One of people's biggest concerns about adopting cloud computing is the potential risk to their data. Anytime we "lose" physical control of an asset, it's only natural to worry about it. And since data loss prevention is one of only a handful of security technologies dedicated to protecting data, it's also only natural we take a hard look at expanding it to protect that cloud-based data.
Today there are three different business problems related to cloud computing where DLP is helpful. The first is to use it as a tool to control the migration of data to the cloud. The second is as a control to protect data in the cloud. And finally, we can use DLP tools to find sensitive data that's "leaked" to the cloud.
Using DLP tools to control data migration
One of the most useful ways to use DLP for cloud computing is to monitor, and even block, data migrations to the cloud from your traditional infrastructure. The vast majority of cloud computing services rely on HTTP as their main out-of-the-box communications protocol (albeit often through custom APIs). Thus, if you monitor HTTP (and HTTPS), you'll catch many potential data migrations across the spectrum of cloud service models.
All network DLP tools can monitor HTTP traffic, and I strongly suggest you stick with options that also support HTTPS monitoring natively or via Web gateway integration. Then ask your DLP vendor if they are "cloud aware" for major cloud services and destinations, which will reduce the need for custom rule writing. You can then apply any of your existing DLP content rules on a per-cloud-service basis, or merely set up generic alerts anytime the cloud is a destination for your data.
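The per-cloud-service rule described above, reduced to its core logic as an added example (this is not code from the article or from any DLP vendor): a content classifier for card numbers and SSN-like strings, a "cloud aware" lookup that maps destination hosts to services, and a policy table that decides whether a sensitive upload to a given service is allowed, alerted on, or blocked. The host suffixes, policy actions and request bodies are constructed for illustration; a real deployment would feed this from an HTTPS-terminating proxy or gateway.

```python
import re

# Constructed host-suffix -> service table standing in for a vendor's "cloud aware" destination list.
CLOUD_SERVICES = {
    "s3.amazonaws.com": "Amazon S3",
    "cloudfiles.rackspacecloud.com": "Rackspace Cloud Files",
    "docs.google.com": "Google Docs",
}
# Assumed per-service policy; any other recognised cloud destination falls back to a generic alert.
POLICY = {"Amazon S3": "block", "Rackspace Cloud Files": "alert"}
DEFAULT_CLOUD_POLICY = "alert"

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary 16-digit strings (order ids, timestamps) don't fire the PAN rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(body: str) -> set:
    """Return the set of content-rule labels that match the request body."""
    hits = set()
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.add("PAN")
    if SSN_RE.search(body):
        hits.add("SSN")
    return hits

def cloud_service(host: str):
    """Map a destination host (including bucket/tenant subdomains) to a known cloud service, or None."""
    for suffix, name in CLOUD_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def inspect(host: str, body: str):
    """Decide (action, service, hits) for one outbound HTTP request; non-cloud destinations are out of scope here."""
    service = cloud_service(host)
    if service is None:
        return ("allow", None, set())
    hits = classify(body)
    if not hits:
        return ("allow", service, hits)
    return (POLICY.get(service, DEFAULT_CLOUD_POLICY), service, hits)
```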
Tracking data in the cloud
Once data is in the cloud, you might want to keep track of where it's located. Or maybe you want to track your existing cloud infrastructure for displaced sensitive data. This is where content discovery comes into play as you use your DLP to scan known repositories for sensitive data.
If you use Infrastructure as a Service, you may be able to use your existing DLP tool to scan just as if it was in your traditional data center, although you might need to add a VPN connection to let it see the storage repositories. You can also look at deploying DLP virtual appliances in the cloud, if your product supports that. For Platform as a Service or Software as a Service, you will need a way for the DLP tool to access the data (e.g. API-based access to file storage), and a DLP tool that supports the communications method. This isn't always a given, and we are seeing some vendors starting to release support for major cloud storage services like Amazon S3 or Rackspace Cloud Files.
Finally, you can use DLP tools to monitor network traffic within the cloud at choke points. There are three ways to do this: Via an endpoint agent embedded in the cloud instance or the hypervisor, by routing traffic through a dedicated DLP server or appliance outside the cloud, or by running a cloud instance of a DLP server and routing traffic through it.
If you are on public cloud, the odds are high that you can't restrict network routing to the degree where DLP offers much value, and you will need to rely more on an agent-based approach. But once you move to private or virtual private clouds, you gain enough control to lock down traffic and can monitor with DLP.
Cloud DLP limitations
One big limitation to keep in mind is your public cloud platform may only support a single network interface per instance, which means you'll need a virtual DLP version that can monitor and forward traffic with this restriction. Keep in mind most of you don't use DLP to monitor data center-based applications as it is, and it's usually not the first technology I recommend for protecting servers.
Altogether, I see a lot of value in using DLP to monitor data migrating to the cloud and for content discovery on cloud-based storage, but I see little value in deploying DLP within a public cloud. (It may make sense in private cloud, depending on what you are using it for.) Over time this will change as technology evolves and we deploy a wider variety of services in the cloud, but any cloud deployment we can protect inline with DLP is probably an application infrastructure, where we should rely more on things like application security and encryption.
DLP can be an excellent tool to enhance data security in the cloud. Use it to track data migrating to the cloud, discover sensitive data stored in your cloud, and perhaps to protect services running in the cloud. But, as with any technology, make sure it's tuned for the environment, and don't waste your time deploying it where the benefits are minimal.
About the author:
Rich Mogull has nearly 20 years' experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats, to risk management frameworks, to major application security.