According to many recent surveys, more than 70 percent of IT and business professionals are using cloud applications in both personal and enterprise working environments. Remember the last time you uploaded the financial report or that important presentation to Dropbox because you wanted to download it to your tablet to look well prepared during your board meeting? Or that colleague uploading an important, confidential proposal document to Skydrive to download it later at home to go the extra mile and work during the weekend? These are just two of many very common innocent use cases that leverage the instant sharing of any data content to company/home PC, laptop, or mobile phones, and unlimited storage of files by, in many cases, a simple click of a button.
Data Loss Prevention on the cloud is not a new challenge. You may remember online services like Slideshare, Slidesix, Slideboom, etc. that allow you to upload presentations and share them with the world. Today, with so many cloud services and SaaS applications like DropBox, Skydrive, Google Drive, iCloud, Office365, Salesforce, etc., possibilities of sharing data are endless. However, most of the time, security is the last variable considered, especially if you think about the difficulty of tracing and detecting very sensitive data leakage — or worse -- the lack of encryption used when storing sensitive data in the cloud. The truth is that nobody is monitoring cloud-based applications.
How do we effectively tackle the problem?
Identify the data sources, flow and destination
The key to start solving the problem is to have a clear understanding of what information is really most significant to the business. This usually gets accomplished with a data assessment, which must include data discovery and data fingerprinting that provides a better understanding as to where, who, when and in what format the information is being generated and in what devices it is being stored. In addition, identifying the cloud services currently being used and the type of data that is being transferred to the cloud is an important step during this process.
Enforce security as everybody’s responsibility
Once the data classification effort has been done and it is properly documented, awareness is the key ingredient in making security everybody’s responsibility. Many organizations develop awareness programs in which they integrate frequent and continuous communication to share IT security policy specifics like data classification criteria, common threats, who to contact, tools, etc. Additionally, many organizations complement this effort with annual awareness sessions in which employees or associates not only attend a meeting but also sign the actual data classification policy adhering to protecting confidential information.
Choose the right tool for you
Once the type of information that is critical for your organization, business requirements to prevent data loss prevention, as well as the regulations requirements have been identified, it will be time to define, through a risk-based approach, the use cases your company needs to focus on. Tools usually focus on providing the same standard procedure, generally providing continuous monitoring. Thus, when the user attempts to upload a file to a cloud service, the tool inspects the content before uploading to the cloud. If sensitive content is detected, violating a policy, the incident is reported and/or blocked. Therefore, data transfer is stopped to protect company information and logged for later auditing. Evaluating the technical protocols that the DLP solutions support is essential. While some applications use HTTP/HTTPS to upload information, others use secure RDP. On the other hand, based on the specific use cases, at some point you may want to evaluate encryption solutions for data at rest or in transit. Many times, rather than spending a great deal of effort on a DLP initiative, a good encryption strategy may work.
In regard to the delivery model, there are some variations in the DLP tools. Some tools leverage the cloud to store the metadata associated to the events that are being captured. While they provide real-time monitoring and great dashboards that can be accessed from anywhere, their offerings usually articulate the value in simplifying the network and reducing the total cost of ownership. However, some security practitioners would rather keep the information on premise since they consider it is inefficient to copy all the data into the cloud for analysis.
Tune your DLP strategy
Provide visibility! Allowing upper management and the main stakeholders to see and understand the results obtained for the implementation of the DLP process and tools is crucial. Make sure they clearly understand the value that the initiative generates. This will undoubtedly help you to gain even more support and credibility, but most importantly, it will make them aware of the implications of the use of cloud services and applications. This is the way to influence the management team to think about security before adopting new technologies for either operational and/or financial efficiency.
Leonel Navarro, PMP, CISSP
Leonel Navarro is Practice Manager & Business leader for Softtek Information Security Practice. He is a certified project management professional (PMP) and a certified information systems security professional (CISSP). Navarro’s twelve years of experience in IT operations with teams based in Mexico, the United States, and China, combined with critical customer-facing positions he has held, enable him to perform the overall coordination of the Sales, Marketing, Product Management and Strategic Alliances strategy for Softtek’s Information Security Service offering while overseeing the delivery of those services with existing clients. Leo holds a Bachelor in Electrical Engineering & Computer Architecture from ITESM.