<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How do you stop an employee emailing a sensitive document? in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51666#M3563</link>
    <description>&lt;P&gt;Realize that if I screenshot and/or put into a password-protected zip file, it becomes nearly impossible to apply technical measures to classify and protect as Intellectual Property without going scorched-earth.&amp;nbsp; Therefore, you also need to ensure you have written policy, disciplinary procedures and exec/HR buy-in to cover the cases where employees are actively attempting to bypass the controls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Given the commonality of briefcases and work-from-home, you also need to decide if printing (at home or at the office) is an acceptable risk.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also, consider solutions that encrypt the files in a way that they are unusable if accessed on a non-company (e.g. not domain joined) PC (or with an unauthorized account).&amp;nbsp; Then, you no longer need to&amp;nbsp; enumerate all the possible egress methods.&lt;/P&gt;</description>
    <pubDate>Tue, 21 Jun 2022 18:02:41 GMT</pubDate>
    <dc:creator>denbesten</dc:creator>
    <dc:date>2022-06-21T18:02:41Z</dc:date>
    <item>
      <title>How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51642#M3549</link>
      <description>&lt;P&gt;How do you stop an employee sending a sensitive document through their personal email? Endpoint DLP is supposed to prevent such things, but when going into the details, the products that I've looked at seem to provide little or no protection to this route.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you have a product to suggest - what technical measures does it use to stop someone opening gmail and uploading the document?&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 10:13:11 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51642#M3549</guid>
      <dc:creator>gidyn</dc:creator>
      <dc:date>2023-10-09T10:13:11Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51643#M3550</link>
      <description>&lt;P&gt;Web filters or web security gateways are another way to do it. It's not 100% perfect, as in there are ways around it just like DLP but the combination of the two would certainly be better than just one solution.&amp;nbsp; &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jun 2022 20:06:25 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51643#M3550</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2022-06-20T20:06:25Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51644#M3551</link>
      <description>&lt;P&gt;Is there a reason you can't just block access to Gmail entirely? You can do this with NGFW or proxy (a.k.a. secure web gateway) solutions pretty easily.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Many will allow you to be granular with the actions users can take if you don't want to block access entirely, e.g. users can log in and read emails but not compose new ones, or compose new ones but not add attachments.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the company uses Gmail itself, then are you really asking how to differentiate between the company's Gmail and users' personal Gmail accounts? Google themselves have documented some options to achieve this, one of which is HTTP header insertion, again using an NGFW or proxy:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://support.google.com/a/answer/1668854" target="_blank"&gt;https://support.google.com/a/answer/1668854&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jun 2022 20:47:15 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51644#M3551</guid>
      <dc:creator>AlecTrevelyan</dc:creator>
      <dc:date>2022-06-20T20:47:15Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51645#M3552</link>
      <description>&lt;P&gt;There are a few ways. The easiest way to remove Gmail is using a firewall or IPS with application control. They can still browse but will not be able to log in to Gmail. Some IPS solutions are smart enough to know if they are using the upload option, but there are still ways around it by using regular Gmail. You could still open up a file and cut and paste it. I would disable Gmail (All webmail) altogether. Cisco FirePower, I believe, has this function. Not cheap.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jun 2022 20:53:02 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51645#M3552</guid>
      <dc:creator>steampunk</dc:creator>
      <dc:date>2022-06-20T20:53:02Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51646#M3553</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/843497849"&gt;@steampunk&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;There are a few ways. The easiest way to remove Gmail is using a firewall or IPS with application control. They can still browse but will not be able to log in to Gmail. Some IPS solutions are smart enough to know if they are using the upload option, but there are still ways around it by using regular Gmail. &lt;FONT color="#0000FF"&gt;You could still open up a file and cut and paste it.&lt;/FONT&gt; I would disable Gmail (All webmail) altogether. Cisco FirePower, I believe, has this function. Not cheap.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;If the endpoint DLP isn't catching this, then network DLP should.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Additionally, capabilities like user and entity behaviour analytics (UEBA) can identify users doing things like stealing intellectual property oftentimes more effectively than traditional DLP solutions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is all high-end capability though, so the appetite to deploy it depends on the value of your company's data and the assessment the company has made of the risks to that data.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jun 2022 21:32:15 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51646#M3553</guid>
