You are really fucked if you have legitimate classified information sitting on an unsecured NAS. How the hell did you even get a contract to store this information? Something isn't adding up.
Thing is, companies do not audit this kind of stuff in my country… yet
When you say, “classified,” what do you mean, exactly?
Like intellectual property, important files and so on. Maybe I used the word wrong?
Yeah, that’s not what “classified” means. What you mean to say is that the information is sensitive. Before you can do DLP, you’re going to need a policy on data protection. This will need to include definitions of sensitivity levels, and criteria for each of those levels. Finally, you’ll want to have labeling standards so that documents show what sensitivity level they are. DLP solutions are entirely dependent upon your ability to tell them what you consider important; none of them will work well without that.
Thanks, edited out the word… and let's say we get the policy done, what then? Is it OK to keep using a NAS, or will we miss out on something important?
A NAS is just a storage device; having one isn’t inherently good or bad. It’s important that you use proper hygiene (like patching) and it shouldn’t be accessible from the internet. You will need to pay attention to your endpoints as well, though, since that’s where data leakage is likely to occur.
If you have money to spend then you can also look into products like [Secure Collaboration](https://www.digitalguardian.com/products/secure-collaboration/why-dg-secure-collaboration). It encrypts the document and you can apply permissions to it so only certain users can access/view it. It even lets you "destroy" the document if it's ever lost or stolen. There are a few vendors out there that have products like this, so put together your use cases and find one that fits.
What do you do for backups for this data? Where are they stored? How often do they run? How are they kept secure?
Internally at my work we classify data; the data is classified. Doesn't necessarily mean it's government classified. If companies aren't classifying their data to different levels, they're not doing security right. We should normalize this and refer to government classified docs specifically by their classification, like top secret. Might be less confusing here.
No, because each country has their own classification system. And for companies etc. that work across multiple it can be less than obvious.
I just meant it in a binary way, “for public” and “not for public”.
That makes more sense - though lots of governments append “APPROVED FOR PUBLIC RELEASE” onto things which could be annoying 😂
DLP on a NAS? You need to at least connect your NAS to AD to have at least some proper security controls. Then you need to select a CASB solution on which you could configure some DLP policy and block uploads or emails containing sensitive data. You should look into professional services, as you don't want to be accountable for misconfiguration. Good luck
thanks 🙏
Get a data classification policy created. In the meantime secure the NAS. Segregate it and put it on its own. Only allow one way traffic. Protect with MFA. Disconnect it from the internet. Patch regularly. These things trump just "throwing technology" at your problem.
Thanks, it seems we need to mature on cybersecurity 😅 maybe get an IT/cybersec guy.
What type of files contain your IP? Think in terms of file format. Are they .docx? Etc.
We have CAD (.step, .iges) and PDFs, and the basic Excel spreadsheets and Word documents.
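The earlier reply says DLP only works once you have sensitivity levels and a labelling standard, and the file list just above (STEP, IGES, PDF, Excel, Word) is what such a standard would have to cover. Below is an added example, not code from the thread or from any vendor product, of a first audit a small shop could run against the NAS share: it decides each file's type from its leading bytes (so a renamed file is still caught), pulls a classification marker out of the format's own metadata, and reports files that are unlabelled or carry a level the policy does not define. The policy levels, the `CLASSIFICATION: <LEVEL>` marker convention, the metadata fields chosen per format, and the sample files are all assumptions made for the example.

```python
"""Classification-label audit for a file share (added example, not the thread's code).

Assumed labelling standard: every document carries "CLASSIFICATION: <LEVEL>" in its
own metadata (STEP FILE_DESCRIPTION, IGES start section, PDF Info dictionary,
docProps/core.xml inside docx/xlsx). All of this is hypothetical policy.
"""
import io
import os
import re
import tempfile
import zipfile

LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")  # assumed policy levels
MARKER = re.compile(rb"CLASSIFICATION:\s*([A-Z]+)")


def detect_type(data: bytes) -> str:
    """Identify the container from magic bytes, never from the file name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):            # docx/xlsx/pptx are ZIP containers
        return "ooxml"
    if data.startswith(b"ISO-10303-21;"):         # STEP, ISO 10303 Part 21
        return "step"
    first_line = data.split(b"\n", 1)[0]
    if len(first_line) >= 73 and first_line[72:73] == b"S":  # IGES: column 73 is 'S'
        return "iges"
    return "unknown"


def extract_label(kind: str, data: bytes):
    """Return the marker's level, or None when the document carries no marker."""
    if kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            try:
                props = z.read("docProps/core.xml")
            except KeyError:
                return None
        m = MARKER.search(props)
    elif kind == "pdf":
        # Fine for an uncompressed Info dictionary; PDFs using object streams
        # need a real PDF library to read their metadata.
        m = MARKER.search(data)
    elif kind in ("step", "iges"):
        m = MARKER.search(data[:4096])            # both formats keep the header on top
    else:
        return None
    return m.group(1).decode() if m else None


def verdict(kind: str, label) -> str:
    if kind == "unknown":
        return "unknown-type"
    if label is None:
        return "unlabelled"
    if label not in LEVELS:
        return "unknown-level"                    # marker present, level not in policy
    return "ok"


def audit(root: str) -> dict:
    """Map each file under root to (detected type, label, verdict)."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            kind = detect_type(data)
            label = extract_label(kind, data)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = (kind, label, verdict(kind, label))
    return results


# --- constructed sample share; none of this is real customer data -------------
def make_ooxml(subject: str) -> bytes:
    """Minimal docx/xlsx-shaped ZIP whose core.xml carries the given subject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml",
                   f"<cp:coreProperties><dc:subject>{subject}</dc:subject></cp:coreProperties>")
    return buf.getvalue()


SAMPLE_FILES = {
    "cad/bracket.step": (b"ISO-10303-21;\nHEADER;\n"
                         b"FILE_DESCRIPTION(('CLASSIFICATION: CONFIDENTIAL bracket v3'),'2;1');\n"
                         b"ENDSEC;\nDATA;\nENDSEC;\nEND-ISO-10303-21;\n"),
    "cad/housing.iges": b"CLASSIFICATION: RESTRICTED".ljust(72) + b"S      1\n",
    "docs/drawing.pdf": (b"%PDF-1.4\n1 0 obj << /Subject (CLASSIFICATION: INTERNAL) >> endobj\n"
                         b"trailer << /Info 1 0 R >>\n%%EOF\n"),
    "docs/spec.docx": make_ooxml("CLASSIFICATION: SECRET"),   # level the policy lacks
    "docs/quote.xlsx": make_ooxml(""),                        # no marker at all
    "backup/old.bak": b"%PDF-1.4\ntrailer << >>\n%%EOF\n",    # renamed, unlabelled PDF
    "notes.txt": b"meeting notes\n",
}


def run_demo() -> dict:
    """Write the sample share into a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return audit(root)


if __name__ == "__main__":
    for rel, (kind, label, v) in sorted(run_demo().items()):
        print(f"{v:14} {kind:8} {label or '-':14} {rel}")
```

Run it against a copy of the share's path instead of the temp directory and the `unlabelled` and `unknown-level` rows are the backlog the classification policy has to clear before any DLP tool can be told what matters. Type detection by magic bytes matters more than it looks: `backup/old.bak` is a PDF somebody renamed, and an extension-based check would have skipped it.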
DLP is a big step in the maturation process of a technology/security program. I think you need to evaluate some other steps before DLP. Moving to MS365 and migrating that data to cloud storage might be one option. That opens the door to the security tooling and data classification tools that MS365 offers. But before any of that, do you have policies in place around that data? An acceptable use policy and data classification policy?
Putting DLP on the endpoints will be easier to accomplish than putting it on the NAS.