Signal Turns to Data Leak Protection
Signal Financial Credit Union's DLP architecture protects sensitive data - sometimes a little too well
September 21, 2007
Ever inadvertently sent a sensitive email to the wrong person -- someone with the same first name as your intended recipient? The relative ease of such a mishap was one risk that drove Signal Financial Federal Credit Union's decision to add a data leakage prevention (DLP) system last year.
Signal Financial's CTO, Steve Jones, says that's a risk that hits too close to home for him. "I have one of the most common names around -- it's always worried me that someone in Outlook could be typing an email to me and Outlook [automatically] fills in a 'Steve' from outside of the company, and they hit 'send' and accidentally send proprietary information out to the real world," he says. "Things like that always scared me about email."
The Washington, D.C.-area credit union, which has 35,000 member accounts, today runs three Code Green Networks CI-1500 DLP appliances. The appliances, which cost $25,000 apiece, work hand in hand with a Blue Coat Systems ProxySG 200 series appliance (under $5,000) for securing Web communications.
Jones says Signal Financial added the DLP appliances to help it better protect member account numbers, credit card numbers, Social Security numbers, and sensitive data on its own employees. Underlying all this, of course, are regulatory compliance requirements under the National Credit Union Association and PCI.
"Regulations always drive your decisions," he says. "Beyond that, you want to do your job effectively. Nothing is mandated as far as DLP at this point, but in the future, I think it will be."
The credit union sets policies in the DLP appliances on what information can and can't go outside the organization. The appliance's Content Inspector feature scans each message before handing it off to the messaging server's message transport agent, which runs on the appliance. "It examines the email and makes sure it passes our policies. If it does, it forwards it through the spam filter and into the real world," Jones says.
When a message doesn't pass inspection -- if it contains account information that's not supposed to leave the credit union, for instance -- the DLP appliance sends an email to the sender and to the Content Inspector administrator. "We realize it may have been a user trying to help a member with an account issue... If so, it'll say you need to resend the email without the [prohibited] data in there," Jones says.
The downside of the DLP technology: Signal Financial gets those annoying false positives. "I get about one false positive a week," Jones says.
One catch with the way Signal Financial has configured the appliance is that when a member emails the credit union with account questions and a customer service representative replies to the message without removing the account number, the reply gets flagged by the DLP and held up. "The response has the account holder's number in it, so it gets flagged and stuck in the queue," he says.
While the Code Green DLP can block data leaking out through email, at this point it alone doesn't stop data from going out through other channels such as HTTP or FTP, so Signal Financial also runs Blue Coat's ProxySG 200 series appliance to help it filter that outgoing traffic. "It ensures that sensitive data doesn't sneak out through secured channels such as a hijacked HTTP-S site," he says. "It does a transparent proxy of the traffic and doesn't let it go until it's been inspected by Code Green's [DLP] appliance for policy violations," he says.
And next month, Signal Financial will see firsthand how DLP can help with compliance -- the credit union is scheduled for an audit.
Have a comment on this story? Please click "Discuss" at the top of this page. If you'd like to contact Dark Reading's editors directly, send us a message.
Blue Coat Systems Inc. (Nasdaq: BCSI)
About the Author
You May Also Like