      <dc:creator>AlecTrevelyan</dc:creator>
      <dc:date>2022-06-20T21:32:15Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51650#M3555</link>
      <description>&lt;P&gt;You could consider looking at Proofpoint as an email gateway as it has DLP functionality built in, plus the capability to encrypt email in transit.&amp;nbsp; Secondly, classify your emails by sensitivity and provide awareness training around email security.&amp;nbsp; There is obviously the risk that an employee may directly log in to webmail clients and upload sensitive information, so you either need an endpoint DLP product and/or to block all webmail.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 07:11:42 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51650#M3555</guid>
      <dc:creator>Steve-Wilme</dc:creator>
      <dc:date>2022-06-21T07:11:42Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51651#M3556</link>
      <description>&lt;P&gt;To those advising that I block Gmail or implement network filtering - perhaps I wasn't clear enough in the scenario.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;An employee, who uses a laptop for work, takes it home (or to a public hotspot or wherever), with a sensitive file. Company policy allows this.&lt;/LI&gt;&lt;LI&gt;They log into their personal email, which could be Gmail, some boutique provider that you've never heard of, or something they host themselves with old-style web hosting. Nothing on the corporate network or mail gateway can see this.&lt;/LI&gt;&lt;LI&gt;They email the sensitive document as an attachment.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Employees must be allowed to take their laptops home (particularly during pandemics). The only solution I can think of is VDI, which is more overhead than corporate is prepared to invest in.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 07:30:08 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51651#M3556</guid>
      <dc:creator>gidyn</dc:creator>
      <dc:date>2022-06-21T07:30:08Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51654#M3558</link>
      <description>&lt;P&gt;You could put a proxy agent on the laptop for internet traffic.&amp;nbsp; And so long as you had administrative control of the laptop you could control what could be accessed.&amp;nbsp; It would be worth looking at removable media controls at the same time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 10:14:11 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51654#M3558</guid>
      <dc:creator>Steve-Wilme</dc:creator>
      <dc:date>2022-06-21T10:14:11Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51656#M3559</link>
      <description>&lt;P&gt;There are many questions unanswered.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. Do the laptop users have admin privilege on the device?&lt;/P&gt;&lt;P&gt;2. Is Gmail your corporate email system?&lt;/P&gt;&lt;P&gt;3. Do you have any "Security" software on the devices?&amp;nbsp; Which ones?&lt;/P&gt;&lt;P&gt;4. What operating systems (which browsers do you allow or is it a free-for-all)?&lt;/P&gt;&lt;P&gt;5. Do you have any DLP on the devices?&lt;/P&gt;&lt;P&gt;6. Do you have any type of "content filtering software" on the devices?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also keep in mind that confidential data can be stolen in other ways (hard copy, thumb drive), so you may have to implement printing security software.&amp;nbsp; Additionally, you should disable either the CD drive or the thumb drive.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are also things you can do to the data that will not allow a user to download (that is, they can only see it or touch it at work).&amp;nbsp; Check out:&amp;nbsp;&lt;A href="https://support.microsoft.com/en-us/office/prevent-users-from-downloading-content-from-a-site-98821ec7-cc99-4393-a002-f73370ba6694" target="_blank"&gt;https://support.microsoft.com/en-us/office/prevent-users-from-downloading-content-from-a-site-98821ec7-cc99-4393-a002-f73370ba6694&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We would love to help you, so send along some additional information.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;d&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 10:24:17 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51656#M3559</guid>
      <dc:creator>dcontesti</dc:creator>
      <dc:date>2022-06-21T10:24:17Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51659#M3560</link>
      <description>&lt;P&gt;As&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/783051913"&gt;@Steve-Wilme&lt;/a&gt;&amp;nbsp;and others have said, it's installing a web proxy agent that filters back to either an on-prem filter or SaaS cloud filter. This is pretty much what every school in the U.S. does to keep kids safe when using school devices at home.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 12:00:54 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51659#M3560</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2022-06-21T12:00:54Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51660#M3561</link>
      <description>Putting all the replies together, it looks like I need some endpoint solution that can force all network traffic through a corporate filter (regardless of what network the user has connected to), and the filter will use its own certificate to intercept SSL connections. DLP should be able to work with the filter to prevent data leaks - I haven't actually implemented this in the past, but it sounds like a pretty basic capability.&lt;BR /&gt;&lt;BR /&gt;This just leaves finding an endpoint that can force this kind of proxying.</description>
      <pubDate>Tue, 21 Jun 2022 12:19:14 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51660#M3561</guid>
      <dc:creator>gidyn</dc:creator>
      <dc:date>2022-06-21T12:19:14Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51666#M3563</link>
