
Data Loss Prevention Meets the Cloud: How Safe Is Your Organization?
By Mike Baker
Data loss prevention, or DLP, is back in the spotlight. Historically, DLP was primarily utilized in heavily regulated industries, such as health care and financial services, for regulatory compliance purposes. Later, it gained popularity among organizations that needed to protect intellectual property assets.
Today, cyber criminals are more sophisticated, organized, and well-funded than ever, and organizations in all industries face the threat of having sensitive data stolen. According to Gartner, 50% of organizations have already implemented some form of integrated DLP, and that number will nearly double to 90% by 2018.
Traditionally, DLP has focused on on-site data loss prevention, but as cloud computing explodes in popularity, organizations must adopt DLP strategies that specifically protect cloud data. However, according to a survey by the Ponemon Institute, while 73% of IT and security professionals said that cloud-based services and platforms were important to their operations, over half admitted that their organizations were not being proactive about cloud security, privacy, and data protection. Further, only one-third of sensitive data stored in the cloud is encrypted.
Cloud Data Is Scattered and Easily Accessible
Arguably, the biggest challenge in protecting cloud data is that, unlike data stored on a network, it’s not located in one place. The data could be stored in any number of locations, such as an enterprise cloud storage solution like Amazon Web Services or even a Hadoop database, where the data is further scattered into thousands of fragments. At least organizations know about those storage locations.
The popularity of cloud-based collaboration and storage services, such as Slack and Dropbox, has prompted many employees, especially remote workers, to engage in shadow IT practices. Whether they realize it or not, the average organization uses 755 different cloud applications. Even worse, cloud data can be accessed anywhere, anytime, using any number of networks or devices, which may or may not be secure.
These employees aren’t necessarily violating company rules. A study by Verizon and the Harvard Business Review revealed that almost half of organizations have no formal policies regarding which applications may be run in the cloud, and one-third of organizations do not consult with their security staff when evaluating cloud services.
Implementing Cloud DLP
Organizations have two options for cloud DLP: They can use an API within the cloud application itself to inspect the data, or they can use a cloud access security broker (CASB).
The advantage of the API approach is its simplicity. Developers are familiar with programming APIs and can easily use them to enact security measures at the application level to ensure that sensitive information is not being improperly accessed. However, most cyber attacks happen over APIs, and the data is inspected only after it arrives in the cloud, leaving it vulnerable while in transit. These issues led to the development of a new type of cloud DLP: cloud access security brokers.
Cloud access security brokers (CASBs) emerged about five years ago and were readily embraced. A CASB solution is a security tool that sits between a cloud service application and its end users, enforcing organizational security policies and best practices, protecting against intrusions, and preventing “data leakage.” Organizations can run CASBs on their physical premises or in the cloud, and CASBs are easily integrated into existing on-premises DLP solutions. Organizations don’t have to start over at square one; they simply extend their existing DLP to the cloud.
CASBs have four key advantages, which Gartner calls the “four pillars of functionality”:
- Visibility: CASBs centralize cloud security control and allow security personnel to monitor all cloud activity, inside and outside the organization’s network, including shadow IT applications and access by remote workers.
- Compliance: CASBs can control user activity to ensure compliance with industry regulatory requirements such as HIPAA and PCI and detect if cloud usage poses a threat to compliance.
- Data security: CASBs enforce internal security policies regarding encryption, tokenization, and access to sensitive data without interfering with application features, such as search capabilities. Most CASB solutions can also prevent data leakage by labeling certain data as sensitive, preventing its download, or redacting it. They may also provide templates that organizations that do not currently have DLP policies can use to identify sensitive data.
- Threat protection: CASBs prevent unauthorized users and devices from accessing corporate cloud services and protect against malware, provide threat intelligence, and detect anomalous activity.
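The data-security pillar above rests on content inspection: the DLP engine has to recognize sensitive data before it can label it, redact it, or block its download. The following is an added example, not code from the article or from any CASB product, showing the shape of that inspection step. It finds likely payment card numbers (pattern match plus Luhn checksum to weed out order and phone numbers) and formatted US SSNs in a piece of outbound text, then applies a hypothetical policy: clean content is allowed, internal uploads are redacted, external sharing of sensitive data is blocked. The detectors, action names, and sample text are all constructed for illustration.

```python
"""Content inspection for a cloud DLP policy (illustrative example).

Finds likely card numbers and US SSNs in text, labels them, and returns a
policy decision. Detectors and policy are constructed for this example and
are not any product's rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits with optional single space/hyphen separators; must start and end on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Formatted US SSN; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Finding:
    kind: str   # "card" or "ssn"
    start: int  # offset of the match in the inspected text
    end: int
    value: str  # matched text, as written


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; removes most false positives from order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return all sensitive-data findings in text, ordered by position."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # pattern alone is not enough; checksum must pass
            found.append(Finding("card", m.start(), m.end(), m.group()))
    for m in SSN_RE.finditer(text):
        found.append(Finding("ssn", m.start(), m.end(), m.group()))
    return sorted(found, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a label; cards keep their last four digits."""
    out = text
    for f in reversed(findings):  # right to left so earlier offsets stay valid
        if f.kind == "card":
            label = "[CARD ****%s]" % re.sub(r"\D", "", f.value)[-4:]
        else:
            label = "[SSN REDACTED]"
        out = out[:f.start] + label + out[f.end:]
    return out


def decide(findings: list[Finding], action: str) -> str:
    """Hypothetical policy: block external sharing of sensitive data,
    redact it on internal uploads, allow clean content unchanged."""
    if not findings:
        return "allow"
    if action == "share_external":
        return "block"
    return "redact"


def inspect(text: str, action: str) -> tuple[str, str]:
    """Run the full pipeline; returns (decision, text to pass on)."""
    findings = scan(text)
    decision = decide(findings, action)
    if decision == "redact":
        return decision, redact(text, findings)
    return decision, text if decision == "allow" else ""


if __name__ == "__main__":
    # Constructed sample: a valid test card number, an SSN-shaped value, and an
    # order number that looks like a card but fails the Luhn check.
    sample = "Customer 4111 1111 1111 1111, SSN 123-45-6789, order 1234 5678 9012 3456"
    for act in ("upload_internal", "share_external"):
        print(act, "->", inspect(sample, act))
```

Real engines add fingerprinting of known documents, keyword context (for example, "card" near a number) and confidence scores, but the core loop is the same: detect, classify, then apply the policy that the on-premises DLP already enforces.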
When choosing a CASB, it’s important that the solution integrates with the applications you use right now, as well as those you anticipate using in the future. In the ever-changing tech world, that can be a challenge, which is why many organizations turn to a managed security service provider (MSSP) for help in choosing a CASB solution, as well as putting together a comprehensive on-premises and cloud DLP plan if they do not already have one.
Regardless of the cloud DLP solution an organization chooses, it’s important for DLP policies to be consistent. The same data policies that apply within the enterprise must be enforced within the cloud. This is especially important for organizations that must comply with HIPAA, PCI DSS, and other industry-specific regulatory requirements; cloud data is treated the same way under the law as data stored on a server.
A Brave New 'Borderless' Work World
Cloud applications have ushered in a brave new “borderless” work world that promotes open collaboration and the free flow of information. This has allowed workers to be more productive and, in many cases, has made remote work possible, allowing organizations to tap a larger talent pool.
Unfortunately, it has also opened up a whole host of vulnerabilities for hackers to exploit. Organizations that do not know where their data is, how it is being accessed, and who is accessing it also don’t know if the data is being breached by outside hackers or misused by malicious insiders. On-premises DLP alone is no longer sufficient to prevent data breaches and leaks.
About the Author
Post by: Mike Baker
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating, and defending some of the most highly secure networks in North America.
Company: Mosaic451
Website: www.mosaic451.com