Comprehensive, business-focused DLP programs achieve greater risk reduction by integrating Symantec DLP into their existing security program and leveraging the software to promote enterprise-wide initiatives that drive cultural change across the organization.
This is accomplished with a solution that intends to identify and target the organization's confidential information, high-risk exposure points and define the incident response process. Occasionally, a highly risk averse organization will initiate an inquiry into the DLP system itself, seeking validation that the stored configurations and data transmissions are completely safe and secure.
I have personally performed this assessment and will break it down into the core areas that need to be evaluated.
DLP Configuration and Settings
Oracle is the backend relational database for the DLP system and is not only a powerhouse of reliability and performance, what it stores is kept private via Advanced Encryption Standard (AES). Policies, Configuration and Incident data is stored here.
DLP Server to Server Communication
- All communication channels between the Symantec DLP detection servers and Symantec DLP Enforce in both directions are encrypted with SSL. These SSL communications between the Symantec DLP detection servers and Symantec DLP Enforce use server- and client-side certificates to perform mutual authentication.
- The encryption keys are rotated on a configurable time period (30-day default) and are securely updated from Symantec DLP Enforce to the Symantec DLP detection servers via the SSL connection.
- Current encryption keys reside in the memory of the detection servers and are never stored on disk in a persistent manner. All “past” encryption keys are kept in a secure keystore which resides inside the Oracle database and are additionally protected by Oracle security. This keystore is encrypted with a Master key that is derived from the Symantec DLP “Administrator” account password.
DLP User Communication
- SSL authentication is used for user access to Symantec DLP Enforce.
- All system passwords are hashed with a cryptographic seed and encrypted using AES encryption. This includes the logon information used by Symantec DLP Storage products to gain access to file repositories for file scanning
- The Symantec DLP Agent is fully encrypted, and it also encrypts any data sent up to the Symantec
DLP Endpoint Server using AES.
- The Symantec DLP Agents authenticate the Symantec DLP Endpoint Server with a shared secret key on every connection to ensure that the Symantec DLP Agent is communicating with and transferring data to a Symantec DLP Endpoint Server.
- The objective is to review the DLP system security configuration based on the components listed below and in conjunction with Symantec best practice.
The scope of the review consists of the security configuration for the following components:
- Active Directory Authentication
- Enforce Login
- Detection Server Communication
- Directory Connection
- Network Prevent Web
- Network Prevent Email
- Endpoint Agent Communication
- Network Discover Scan Credentials
- Exact Data Match
Organizations will find that much of the Symantec DLP system/agents is secured natively, but anything involving external integration, like certificates or ICAPS redirect can be implemented outside of best practice. Those looking to make their DLP system as reliable as the data and workloads it’s protecting, should consider the above areas to further fortify the underlying infrastructure, communications and management securely.