      <description>&lt;P&gt;Realize that if I screenshot and/or put into a password-protected zip file, it becomes nearly impossible to apply technical measures to classify and protect as Intellectual Property without going scorched-earth.&amp;nbsp; Therefore, you also need to ensure you have written policy, disciplinary procedures and exec/HR buy-in to cover the cases where employees are actively attempting to bypass the controls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Given the commonality of briefcases and work-from-home, you also need to decide if printing (at home or at the office) is an acceptable risk.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also, consider solutions that encrypt the files in a way that they are unusable if accessed on a non-company (e.g. not domain joined) PC (or with an unauthorized account).&amp;nbsp; Then, you no longer need to&amp;nbsp; enumerate all the possible egress methods.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 18:02:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51666#M3563</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2022-06-21T18:02:41Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51667#M3564</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/587599555"&gt;@gidyn&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;This just leaves finding an endpoint that can force this kind of proxying.&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Most any VPN/remote access software can do this.&amp;nbsp; "Split Tunneling" is a good search term.&amp;nbsp; Split tunneling is the act of sending most stuff to the company and allowing other stuff (e.g. SAAS services) to directly use the home-ISP for performance/capacity reasons.&amp;nbsp; Your goal is to set up split tunneling with most/all Internet destinations "hairpinning" through the company firewall and little to nothing splitting off locally.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A home printer is an example of something that must be "split" if one wants to support it.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 18:13:06 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51667#M3564</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2022-06-21T18:13:06Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51669#M3565</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713"&gt;@denbesten&lt;/a&gt;&amp;nbsp;wrote:&lt;/BLOCKQUOTE&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;Most any VPN/remote access software can do this.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Most VPN software won't prevent the user from making non-VPN connections. That's what's needed here, prevent them from making any network connections that don't go through the VPN. Or maybe I'm just not familiar enough with what's available?&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 18:50:58 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51669#M3565</guid>
      <dc:creator>gidyn</dc:creator>
      <dc:date>2022-06-21T18:50:58Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51671#M3566</link>
      <description>&lt;P&gt;Based on my experience, you'd have to enforce the use of a proxy via group policy to your company firewall in conjunction with VPN software to prevent any non-VPN connections or Internet access. If your firewall has a built-in IPS to provide layer 7 content filtering, that could serve as your filter to prevent email access that's not specifically allow-listed. If it wasn't enforced by a proxy GPO, you'd have to enforce a full tunnel instead of hairpinning to catch all of the traffic, but I'm not sure that's possible with just the remote access software alone.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But that's assuming all of your devices are using Windows. The best way I've found for all OS types is via an agent to proxy traffic to a filter and MDM software to enforce device restrictions, e.g., app installs, certs for wireless networks, USB access, etc.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 19:47:23 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51671#M3566</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2022-06-21T19:47:23Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51676#M3567</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/587599555"&gt;@gidyn&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;To those advising that I block Gmail or implement network filtering - &lt;FONT color="#0000FF"&gt;perhaps I wasn't clear enough in the scenario&lt;/FONT&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;An employee, who uses a laptop for work, takes it home (or to a public hotspot or wherever), with a sensitive file. Company policy allows this.&lt;/LI&gt;&lt;LI&gt;They log into their personal email, which could be Gmail, some boutique provider that you've never heard of, or something they host themselves with old-style web hosting. Nothing on the corporate network or mail gateway can see this.&lt;/LI&gt;&lt;LI&gt;They email the sensitive document as an attachment.&lt;/LI&gt;&lt;/OL&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Yes, this is a very different set of requirements than those you originally described.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;SPAN&gt;Employees must be allowed to take their laptops home (particularly during pandemics). &lt;FONT color="#0000FF"&gt;The only solution I can think of is VDI, which is more overhead than corporate is prepared to invest in.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;As I questioned earlier, what value does your company put on their data, what is their assessment of the risks to that data given their current security posture, and how does that translate into a budget to secure that data appropriately?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are platforms out there that do exactly what you want (e.g. 
