Category Archives: DLP

Cloud DLP and Regulatory Compliance: 3 Things You Must Know

This article was originally published at nightfall.ai

It’s well-established that a data breach is an extremely costly event. By some estimates, a data leak can cost a small to medium-sized business more than $7.68 million per incident.

Compliance regimes may seem burdensome, but the goal of these policies is to prevent a devastating data breach that can bankrupt a business and cause myriad problems for consumers. It’s important to understand the differences between compliance and security, as well as how data loss prevention (DLP) allows your organization to accomplish both objectives efficiently and affordably.

Here’s what you need to know about cloud DLP and prevalent compliance policies like HIPAA, GDPR, and others.

Cloud compliance vs. cloud security: what’s the difference?

Cloud compliance and cloud security overlap, but they are two different areas of practice. Cloud compliance refers to the regulations and policies designed to protect individuals and companies from the impact of data loss. More specifically, compliance focuses on the type of data collected and stored by a business, as well as the regulatory frameworks that apply to data protection. Cloud security is made up of the physical tools and platforms that protect and defend customer and company data. This could include software like VPNs, DLP platforms like Nightfall, and tools like multifactor authentication. Cloud security also requires action-oriented cloud security policies that are updated regularly to reflect changes in the business and new online threats.


Achieving cloud compliance could mean that your organization must meet requirements set by a few different regulations, depending on what industry you’re in. It’s important to understand the most common compliance regimes and design your cloud security system to meet — and exceed — those policies.

Most common data compliance requirements

There are five main compliance regulations that govern how a company collects, stores, and uses data. These regulations work at the state, federal, or international level to spell out the type of data that needs protection, as well as set forth the penalties for those companies that misuse or fail to follow the legislation.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This federal law governs how companies in the health insurance industry secure patients’ personal medical information. Title 2 of HIPAA specifically relates to information privacy and security. HIPAA requires that access to all electronic health records be restricted to those with valid reasons for viewing those records. This restriction applies not only to data that is stored — e.g., data at rest — but also data in motion and in use. Encryption, secure file transfer, and strong access controls are key.

PCI DSS stands for Payment Card Industry Data Security Standard. This is an industry set of standards that governs how companies handle and protect customer credit and debit card data. If your business accepts any non-cash payments, it’s likely you will have to meet PCI DSS standards. Luckily, PCI DSS compliance is relatively prescriptive: there are 12 requirements that you must meet, from having a firewall to regularly testing network security.

GDPR is one of the most recent compliance regimes, passed in 2018 by the European Union. The General Data Protection Regulation aims to protect consumer privacy by requiring companies to be transparent about the data they collect, regulating how companies process data, and improving the reporting of data breaches. GDPR compliance has many requirements, but in practice it comes down to obtaining an individual’s consent to collect data and minimizing the amount of data stored by your business.

The CCPA, the California Consumer Privacy Act, began to take effect in July 2020. It’s seen as one of the most demanding pieces of privacy legislation in recent history. The CCPA will require developing comprehensive data discovery and data security programs organization-wide. Companies will need to know how data is used, where it’s stored, and who has access to it. This will often require building consistent security processes with the help of tools like privileged access management, securely configured firewalls, and application security controls like data loss prevention.

Luckily, the CCPA applies only to: “companies that have gross annual revenues above $25 million; those that buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; or businesses that derive 50% or more of their annual revenue from selling consumers’ personal information.”


Last but not least, SOX is short for the Sarbanes-Oxley Act of 2002. SOX compliance is primarily concerned with protecting financial information of public companies, and defines what financial data must be kept for a certain amount of time. “Spreadsheets, emails, IMs, recorded phone calls and financial transactions will all need to be preserved for at least five years in case auditors require them, so it’s essential the right management systems are in place,” explains one expert.

With so many different regulations to adhere to, what’s the easiest way for a company to protect its data? A comprehensive cloud DLP solution can help meet the requirements of each of these compliance regulations efficiently and effectively.

How cloud DLP helps you stay compliant

Keeping up with data security compliance is impossible without help, especially within cloud applications — and this is where a cloud DLP solution comes into play. A tool like Nightfall can monitor and provide visibility into your data and systems, filter data streams to restrict suspicious or unidentified activity, log data for incident response and auditing, and pull everything together to help you prevent customer data from falling into the wrong hands.

Compliance regimes like GDPR, CCPA, HIPAA, and PCI DSS require effective management and protection of customer data to keep consumers safe. Nightfall can help you first discover and classify sensitive customer data like PII, PHI, and PCI data that many compliance regimes identify as data that must be protected. The tool also gives you a quick way to remediate issues by taking actions like notifying admins and quarantining or deleting data. This reduces the risk of losing or exposing sensitive customer data and reinforces your commitment to protecting this information.

HIPAA compliance is one of the hardest benchmarks to achieve, especially for health industry companies that have shifted to working remotely. Nightfall is essential for ensuring HIPAA compliance within SaaS applications like Slack and is critical to development teams scaling healthcare applications within a production environment. Read our case studies to see how we help companies like Galileo Health and Springbuk maintain HIPAA compliance.

Regards

Tegan Johnson

Custom Transport rules in Exchange 2013

By using transport rules in Exchange 2013 we can filter, inspect or block confidential emails that match specific conditions defined in the rule. In this way we can prevent the leakage of sensitive data from an organization.

Transport rules, together with DLP and policy tips, can be used to give end users an informational warning when they try to send emails that do not comply with company policy.

In order to achieve this we need to create a transport rule first, then create an associated DLP policy, and then configure policy tips for it. We will look at how to perform this with a small example.

The example below is a simple rule that helps us hold any emails with attachments containing the word "invoice".

Open EAC – Go to Mail Flow – Select Rules

Click on the + sign to create a new rule and give it a name.

We can choose a scope as well. In my example I'm selecting the option "The recipient is located outside the organization", so the rule applies to mail sent to external users.

We can apply a condition to this rule by specifying the words to look for. In my case I'm specifying the word "invoice", so that all emails containing "invoice" will be sent for review and approval.

We can take an action on any message that matches the "invoice" criteria. In my case I'm forwarding the email to an administrator for approval.

We can add an exception too, by excluding a few recipients who are entitled to send those messages, or by subject or a few other parameters, as shown below.
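The same rule can be created from the Exchange Management Shell, which is also the quickest way to confirm exactly what the EAC wizard stored. The following is an added example, not configuration from the original post: the rule name, moderator mailbox and exempt group are placeholders I made up for the illustration. It creates the rule in Audit mode first, so message tracking shows what it would have matched against real traffic, and switches it to Enforce only afterwards.

```powershell
# Added example (not from the original post). Exchange Management Shell, Exchange 2013.
# All names and addresses below are placeholders.
$ruleName = "Moderate external mail with invoice attachments"
$approver = "mail-approver@contoso.example"     # placeholder moderator mailbox
$exemptDL = "finance-billing@contoso.example"   # placeholder group allowed to send invoices

# Scope, condition, action and exceptions, as chosen in the EAC wizard:
#   scope      -> recipient is outside the organization
#   condition  -> an attachment's content contains the word "invoice"
#   action     -> hold the message for approval by the moderator
#   exceptions -> sent by the billing group, or subject already says "approved invoice"
# -Mode Audit records matches in the message tracking log without moderating anything,
# so the rule can be checked against live mail flow before it is enforced.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -AttachmentContainsWords "invoice" `
    -ModerateMessageByUser $approver `
    -ExceptIfFrom $exemptDL `
    -ExceptIfSubjectContainsWords "approved invoice" `
    -Mode Audit `
    -Comments "Outbound invoices require approval (placeholder change reference)"

# Review the rule as Exchange stored it before relying on it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, AttachmentContainsWords,
                ModerateMessageByUser, ExceptIfFrom, ExceptIfSubjectContainsWords

# Once the audit period shows only the expected matches, enforce the rule.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Keeping the rule in Audit mode for a few days is worth the delay: a word match on attachment content also fires on legitimate invoices sent by people outside the exempt group, and the tracking log shows how many messages the moderator would otherwise have to approve.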

We can enhance this rule further and notify end users before they send emails that do not meet company policy. This can be accomplished with the help of policy tips.

Policy tips are informational messages displayed to end users in OWA, Outlook and OWA for Devices before they send content that violates the organization's policy.

They function similarly to MailTips, where an informational message is shown to the user when he/she tries to add an attachment, such as a PDF file, that the organization does not allow to be sent to external users by email. In this way users learn that this kind of email is not permitted, and they can follow the rules.

Policy Tips work together with DLP, so an associated DLP policy also needs to be created.

To create a Custom DLP Policy

Open EAC – Click Compliance management – Select Data Loss Prevention – Select New Custom DLP Policy

Now give it a name and specify the description.

Set the state to Enabled, choose the option Test DLP policy with Policy Tips, and click Save.

Now click on the DLP policy you created and click Edit.

Select Rules – here you can create a new rule.

In my case I'm selecting the rule option "Notify sender when sensitive information is sent outside the organization". You can create a new rule or pick an existing one that matches your criteria, then click Save.

To edit Policy Tips

To do that, click Edit on the custom DLP policy you created and select Manage policy tips.

Click on the "Notify the sender" option.

Select the locale (language).

Then specify the text message that needs to be displayed to the end user when he/she tries to send an email that matches our transport rule, DLP policy and policy tip.

Below is an example of the policy tip notification.

Note: If you are using policy tips for SSNs, passport numbers or credit card numbers with the existing DLP templates, the policy tips will be triggered only for valid passport numbers, credit card numbers and SSNs.
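The DLP policy, its rule and the policy tip text from the steps above can also be created from the Exchange Management Shell. The following is an added example and not the configuration from the original post: the policy name, incident-report mailbox and tip text are placeholders I made up. It uses the built-in Credit Card Number data classification (so the validation caveat in the note applies: only numbers that pass the built-in check are detected), starts the policy in test-with-policy-tips mode, and shows how the same objects are moved to enforcement later.

```powershell
# Added example (not from the original post). Exchange Management Shell, Exchange 2013.
# Policy name, report mailbox and tip text are placeholders.
$policyName   = "Contoso outbound sensitive data"
$reportBox    = "dlp-reports@contoso.example"   # placeholder mailbox for incident reports
$readyToEnforce = $false                        # flip to $true after the test period

# 1. Custom DLP policy. Mode AuditAndNotify is the EAC option
#    "Test DLP policy with Policy Tips": users see the tip, nothing is blocked.
New-DlpPolicy -Name $policyName `
    -Description "Warn users before payment card data leaves the organization" `
    -State Enabled `
    -Mode AuditAndNotify

# 2. Rule belonging to the policy: the "notify sender when sensitive information is
#    sent outside the organization" pattern. Credit Card Number is a built-in
#    classification; only values that pass its checksum validation count as a match.
New-TransportRule -Name "$policyName - notify sender" `
    -DlpPolicy $policyName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @{Name="Credit Card Number"; MinCount="1"} `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport $reportBox `
    -SetAuditSeverity High

# 3. Policy tip text for the NotifyOnly action in the English locale
#    (EAC: Manage policy tips). Tip text is global per locale and action, not per policy.
New-PolicyTipConfig -Name "en\NotifyOnly" `
    -Value "This message appears to contain payment card data. Sending it outside the organization is logged; please check the recipients before sending."

# 4. Verify what was created.
Get-DlpPolicy -Identity $policyName | Format-List Name, State, Mode
Get-TransportRule -Identity "$policyName - notify sender" |
    Format-List Name, DlpPolicy, Mode, NotifySender, MessageContainsDataClassification
Get-PolicyTipConfig -Identity "en\NotifyOnly"

# 5. After the test period: enforce the policy, require a justified override instead of a
#    plain notification, and add the tip text shown for the override action.
if ($readyToEnforce) {
    Set-DlpPolicy -Identity $policyName -Mode Enforce
    Set-TransportRule -Identity "$policyName - notify sender" `
        -NotifySender RejectUnlessFalsePositiveOverride
    New-PolicyTipConfig -Name "en\RejectOverride" `
        -Value "This message contains payment card data and will be blocked unless you report it as a false positive."
}
```

Running the policy in AuditAndNotify first gives two things an enforcement decision needs: the incident reports sent to the placeholder mailbox show which real messages matched, and the policy tips surface false positives to users before anything is rejected.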

Sathish Veerapandian
