Technical

5 Essential Steps for Effective Data Loss Prevention

Data loss prevention (DLP) is a critical component of any organization’s security strategy. With the increasing amount of sensitive data being stored and shared online, it’s more important than ever to have a comprehensive DLP plan in place.

In this guide, we’ll cover the five essential steps for effective data loss prevention. From identifying your sensitive data to implementing strong access controls and utilizing encryption, these steps will help you protect your business from data breaches and other security threats using Gloo Gateway:

  1. Identify Your Sensitive Data
  2. Implement Strong Access Controls
  3. Utilize Encryption and Other Security Measures
  4. Implement DLP policies
  5. Protect Your Business with Gloo Gateway

ℹ️ NOTE: The complete set of scripts and code used to write this blogpost can be found in this repo.

Identify Your Sensitive Data

Before you can effectively protect your sensitive data, you need to know what it is. Sensitive data can include anything from personal information like names and addresses to financial data like credit card numbers and bank account information.

To identify your sensitive data, start by conducting a thorough inventory of all the data your organization collects and stores. This should include both digital and physical data, such as paper records or backup tapes.

Once you have a complete inventory, categorize the data based on its sensitivity level. This will help you prioritize your protection efforts and ensure that your most sensitive data is receiving the highest level of security.

Some common categories of sensitive data include:

  • Personal information (e.g. names, addresses, social security numbers)
  • Financial information (e.g. credit card numbers, bank account information)
  • Health information (e.g. medical records, insurance information)
  • Intellectual property (e.g. patents, trade secrets, proprietary data)
  • Legal information (e.g. contracts, legal documents)

By identifying your sensitive data and categorizing it based on its level of sensitivity, you can develop a targeted data loss prevention strategy that will help you protect your most valuable assets.

Utilize Encryption and Other Security Measures

Once you’ve identified your sensitive data, the next step is to protect it with encryption and other security measures. Encryption converts data into a form that can only be read by someone holding the corresponding key or password.

We’ll have one of our applications exposed in Gloo Gateway.

Let’s make sure that our application is exposed securely with a TLS certificate.

apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: north-south-gw
  namespace: istio-gateways
spec:
  workloads:
    - selector:
        labels:
          istio: ingressgateway
        cluster: cluster1
  listeners: 
    - http: {}
      port:
        number: 80
# ---------------- Redirect to https --------------------
      httpsRedirect: true
# -------------------------------------------------------
    - http: {}
# ---------------- SSL config ---------------------------
      port:
        number: 443
      tls:
        parameters:
          minimumProtocolVersion: TLSv1_3
        mode: SIMPLE
        secretName: tls-secret
# -------------------------------------------------------
      allowedRouteTables:
        - host: '*'

Implement Strong Access Controls

In addition to enabling encryption in the gateway, the next thing to do is to implement strong access controls so that only authorized users can reach the application behind it. Access controls should be implemented in multiple layers so that a single compromised layer does not grant access to sensitive data.

Here are some best practices for implementing strong access controls:

  • Web Application Firewall (WAF) policy
  • Authentication with OAuth
  • Authorization with Open Policy Agent (OPA)
  • Cross-site request forgery (CSRF) policy
  • Control access or route traffic based on verified claims in a JSON web token (JWT)

Gloo Gateway provides every protection in this list and many more (CORS, rate limiting, LDAP, API keys, etc.).

Let’s see how easy it is to add WAF protection to our app:

apiVersion: security.policy.gloo.solo.io/v2
kind: WAFPolicy
metadata:
  name: basic-protection
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        waf: "true"
  config:
    disableCoreRuleSet: true
    customRuleSets:
    - ruleStr: |
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRule REQUEST_HEADERS_NAMES "Proxy-Connection|Lock-Token|Content-Range|Translate|via|if" "log,deny,id:48,status:403,t:lowercase,msg:'Malicious header detected'"
        SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@*  
          "@rx \\\${jndi:(?:ldaps?|iiop|dns|rmi)://" 
          "id:1000,phase:2,deny,status:403,log,msg:'Potential Remote Command Execution: Log4j CVE-2021-44228'"

Then we combine authentication with the OAuth 2.0 protocol and authorization with OPA:

apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: httpbin
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        oauth: "true"
  config:
    server:
      name: ext-auth-server
      namespace: gloo-mesh-addons
      cluster: cluster1
    glooAuth:
      configs:
      - oauth2:
          oidcAuthorizationCode:
            appUrl: "https://${ENDPOINT_HTTPS_GW_CLUSTER1}"
            callbackPath: /callback
            clientId: ${KEYCLOAK_CLIENT}
            clientSecretRef:
              name: oauth
              namespace: httpbin
            issuerUrl: "${KEYCLOAK_URL}/realms/master/"
            logoutPath: /logout
            afterLogoutUrl: "https://${ENDPOINT_HTTPS_GW_CLUSTER1}/get"
            session:
              failOnFetchFailure: true
              redis:
                cookieName: keycloak-session
                options:
                  host: redis:6379
            scopes:
            - email
      - opaAuth:
          modules:
          - name: allow-solo-email-users
            namespace: httpbin
          query: "data.test.allow == true"

As you can see, these policies can be added or removed very easily, so you can quickly reach a solid level of protection for your data.

Implement DLP Policies

Protecting and controlling who accesses the data is important, but humans make mistakes, and your applications can also expose sensitive information such as credit card numbers, personal IDs, etc. These data leaks are usually found in app responses and logs.

Any first-class API gateway lets you protect against such situations, and with Gloo Gateway this is insanely easy. Let’s check how it is done:

apiVersion: security.policy.gloo.solo.io/v2
kind: DLPPolicy
metadata:
  name: basic-dlp-policy
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        dlp: "true"
  config:
    sanitize: ALL # Enable DLP masking for both response bodies and access logs
    actions:
    - predefinedAction: ALL_CREDIT_CARDS
    - predefinedAction: SSN
    - customAction:
        regexActions:
        - regex: '[0-9]{8,8}[A-Za-z]' # Spanish National ID number
        - regex: '((?:ASIA|AKIA|AROA|AIDA)([A-Z0-7]{16}))' # AWS key
        - regex: '([a-zA-Z0-9+/]{40})' # AWS secret
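To see what these actions do to a payload before switching sanitize: ALL on, here is an added Python example (not from the page or the Gloo project) that applies the policy's three regexes, plus rough stand-ins for the ALL_CREDIT_CARDS and SSN predefined actions, to a constructed response body and a constructed log line. The masking rule (X over the leading 75% of each match) is an assumption about Gloo's defaults; the benign log line shows that the 40-character AWS secret regex also swallows any 40-hex-character id such as a git commit hash, so review the hits it reports before enabling the policy.

```python
import math
import re

# The first three regexes are copied from the DLPPolicy above. The page's
# ALL_CREDIT_CARDS and SSN predefined actions are not spelled out, so the
# last two patterns are my own rough stand-ins (assumption), not Gloo's.
PATTERNS = [
    ("spanish_id", re.compile(r"[0-9]{8,8}[A-Za-z]")),
    ("aws_key", re.compile(r"((?:ASIA|AKIA|AROA|AIDA)([A-Z0-7]{16}))")),
    ("aws_secret", re.compile(r"([a-zA-Z0-9+/]{40})")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b")),
]


def mask_match(value: str, mask_char: str = "X", percent: int = 75) -> str:
    """Replace the leading `percent` of a match with mask_char, keep the tail.
    Assumed to mirror Gloo's maskChar/percent defaults; check your version."""
    masked_len = math.ceil(len(value) * percent / 100)
    return mask_char * masked_len + value[masked_len:]


def sanitize(text: str, patterns=PATTERNS):
    """Apply every action in order to a response body or access-log line.
    Returns (masked_text, hits); hits records which action fired on what,
    which is what you want to review before enabling the policy."""
    hits = []
    for name, pattern in patterns:
        def _repl(m, name=name):
            hits.append((name, m.group(0)))
            return mask_match(m.group(0))
        text = pattern.sub(_repl, text)
    return text, hits


# Constructed sample: an upstream response echoing form data back. The key
# is the placeholder access key ID from the AWS documentation.
SAMPLE_BODY = ("id=12345678Z ssn=078-05-1120 card=4111 1111 1111 1111 "
               "key=AKIAIOSFODNN7EXAMPLE")
# Constructed sample: a harmless log line carrying a 40-hex-char commit id.
BENIGN_LOG = "commit=a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 status=ok"

if __name__ == "__main__":
    for line in (SAMPLE_BODY, BENIGN_LOG):
        masked, hits = sanitize(line)
        print(masked)
        print("  fired:", [name for name, _ in hits])
```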

Testing Time!

Open the Istio Ingress Gateway external IP from a browser: https://172.18.1.4/forms/post

[screenshot: oauth2]

Let’s sign in with user2/password in order to pass the first defense filter.

Now we’ll try to inject some malicious code:

[screenshot: form_malicious]

Oops! Looks like it didn’t work.

[screenshot: blocked]

This time we’ll submit some valid personal data, which the upstream will echo back in its response; the gateway should mask it before it reaches the client.

[screenshot: form_ok]

As expected, our data is safe, even in the event of human errors.

[screenshot: result]

As you can see, it’s easy to add different layers of protection using Gloo Gateway policies!

Protect Your Business with Gloo Gateway

Data loss prevention is an ongoing process, and it’s important to continuously monitor and update your strategy to ensure that it remains effective.

With its strong access controls and policy implementation, Gloo Gateway can help prevent data loss.

Gloo Gateway also allows easy integration with OpenTelemetry (OTel). To learn how to configure and set it up, check out this blog post about observability and OpenTelemetry within service mesh.