Security Services Edge solutions, or if you don't want cloud-hosted, on-prem NGFWs can deliver SSE capability as well), but they are not inexpensive.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Given what you mentioned about VDI solutions being more overhead than corporate is willing to invest, unfortunately these will likely be out of reach for you, so what security capabilities do you already have to help deliver against your requirements?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;BTW - I appreciate this was last updated a year ago, therefore it may not be current, but it shows that VDI is not especially expensive:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.infusedinnovations.com/blog/secure-intelligent-workplace/microsoft-365-secure-intelligent-workplace/wvd-pricing-guide-windows-virtual-desktop" target="_blank"&gt;https://www.infusedinnovations.com/blog/secure-intelligent-workplace/microsoft-365-secure-intelligent-workplace/wvd-pricing-guide-windows-virtual-desktop&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I wouldn't personally recommend VDI solutions to deliver against a set of security requirements typically, but it makes me question, is the value of your corporate company's data really lower than ~$29 per user, per month? (Lowest price mentioned for 50 users is $1,433 per month.)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If it isn't, you need to approach your business leaders and look to educate them on core risk management principles, and setting appropriate budgets!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jun 2022 23:11:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51676#M3567</guid>
      <dc:creator>AlecTrevelyan</dc:creator>
      <dc:date>2022-06-21T23:11:53Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51678#M3568</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/587599555"&gt;@gidyn&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713"&gt;@denbesten&lt;/a&gt;&amp;nbsp;wrote:&lt;/BLOCKQUOTE&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;Most any VPN/remote access software can do this.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Most VPN software won't prevent the user from making non-VPN connections. That's what's needed here, prevent them from making any network connections that don't go through the VPN. Or maybe I'm just not familiar enough with what's available?&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I am doing this today with the Gartner "enterprise network firewalls" magic quadrant leader.&amp;nbsp; And "disable split tunneling" was a feature in the other enterprise-grade firewalls we eval'ed.&amp;nbsp;&amp;nbsp;Its fundamental technique is sending default route over the tunnel and preventing users from reconfiguring/disabling the agent.&amp;nbsp; No proxy settings; it works 100% by manipulating the PC's routing table.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That said, I do confess that I have very little knowledge of the SMB markets, so I probably am speaking with "big business" blinders on.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;For what it's worth "disable split tunneling" is the magic incantation to use when discussing with your vendor.&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 22 Jun 2022 05:30:19 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51678#M3568</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2022-06-22T05:30:19Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51705#M3574</link>
      <description>&lt;P&gt;It is possible to classify a document as Internal Use Only and restrict access to that document to within the organisation only.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We've used Microsoft technology to do this for a while now but it's important to educate users in the application of the classification scheme.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We can see when the classification has been amended to allow external transfer so there are some detective controls in place too.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here's a useful starting point to see what is possible:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rms" target="_blank"&gt;https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rms&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.microsoft.com/en-us/azure/information-protection/rms-client/track-and-revoke-admin" target="_blank"&gt;https://docs.microsoft.com/en-us/azure/information-protection/rms-client/track-and-revoke-admin&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Other products are available which do a similar thing but here are the key things we have in place to reduce the risk:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Classify the information properly (and use tools to determine whether the classification has been correctly set - if possible)&lt;/LI&gt;&lt;LI&gt;Restrict access to webmail (gmail etc.) on company endpoints.&lt;/LI&gt;&lt;LI&gt;Restrict access to information that has been classified as for Internal Use Only so that it cannot be accessed outside of the organisation's environment.&lt;/LI&gt;&lt;LI&gt;Monitor/alert on classification adjustments.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I hope this helps.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jun 2022 13:59:14 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51705#M3574</guid>
      <dc:creator>RichT</dc:creator>
      <dc:date>2022-06-24T13:59:14Z</dc:date>
    </item>
    <item>
      <title>Re: How do you stop an employee emailing a sensitive document?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51734#M3579</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113"&gt;@tmekelburg1&lt;/a&gt; and all.&amp;nbsp; Here is a prime example and a good use case of applying Zero Trust Security for protecting users and remote workers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;An ideal migration to, for example, ZScaler with its capabilities and apply an SASE architecture.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Another approach would be to use Cloud services such as Crowdstrike, but given the fact that the user is using Gmail on a corporate-owned system, you have every right to apply agents to protect the organisation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jun 2022 21:30:20 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/How-do-you-stop-an-employee-emailing-a-sensitive-document/m-p/51734#M3579</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2022-06-27T21:30:20Z</dc:date>
    </item>
  </channel>
</rss>

