Data theft protection prevents unauthorized disclosure of confidential information. Configuring data theft protection requires two steps:
- Specify any at-risk data elements handled by the web application using a Security Policy.
- Enable protection of these elements where needed, using a URL Policy.
Sensitive data elements might require masking to prevent their unauthorized disclosure, or requests containing sensitive data may be blocked altogether. Using a Security Policy, you can specify which data elements need protection, along with how to handle them. These settings can be used by any service associated with the security policy. URL policies applied to narrowly defined URL spaces requiring this protection can be individually enabled as needed. Other URL spaces operate without requiring the additional processing. To optimize performance, you can limit data theft protection to just the sections of the site containing sensitive information.
The Data Theft Protection section on the SECURITY > Security Policies page enables you to configure Identity Theft data types for a Security Policy. You can enable protection for specific URLs on the SECURITY > Advanced Security page, Advanced Security section. Security Policy Data Theft settings are then enforced only for configured URLs. The Barracuda Energize Updates provide a default set of protected data patterns, such as credit card and social security numbers. However, these can be expanded or customized from the SECURITY > Libraries page to include other data patterns. Any configured pattern can be masked, or the response blocked altogether, if a protected pattern occurs in the server response.
When Data Theft Protection is enabled, the Barracuda Load Balancer ADC intercepts the response from the server and matches it against the patterns listed on the SECURITY > View Internal Patterns page and the SECURITY > Libraries page (for custom identity theft patterns). If the response matches any of the defined patterns, it is blocked or cloaked based on the Action (Block or Cloak) set. If the action is set to Block, the response sent by the server is blocked. If set to Cloak, a part of the data is cloaked, that is, overwritten with "X"s.
The default identity theft elements provided by the Barracuda Load Balancer ADC are:
- Credit Cards
- Directory Indexing
- Social Security Numbers
Credit Cards and Social Security Numbers
To prevent exposure of personal data such as credit card and social security numbers, select Block to block the response from the server, or Cloak to overwrite the characters based on the values defined in the Initial Characters to Keep and Trailing Characters to Keep parameters. By default, credit card and social security numbers are set to Cloak.
Directory Indexing
If a web server is configured to display the list of all files within a requested directory, it may expose sensitive information. The Barracuda Load Balancer ADC prevents exposure of valuable data by blocking the response from the server. By default, directory indexing is set to Block.
Steps to Configure Data Theft Protection:
- From the SECURITY > Security Policies page, select the policy from the Policy Name list for which you want to enable data theft protection. Click Configure in the Data Theft Protection section. The Data Theft Protection page appears.
- In the Configure Data Theft Protection section, specify values for the following fields:
- Data Theft Element Name – Enter a name for the data theft element.
- Enabled – Select Yes to match this data element in server response pages. This data element is used for matching server response pages only when Enable Data Theft Protection is also set to Yes on the SECURITY > Advanced Security page, Advanced Security section.
- Identity Theft Type – Select from the drop-down list the data type that the element named in Data Theft Element Name belongs to. The default identity theft patterns (Credit Card, SSN and Directory Indexing) are associated with data types defined under SECURITY > View Internal Patterns > Identity Theft Patterns. If you want to associate a custom identity theft pattern created on the SECURITY > Libraries page, select CUSTOM from the drop-down list and then select the customized identity theft type from the Custom Identity Theft Type field below.
- Custom Identity Theft Type – Select the customized identity theft type to be used from the drop-down list.
- Action – When set to Block, the response sent by the server containing this data type is blocked. The Block mode should be used if the server should never expose this information. In the Cloak mode, a part of the data is cloaked, that is, overwritten with X’s based on Initial Characters to Keep and Trailing Characters to Keep.
- Initial Characters to Keep – Enter the number of initial characters to be displayed to the user when the data of this data type is identified in a server page. For example, an online shopping service displays a user’s credit card number 1234 0000 0000 5678. If Initial Characters to Keep is set to 4, the credit card number is displayed as 1234 XXXX XXXX XXXX.
- Trailing Characters to Keep – Enter the number of trailing characters to be displayed to the user when the data of this data type is identified in a server page. For example, an online shopping service displays a user’s credit card number as 1234 0000 0000 5678. If Trailing Characters to Keep is set to 4, the credit card number is displayed as XXXX XXXX XXXX 5678.
- Click Add to add the above settings.
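The following Python model, added here as an illustration and not part of the Barracuda product or its documentation, shows how the settings above combine at response time: the URL Policy's Enable Data Theft Protection flag gates inspection, disabled elements are skipped, a Block element suppresses the whole response, and a Cloak element overwrites everything except the Initial Characters to Keep and Trailing Characters to Keep with X. The element names follow the page's defaults, but the regular expressions and sample responses are constructed for the example and are not the appliance's internal patterns; keeping separators such as spaces and dashes unmasked is an assumption that reproduces the page's "1234 XXXX XXXX XXXX" result.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class DataTheftElement:
    """One row of the Configure Data Theft Protection form (constructed model)."""
    name: str
    pattern: re.Pattern
    action: str              # "Block" or "Cloak"
    initial_keep: int = 0    # Initial Characters to Keep
    trailing_keep: int = 0   # Trailing Characters to Keep
    enabled: bool = True     # Enabled


@dataclass
class Verdict:
    blocked: bool
    body: str
    matched: List[str] = field(default_factory=list)


def cloak(text: str, initial_keep: int, trailing_keep: int) -> str:
    """Overwrite a matched value with X, keeping the first initial_keep and the
    last trailing_keep characters. Separators (spaces, dashes) are left in
    place, which is an assumption matching the page's example output."""
    chars = list(text)
    last_masked = len(chars) - trailing_keep
    for i in range(initial_keep, max(initial_keep, last_masked)):
        if chars[i].isalnum():
            chars[i] = "X"
    return "".join(chars)


def inspect_response(body: str, elements: List[DataTheftElement],
                     url_policy_enabled: bool) -> Verdict:
    """Apply a Security Policy's data theft elements to one server response.

    url_policy_enabled models the URL Policy's Enable Data Theft Protection
    setting: when it is No the response passes through untouched. Block
    elements are evaluated before Cloak elements so that a response which must
    never be exposed is not sent in partially cloaked form."""
    if not url_policy_enabled:
        return Verdict(blocked=False, body=body)

    active = [e for e in elements if e.enabled]
    matched: List[str] = []

    for el in active:
        if el.action == "Block" and el.pattern.search(body):
            return Verdict(blocked=True, body="", matched=[el.name])

    for el in active:
        if el.action != "Cloak" or not el.pattern.search(body):
            continue
        matched.append(el.name)
        body = el.pattern.sub(
            lambda m, e=el: cloak(m.group(0), e.initial_keep, e.trailing_keep), body)
    return Verdict(blocked=False, body=body, matched=matched)


# Constructed elements; the regexes are illustrative, not the appliance's
# internal patterns.
ELEMENTS = [
    DataTheftElement("Credit Cards", re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b"),
                     "Cloak", initial_keep=4),
    DataTheftElement("Social Security Numbers", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                     "Cloak", trailing_keep=4),
    DataTheftElement("Directory Indexing", re.compile(r"<title>Index of /", re.I),
                     "Block"),
]

# Constructed sample responses.
ORDER_PAGE = "<p>Card: 1234 0000 0000 5678</p><p>SSN: 123-45-6789</p>"
LISTING_PAGE = "<html><head><title>Index of /uploads</title></head><body>..</body></html>"

if __name__ == "__main__":
    print(inspect_response(ORDER_PAGE, ELEMENTS, url_policy_enabled=True))
    print(inspect_response(LISTING_PAGE, ELEMENTS, url_policy_enabled=True))
    print(inspect_response(ORDER_PAGE, ELEMENTS, url_policy_enabled=False))
```

Running the module cloaks the order page to "Card: 1234 XXXX XXXX XXXX" and "SSN: XXX-XX-6789", blocks the directory listing outright, and leaves the order page untouched when the URL Policy flag is off. Setting an element's Enabled field to No removes it from matching even though it remains in the Security Policy.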
Custom Identity Theft Patterns
The default data theft types are displayed under Protected Data Types in the SECURITY > Security Policies > Data Theft Protection page. You can also create custom identity theft data types on the SECURITY > Libraries page.
Creating a Custom Identity Theft Pattern
- Go to the SECURITY > Libraries page, Identity Theft Patterns section, enter a name in the New Group field and click Add.
- Click Add Pattern next to the created identity theft pattern group. The Identity Theft Patterns window appears. Specify values for the following fields:
- Pattern Name – Enter a name to identify the pattern.
- Status – Set to On if you wish to use this pattern for pattern matching in the responses.
- Pattern Regex – Define the regular expression of the pattern or click the Edit icon to select and insert the pattern.
- Pattern Algorithm – Select the algorithm to associate with the pattern from the drop-down list.
- Case Sensitive – Select Yes if you wish the pattern defined to be treated as case sensitive.
- Pattern Description – (Optional) Enter a description for the pattern defined. For example, "Visa credit card pattern" indicates that the pattern defined here matches Visa credit card numbers.
- Click Save.
Using a Custom Identity Theft Pattern
- Go to the SECURITY > Security Policies page.
- Select a policy from the Custom Policies list or from the Predefined Policies list.
- Scroll to the Data Theft Protection section. Click Configure.
- In the Configure Data Theft Protection section, enter a name in the Data Theft Element Name text field.
- Set Enabled to Yes to match this data element in server response pages. This data element is used for matching server response pages only when Enable Data Theft Protection is also set to Yes on the SECURITY > Advanced Security page, Advanced Security section.
- Select CUSTOM from the Identity Theft Type drop-down list.
- Select the Identity theft pattern you created from the Custom Identity Theft Type drop-down list.
- Set the Action to Block or Cloak. If set to Block, the response sent by the server containing this data type is blocked. The Block mode should be used if the server is never expected to expose such information. In Cloak mode, a part of the data is cloaked, that is, overwritten with X characters based on Initial Characters to Keep and Trailing Characters to Keep.
- Click Add.
- Bind this policy to a Service, so that any request coming to that service is matched with the pattern and then processed.
Turning on Data Theft Protection Using a URL Policy
To use Data Theft Protection for a requested URL:
- Go to the SECURITY > Advanced Security page, Advanced Security section.
- Click Edit for the URL Policy on which you want to enable data theft protection.
- Go to Data Theft Protection and set Enable Data Theft Protection to Yes. Click Save.
When Enable Data Theft Protection is set to Yes for a requested URL, the Data Theft Protection settings from the Service's Security Policy are enforced for this request.