Cloud DLP: Understanding how DLP works in virtual, cloud environments

Applying DLP technology to virtual machines can enable cloud computing with enhanced security and compliance.

Most organizations have already moved data to a virtual machine or the cloud, but many are still reluctant to move mission-critical applications due to security and compliance concerns. Reasons for moving to a virtualized environment are often related to flexibility and cost, but the latest security controls for virtual machines may also give you the confidence you need to move business-critical apps. Have you investigated cloud-aware data loss prevention (DLP) tools, such as VMware vShield App with Data Security, and are you aware how they address unique requirements of virtual environments? This tip will examine how cloud DLP works and how it can actually enhance security and compliance beyond DLP solutions for physical environments.

Cloud DLP requires a shift in focus
When data shifted from a central storage model to a distributed model (e.g. from mainframe/midrange to client-server), it forced security management to shift as well. The risk of data on workstations and personal devices led to a rise in data loss prevention tools that could monitor mobile and distributed systems. Security management had to find and follow where data was being stored and the new paths over which it was transmitted. Likewise, the shift from physical machines to virtual ones forces another shift: the virtual environment introduces many interesting issues related to the powerful capabilities of hypervisors and the automation of cloud environments. Resource pools, clusters, virtual machines, hypervisors and data centers are just some of the new concepts that must be recognized and interpreted properly in order for sensitive data to be controlled effectively.

Consequently, a good question to ask of cloud providers is whether they have the ability to identify sensitive data and, if so, whether they can see into personal computers, servers and storage systems. Privacy trade-offs and controls (e.g. encryption) have to be considered when a service provider offers to look into a virtual machine and report on sensitive data. A follow-up question is to ask for granularity in role-based access and reporting. In other words, must privileged or high-level access be given to the provider, or can workloads be set to be accessible only by their owner? Because storage, network and compute spaces are shared, a report should be available that is aware of the logical containers used to separate data in virtual environments, such as resource pools, data centers, clusters and virtual machines. Then, last but not least, a provider should be asked whether the performance impact of finding sensitive data can be managed easily (e.g. isolate, start/stop and pause the scan).

Special Report: Data Security in the Cloud

This article is part of SearchCloudSecurity.com and Information Security magazine's special report on how to protect data in the cloud.

Although data loss prevention (DLP) has remained the same in concept -- find and block the loss of sensitive data -- the management of DLP technology in cloud environments brings with it some specific technical hurdles to finding and controlling all that data. Discovery is not enough on its own; a cloud DLP also has to provide the capability to prevent loss of data.

Cloud DLP advantages
Consider, for example, a cloud environment in which a virtual machine is started to run a security engine that manages all the other virtual machines on a designated set of virtual servers hosted by a hypervisor. The virtual machines run client software with a DLP engine that is able to scan, identify and block transmission of sensitive data. The hypervisor can even glue these two together and consolidate them into a single virtual appliance, which means a DLP engine is not only able to monitor and manage all the virtual machines that run a client, but also may be able to see data at rest from the hypervisor view. This redefines how scoping for compliance requirements such as PCI DSS may be performed for sensitive data environments. It becomes easier than ever to include systems because they already are running on a DLP-capable infrastructure. Also, unlike a physical machine, virtual machines that are in standby or that have been powered down are not invisible to security managers. In essence, DLP runs as a service that can be enabled or disabled for virtual machines running in the cloud data center.

The dynamic nature of cloud environments means a DLP service also can be extensible and automated. A DLP solution like the one described above can be programmed using APIs to automate controls, such as creating a rule that would automatically move a virtual machine with sensitive data behind a firewall or move it into a lock-down zone pending further review.

The flexibility and control in the cloud make control of virtual machines far more feasible than in the physical world. A rule could require, for example, that a virtual machine found with credit card data have its network connectivity isolated at the application level (e.g. restrict certain protocols) to block leaks, and that an email alert be sent to administrators. Another example is an assessment of a full virtual data center: cloud DLP can find systems with sensitive data and move them from a cluster of insecure systems to one assigned to business-critical applications with sensitive data.
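The automated workflow described in the two paragraphs above (discover cardholder data in every virtual machine, including powered-off ones, then isolate the machine's protocols, relocate it to a secure cluster and alert administrators) is easier to reason about as code. The following is an added example, not code from the article, from VMware vShield or from any vendor product. The `CloudApi` class is a hypothetical stand-in for a cloud platform's automation API that merely records the calls it receives; the VM inventory, cluster names and the alert address are constructed sample values. Discovery uses a pattern match for 13 to 19 digit card numbers plus a Luhn mod-10 check, which is how DLP engines commonly reduce false positives from order numbers and timestamps.

```python
"""Added example: a small simulation of cloud DLP discovery plus automated
remediation through a hypothetical cloud automation API."""
import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class VirtualMachine:
    name: str
    cluster: str
    power_state: str              # "on", "off" or "standby"; scanned in every state
    disk_text: str                # constructed sample of the VM's data at rest
    dlp_enabled: bool = True      # the per-VM "DLP as a service" toggle
    allowed_protocols: set = field(default_factory=lambda: {"any"})


class CloudApi:
    """Hypothetical automation API (assumption): records the calls a real platform API would get."""
    def __init__(self):
        self.calls = []

    def restrict_protocols(self, vm: VirtualMachine, allowed) -> None:
        vm.allowed_protocols = set(allowed)
        self.calls.append(("restrict_protocols", vm.name, tuple(sorted(allowed))))

    def move_to_cluster(self, vm: VirtualMachine, cluster: str) -> None:
        vm.cluster = cluster
        self.calls.append(("move_to_cluster", vm.name, cluster))

    def send_alert(self, recipients: str, message: str) -> None:
        self.calls.append(("send_alert", recipients, message))


def scan_inventory(inventory) -> dict:
    """Hypervisor-side discovery: every DLP-enabled VM is scanned, powered off or not."""
    return {vm.name: len(find_pans(vm.disk_text)) for vm in inventory if vm.dlp_enabled}


def enforce_policy(inventory, api: CloudApi, secure_cluster="pci-cluster",
                   allowed=frozenset({"https", "ssh"}), admins="secops@example.com") -> list:
    """Apply the rule from the article: isolate protocols, relocate, alert. Returns VM names acted on."""
    findings = scan_inventory(inventory)
    quarantined = []
    for vm in inventory:
        count = findings.get(vm.name, 0)
        if count == 0:
            continue
        api.restrict_protocols(vm, allowed)
        if vm.cluster != secure_cluster:
            api.move_to_cluster(vm, secure_cluster)
        api.send_alert(admins, f"{vm.name}: {count} card number(s) found; isolated and moved")
        quarantined.append(vm.name)
    return quarantined


def egress_allowed(vm: VirtualMachine, protocol: str, payload: str) -> bool:
    """Inline transmission control: honour the protocol restriction and block card data leaving the VM."""
    if "any" not in vm.allowed_protocols and protocol not in vm.allowed_protocols:
        return False
    if vm.dlp_enabled and find_pans(payload):
        return False
    return True


def build_sample_inventory() -> list:
    """Constructed sample data: one benign order number, one real-looking test card number."""
    return [
        VirtualMachine("web-01", "general", "on", "order 1234567890123456 shipped"),
        VirtualMachine("billing-db", "general", "off", "card 4111 1111 1111 1111 exp 12/29"),
        VirtualMachine("jump-01", "general", "on", "nothing sensitive here", dlp_enabled=False),
    ]


if __name__ == "__main__":
    api = CloudApi()
    inventory = build_sample_inventory()
    print("quarantined:", enforce_policy(inventory, api))
    for call in api.calls:
        print(call)
```

Running it shows only `billing-db` being acted on: the powered-off database is still scanned and found, `web-01`'s order number fails the Luhn check, and `jump-01` is skipped because DLP is switched off for it. After enforcement, `egress_allowed` refuses both a now-disallowed protocol and an HTTPS payload carrying a card number from the quarantined VM.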

About the author:
Davi Ottenheimer is president of security consultancy flyingpenguin and author of the new book Securing the Virtual Environment: How to Defend the Enterprise Against Attack. He is a QSA and PA-QSA for K3DES with more than 17 years of experience in security operations and assessments, including a decade of leading incident response and digital forensics. Davi formerly was global communication security manager at Barclays Global Investors and a “Dedicated Paranoid” at Yahoo! responsible for digital home, broadband and mobile security.
