DLP - Data Loss Prevention
Overview
End user devices are personal computers or consumer devices that can store information, such as laptops, tablets, smartphones and similar consumer computing devices. These devices are used to conduct most university business and provide a gateway to university data, research, and teaching platforms. As such, these devices are bound by TAMU Security Controls.
Security Categorization (RA-2) requirements for systems that store or process critical or confidential data include 1) use of file encryption or whole-disk encryption software and 2) appropriate use of data loss prevention (DLP) software provided and managed by the Office of the CISO. Currently, the DLP solution provided by Texas A&M Technology Services is Proofpoint Endpoint DLP.
Appropriate Use
Effective use of Data Loss Prevention software requires recognizing that endpoints and servers operate with different usage profiles and characteristics. The DLP agent is required under the following conditions:
- When the device stores or processes Critical data (DC-6).
- When the device is assigned to a person designated by security as a Very Attacked Person (VAP).
- When the device belongs to a business unit designated by security as storing or processing monitored data (RA-2).
- When the device is used for travel outside of the United States. The DLP agent is required for the duration of the travel and may be removed upon return.
However, this type of active monitoring tool may be inappropriate for some scenarios or information resources. Some examples where DLP software would be inappropriate to be installed include:
- End user devices used exclusively by individuals who cannot access critical or confidential data
- Endpoints that cannot reasonably access critical or confidential data (e.g., digital signage, open access workstations, etc.)
- Ephemeral desktops or systems which do not exist longer than 30 days
- Servers as described by the Client-Server Model below
- Application servers that do not store confidential data directly, but only source code
Client-Server Model
In certain circumstances, servers that are used exclusively in a client-server mode, and which do not allow for interactive user sessions, should not need to have a DLP agent installed if the information resource owner can establish that an active DLP agent has been installed on all endpoints connecting to the server.
It may also be inappropriate to run DLP software on certain servers, especially database servers, even if they are known to store confidential information. Instead, access to these servers should be restricted following the principle of least privilege, and endpoints used to access those servers should have DLP software installed.
Devices Designated as Requiring the DLP Agent
Very Attacked Persons (VAPs)
The VAP list will be maintained by IT Security. On a monthly basis, a list with users needing to have the DLP agent installed due to this status will be provided to the IT personnel responsible for installing the agent.
Business Units Which Store or Process Monitored Data (RA-2)
- Office of the Provost
- Division of Operations
- Division of Finance & Business
- Division of HROE
- TAMU Health
Service Details
Data In Motion Detections
Unlike previous DLP agents, the Proofpoint Endpoint DLP agent only scans for sensitive information on data-in-motion actions and specifically when data leaves the TAMU environment. Currently, the Proofpoint agent is configured to scan under the following conditions:
- Copy to USB (e.g. thumb drives, external hard drives and other USB mass storage)
- Web File Sync (e.g. folders that sync with cloud storage systems for which the University has no contractual agreement in place, such as Dropbox or iCloud)
- Web File Upload (e.g. uploads to web-based cloud storage systems such as OneDrive or Google Drive, other than the TAMU tenants for these services)
Note: Other activities, such as printing, web file download, and document open may be monitored in the future.
Activities that trigger a policy will appear in the Proofpoint console. Technology Services security teams review all alerts, but campus IT teams also have the ability to review and respond to alerts within the console. If an alert qualifies as a policy violation incident, Technology Services will send a notification via ServiceNow and ask for confirmation and a response from the data owner/steward. Campus IT admins who want a more active role can manage their unit's findings in the console in concert with Technology Services security teams.
Request
Information technology professionals on campus may contact endpoint-security@tamu.edu to request access to the console, obtain access to the repository containing the DLP software, or ask any questions.