Contrasting Data Loss Prevention DLP With HOPZERO’s Sphere of Trust

 

DLP Security and HOPZERO

DLP Data Loss Prevention is depicted top left, where a credit card number format, social security number or medical codes are discovered, for instance, as typed text or as a file attachment to an email.

As a second set of electronic eyes, DLP looks for data in correspondence or a web app submission. On detection DLP holds sensitive data, alerting a user and security that sensitive data is leaking individual records.

HOPZERO DataTravel visibility map

Today’s applications use multitier environment. It might be two or more tiers deep, Web-tier to Middleware-tier to Database-tier would be called a three-tier architecture. Typically, the first tier is a user computer connecting to a front-end or web-tier system. The web-tier provides user authentication allowing access to only one users data records. The web-tier secondarily connects to the back-end database – but only for one user’s account. The back-end database holds millions of other account-holder’s records not accessible to the logged in user. Multitier architecture protects the full database behind the front-end web-tier.

In contrast HOPZERO identifies and protects an entire back-end “Crown-Jewel” server database similar to DLP, but for the whole server, preventing data exfiltration by containing DataTravel to a small “Sphere of Trust” perimeter, keeping vital data inside the organization.

HOPZERO holds the US patent for managing “packet-lifetime value” inside every data packet header sent from any computer using TCP/IP. The technical term is “time-to-live” TTL or more current, HOP value. HOP value controls and limits how many routers data may traverse. The HOP starts with a large value by default allowing worldwide DataTravel. Each router decrements the HOP value. Most times the packet can go all the way to its intended destination before decrementing to zero, unless it gets lost in the network, in which case HOP decrements to ZERO causing routers to expunge the packet from further travel. Because the default value of every computer is large, all data by default can go worldwide. HOPZERO learns how far data needs to travel to keep it safe inside the datacenter, safe, out of reach of external criminals.

Firewalls provide a packet block at the firewall itself, but only at the firewall. HOPZERO sets the crown-jewel server DataTravel distance that is enforced by any router. Essentially HOPZERO adds a “blocking firewall” at any router in a network path. By setting the limit at the vital server end point, at say 3 routers out, HOPZERO’s system will stop DataTravel at any router three hops away, regardless of a firewalls presence. With HOPZERO, routers act as a block discarding the packets when HOP decrements to ZERO, creating the name: HOPZERO.

HOPZERO learns a smaller distance that lets the data go where needed inside a network – but stops it from going outside. When the HOP value is “0” zero, the packet stops, limiting how far it can travel. That setting keeps vital crown-jewel data inside even when criminals try to take it out – even when firewalls are not there or not properly set.

Small organizations have a few “Crown-Jewel” servers while large organizations have hundreds or thousands of servers that never need to communicate BULK data directly to a user. Users communicate through an intermediary middleware or webapp server. Bulk “backend” databases have millions of sensitive records belonging to millions of other accountholders.

When logging into your bank, the front-end server provides access to only one user’s records through the front-end server. An end user never directly connects to these master databases with millions of sensitive records. Users gain access through the front-end server which brokers user credentials allowing access to only records in the back-end belonging to a single authenticated user.

HOPZERO protects the full back-end bulk bank-account database from a hacker directly connecting and getting the entire database. This is the absolute worst type of data compromise as all data can be exfiltrated through direct connect access to the back-end database. Although criminals might like a few single records, what they most desire are full bulk database access to millions of records.

Critical to daily security operations, DLP watches all user correspondence for single record leaks as depicted in the top left of the diagram. HOPZERO protects all records in the back-end databases criminals are most after as they offer the greatest ransom value.

With HOPZERO, a criminal cannot take a server’s data outside the datacenter or company because the packets stop after traveling the suggested distance HOPZERO sets to protect the data.

Combining both DLP and HOPZERO DataTravel limits completes the most powerful data protection solution. Firewalls provide primary limits, while DLP and HOPZERO provide a secondary method of keeping all data safe inside an organization.

HOPZERO’s visibility maps show where vital data is traveling from every computer inside your internal network or to the Internet worldwide. Seeing where your data is traveling opens eyes to the risk and how to mitigate the risk with DLP and or HOPZERO.

HOPZERO DataTravel visibility map

Start your HOPZERO DataTravel adventure mapping where your data is traveling in a few hours.

Tags:
<a href="https://hopzero.com/author/hopzero2/" target="_self">William Alderson</a>

William Alderson

Bill Alderson is CEO and co-founder of HOPZERO. He has been involved with network security since 1980, where he began analyzing secure networks for Lockheed. Formerly Technology Officer of NetQoS/CA Technologies, he is a deep packet analyst, and was an integral member of the 9/11 Pentagon restoral team. Alderson has trained over 50,000 network forensic professionals through his Certified NetAnalyst program, and has assisted 75 Fortune 100 companies with network security needs. He was deployed six times with US Central Command to Iraq and Afghanistan to provide deep packet analysis for large-scale network Department of Defense biometric network systems.

William Alderson

Bill Alderson is CEO and co-founder of HOPZERO. He has been involved with network security since 1980, where he began analyzing secure networks for Lockheed. Formerly Technology Officer of NetQoS/CA Technologies, he is a deep packet analyst, and was an integral member of the 9/11 Pentagon restoral team. Alderson has trained over 50,000 network forensic professionals through his Certified NetAnalyst program, and has assisted 75 Fortune 100 companies with network security needs. He was deployed six times with US Central Command to Iraq and Afghanistan to provide deep packet analysis for large-scale network Department of Defense biometric network systems.

Read More

Keeping Data on a Short Leash to Avoid Breaches

Keeping Data on a Short Leash to Avoid Breaches

Even the best-trained dogs have leashes while in public. Despite how much one trusts their dog to act obediently, it simply is not possible to know what kind of situations one might encounter while on a walk—maybe an enticing squirrel? A loud noise? Another dog? Dogs...