9 Steps to Create a Data Loss Prevention Policy

Cloud Security Data Governance Skill Level: Learner
Reading Time: 9 minutes

According to Gartner, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data. The real challenge exists not in the security of the cloud itself but in the policies for security and control of the infrastructure and data. In nearly all cloud data breaches, we hear it is not the cloud providers’ fault but the organizations using the cloud who have inefficient Data Loss Prevention policies. No organization wants to compromise its environment or have data loss. So how do you reduce the risk to your data in the cloud? By having a strong cloud data loss prevention policy.

Cloud Data Loss Prevention platforms aim to secure the data hosted in your public cloud environments. This means ensuring your data is safe at rest, in transit, and in use. Ultimately, it aims to protect the confidentiality, integrity, and availability of your data. Cloud DLP tools offer your organization security controls to detect anomalous behavior and enforce data security best practices. With the right tools, you can create iron-clad data loss prevention policies.

Data loss prevention policy_Image

What is cloud data loss prevention (DLP) policy?

A data loss prevention policy is a basic data rule within an effective data loss prevention (DLP) tool. These rules dictate how your identities, whether they are a person or non-person, can and should be accessing, sharing, and using data in your cloud environment. You can think of data loss prevention as the process of detecting and preventing a data breach, data leak, or unwanted loss of sensitive information. 

In a recent webinar entitled, “It’s All About the Data,” speaker Eugene Tcheby said that DLP policies are a must to help identify, prevent, and remediate unseen risks. He states, ”You have thousands of pieces of compute flying around in the cloud, there is no way you can keep track of everything that’s going on manually and focus on the really critical risks that need your attention.”

Why do companies need a DLP policy?

Companies need DLP policies to prevent data loss, enforce compliance, and protect intellectual property. 

Data regulation and compliance

Company policies are guided by mandatory compliance standards specified by governments and industry regulators, such as SOX, HIPAA, GDPR, and PCI DSS. These standards outline how an organization should safeguard personally identifiable information (PII) and other sensitive data whether you are in the cloud or on-premise.

A DLP policy is the first step in becoming compliant and helps provide accurate reporting for audits. Typically, DLP tools are designed for the requirements of a particular industry’s common standards and the continuous auditing needed to remain compliant.

Teams undertake manual security auditing after months of harmful activities have already occurred, making the value of manual efforts debatable regarding regulatory compliance or assessing real risk. Assessing past procedures and processes positively impacts future activities. Of course, your organization shouldn’t halt these practices before implementing continuous auditing. Therefore, continuous auditing will enable you to take more immediate action against risks by continuously mapping permissions, managing configurations, and controlling access to data. With a strong cloud DLP policy, data sovereignty, data movement, and identity relationships are monitored and reported to ensure conformance to the sovereign, GDPR, HIPAA, and other compliance mandates. 

Data visibility

Sensitive data is found throughout a cloud environment such as virtual machines, cloud storage, data stores, and so on. A DLP policy can help organizations enforce how identities access sensitive information. An organization can better safeguard its information when it has visibility into what data exists, where it resides, who is accessing it, and other contextual information.

Implementing controls around what has access to data is fundamental to any data security and compliance program. Although each unique cloud provider delivers services and APIs to manage identity and access to information for their stack, they are different across all the stacks available (e.g., AWS, GCP, and Azure), do not address third-party data stores, and often require the use of low-level tools and APIs. Creating policies that help your organization identify configuration risks, public data exposure, and excess privilege risks across cloud providers, accounts, countries, teams, and applications significantly reduce risk.

Intellectual property

Trade secrets and other intangible assets, including organizational strategies and customer lists, might be of greater value than physical assets. Losing this kind of intellectual property may result in financial and reputational damage, misappropriation, criminal penalties, and legal action. Creating policies that can prevent crown jewel data from being accessed through least access or least privilege is a big benefit.

Among the first questions cloud security professionals should be asking themselves when tasked with classifying data are “What is my data?”,  “Where is my sensitive data?”,  “What information, if made public, would be detrimental to the business as a whole?”, “Who can access this data?” and “When did they access it?”  In other words, asking these questions should be fundamental to any risk management strategy. The end goal of a risk assessment should be to identify critical assets and the associated risks. Identifying the risk helps enable security teams to classify better, including which data is necessary to protect and at what level of protection is best.

How to create a data loss policy

DLP policies are the backbone of data security – without them, a DLP tool wouldn’t work. Creating effective policies is key.

Identify which data needs protection

You need to identify and prioritize which data would cause the biggest problem if it were leaked or which data is most likely to be targeted by bad actors. DLP policies automatically recognize the infraction and mitigate the risk through a set of predetermined actions. This could include suspending the user, quarantining the content, or breaking the file share.

Find where the data is located

Your organization’s cloud is complex, and you’ll need to identify all the places your data can reside, including shared objects, files, block storage, data stores, and so on. If identities can access your environment, whether it is a person or a piece of compute, they can access your data. Be sure to understand completely where your data resides and who can access it.

Classify and tag data sources

Data classification provides a way to categorize organizational data based on criticality and sensitivity to help you determine appropriate protection and retention controls. Data sovereignty, data movement, and identity relationships must be monitored to ensure conformance to data sovereign and other compliance mandates. This means your data needs to be classified and tagged so that it can be enforced, like social security numbers or credit card numbers of customers, vendors, and others. Pre-configured rules for the payment card industry (PCI), personally identifiable information (PII), and the like are available with some enterprise cloud security tools making classification and normalization easy in a multi-cloud environment.

Define roles and levels of data access

Determine who and what should be able to access certain types of sensitive information and who should be disallowed. The permissions of your organization will be different across your organization. Based on the sensitivity of the data or type of identity, decide how the DLP tool will enforce the policy once a violation occurs. This will help you understand when data is at risk. Do not create broad sharing permissions such as public, external or internal across the organization. In addition, sensitive files owned by privileged identities can be at risk.

Continuously monitor data movements

Your organization will want to continuously monitor data movements, whether it is object storage, warehouses, databases, block storage. Along with the location and movement history of data, your organization will want to provide cloud teams with a uniform view and true picture of the current security posture.

As you work through your cloud data loss prevention policy, it’s important to consider data in all its forms: data at rest, data in transit, and data in use.

Data at rest is storage. You should ensure when your data is stored that, it is using encryption. By providing the appropriate level of protection for your data at rest, you protect your data stored.

Data in transit is traveling. Data in transit is any data that is sent from one system to another. This includes communication between resources within your workload as well as communication between other services and your identities. By providing the appropriate level of protection for your data in transit, you protect the confidentiality and integrity of your workload’s data.

Data in use is memory actively being utilized, updated, processed, erased, accessed, or read by a system. This type of data is actively moving through your infrastructure.

Outline remedial actions

In the cloud, your perimeter is your identities, and it’s important to block potential entry points for breaches for all data regardless of the form. To ensure sensitive assets are best protected, you’ll want to use a data-centric approach that enables quick and simple defense of critical resources. You’ll want a tool that can limit your blast radius and isolate your cloud accounts if they are breached. 

Start with your ‘crown jewel’ data 

Starting a cloud DLP can be challenging. We recommend you start with your crown jewel data or a type of risk you want to address. The goal is to secure the most critical data first.

Get executive buy-in

Get buy-in from organization leadership. Each business unit has a role in shaping a data loss prevention policy that aligns with corporate objectives. Having executive buy-in means meeting the strategy of all departments and functions it affects.

Educate and train your workforce

Educate everyone in the organization about how and why the data loss prevention policy is in place. Get help enforcing the policies in the development cycle by including security earlier in the process.

Data loss prevention templates

Data loss prevention tools should include out-of-the-box policy templates as well as the ability to customize controls to meet your industry and organizational standards. These are preset rules designed for specific regulatory environments. Templates are extremely helpful for setting up data loss prevention policies in the cloud. Cloud providers may have ready-to-use policy templates that address common compliance requirements, such as helping you to protect sensitive information subject to the U.S. Health Insurance Act (HIPAA), U.S. Gramm-Leach-Bliley Act (GLBA), or U.S. Patriot Act. Each policy template will cover what types of sensitive information they look for in your organization and what the default conditions and actions are when they are turned on.

Enforce your DLP policy with Sonrai

With cloud security data breaches making headlines, organizations need to share sensitive data without compromise or incident appropriately. Therefore, implementing controls, data protection around what has access to data is fundamental to any data security and compliance program. Finding the right tools to meet and enforce your cloud DLP security standards can be easy.  

Automatically locate, classify and tag data

Sonrai automatically locates, classifies, and tags data. Use prebuilt configurations that recognize common PII and sensitive data formats (such as credit card numbers, magnetic strip numbers, health claim numbers, etc), or build your own customized tagging scheme using classification bots. Data sovereignty, data movement, and identity relationships are all monitored and reported to ensure conformance to a sovereign GDPR, HIPAA, and other compliance mandates.

Enforce Least Access

Least access is extremely important to apply to critical resources. But as a strict policy goal, it’s difficult to apply it to every piece of data. When you consider that your cloud comprises tens of thousands of pieces of compute and thousands of roles with rights and privileges to access data, this becomes a daunting task.

Monitor critical resources

Least access is extremely important to apply to critical resources, and it’s difficult to apply it to every piece of data. When you consider that your cloud comprises tens of thousands of pieces of compute and thousands of roles with rights and privileges to access data, this becomes a daunting task. Sonrai’s Identity Graph lets you understand every identity’s historical data access and potential access, allowing you to enforce a least access policy.

Automate remediation

Sonrai lets you organize your teams around your unique cloud environments and the sensitivity of those environments so you can secure your cloud at scale. 

Compliance Enforcement

Frameworks covering regulations and industry-recognized controls provide you with the ability to create your own frameworks to meet the exact needs of your organization.