The frequency of cloud attacks are increasing, in fact, one report found that 79% of companies experienced at least one cloud data breach in the past 18 months between 2022 and 2021. There is a consistent pot of gold at the end of malicious attacks – data. Data has grown to be the number one asset for business today. As a result, enterprises report struggling the most with data security and privacy. Within that overall challenge, the top reported concern is data loss and leakage (69%.) With this concern in mind, it’s only natural to look to a solution to help protect your data in the cloud. Data loss prevention (DLP) in the cloud is the best way forward.
In an effort to help you find the best DLP solution, we will define what cloud DLP tools are, how they work, why companies invest in them, and features to look for when selecting one.
What are cloud data loss prevention (DLP) tools?
Cloud Data Loss Prevention tools are solutions aimed at securing the data hosted in your public cloud environments. This means making sure your data is safe at rest, in-transit and in use. Ultimately, it aims to protect the confidentiality, integrity, and availability of your data. Cloud DLP tools offer your organization security controls to detect anomalous behavior and enforce data security best practices.
Types of cloud DLP tools
Native DLP tools: These can be understood as the data security features that are built-in to cloud provider platforms. Some examples include Google Cloud Platform’s DLP controls or Azure’s Information Protection solution. Cloud providers do a wonderful job at offering security controls to help you use their cloud platform intelligently, but ultimately they are not security-focused providers. Security features and the depth of context, visibility, and protection can fall short, and the native tools only support the platform they are in. Most organizations are multi cloud, but using multiple DLP tools is inefficient, so sometimes third-party cloud security focused solutions are leveraged.
Third-party cloud DLP tools: Third-party cloud DLP solutions are tools that provide focused, detailed, and more advanced security features helping customers to discover, classify, and protect their data in the cloud. Third-party solutions are better able to standardize protection across all stacks and clouds available, address third-party data stores of vendors or partners, and overall offer a more in depth and centralized view. These third-party tools remediate the concern of multi cloud environments because they provide protection across all platforms. Below, we’ll dive into how these third-party cloud data security solutions work and why customers use them.
How do cloud data loss prevention solutions work?
There are a few main pillars core to cloud data loss prevention solutions including the ability to:
To protect your data, you first need to know where it is, not where you think it is or where it should be. To do this, you need to continuously scan for data across all your cloud environments. This not only looks for new data but discovers when data appears in new places. A large part of the discovery process is doing a data inventory. You want a real-time picture of all the data in your environment.
Not all data is created equal. You need to know not only where your data is but also what it is. Data classification analytics determine the data type, importance, and risk to the business. This context is key in helping you prioritize what is most important. Data classification looks like labeling your data with a ‘name tag’ and then a ‘value tag’. An example may look like DataClassification:Confidential or DataType:CustomerPII. These tags allow you to know this is highly-sensitive content and should be prioritized in protection.
Once you have a program in place allowing you to understand and detect security risks, the next step is actually protecting your data. This means stripping away access to your most sensitive assets. Data locating and classification enables your teams to work towards achieving Least Access. Least Access enforces data protection from the inside out, meaning, starting with the data, and working outwards to determine who and what can access it. Then stripping that access to only those that need it.
The next step for effective data loss prevention is to work with operations managers to create controls for reducing data risk. Data controls may be simple at the beginning of a DLP initiative, targeting the most common risky behaviors while generating support from operations. As the data loss prevention program matures, organizations can develop more granular, fine-tuned controls to mitigate specific risks to protect data over time.
Once you have visibility into your data, and enforce Least Access, you must continuously monitor data activity to detect anomalous access. Not all data movement represents data loss. However, many actions can increase the risk of data loss. Organizations should monitor all data movement. Periodic or sporadic auditing doesn’t cut it when Non-Person Identities are accessing your data for seconds at a time, at multiple moments a day. Audits include ensuring that basic platform settings like encryption and logging are enabled and understanding who or what has access to your data. Auditing starts with defining a secure baseline you have a comparison. Once you lock that in, you can effectively monitor for deviations on that baseline. An example might be detecting that an Internet-connected VM in Dev, which has a vulnerability on it, has access to your most sensitive data in Prod. Basically, you need to understand when data is at risk.
A critical component of protecting your data is leveraging automation and organized workflows. The scale and speed of the cloud is unmanageable without automating the process of detecting concerns and notifying the right team, at the right time, in an organized manner. Automation also comes into play for remediation efforts. Some security solutions include pre-set remediation and prevention bots to pick up where people left off.
Why do companies invest in cloud DLP solutions?
It is the responsibility of CISOs and security leaders to help protect their organization. Today, the most valuable asset to a business is its data. The rapid adoption and even faster growth of the cloud places cloud data loss prevention as a top priority to the business.
Diving a bit deeper, we’ve mapped out the top 3 reasons an organization is investing in data security solutions.
Reason #1: Companies do not know where their data is.
This sounds outlandish, but it is true. Most organizations believe they know where their data is, but really most of the time they know where it is supposed to be. The cloud is ephemeral and data is dispersed across an environment and constantly moving. It is difficult to manually keep track of. Cloud data loss prevention solutions assist in finding and visualizing where your most precious assets are.
Reason #2: Companies do not know what their data is.
‘What’ your data is can be understood as the data type, for example customer personal information, credit card numbers, bank details, corporate secrets, and more. Knowing exactly what is being stored is critical in establishing its level of importance to the business. This context comes in handy when your security team receives an alert notifying them that an Azure BLOB hosting PII just got exposed to the internet vs. a singular Google Document hosting brainstorming content from a fun internal team building exercise — the priority seems clear, doesn’t it?
