
The risks of cloud data loss prevention

Cloud data loss prevention offers many advantages to enterprises today, but it is not without challenges. Expert Rob Shapland discusses the issues to be aware of.

Data loss prevention is a hot topic in the enterprise. Although it has been around for a number of years, many organizations are only now reaching the security program maturity level at which they can implement the technology successfully.

What's even more advantageous for enterprises is the advent of numerous cloud-based data loss prevention (DLP) options. Cloud-based DLP not only gives organizations more ways to deploy the technology than ever before, but it is also critical for extending corporate DLP policies to the cloud.

However, enterprises must evaluate their cloud data loss prevention options closely to avoid deployment problems, and even increased risk to their environments. That's what we'll discuss in this tip.

Top cloud data loss prevention issues facing enterprises today

Some DLP services offered today are completely cloud-based: companies pay a per-user subscription fee, and all data transmissions are monitored by the cloud provider. The main issue with this model is that sensitive data is, by definition, being handled in the cloud, and many organizations are not willing to let their most sensitive data leave their networks.

In order to be effective, DLP must cover all outbound Internet traffic on all devices, including files uploaded to Microsoft OneDrive, Google Drive, Box, Dropbox and so on. Fortunately, many cloud-based DLP services can scan files uploaded to such file-sharing sites. When a user attempts to send or upload sensitive data, the DLP service will normally take one of three actions: alert an administrator, encrypt the data before it is sent, or block the transmission.

While DLP is great in theory, in practice it is difficult to implement successfully, and an enterprise's expectations of what it can do must be tempered. DLP is only as strong as the rules the organization defines and the services it can scan. For example, it's not very useful to have a DLP service that scans corporate email and cloud services if users can simply walk data out of the network on a USB stick.

One main problem with cloud-based DLP is the same issue DLP has always had: how do you define rules that block content that should not leave the network while limiting false positives? DLP needs to be transparent to business users and step in only when a user makes a mistake or intentionally attempts to send data out of the network.


Another major problem with cloud data loss prevention, and with DLP overall, is that in many cases it's easy to bypass. For example, users can do any of the following to get past DLP protections:

  • Send the data in an encrypted zip file
  • Take a screenshot of the data and paste it into a Microsoft Word document
  • Use file sizes larger than the DLP service can scan
  • Change the font of the data to Wingdings

Each of these works for the same underlying reason: the scanner either never sees the content (it is encrypted, rendered as an image, or too large to inspect) or no longer recognises it as text worth matching. These scenarios assume the user is actively trying to evade the DLP rules, but that is a valid assumption. A large proportion of attacks involve at least some insider element, or an outside attacker may have compromised a real staff member's credentials in order to exfiltrate data. If the employee trying to bypass the DLP rules knows how the rules function, it becomes easy to craft an email that evades them.
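The bypasses above, together with the alert/encrypt/block responses and the false-positive problem discussed earlier, can be made concrete. The following is an added example written for this page, not code from the article or from any DLP product: a minimal content scanner that looks for Luhn-valid card numbers and compares a naive policy (anything it cannot inspect is allowed through) with a fail-closed one. The size limit, the sample messages and the archive helper are constructed for the illustration, and the stand-in for a password-protected zip only sets the encryption flag bit, since the scanner never decrypts. The Wingdings case relies on Word storing symbol-font text in the Unicode Private Use Area (U+F020 to U+F0FF), which is why a regex looking for digits no longer matches until the text is normalized.

```python
import io
import re
import zipfile

# Added example, not from the article. Hypothetical size limit above which the
# scanner "cannot scan" (the article's third bypass); real products have their own.
MAX_SCAN_BYTES = 1_000_000

ALLOW, ALERT, BLOCK = "allow", "alert", "block"

# 16 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: cuts false positives from order numbers and other 16-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers found in text, separators stripped."""
    found = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    return [p for p in found if luhn_ok(p)]


def normalize_symbol_font(text):
    """Word stores text set in a symbol font such as Wingdings as Private Use Area
    code points (ASCII value + 0xF000); map them back so digits are visible again."""
    return "".join(chr(ord(c) - 0xF000) if 0xF020 <= ord(c) <= 0xF0FF else c
                   for c in text)


def scan_upload(data, hardened=True):
    """Return (verdict, reason) for an outbound blob. hardened=False reproduces the
    naive behaviour the article describes: anything unscannable is waved through."""
    if len(data) > MAX_SCAN_BYTES:
        return (BLOCK, "too large to scan") if hardened else (ALLOW, "too large, skipped")
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    return ((BLOCK, f"encrypted entry {info.filename}") if hardened
                            else (ALLOW, "cannot open, skipped"))
                verdict, reason = scan_upload(zf.read(info), hardened)
                if verdict != ALLOW:
                    return verdict, f"{info.filename}: {reason}"
        return ALLOW, "archive clean"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        # Images (screenshots) need OCR; without it the honest answer is "unknown".
        return (ALERT, "binary not inspected") if hardened else (ALLOW, "binary skipped")
    if hardened:
        text = normalize_symbol_font(text)
    pans = find_pans(text)
    return (BLOCK, f"{len(pans)} card number(s)") if pans else (ALLOW, "clean")


def make_zip(name, payload, encrypted_flag=False):
    """Build a small archive. encrypted_flag=True is a constructed stand-in for a
    password-protected zip: it sets bit 0 of the general-purpose flag in the local
    header (offset 6) and the central directory entry (offset 8), which is all the
    scanner looks at because it never attempts to decrypt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)


# Constructed samples. 4111 1111 1111 1111 is the Luhn-valid test PAN used by
# payment-gateway sandboxes; the order reference is 16 digits but fails Luhn.
PAN = "4111 1111 1111 1111"
SAMPLES = {
    "plain email": f"Card on file: {PAN}".encode(),
    "order id (benign)": b"order reference 1234567812345678",
    "plain zip": make_zip("cards.txt", f"card {PAN}"),
    "encrypted zip": make_zip("cards.txt", f"card {PAN}", encrypted_flag=True),
    "oversized": b"x" * (MAX_SCAN_BYTES + 1),
    "screenshot": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "wingdings": "".join(chr(ord(c) + 0xF000) for c in f"card {PAN}").encode(),
}


def run_samples():
    """Map each sample name to (naive verdict, hardened verdict)."""
    return {name: (scan_upload(d, hardened=False)[0], scan_upload(d, hardened=True)[0])
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in run_samples().items():
        print(f"{name:18} naive={naive:6} hardened={hard}")
```

Run it directly to print both verdicts for each sample. The point is not the regex but the policy: the evasions succeed against the naive scanner only because it treats "could not inspect" as "clean". Failing closed on encrypted archives and oversized files, alerting on binaries it cannot read, and normalizing symbol-font text turn silent bypasses into events an administrator sees, at the cost of the extra false positives that rules management then has to absorb. The screenshot still cannot be inspected without OCR, so "alert" rather than "block" is the honest verdict there, and the Luhn check is what keeps the benign order reference from being blocked.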

A final issue with DLP is rules management. In the initial phase, rules need to be defined and tested, and responsibility for DLP management needs to be assigned to a staff member (or group of staff members) who continually reviews the policies. The balance to strike is blocking sensitive and confidential data from being sent or uploaded to the cloud without blocking legitimate business traffic. In many organizations this is a difficult balance to achieve; it requires constant evaluation of the rules and will almost certainly lead to some legitimate emails being blocked, with the additional overhead that entails.

Overall, cloud data loss prevention, and indeed every DLP product, should be seen as one layer in a defense-in-depth strategy. The "prevention" in the name suggests that DLP can stop sensitive data from leaking out of your organization, but this is far from the truth. It should be considered an aid in that effort, and the return on investment of such a product or service needs to be judged carefully against the benefit it brings.

About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies ranging from large corporations to small businesses, built on a wide variety of Web technologies. He is a firm believer that all penetration testing should have manual techniques at its core, using automated tools to support those skills. He is also involved in network testing and social engineering.


Does your organization use cloud data loss prevention?
Currently, my place of employment uses CipherCloud to back up and secure data stored in the cloud. CipherCloud is one of the leaders in cloud protection, and the business has not had a problem with security since.


You make a bunch of great points here, especially regarding the limitations of "traditional" DLP systems that rely on only content inspection and fingerprinting. However, all four of those items that you say users can bypass can be addressed out of the box by a solution like Digital Guardian.

Regarding the cloud, there are many popular protection approaches that are founded on access and encryption (like CipherCloud) that protect who can get it, and also when it is in the cloud it is protected. However, the big question not being addressed is how is that data protected once it is on that iPad, phone or laptop that is authorized and accessing it? In many ways those cloud DLP products are like an encrypted IronKey drive: if you lose it the data is safe, and if you are authorized you can decrypt it and use it, but more importantly what are you putting on that drive and what are you doing with it once you have it?

I back up data on physical solutions as well as the cloud. I think a smart plan for redundant solutions should be the way every company moves. Belt and suspenders baby!

Good article, well thought out. DLP does serve a good purpose of stopping data when good people make mistakes, or don't potentially know that what they are doing is against policy. Another problem occurs with DLP because, in order to be effective, SSL essentially needs to be hijacked, and packets opened and reviewed, before they go over to most of the cloud providers. In doing this, you might also be opening sensitive information, like an employee's healthcare information, that shouldn't be viewed by an employer. It's important to lay out explicitly what the expectation of privacy should be.

Rob, you make some good points here about the limitations of "traditional" DLP products that rely on just content inspection and fingerprinting; however, products like Digital Guardian can address all four of those "bypass" use cases out of the box. Most of the cloud protection products available today rely on access and ensuring anything in the cloud is encrypted. This is akin to an encrypted drive that, if lost, no one gets the data from, but more importantly what is that authorized user (or someone with his credentials) doing with the data once it is on his iPad, iPhone or laptop?

Are we manufacturing another opportunity for companies to sell us stuff? If the cloud worked as advertised when it comes to backups (the way we were told the cloud works five or more years ago), then there shouldn't be a need for newer software, support and data-loss add-ons. Am I right?