attributes that can trigger a DLP violation.

Add a "User action" detection rule, which lets you specify a user action that triggers a DLP violation. Select Copy to Removable Drive.

Figure 30. Defining a User Action Detection Rule for Removable Drives

Under Severity—Action, choose Notify and Audit as the action the policy should take if a violation occurs.

Click Save. The new or edited policy will appear in the policy list on the Policy Manager page. By default, the policy is enabled. To test the policy on the client machine, try copying a document or any other file type that contains a CCN with address information to a USB drive. This will generate a DLP violation.

View DLP Violation: Click the Incident tab to display the DLP violation.

Figure 31. Console Messages Showing DLP Violations
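Both the Gmail validation test (Procedure 3, Step 2) and the USB-copy test above need a file that the PCI-DSS template will flag. The following is an added example, not RSA's detection logic and not code from this guide: it assumes the template matches Luhn-valid card numbers (PANs), uses address context as the second indicator the endpoint test mentions, and builds a constructed sample text that can be saved to a file for either test.

```python
"""Luhn-checked card-number (PAN) detector for building and checking a PCI-DSS test file.
Added example, not RSA's engine: assumes the PCI-DSS template flags Luhn-valid PANs and
uses address context as the second indicator the endpoint test mentions."""
import re

# Constructed sample: one Luhn-valid test PAN plus a 16-digit value that is not a card.
SAMPLE_TEXT = (
    "Customer: Jane Doe\n"
    "Address: 170 West Tasman Drive, San Jose, CA 95134\n"
    "Card: 4111 1111 1111 1111 exp 12/27\n"
    "Order ref: 1234 5678 9012 3456\n"
)
# 14-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")
ADDRESS_HINTS = ("address", "street", "drive", "avenue", "zip")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digits-only candidates that pass Luhn, in the order they appear."""
    pans = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def violates_pci(text: str) -> bool:
    """Policy hit when the text holds at least one valid PAN and address context."""
    has_address = any(h in text.lower() for h in ADDRESS_HINTS)
    return bool(find_pans(text)) and has_address


if __name__ == "__main__":
    # Save SAMPLE_TEXT to a .txt file to attach it to the Gmail test or copy it to USB.
    print("PANs found:", find_pans(SAMPLE_TEXT), "violation:", violates_pci(SAMPLE_TEXT))
```

The "Order ref" line shows why a Luhn check matters: it is 16 digits but fails the check, so a detector that only counts digits would report a false positive.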


Datacenter Security

RSA DLP Datacenter is a software solution that permits locating and acting on sensitive information stored anywhere in the agency. In use, DLP Datacenter scans an agency's networks, examining files on all machines of interest.

RSA DLP Datacenter Configuration

A deployed instance of RSA DLP Datacenter includes the following components, as shown in Figure 32.

• RSA DLP Endpoint Agents

• RSA DLP Enterprise Manager

• RSA DLP Site Coordinators

• RSA DLP Enterprise Coordinator

Figure 32. RSA DLP Datacenter Components

During a scan, endpoint agents perform the content analysis. Each agent receives instructions from, and returns results to, its Site Coordinator. An RSA DLP Datacenter installation can have as many Site Coordinators as required, possibly in widely dispersed locations. The Enterprise Coordinator is the master controller for the DLP Datacenter deployment. It sends instructions to, and gathers scan results from, all Site Coordinators involved in all scans.

When it scans, DLP Datacenter accesses a specific scan group, which is a set of machines on the network that you specify as being of interest.

There are several types of scan groups available:

• Agent: Scan groups for agent-based scans

• Grid: Scan groups for grid scans

• Repository: Scan groups for repository scans

Agent-Based Scanning

In this type of scan, an endpoint agent is installed on every machine whose content should be scanned. To perform a scan, Enterprise Manager sends a request to the Enterprise Coordinator, which sends a command to the appropriate Site Coordinator on a local or remote network. The Site Coordinator installs or connects to an endpoint agent on each target machine in the scan group and commands it to start scanning. Each agent accesses and analyzes all files on its local host and then sends results—information about files that violate the policies being scanned for—back to the Site Coordinator, which collates results and sends them to the Enterprise Coordinator and on to Enterprise Manager for display to the user.

Figure 33. Agent-based DLP Scanning

Grid Scanning

Grid scanning provides for efficient, scalable analysis of very large file repositories (such as SAN or NAS systems), distributing the burden of analyzing the large amounts of data (up to terabytes) in the storage device.

Figure 34. Grid-based DLP Scanning


Repository Scan and Database Scan

Specialized types of grid scans include database scanning of agency databases, and repository scanning of collaboration and document-management systems, such as SharePoint or Documentum.

In this guide, only agent-based scanning has been validated. Grid scanning is out of the scope of this guide.

RSA DLP Datacenter Agent-based Scanning Example

This example scans a group of machines that contain specific dated files.

Step 1: In Enterprise Manager, click the Admin tab. The Administration Status Overview appears. Beneath the Admin tab, click Datacenter. The Datacenter administration page appears.

Step 2: Create a new agent-scan group

In the deployment tree, select the Site Coordinator that the new agent group belongs to. Above the tree, click New Object and select New Agent Scan Group from the drop-down menu. The New/Edit Agent Group panel appears on the right.

Step 3: Activate Datacenter DLP policy using pre-defined policy templates

Click the Policies tab and then New Policy at the top of the policy list. Select Use Policy Template Library from the drop-down menu. Under the Regulatory and Compliance section, select the PCI-DSS policy template and activate it for Datacenter. Click the PCI-DSS policy and then select the Datacenter tab within the PCI-DSS template.

a. Create a policy violation rule. Click All Agent and Grid Scan Groups to select the scan group. Select the scan group "Agent_Scan1".

b. Under Detect, add a detection filter that lets you specify by date those files that can be considered to be policy violations. Click the link (by default Any File Dates) to display this dialog box: Select Files modified before May 2010.

c. Under Severity — Action, specify Audit Only as the action the policy should take if a violation occurs. You can specify different actions (allow, audit only, audit & encrypt, quarantine & audit, block & audit) for different event severities. In this example, set the severity to High and select the action Quarantine.

d. Save the Policy. Click Save. The new or edited policy will now appear in the policy list on the Policy Manager page. By default, the policy is enabled.

e. Start the Scan. In the deployment tree, select the scan group "Agent_Group" used for the scan. The Agent Group panel appears, showing status information for the scan group that you have selected. In the Agent Group panel, click Scan Now. From the drop-down list, choose Run Full Scan. This scans all documents on all target machines in the scan group. After the files are identified, the system moves them automatically to a secure location, depending upon the severity. If the severity is high, then the security administrator should inspect it and check why the operational processes were broken.

f. View Logs. Click the History tab and then select View Status Log. A window displays all status messages as they are logged. This window displays the same status log that is visible when the Status tab is active—covering both the agent-deployment phase and the content analysis phase of the scan.


Summary

Data security challenges are growing as the second decade of the 21st century unfolds. Organizations want to protect intellectual property and comply with newly introduced regulatory requirements. To address these constituent challenges and agency problems, Cisco has introduced the Cisco Data Security System, which consolidates key data-security trends like DLP with other data protection technologies in a single framework. This guide provides a stepwise, streamlined implementation approach to enable the full suite of DLP in a prioritized order across the network, endpoints and data center.

Additional Information:

Technology partner deployment guides can be found here: http://www.cisco.com/go/securitypartners.


Appendix A: SBA for Large Agencies Document System

[Figure: SBA for Large Agencies document system, grouped into Design Guides, Foundation Deployment Guides, Network Management Guides, and Supplemental Guides. Documents shown: Design Overview, IPv6 Addressing Guide, LAN Deployment Guide, LAN Configuration Guide, WAN Deployment Guide, WAN Configuration Guide, Internet Edge Deployment Guide, Internet Edge Configuration Guide, SolarWinds Deployment Guide, Wireless CleanAir Deployment Guide, Data Security Deployment Guide (You are Here), Nexus 7000 Deployment Guide, SIEM Deployment Guide, ArcSight SIEM Partner Guide, LogLogic SIEM Partner Guide, nFx SIEM Partner Guide, RSA SIEM Partner Guide, Splunk SIEM Partner Guide, CREDANT Data Security Partner Guide, Lumension Data Security Partner Guide.]


C07-640736-0012/10