
Data Leakage Protection | IOA Knowledge Base Community

Posted in: All Community Discussions » ASK THE IOA EXPERTS (BETA)

Data Leakage Protection

  • dmsherr

    I have been reviewing the patterns, and while I do see a set of security patterns, do you know of any related to Data Leak Protection (DLP)?

     
  • tpeluso

    Hello and thanks for the question!

      Snarkier -- as one of the main authors of the blueprints, he can provide the best guidance here.

    Terri Peluso IOA Knowledge Base & Community Manager
     
  • Snarkier

    Hello dmsherr, thanks for the question. This is a complex topic and needs an answer that covers a number of important aspects:

    Data Leakage Prevention is becoming a growing concern for enterprises as they distribute their applications and services out from behind their centralized firewall and use a variety of clouds to run their applications or integrate with SaaS platforms. There are a variety of tactics that will help enterprises minimize this threat.

    • There are 2 major causes of data leakage that I will write about here:
      • An unauthorized user gets into data that they are not allowed to see or use and steals it.
      • Messages or transactions with sensitive data are sent to unauthorized users or destinations.

    The use of secure network intersection control points at the digital edge provides the basis for minimizing data leakage.

     

    • In the Network blueprint, two design patterns provide initial guidance for building a foundation:
      • Segment the traffic flows – this is a policy driven approach to direct traffic flows by message type and source to defined designations. This tactic would also leverage a few design patterns in the security blueprint which I will expand upon below.
      • Multiload connectivity – is a good example of that segmentation at work where policy driven segmentation directs messages between clouds based. It is also important to note that cloud connectivity in this hub can be set up as a one to many connection, reducing complexity which reduces the potential for security breaches.
    • The Security blueprint emphasizes techniques to use at these network intersection points to ensure greater security:
      • All five security design patterns can be used to secure the network intersection hub and turn it into a control hub:
        • The first 3 patterns (Boundary control, Inspection zone, and Policy enforcement) leverage the segmentation capabilities established in the network blueprint to provide a granular level of protection against outward leakage and incoming intrusion. These tactics also ensure that intercloud traffic is inspected from all directions because a no trust zone is established within the edge.
        • ID & Key management is used to safely store all IDs and keys in the edge in a safe data repository gated by a secure API gateway. This minimizes unauthorized entry opportunities.
        • Security logging and Analytics – will coordinate with the inspection zone to analyze current and evolving threats and recommend policy changes.
    • The Data blueprint depicts the use of data caches to keep data that no cloud should safely house in the control hub, where multiple clouds can access the data but not keep it.
    • The Application blueprint depicts the use of APIs and messaging to act as gatekeepers to access any data, leveraging the defined security policies.

     

    All of these tactics when combined can be used to effectively reduce data leakage. By leveraging an ecosystem of security service partners that are discoverable in the network control hub, enterprises can take advantage of an ecosystem of well tested security and analytic services, reducing deployment time and risk. These services can be composed into a service chain that can be configured at each hub to meet the needs of the local traffic and policy requirements.

    All of these capabilities will help reduce data leakage, but there are process components as well. Policy changes need to be rapidly propagated to all distributed nodes for the security measures to be effective.

    I hope this helps.

    Regards,

    Sheppard

    I have practiced pattern based design for over 20 years and am passionately curious about how technology affects our lives.
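As an added example that is not part of the original thread, and not code from the IOA blueprints or their authors: a small policy-driven segmentation check with a DLP classifier, in the shape the answer above describes. Each message is routed by type and source zone under a default-deny policy, sensitive content is only allowed to destinations the policy marks as permitted for it, and every decision produces a log record of the kind the "Security logging and Analytics" pattern would consume. The `Message` and `Rule` shapes, the policy table, the zone and host names, and the two detector patterns are all constructed assumptions for illustration.

```python
"""Policy-driven egress segmentation with a DLP check (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Message:
    """One transaction as seen at an edge control point (hypothetical record shape)."""
    source_zone: str   # where the message came from, e.g. an application tier
    destination: str   # target host or service
    msg_type: str      # message class the policy keys on
    body: str          # payload the DLP classifier inspects

@dataclass(frozen=True)
class Rule:
    """Segmentation policy for one message type (hypothetical policy shape)."""
    allowed_sources: frozenset
    allowed_destinations: frozenset
    sensitive_destinations: frozenset  # subset of destinations that may receive sensitive content

# Constructed policy table; zone and host names are placeholders, not real systems.
POLICY: Dict[str, Rule] = {
    "order": Rule(
        allowed_sources=frozenset({"app-tier"}),
        allowed_destinations=frozenset({"payments.internal.test", "analytics.partner.test"}),
        sensitive_destinations=frozenset({"payments.internal.test"}),
    ),
    "report": Rule(
        allowed_sources=frozenset({"app-tier", "partner-saas"}),
        allowed_destinations=frozenset({"analytics.partner.test"}),
        sensitive_destinations=frozenset(),
    ),
}

# Constructed detectors; a production DLP engine uses richer classifiers than two regexes.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16 digits, optional separators
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # US SSN-like shape
}

def classify(body: str) -> List[str]:
    """Return the sorted names of sensitive-data classes found in the body."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body))

def evaluate(msg: Message, policy: Dict[str, Rule] = POLICY) -> dict:
    """Apply default-deny segmentation first, then the DLP check on the destination."""
    labels = classify(msg.body)
    rule = policy.get(msg.msg_type)
    if rule is None:
        decision, reason = "deny", "no rule for message type"
    elif msg.source_zone not in rule.allowed_sources:
        decision, reason = "deny", "source zone not permitted for message type"
    elif msg.destination not in rule.allowed_destinations:
        decision, reason = "deny", "destination outside permitted segment"
    elif labels and msg.destination not in rule.sensitive_destinations:
        decision, reason = "deny", "sensitive data to unauthorized destination"
    else:
        decision, reason = "allow", "policy match"
    # One structured line per decision for the logging/analytics function to consume.
    log = (f"dlp decision={decision} type={msg.msg_type} src={msg.source_zone} "
           f"dst={msg.destination} labels={','.join(labels) or '-'} reason=\"{reason}\"")
    return {"decision": decision, "reason": reason, "labels": labels, "log": log}

# Constructed sample traffic covering both leakage causes and the default-deny path.
SAMPLE_MESSAGES = [
    Message("app-tier", "payments.internal.test", "order", "order 77 card 4111 1111 1111 1111"),
    Message("app-tier", "analytics.partner.test", "order", "order 77 card 4111 1111 1111 1111"),
    Message("partner-saas", "payments.internal.test", "order", "order 78"),
    Message("partner-saas", "analytics.partner.test", "report", "daily totals 1234"),
    Message("app-tier", "backup.unknown.test", "snapshot", "volume image"),
]

def run_sample() -> List[str]:
    """Decisions for the sample traffic, in order."""
    return [evaluate(m)["decision"] for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(evaluate(m)["log"])
```

The order of the checks matters: the source and destination checks implement the segmentation itself (an unauthorized zone never reaches the data), and only traffic that already fits its segment is then tested for sensitive content against the narrower set of destinations allowed to receive it. Because the policy is a plain table, the same structure can be pushed to every distributed control hub, which is the propagation problem the answer closes on.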
     
  • tpeluso

    Hello dmsherr! Please advise if this answer was helpful. This in turn helps others with the same question. Many thanks for the question!

    Terri Peluso IOA Knowledge Base & Community Manager
     