Abstract

Data leakage prevention (DLP) is very important for protecting sensitive data from unauthorized disclosure. However, most current DLP technologies are based on content monitoring, detection and filtering, which can be easily bypassed or deceived. We propose a thorough, high-level content protection security scheme for DLP (CPSec DLP) based on kernel-level mandatory encryption. Within it, we propose a mutual authentication and key agreement method between client and server, adopting the SM2 algorithm for session key management. We also propose a kernel-level mandatory secure middleware for unstructured data protection. The secure middleware works in the file system driver (FSD) layer and supports “write-encryption, open-decryption” operation: once data is written to storage, whether on a hard disk or a USB disk, it is mandatorily encrypted, and when the data is opened the middleware decrypts it to plaintext in system memory. Moreover, we propose data sharing and delivery among domain-internal users and external customers. In the CPSec DLP scheme, the encryption algorithms, security policy and rules can be dynamically parameterized when necessary, while throughout its lifecycle the data can only be used according to its usage control rules, such as read-only, write, save, print, export and backup rights. Based on the proposed scheme, we implemented the CPSec DLP system in the kernel-level driver layer based on FSD, which supports parameterized processes and document formats for unstructured data leakage protection. A large number of experiments show that the proposed scheme is secure, reliable, extensible and efficient for leakage protection of unstructured data in various formats.
