Fri Apr 8 06:51:40 PDT 2016

Content control: What mechanisms keep control over content with business utility?


Option 1: Egress filtering.
Option 2: Transform sensitive content.
Option 3: Access controls.
Option 4: Separation mechanisms.
Option 5: Flow rate controls.
Option 6: Contractual mechanisms.
Option 7: Chain of custody mechanisms.
Option 8: Exfiltration/movement detection.


"Yes" indicates that the technique should be applied, "?" indicates that it is optional, and no entry implies it should not be chosen over other methods.
Option Low Risk Med Risk High Risk
Egress filtering Yes Yes Yes
Transform sensitive content Yes Yes
Access controls Yes Yes Yes
Separation mechanisms Yes Yes
Flow rate controls Yes Yes
Contractual mechanisms Yes Yes
Chain of custody mechanisms Yes Yes
Exfiltration/movement detection Yes Yes
Controls over content with business utility


Egress filtering is not reliable as a method for blocking intentional or even much accidental leakage of sensitive content, but it is good for detecting certain classes of accidental leakage, and in low sensitivity environments it may be an option. It is also viable as detection to support medium and high risk situations; however, in this mode it is more often used to detect the presence of content that should never reach a particular network zone at all, rather than to limit outputs to a known valid subset.
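The two modes described above, as an added illustration that is not part of the original page: the same label-based check either blocks over-ceiling content (enforce mode, the low sensitivity option) or lets it pass and records a finding (detection mode, the medium and high risk use). The labels, the ACCT- record-id pattern, the zone ceilings and the sample messages are all constructed assumptions. The classifier only recognises explicit markers, so encrypted, encoded or paraphrased content scores as public, which is exactly the limitation the paragraph describes.

```python
import re
from dataclasses import dataclass, field

# Constructed classification scheme (assumption, not from the page): explicit
# labels a document may carry, ranked by sensitivity, and a record-id pattern
# that marks customer records whatever label the document carries.
LABELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}
LABEL_RE = re.compile(r"\b(PUBLIC|INTERNAL|CONFIDENTIAL)\b")
RECORD_ID_RE = re.compile(r"\bACCT-\d{8}\b")

# Highest sensitivity level each destination zone may receive (assumption).
ZONE_CEILING = {"internet": 0, "partner": 1, "internal": 2}


@dataclass
class Verdict:
    allowed: bool
    findings: list = field(default_factory=list)


def classify(text: str) -> int:
    """Return the highest sensitivity level recognisable in the text.

    Only explicit labels and the record-id pattern are recognised. Content
    that has been encrypted, encoded or paraphrased scores 0: this catches
    accidents, not intent.
    """
    level = 0
    for m in LABEL_RE.finditer(text):
        level = max(level, LABELS[m.group(1)])
    if RECORD_ID_RE.search(text):
        level = max(level, LABELS["CONFIDENTIAL"])
    return level


def egress_check(text: str, dest_zone: str, enforce: bool) -> Verdict:
    """Evaluate one outbound message against the destination zone's ceiling.

    enforce=True blocks over-ceiling content; enforce=False lets it pass but
    keeps the finding, which is the detection mode used for medium and high
    risk zones.
    """
    level = classify(text)
    ceiling = ZONE_CEILING[dest_zone]
    findings = []
    if level > ceiling:
        findings.append(
            f"level {level} content bound for zone '{dest_zone}' (ceiling {ceiling})"
        )
    return Verdict(allowed=not (enforce and findings), findings=findings)


def run_samples(enforce: bool) -> list:
    """Run constructed sample messages; returns (message, allowed) pairs."""
    samples = [
        ("Agenda for Tuesday", "internet"),
        ("INTERNAL memo: plan review", "partner"),
        ("CONFIDENTIAL quarterly figures attached", "internet"),
        ("Ticket ref ACCT-12345678, please call back", "partner"),
    ]
    return [(text, egress_check(text, zone, enforce).allowed) for text, zone in samples]


if __name__ == "__main__":
    for mode in (True, False):
        print("enforce" if mode else "detect", run_samples(mode))
```

In detection mode every message is allowed and the findings list is what gets forwarded to monitoring; the value of the check there is in noticing CONFIDENTIAL-labelled material heading for a zone that should never see it, not in proving that everything which passed was safe.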

Transforming sensitive content, in particular by using encryption, is appropriate except in primary stores, and should follow the controls for data at rest, in motion, and in use identified elsewhere in Security Decisions.

Access controls should always be used at the network, system, and data record level as a basic and widely available mechanism that is a sound first line of defense against attempts at unauthorized access. The more trustworthy the system, the more effective these access controls are. As risks increase, higher surety trusted systems should be applied for these separation access controls.

Separation mechanisms include access controls, but are more commonly considered in terms of network separation via zoning and subzoning, physical separation, and other related mechanisms. Digital diodes, one-way UDP traffic, and guards may also be used to allow inward-only information flows and restricted release of sensitive information through review processes.

Flow rate controls are used to limit the amount of harm that can result from leakage. This typically applies to situations in which communication is required but particular classes of use are provided to particular individuals. The individuals who are only supposed to access small quantities of content are limited in the amount they can gain access to per unit time and therefore in the extent to which they can cause harm through leakage. Similarly, databases are managed to limit total flows so as to limit consequences of protection failures over time.

Contractual mechanisms are used when multiple parties are involved in the content lifecycle. These mechanisms should include adequate liability for all aspects of protection, defined in agreements and other legal mechanisms, and include the ability to audit and test third-party protections to the extent required for the enterprise. For high sensitivity information, third parties should be avoided where feasible, as the risks are typically too high to transfer via contract.

Chain of custody mechanisms are used when custody is vital to the utility of content. These mechanisms should include personal responsibility and accountability (typically in the form of documented custody and control) for content across its lifecycle and for all processes interacting with it.
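One way to make the documented custody and control described above checkable, added here as an illustration and not taken from the page: every custody step names the accountable person, the action, and a digest of the content as held, and each entry is hash-chained to the one before it, so a later edit to any step (for example moving accountability to someone else) is detected on verification. The custodian names, actions and sample content are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, replace


GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    custodian: str       # person accountable for the content at this step
    action: str          # e.g. "received", "copied", "transferred", "destroyed"
    content_sha256: str  # digest of the content as held at this step
    prev_hash: str
    entry_hash: str


def _entry_digest(seq, custodian, action, content_sha256, prev_hash) -> str:
    # Canonical JSON so that the same fields always hash the same way.
    payload = json.dumps([seq, custodian, action, content_sha256, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class CustodyLog:
    """Append-only, hash-chained custody record for one item of content."""

    def __init__(self):
        self.entries = []

    def record(self, custodian: str, action: str, content: bytes) -> str:
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        csum = hashlib.sha256(content).hexdigest()
        h = _entry_digest(seq, custodian, action, csum, prev)
        self.entries.append(CustodyEntry(seq, custodian, action, csum, prev, h))
        return h

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, bad_index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _entry_digest(e.seq, e.custodian, e.action,
                                     e.content_sha256, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False, i
            prev = e.entry_hash
        return True, None

    def content_changes(self) -> list:
        """Indexes of steps where the content digest differs from the previous
        step, i.e. where the custodian of record must account for a change."""
        return [i for i in range(1, len(self.entries))
                if self.entries[i].content_sha256 != self.entries[i - 1].content_sha256]


def demo():
    """Constructed walk-through: an intact chain, then a rewritten custodian."""
    doc = b"constructed sample record"
    log = CustodyLog()
    log.record("alice", "received", doc)
    log.record("bob", "transferred", doc)
    log.record("carol", "received", doc + b" (annotated)")
    intact = log.verify()
    changed = log.content_changes()
    # Someone edits history to shift accountability for step 1 onto "mallory".
    log.entries[1] = replace(log.entries[1], custodian="mallory")
    return intact, changed, log.verify()


if __name__ == "__main__":
    print(demo())
```

The chain only detects edits to entries that are already anchored by a later one; whoever holds the log could still rewrite its tail. In practice the latest entry hash is therefore copied to a second party or signed at each step, which is where the personal accountability the paragraph calls for actually attaches.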

Exfiltration/movement detection mechanisms are used to detect movement of content where it should not go. Data leakage prevention and similar low surety mechanisms are widely used while higher surety mechanisms like tagged architectures provide protection as parts of trusted systems.
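A low surety movement detector of the kind mentioned above, added here as an illustration and not taken from the page: it reads an audit log of content movements, each carrying a classification tag and source and destination zones, and reports every move into a zone the tag does not permit. The log format, the zone names, the tag policy and the log lines are all constructed assumptions; untagged content is treated as a violation rather than silently allowed.

```python
import re

# Constructed audit log (assumption on format and values, not from the page).
# One line per content movement: timestamp, file, classification tag,
# source zone, destination zone, acting user. The last line has no tag.
AUDIT_LOG = """\
2016-04-08T06:51:40 file=q1.xlsx tag=CONFIDENTIAL from=finance to=finance user=u17
2016-04-08T06:52:01 file=q1.xlsx tag=CONFIDENTIAL from=finance to=dmz user=u17
2016-04-08T06:53:12 file=readme.txt tag=PUBLIC from=finance to=dmz user=u17
2016-04-08T06:54:30 file=hr.db tag=RESTRICTED from=hr to=finance user=u42
2016-04-08T06:55:02 file=notes.txt from=hr to=dmz user=u42
"""

# Zones each tag is permitted to reside in (assumption).
ALLOWED_ZONES = {
    "PUBLIC": {"finance", "hr", "dmz", "internet"},
    "CONFIDENTIAL": {"finance", "hr"},
    "RESTRICTED": {"hr"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) file=(?P<file>\S+)(?: tag=(?P<tag>\S+))? "
    r"from=(?P<src>\S+) to=(?P<dst>\S+) user=(?P<user>\S+)$"
)


def parse(log: str) -> list:
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_violations(events: list) -> list:
    """Return (file, tag, destination, user) for every move into a zone the
    tag does not permit. Missing tags fail closed and are reported as UNTAGGED."""
    out = []
    for e in events:
        tag = e["tag"] or "UNTAGGED"
        if e["dst"] not in ALLOWED_ZONES.get(tag, set()):
            out.append((e["file"], tag, e["dst"], e["user"]))
    return out


if __name__ == "__main__":
    for v in find_violations(parse(AUDIT_LOG)):
        print("movement violation:", v)
```

This is the low surety end of the paragraph: it trusts the tags and the log, so a copy that strips the tag, or a path that does not write to the audit log, is invisible to it. A tagged architecture inside a trusted system carries the tag with the data itself, which is why the page places it at the higher surety end.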

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved