Use DLP to face the demands of modern cloud security with confidence
Organizations are rapidly adopting SaaS and cloud infrastructure, with 72% of organizations saying they’re defaulting to cloud-based services when adopting new tech, according to Foundry (formerly IDG Communications). For early adopters of cloud technology, the SaaS count may be north of 1,000 apps, according to McAfee.
Organizations that have no plan for their data when migrating to the cloud are in for—forgive the pun—cloudy skies. We’re not afraid to use this analogy because:
- Not having cloud-native data security solutions already in place lengthens the sales cycle for purchasing SaaS applications, meaning you’ll be taking the long and windy path to cloud adoption and can easily be blown off course.
- Cloud environments are distributed and are designed to store large amounts of data, and without the right controls in play, there will be limited visibility. You’ll be flying blind with regards to the types of data employees are storing in your systems, where it’s proliferating, and who has access to it.
- Should your organization face a challenge, like a security breach or an audit, there could be a lot of wreckage from the fallout.
Cloud-native data security makes for clear skies
Cloud infrastructure and even SaaS applications rely on the shared security model to enable data security. All cloud services and applications have default security, permissions, and privacy settings that will impact who has access to your data and what security controls are in place within your environments.
It is your organization's responsibility to determine whether these default settings are adequate for meeting its specific security and compliance requirements. Often these default configurations are not sufficient, and organizations need to implement cloud-native data security solutions, like cloud data loss prevention (DLP), in order to fully secure the sensitive data in their cloud environments.
A modern, cloud DLP solution lets you take a proactive approach to implementing controls that make experiencing a breach or failing a compliance audit less likely, allowing your brand to retain trust and value amongst stakeholders.
While many organizations choose to operate without strong cloud-native data security controls in place, this is not a tenable steady state because:
- Incidents like supply chain attacks are up over 700% since 2020. Even if you’re not the direct target of a breach, your organization might be exposed to one as a result of downstream effects. Should this happen, you need to have your controls in place before, not after, such an incident occurs.
- Without cloud-native data security, cloud admins cannot enforce their data security policies, resulting in the proliferation of customer data, API keys, passwords, and other secrets. For example, we found on average that a company with 100 employees will have 5+ active production API keys stored in any of their cloud apps. This means that API keys in use within production systems may be viewable within Slack, Jira, and Confluence, and not just by developers in GitHub.
Both of these trends taken together highlight the privilege escalation and compliance violation risk that unmanaged cloud environments pose.
Do I really need another tool?
Security is a big field with lots of tools, so you may be wondering what the difference is between a cloud-native data security solution, like cloud DLP, and a legacy solution, like a CASB. Do you really need to invest in a cloud-native data security solution?
Sticking to our cloudy skies analogy, using a CASB to secure cloud environments is like flying with a pocket compass. Sure, you’ll have some idea where you’re going but you’re forgoing a whole suite of modern navigational tools designed specifically for the purpose of flying.
CASBs are implemented at the network layer, between user devices and cloud environments, meaning that:
- CASBs cannot perform content inspection without first decrypting traffic. This is against recommended practices for many reasons and highly discouraged by cloud providers like Microsoft and Google who see their users adopt CASBs anyway.
- CASBs cannot see traffic that does not come through the specific proxy or proxies set up by the CASB. This leaves huge visibility gaps for content viewed and modified programmatically via APIs. Today many users, even non-technical power users, add bots to SaaS applications or use third-party APIs to enhance the functionality of the applications they’re using. Should a user, for example, add a Slack bot that can read or modify data in your Slack instance, no CASB would see this.
- CASBs cannot perform comprehensive content inspection anyway. The world of data security has moved on from basic regexes, heuristics, and fingerprinting. More comprehensive types of data classification enabled through modern techniques like machine learning are not possible with a network layer solution, because they’ll introduce significant amounts of latency. With machine learning, cloud DLP lets you actually see all of the context around data being shared in your cloud environments. Additionally, you’ll be able to use APIs to take remediation actions that make sense within the context of the application you’re using. Instead of blocking a user from sending a Slack message with a credit card number, just redact the credit card number from the message the user sent.
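The redact-instead-of-block remediation from the last point, as an added example that is not code from this page or from any DLP product. It uses a pattern match plus a Luhn checksum rather than the machine-learning classification described above, and the function names and sample messages are constructed for illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit, counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_cards(message: str) -> tuple[str, int]:
    """Return (message with card numbers redacted, count of redactions)."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            # Long digit runs that fail the checksum (ticket or order IDs)
            # are left intact so the message stays useful.
            return match.group()
        count += 1
        # Keep the last four digits so an admin can correlate the alert.
        return "[REDACTED CARD ****" + digits[-4:] + "]"

    return CANDIDATE.sub(_sub, message), count


# Constructed sample messages; 4111 1111 1111 1111 is a common test number.
SAMPLES = [
    "Customer card is 4111 1111 1111 1111, exp 12/30, please refund",
    "Ticket 1234567890123456 is still open",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(redact_cards(sample))
```

In an API-based deployment, the redacted text would be written back through the application's own message-update API, which is an integration step outside this sketch.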
These limitations aren’t CASBs’ fault. Legacy tools are built around the idea of managing a security perimeter. This idea made sense when most of an organization’s data lived on-prem or on a network owned exclusively by it. However, if the lion’s share of an organization’s data is in the cloud, and its employees are exclusively using cloud applications, this approach is both too slow and too imprecise to address today’s challenges.
CISO Brent Lassi, from Bluecore, speaks to this transformation in the following clip:
What does a modern cloud data loss prevention solution look like?
It’s easy to install and manage
A good solution should allow you to get to work quickly. It shouldn’t take days or, worse, weeks to see results. You should be able to get started as soon as you’re ready and begin securing your environments immediately. Additionally, installing it in one application should be as easy as installing it in another, and you should be able to apply the same configurations across all of your environments.
It’s nearly invisible but highly impactful
All you really need to see is your data. You don’t want to be staring at screens all day and clicking buttons. Similarly, you don’t want your end-users to be thwarted by a tool that blocks their every move, daring them to circumvent it. In the cloud, security is no longer about preventing insecure behaviors, but instead about encouraging and enabling secure collaboration. Part of how you enable this is by adopting a tool with a light but powerful touch that can provide end-users a good justification for when it takes action and provide admins with enough context to understand why an alert was triggered.
It scales at the speed of cloud
Today, maybe you have 70 users, but tomorrow, who knows, you could have 200. Either way, it shouldn’t matter. You shouldn’t have to worry about whether your cloud solution will break when your headcount shoots up. With a good solution, you’ll be able to see and secure your data no matter how many employees you have.
It lets you maintain security without an army
You shouldn’t need a full team of dedicated staff to configure and maintain your security solution. You should be able to implement policies in plain English that are automatable, review alerts, and export reports that make you look like a security wizard.
In short, a modern cloud DLP solution will let you sleep easy at night because it just works. To help ensure your DLP tool covers these new requirements, we created an RFP template that lets you evaluate a solution on whether it leverages the specific product features, like machine learning, content inspection across any file type, and more, that enable this functionality for you. Let us know if you have any questions.
Download the template here.