Data loss prevention is a hot topic in the enterprise. Although it has been around for a number years, many organizations...
are only now approaching the security program maturity level where they can consider implementing the technology successfully.
What's even more advantageous for enterprises is the advent of numerous cloud-based data loss prevention (DLP) options. Not only does cloud-based DLP give organizations more opportunities to deploy the technology than ever before, but it also is critical for helping enterprises extend corporate DLP policies to the cloud.
However, enterprises must consider their cloud data loss prevention options closely to avoid deployment problems and even increasing the risks to their environments. That's what we'll discuss in this tip.
Top cloud data loss prevention issues facing enterprises today
Some DLP services offered today are completely cloud-based. In these offerings, companies pay a per-user subscription fee, and all data transmissions are monitored by the cloud provider. The main issue with this service is that sensitive data is therefore being handled in the cloud; many organizations are not willing to let their most sensitive data leave their networks.
In order to be effective, DLP must cover all outbound Internet traffic, on all devices -- this includes even the files uploaded to Microsoft OneDrive, Google Drive, Box, Dropbox, and so on. Fortunately, many cloud-based DLP services offer scanning of all files that are uploaded to such file-sharing sites. The DLP service will normally have three responses if a user attempts to send or upload sensitive data: Send an alert to an administrator, encrypt the data before sending or prevent the data from being sent.
While DLP is great in theory, in practice it is difficult to implement successfully, and an enterprise's expectations of what it can do must be tempered. DLP is only as strong as the rules that are defined by the organization as well as the services that it can scan. For example, it's not very useful to have a DLP service that scans corporate email and cloud services if users can simply remove data from the network on a USB stick.
One main problem with cloud-based DLP is the same issue that DLP has always had: How do you define rules that block content that should not be sent out of the network but also limit false positives? DLP needs to be transparent to business users and only step in when a user makes a mistake or intentionally attempts to send data out of the network.
Another major problem with cloud data loss prevention and DLP overall is that in many cases, it's easy to bypass. For example, users are easily able to do all of these things in order to bypass DLP protections:
- Send data in an encrypted zip file
- Screenshot the data and put it into a Microsoft Word document
- Use large file sizes that the DLP cannot scan
- Change the font of the data to wingdings
While these scenarios assume that the user is actively trying to avoid the DLP rules, it is a valid assumption. A large proportion of attacks have at least some elements of insider involvement or alternatively, an outside attacker may have compromised a real staff member's credentials in order to exfiltrate data. If the employee trying to bypass the DLP rules has knowledge of how the rules function, it becomes easy to design an email that bypasses them.
A final issue with DLP surrounds rules management. In the initial phase, rules need to be defined and tested. Responsibility for DLP management needs to be assigned to a staff member (or group of staff members) in order to constantly review the policies. The balance is ensuring that sensitive and confidential data is blocked from being sent or uploaded to the cloud without blocking legitimate business traffic. In many organizations this can be a difficult balance to achieve and requires constant evaluation of the rules, and will almost certainly lead to legitimate emails being blocked with the additional overhead that entails.
Overall, cloud data loss prevention -- and indeed all DLP products -- should be seen as one layer in a defense-in-depth strategy. The prevention part of the name suggests that DLP can thwart sensitive data from leaking out of your organization, but this is far from the truth. It should be considered an aid in this process, and the return on investment of such a product or service needs to be carefully judged against the benefit it brings.
About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies that range from large corporations to small businesses using a wide variety of Web technologies. He is a firm believer that all penetration testing should have manual techniques at their core, using automated tools to support these skills. He is also involved in network testing and social engineering.
Learn more about using DLP tools for cloud computing security.
Get help understanding how DLP works in the cloud.