DLP Suite Architecture and Data Security

Identity Finder DLP Enterprise was designed with security as a primary concern. For more information on the architecture, communication points, and data security available, please contact us or read the detailed information provided below.

Components

  • Identity Finder DLP Endpoints - DLP Endpoints are systems throughout the environment that can search and secure data.  DLP Endpoints are managed by the DLP Console and send results to the DLP Console for centralized reporting and data processing.
  • Identity Finder DLP Console - The DLP Console provides a centralized interface to manage and report on all DLP Endpoints within the enterprise. The DLP Console can configure policies, remediate findings remotely, update endpoints, schedule searches, analyze aggregated data from filtered lists of devices, and generate customized reports. The DLP Console consists of two components, which can reside on the same physical system or on two separate systems:
    • IIS Web Server - Hosts the DLP Services Web Application, which is the DLP Endpoints' point of communication with the console, and serves the DLP Console Web Application user interface.
    • SQL Database Server - Storage center for all results sent from DLP Endpoints, all configurations used to manage DLP Endpoints, and all configuration details for the DLP Console Web Application user interface.
  • Identity Finder DLP Console Web Application - The user interface that is accessible as a web interface through the IIS Web Server.  This user interface provides access to all reporting data, interfaces to manage DLP endpoints and configuration data for the user interface itself.
  • Identity Finder DLP Services Web Application - A non-interactive web application running on the IIS Web Server that receives communication requests from the DLP Endpoints.  The Services Web application receives all results data from DLP Endpoints and responds to requests from the DLP Endpoints for configuration data.


Data Security Mechanisms

  • Identity Finder DLP Console - The DLP Console uses multiple layers of security when processing and storing sensitive information received from DLP Endpoints, entered locally, and when publishing sensitive configuration data for DLP Endpoints.
    • The SQL Database Server employs password-based encryption using a passphrase entered during initial installation. This passphrase can be changed after installation. The encryption is performed inside the SQL Database Server using the Transact-SQL functions ENCRYPTBYPASSPHRASE and DECRYPTBYPASSPHRASE; note that the cipher is selected by SQL Server rather than by the DLP Console (Triple DES with a 128-bit key before SQL Server 2017, AES-256 from SQL Server 2017 on). All identity match data, sensitive DLP Console configuration data, and sensitive configuration data used to manage DLP Endpoints is encrypted in this manner. The database encryption passphrase is stored in an encrypted state on the IIS Web Server and is retrievable only by components of the DLP Console suite; in practice, whatever those components can decrypt, an administrator of the IIS host can also decrypt, so the IIS Web Server needs the same level of protection as the database.
    • During installation of the DLP Console, an RSA 1024-bit public/private key pair is generated. The private key is stored only in the SQL Database Server and can be obtained only by the IIS Web Server, using the database encryption passphrase. DLP Endpoints use the public key to protect the passphrases that encrypt results stored locally and subsequently transmitted to the DLP Console. A 1024-bit RSA modulus is below current guidance (NIST SP 800-131A disallows moduli shorter than 2048 bits for key transport), so the strength of this layer is bounded by the key size the product generates.
    • The IIS Web Server can be configured to use HTTP, HTTPS, or both, on any port. By default HTTP runs on port 80 and HTTPS on port 443; both may be changed. Because all sensitive data is encrypted before it is transmitted to the DLP Services Web Application, HTTPS is not strictly required for the confidentiality of results. It is still recommended: without it neither side authenticates the other, and anything the application does not encrypt itself, such as log data and connection metadata, crosses the network in the clear. The DLP Console Web Application can be configured to suppress the display of sensitive data or to display everything. To ensure encryption of data between a web browser and the DLP Console Web Application, HTTPS should be used.
  • Identity Finder DLP Endpoints – The DLP Endpoints also utilize multiple security mechanisms to ensure that sensitive data is encrypted.
    • Installation of the DLP Endpoint requires configuration information including the location URL of the DLP Services Web Application and the public key from the encryption key pair generated by the DLP Console installation.
    • All sensitive data sent to the DLP Console is first stored in a SQLite database encrypted with AES-128 by default; AES-256 or RC4 may be configured instead. RC4 is a deprecated stream cipher (prohibited in TLS by RFC 7465) and should not be selected. The passphrase used to encrypt the SQLite database is randomly generated and transmitted to the DLP Console encrypted under the 1024-bit RSA public key from the key pair generated by the DLP Console. If the public key is not available or has been removed from the DLP Endpoint, a strong internal password known only to the DLP Endpoint and DLP Console software is used instead. Because that password is built into the software rather than generated per installation, it is shared by every installation and obtainable by anyone able to analyze the software, so a missing public key should be treated as a misconfiguration to correct rather than an acceptable fallback.
    • When saving encrypted results files, the DLP Endpoint uses AES 256 bit FIPS 140-2 validated encryption.


Architecture Diagram

The following diagram depicts the architecture and data flow of the Identity Finder DLP Suite:

Architecture and Data Flow

  1. DLP Endpoints communicate with the DLP Console through the IIS Web Server, specifically the DLP Services Web Application. The connection is always initiated by the DLP Endpoint, at two times: when results and status updates are ready to be sent to the DLP Console, and on a configurable polling interval for management purposes. During a poll the DLP Endpoint receives all relevant configuration data published by the DLP Services Web Application for managing and configuring endpoints. Once a search completes and the DLP Endpoint software is closed, or a new search is initiated, the DLP Endpoint sends all results to the DLP Console by connecting to the DLP Services Web Application. Since every connection is initiated by the DLP Endpoint, no inbound network ports need to be opened on endpoints.
  2. Within the DLP Console, all external traffic, whether from DLP Endpoints to the DLP Services Web Application or from browsers to the DLP Console Web Application, passes through the IIS Web Server.
  3. The IIS Web Server makes any connections required to transfer data to and from the SQL Database Server. The SQL Database Server is never accessed directly by any component other than the IIS Web Server.
  4. The DLP Console Web Application is accessed by any web browser able to connect to the IIS Web Server.  This is a normal web application connection, initiated by the system running the web browser.


Data Security Workflow

  1. DLP Endpoints can send results to the DLP Console or save results locally.  Encryption is required for all results sent to the DLP Console and is used by default when saving results locally.
    1. DLP Endpoint to DLP Console communications can occur over HTTP or HTTPS on any desired port. By default HTTP is port 80 and HTTPS is port 443; this is configurable on the IIS Web Server during installation or at any point afterwards. The communication is always initiated by the DLP Endpoint, so from a firewall perspective the only path that needs to be open is from DLP Endpoints to the IIS Web Server on the chosen HTTP or HTTPS port. All sensitive data sent from the DLP Endpoint to the DLP Console, or obtained by the DLP Endpoint from the DLP Console, is encrypted by the application, so the confidentiality of results does not depend on HTTPS. HTTPS is still recommended: it encrypts everything on the connection, including log data, and, when the endpoint validates the server certificate, lets the endpoint confirm that it is talking to the genuine DLP Console.
      1. Results sent to the DLP Console are always encrypted and never pass over the network in an unencrypted state. For each DLP Console installation, a unique RSA 1024-bit public/private key pair is generated. DLP Endpoints are configured with the public key, which protects all results stored locally and subsequently transmitted to the DLP Console. Results are stored locally in a SQLite database using passphrase encryption, AES-128 by default and configurable to AES-256 or RC4. The passphrase is randomly generated for each results set and encrypted with the DLP Console's public key. Once the data is transmitted, the server recovers the passphrase by decrypting it with the private key, decrypts the results, and the IIS Web Server inserts them into the SQL Database Server. Where the public key is not available or has been removed from a DLP Endpoint, an internal strong passphrase known only to the DLP Endpoint and DLP Console software is used instead.
      2. By default, log data, which can include errors, informational messages or diagnostic information, is not sent from the DLP Endpoint to the DLP Console. If log transmission is enabled, the log data is not encrypted by the application, so HTTPS should be used to protect it in transit.
      3. The DLP Endpoint may require configuration databases created by the DLP Console. These databases can contain file names to ignore, file paths to exclude from or include in searches, and other configuration information. All sensitive information is published by the DLP Console and obtained by the DLP Endpoint in an encrypted state, using a specific encryption key known only to the DLP Console and DLP Endpoint software. When this encrypted configuration information is received by the DLP Endpoint, it is saved in a SQLite database using AES-256 encryption. The encryption passphrase for these databases is derived from a unique identification scheme calculated for the local machine; a key derived from machine identity prevents the database from being read if it is copied to another machine, but it can be reproduced by anyone with administrative access to the machine itself.
    2. DLP Endpoints can also save data locally. By default, local Identity Finder Results (.idf) files are encrypted on disk with 256 bit AES FIPS 140-2 validated encryption. It is also possible to print results, save them as comma separated value (.csv) files, or save them as hyper-text markup language (.html) files. In all of these cases it is possible to select whether or not to include any sensitive information in the export.
  2. The IIS Web Server containing the DLP Console Web Application and the DLP Services Web Application can be configured to use HTTP, HTTPS or both HTTP and HTTPS on any desired port.
    1. HTTPS is recommended for the DLP Console Web Application because it can be configured to show results data, including sensitive matches, in clear text in reports and in the web interface.
    2. The DLP Console Web Application can also export reports as comma separated value (.csv) files or as portable document format (.pdf) files. PDF is recommended because each saved file can be encrypted with a user-supplied password. Exported reports saved as secure PDFs use 128-bit RC4 encryption, the legacy PDF standard security handler; this protection is only as strong as the chosen password, and RC4 is deprecated, so treat a password-protected PDF as a transport convenience rather than a substitute for encrypted storage.
    3. The DLP Services Web Application only receives encrypted results data from DLP Endpoints, so HTTPS is not strictly necessary there, but it is recommended, since it also protects log data and connection metadata.
  3. The SQL Database Server is accessed only by the DLP Console Web Application and DLP Services Web Application, both on the IIS Web Server. When the SQL Database Server is on the same system as the IIS Web Server, database traffic never leaves that host; the SQL instance should still be restricted to local connections and least-privilege logins. If the SQL Database Server and IIS Web Server are on different systems, the database administrator (DBA) and the appropriate network and server personnel must configure the SQL Database Server so that data in transit between the IIS Web Server and SQL Database Server is protected. During installation of the DLP Console, custom configuration details, including custom database connection string parameters (for example, the SQL Server client keywords Encrypt=True and TrustServerCertificate=False, which require TLS to the database and validate its certificate), can be added to secure the database connection.
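The endpoint-to-console key handling described under Data Security Mechanisms and in step 1.1 above, as an added worked example that is not Identity Finder's own code: the endpoint draws a fresh random key for each results set, encrypts the results under it, and wraps that key to the console's public key; the console unwraps the key with its private key and decrypts the results. The example also models the fallback path, where no public key is configured on the endpoint and a passphrase built into the software is used. Everything beyond what the page states is an assumption of this example: the Envelope field names, RSA-OAEP as the wrapping scheme, AES-256-GCM standing in for the product's passphrase-encrypted SQLite file, a 2048-bit console key in place of the page's 1024-bit key, and the constructed fallback passphrase and sample finding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// fallbackKey stands in for the page's "strong internal password known only to the DLP
// Endpoint and DLP Console software". Constructed for this example; identical in every copy.
var fallbackKey = sha256.Sum256([]byte("example-builtin-fallback-passphrase"))

// Envelope is what the endpoint ships to the DLP Services Web Application (field names assumed).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(consolePub, resultsKey); nil when Fallback is true
	Nonce      []byte // AES-GCM nonce, fresh per envelope
	Ciphertext []byte // AES-256-GCM(resultsKey, results) with the tag appended
	Fallback   bool   // results were protected with fallbackKey, not a fresh random key
}

// NewConsoleKeyPair models the key pair generated at DLP Console install time (2048-bit here).
func NewConsoleKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EndpointEncrypt is the endpoint side: a random 256-bit key per results set, wrapped to the
// console's public key, or the built-in fallback key when no public key is configured.
func EndpointEncrypt(results []byte, consolePub *rsa.PublicKey) (*Envelope, error) {
	env := &Envelope{}
	key := fallbackKey[:]
	if consolePub == nil {
		env.Fallback = true
	} else {
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, consolePub, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey = wrapped
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	env.Nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, results, nil)
	return env, nil
}

// ConsoleDecrypt is the IIS Web Server side: unwrap the results key with the console's
// private key, then decrypt. Any modification of the envelope in transit makes Open fail.
func ConsoleDecrypt(env *Envelope, consolePriv *rsa.PrivateKey) ([]byte, error) {
	key := fallbackKey[:]
	if !env.Fallback {
		if consolePriv == nil {
			return nil, errors.New("envelope is wrapped to a console key; private key required")
		}
		var err error
		key, err = rsa.DecryptOAEP(sha256.New(), nil, consolePriv, env.WrappedKey, nil)
		if err != nil {
			return nil, err
		}
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, _ := NewConsoleKeyPair()
	results := []byte("SSN 123-45-6789 in C:\\Users\\alice\\tax.docx") // constructed sample finding
	env, _ := EndpointEncrypt(results, &priv.PublicKey)
	got, err := ConsoleDecrypt(env, priv)
	fmt.Printf("console recovered %q (err=%v)\n", got, err)
	env.Ciphertext[0] ^= 1 // an on-path modification, as plain HTTP would permit
	_, err = ConsoleDecrypt(env, priv)
	fmt.Println("modified envelope rejected:", err != nil)
}
```

Two points the example makes concrete. First, in the fallback path every installation shares one secret, so only the RSA path actually ties a results set to a particular console; a fallback envelope opens without any console key at all. Second, the authenticated cipher used here rejects an envelope modified in transit, but whether the product's passphrase-encrypted SQLite format does the same is not stated on the page, and in either case nothing in this scheme authenticates the endpoint to the console or the console to the endpoint, which is what HTTPS adds.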
Windows Requirements
  • Windows 7
  • Windows Vista
  • Windows XP with SP1
  • 50MB hard drive space
Mac Requirements
  • Mac OS X 10.8 Mountain Lion
  • Mac OS X 10.7 Lion
  • Mac OS X 10.6 Snow Leopard
  • Mac OS X 10.5 Leopard
  • Intel-based hardware platforms
  • 50MB hard drive space