Data Loss Prevention on the Cloud

Leonel Navarro

According to many recent surveys, more than 70 percent of IT and business professionals are using cloud applications in both personal and enterprise working environments. Remember the last time you uploaded the financial report or that important presentation to Dropbox because you wanted to download it to your tablet to look well prepared during your board meeting? Or that colleague uploading an important, confidential proposal document to Skydrive to download it later at home to go the extra mile and work during the weekend? These are just two of many very common innocent use cases that leverage  the instant sharing of any data content to company/home PC, laptop, or mobile phones, and unlimited storage of files by, in many cases, a simple click of a button.

Data Loss Prevention on the cloud is not a new challenge. You may remember online services like Slideshare, Slidesix, Slideboom, etc. that allow you to upload presentations and share them with the world. Today, with so many cloud services and SaaS applications like DropBox, Skydrive, Google Drive, iCloud, Office365, Salesforce, etc., possibilities of sharing data are endless. However, most of the time, security is the last variable considered, especially if you think about the difficulty of tracing and detecting very sensitive data leakage — or worse -- the lack of encryption used when storing sensitive data in the cloud.  The truth is that nobody is monitoring cloud-based applications.

How do we effectively tackle the problem?

Identify the data sources, flow and destination

The key to start solving the problem is to have a clear understanding of what information is really most significant to the business. This usually gets accomplished with a data assessment, which must include data discovery and data fingerprinting that provides a better understanding as to where, who, when and in what format the information is being generated and in what devices it is being stored. In addition, identifying the cloud services currently being used and the type of data that is being transferred to the cloud is an important step during this process.

Enforce security as everybody’s responsibility

Once the data classification effort has been done and it is properly documented, awareness is the key ingredient in making security everybody’s responsibility. Many organizations develop awareness programs in which they integrate frequent and continuous communication to share IT security policy specifics like data classification criteria, common threats, who to contact, tools, etc. Additionally, many organizations complement this effort with annual awareness sessions in which employees or associates not only attend a meeting but also sign the actual data classification policy adhering to protecting confidential information.

Choose the right tool for you

Once the type of information that is critical for your organization, business requirements to prevent data loss prevention, as well as the regulations requirements have been identified, it will be time to define, through a risk-based approach, the use cases your company needs to focus on. Tools usually focus on providing the same standard procedure, generally providing continuous monitoring. Thus, when the user attempts to upload a file to a cloud service, the tool inspects the content before uploading to the cloud. If sensitive content is detected, violating a policy, the incident is reported and/or blocked. Therefore, data transfer is stopped to protect company information and logged for later auditing. Evaluating the technical protocols that the DLP solutions support is essential. While some applications use HTTP/HTTPS to upload information, others use secure RDP. On the other hand, based on the specific use cases, at some point you may want to evaluate encryption solutions for data at rest or in transit. Many times, rather than spending a great deal of effort on a DLP initiative, a good encryption strategy may work.

In regard to the delivery model, there are some variations in the DLP tools. Some tools leverage the cloud to store the metadata associated to the events that are being captured. While they provide real-time monitoring and great dashboards that can be accessed from anywhere, their offerings usually articulate the value in simplifying the network and reducing the total cost of ownership. However, some security practitioners would rather keep the information on premise since they consider it is inefficient to copy all the data into the cloud for analysis.

Tune your DLP strategy

Provide visibility! Allowing upper management and the main stakeholders to see and understand the results obtained for the implementation of the DLP process and tools is crucial. Make sure they clearly understand the value that the initiative generates. This will undoubtedly help you to gain even more support and credibility, but most importantly, it will make them aware of the implications of the use of cloud services and applications. This is the way to influence the management team to think about security before adopting new technologies for either operational and/or financial efficiency.

Leonel Navarro, PMP, CISSP

Leonel Navarro is Practice Manager & Business leader for Softtek Information Security Practice. He is a certified project management professional (PMP) and a certified information systems security professional (CISSP). Navarro’s twelve years of experience in IT operations with teams based in Mexico, the United States, and China, combined with critical customer-facing positions he has held, enable him to perform the overall coordination of the Sales, Marketing, Product Management and Strategic Alliances strategy for Softtek’s Information Security Service offering while overseeing the delivery of those services with existing clients. Leo holds a Bachelor in Electrical Engineering & Computer Architecture from ITESM.

Add Comment      Leave a comment on this blog post
Jun 18, 2013 5:24 PM Wendy Wendy  says:
Cloud providers today allow private people (maybe your employees) to create powerful computing environments in the cloud by creating their own machines. The BYOC (bring your own cloud) Users may choose any flavor of Windows, Unix and other VM machines. Such computers are created in a virtual environment and take minutes to create. Users may copy data from their own home or work machine to the cloud by Copy and Paste or just Drag and Drop. Such actions are mostly done utilizing the HTTPS protocol but often we see Cloud providers using Secure RDP. This creates a huge problem for organizations as there is no Visibility to such protocol. Employees can copy/backup their entire C drive to the Cloud in few minutes. These transmissions are a significant risk of data loss to the organization since most 'content aware' DLP systems do not have visibility to such breaches. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.