Reason #3: Companies do not know what can access their data or even what they might be doing with it.
Insight into the relationships between data and identities may be one of the greatest challenges in cloud security today. Identities – person and non-person ones— are proliferating, and every single one of them holds access to something. Managing these permissions is overwhelming, but necessary. In order to understand the risks to your data, you need a full picture of what and who can access it. Every access point is an opportunity for exploitation. Organizations need to know what direct permissions identities have to data, and realize what more covert or indirect accesses an identity may have through permission chains, toxic combinations and effective permissions.
Important functions to look for in a cloud DLP solution
Data sprawl is a common concern in the cloud, as you may store some of your data locally or on one or more cloud storage platforms. Asking ‘where is my data?’ may seem elementary or obvious, but many organizations do not actually know where their data lies — perhaps they know where it should be.
Data classification and tagging
Data classification refers to the process of establishing or classifying a data type. Within data classification, data tagging is a technique to help this process. Data tagging allows you to clearly label your data so that you know exactly what it is and where it is. This is often broken down into something like a ‘name’ tag and then a ‘value’ tag. For example: DataClassification:Confidential, DataType:CustomerPII, DataOwner:DevOpsTeam1. These tags allow you to better manage your data as well as identify risks such as sensitive data that is found in a Dev environment.
It is no longer sufficient to just classify data as ‘sensitive’ or not, as there are gradations of data sensitivity. Additionally, there are different data formats, structures and storage. This is why custom classification and tagging is a must-have. Understanding your data allows you to prioritize what is most business-critical.
Continuous activity monitoring
Without activity data, you can’t understand who needs access to what data, or alert on improper access. Understanding historical access and future protection access are both needed. Continuous activity monitoring works by considering a unified picture of activity logs to keep you up to date on which identities are accessing what data and when. Access and changes inside secret stores are an especially critical part of the picture.
Once you understand where your data is and what’s happening to it, you can apply rules to each piece of data, or establish secure thresholds that, when stepped outside of, raise alarm bells. One example of a policy to enforce is least access. Creating these policies from scratch is burdensome, which is why Cloud DLP tools often come with established policies to abide by, with the ability to create customized policies for your organization.
It’s important to review the documentation of your data classification standards to ensure it is specific to the data type and sensitivity, clear about what to do when disaster strikes, and is specific to working in the cloud.
One other thing to consider in your data security policies is how your data is influenced by third-parties. Maybe organizations work with vendors – make sure you consider how sensitive the data is that you’re sharing with them, how you’re ensuring they are taking the right precautions, and how you’re transferring data securely.
We’ve mentioned the questions ‘where is my data?’ and ‘what is my data?’ The next one to consider is ‘who has my data?’ Least access is a best practice policy ensuring that data access is restricted to only those that absolutely need it. Least access works via secure policies on the data itself, looking outward to get an understanding of who or what is accessing your data. Least access allows you to lock in a secure baseline or set up ‘tripwire’ around your most sensitive assets, so that you know when something has gone wrong.
When your environment is at a secure baseline, and in accordance with policies like least access, you can get a picture of what your cloud should look like. This then enables the ability to detect when your cloud slips out of that secure baseline, or ‘drifts’. Continuous monitoring of activity data, historical access, and logging will keep you up to date on what is accessing your data.
Real-time alerts and notifications
It is no longer sufficient to audit data every 90 days, instead you need to continuously monitor your data to remain secure or compliant. This allows your team to know something is wrong as it happens. When drift is detected, a strong DLP tool will provide you real-time alerts so that you can take action immediately. This brings us to our next feature to look for in a cloud data loss prevention solution.
Once a security concern is identified, the next step is ensuring the right team receives the notification, and that priorities are noted. Sending a ticket to a general queue, where there may be hundreds of alerts for teams to sort through, is not an efficient solution. There needs to be a way to contextualize your alerts to understand where your attention is most needed.
Intelligent workflows offer cloud teams a holistic and automated way to manage their cloud in real-time by routing alerts where they need to be in an organized fashion that matches how your business actually functions. Other features include organizing environments by the team responsible for them and setting specific security goals tailored to the environment or group.
Look for solutions that leverage automation in remediation efforts. This can look like prebuilt remediation or prevention bots, or the ability to customize your own. The option of automated remediation is a must-have to ease your mind for those moments danger strikes at a time human intervention falls short (think 6pm on a Friday holiday weekend.)
Data loss prevention with Sonrai
The best DLP solution for the cloud will allow you to know where your data is, know who can access it, and know it’s locked down. There is great benefit in investing in one centralized tool allowing you to consider the relationships between data, identity, platform and workloads, as opposed to the tool sprawl of multiple cloud platforms.
Sonrai Dig has a data classification engine that works across all cloud providers. You can use its defined classifiers and 24 pre-set policies, or build your own custom standards. Sonrai will help get your data to Least Access so you can lock in a baseline, and detect concerning behavior through analysis like reviewing access history and continuous monitoring. Dig doesn’t stop there – notify the right team, at the right time, so you can take action when it’s most critical.
Explore our Cloud DLP use case or the rest of our cloud security platform.
This blog was originally featured on VMBlog, available here: https://vmblog.com/archive/2022/06/27/8-features-to-seek-in-cloud-data-loss-prevention-tools.aspx#.YrnS1ezMJYh