Security Basics mailing list archives

RE: When , where, how?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 26 May 2011 09:06:14 -0700

  DLP can be politically difficult because it tries to protect your
organization's sensitive data from disclosure -- accidental or deliberate --
by your own people.  It really can't be done without management commitment.

  Done wrong (or just cheaply), it can actually make you more vulnerable
rather than less, in at least two ways:

1.  Different DLP solutions have different ways of identifying sensitive
information.  Several rely on you, in setting up the "solution", to list all
of your sensitive information so it can recognize it when it sees it.  If
you deploy one of these, the unintended consequence may be that you now have
a single box on your network that now has a copy of all your most sensitive
and valuable information.  HOPEFULLY it is also a tough box to crack, but
this is by definition a very High Value Target....

2.  Different DLP solutions have different ways of seeing information trying
to leave your network.  We were in the process of setting up an evaluation
test of one product, which I won't name, when the vendor told us that we
were going to need a rule forbidding employees to use HTTPS to access
web-based email services such as GMail, so that their box could read the
messages that were sent.  You might be in an organization where that can be
imposed and enforced, but I'm not.  A "real" solution will proxy HTTPS
rather than force users to abandon it entirely.

  All that said, you may not know whether you have a problem or not; a good
DLP solution can demonstrate that you don't and alert you if/when you do.
If you have information to protect, it would be helpful to at least know
that much.  (Our hope in doing an eval was to get some indication of whether
we had an active problem, or just a potential one....)

David Gillett, CISSP


-----Original Message-----
From: a bv [mailto:vbavbalist () gmail com]
Sent: Thursday, May 26, 2011 00:18
To: security-basics () securityfocus com
Subject: DLP: When , where, how?

Hi,

I would like to have your opinion about when/which organizations need a DLP
solution? How the need depends on organization's work area, country, region or
culture? How to implement the solution and handle the data classification
and cooperate with data owners, business departments.

Regards

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we
examine the importance of Apache-SSL and who needs an SSL certificate.  We
look at how SSL works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure
efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
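
As an added illustration of point 1 in the reply above (not part of the original post or of any vendor's product): one way to let a DLP box recognize listed values without holding a plaintext copy of them is to register keyed HMAC-SHA256 fingerprints instead. The fingerprinting approach, the sample values and all function names are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample values; none of them come from the original post.
SENSITIVE_VALUES = ["4111-1111-1111-1111", "PROJECT-FALCON-BID", "EMP-000123-SALARY"]
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")


def normalize(token: str) -> bytes:
    """Canonical form so case and hyphen variants of a value compare equal."""
    return re.sub(r"[^a-z0-9]", "", token.lower()).encode()


def fingerprint(key: bytes, token: str) -> str:
    """Keyed digest of one token; it cannot be matched or guessed without the key."""
    return hmac.new(key, normalize(token), hashlib.sha256).hexdigest()


def build_registry(key: bytes, values: list[str]) -> set[str]:
    """Run where the data lives; only the digests are shipped to the DLP box."""
    return {fingerprint(key, v) for v in values}


def scan(key: bytes, registry: set[str], outbound: str) -> list[str]:
    """Return the tokens of an outbound message whose fingerprint is registered."""
    return [t for t in TOKEN_RE.findall(outbound) if fingerprint(key, t) in registry]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical per-deployment secret
    registry = build_registry(key, SENSITIVE_VALUES)
    # The registry holds 64-character hex digests, not the listed values.
    print(sorted(registry)[0])
    print(scan(key, registry, "Our number is project-falcon-bid, card 4111-1111-1111-1111."))
    print(scan(key, registry, "Lunch at noon?"))
```

The scanner still needs the key, so a compromised box can be used to test guesses against low-entropy values; the registry is a smaller target than a plaintext copy, not a harmless one.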


