Preventing Data Loss = DLP + ICAP Proxy
Aside from a few new features each year, the core of the Data Loss Prevention marketplace has been pretty well-baked for a number of years. That’s why it surprises me still to hear new buyers of DLP frustrated to find that they will need to have an ICAP-capable proxy in order to block sensitive data leakage via HTTP (and HTTPS, FTP). This is true of leading DLP vendors Symantec, RSA, McAfee, Websense and Code Green Networks, among many others.
Some of these vendors have their own proxy solutions, while others rely on one of many available proxy solutions that support ICAP (Internet Content Adaptation Protocol). ICAP, simply put in DLP terms, is a protocol that allows a proxy to communicate with a DLP solution to provide visibility and blocking for HTTP/S and FTP. ICAP is a feature found on many commercial (and even open source) proxy solutions.
So, why does blocking HTTP require an ICAP-capable proxy? The proxy accepts and holds the request to be inspected by the DLP solution. The proxy uses ICAP to pass the request to the DLP solution for inspection and the DLP solution returns its response via ICAP. If sensitive data is detected per DLP policies, the proxy does not forward the request. If sensitive data is not found, the proxy sends the request along normally. All this happens in milliseconds with no perceivable latency to the end-user.
The proxy also provides two additional and critical features for the DLP solution:
- Username. The proxy passes the Microsoft Active Directory username to the DLP solution so the incident shows the end-user information rather than an IP address. This saves precious time and energy in handling a data breach.
- HTTPS. Most ICAP proxies have the ability to open SSL-encrypted communications. This allows the DLP solution to not only inspect communication with websites such as Gmail.com, but also facilitates blocking when sensitive data is detected.
For companies with an existing proxy in place, adding data loss prevention technologies presents little added concern. But what if your organization is proxy-free? Will you have to pony up budget dollars for a proxy in addition to DLP? Probably so, if you intend to block sensitive data leakage via the web. But, before you get too bothered, consider these points:
- Companies rarely come out of the DLP gate blocking. It’s recommended to run in monitor-only mode for a period of time prior to blocking. This allows you to tune policies for accuracy in anticipation of blocking in the future. What this means is that most companies have a time lag between the monitoring and blocking phases of their DLP project. So, don’t stress it if you can’t put the DLP and Proxy purchases in the same budget period. The ICAP proxy purchase can still be made down the road.
- Proxies provide other benefits. Most major proxies now provide full Secure Web Gateway (SWG) protection and provide plenty of benefit outside of DLP. In fact, many companies are considering SWG solutions for their non-DLP capabilities. URL filtering is delivered very competently using a proxy. And given that malicious code is often delivered via the web, it can be a huge benefit to have this additional protection at the gateway, making DLP integration just a nice plus.
- An ICAP proxy doesn’t have to be expensive. A number of open source proxies are available that support ICAP for DLP integrations. If you’re not averse to Linux and open source, one of these may meet your requirements. In my experience, however, open source proxy solutions are not as full-featured as their commercial counterparts. This is especially true when considering the full breadth of Secure Web Gateway solution capabilities. You get what you pay for, right?
Given the need to secure the gateway, for my money it’s best to go with an ICAP-capable proxy that supports full SWG capabilities. Below are some of the leading ICAP proxy vendors in the space. Keep in mind that while these vendors support ICAP, the specific implementations may differ, resulting in varying results with different DLP vendors.
- Blue Coat. By far the leading proxy/SWG solution on the market. Not only do 85% of FORTUNE Global 500 companies use Blue Coat, the company also provides solutions that scale downward to support very small installations.
- Cisco IronPort. Cisco’s IronPort Web Security Appliance supports ICAP.
- M86 Security. M86’s Secure Web Gateway solution is best known for protecting against malware with its real-time code analysis technology.
- McAfee. The McAfee Web Gateway (Webwasher) supports ICAP.
- Symantec. The newest version of Symantec Web Gateway provides SSL visibility.
- Websense. While Websense can provide their SWG as a standalone solution, the company promotes TRITON, providing a single integrated solution for DLP, SWG and email security.
Before delving into a data loss prevention project, consider whether you intend to block HTTP/S and FTP. If so (and most companies do), be sure to plan and budget for an ICAP-compatible proxy. By selecting a proxy that provides critical web gateway security, you’ll be able to address DLP blocking while also improving network security.