Organizations have traditionally employed a castle-and-moat cybersecurity model to protect sensitive data. Users can only access apps and data from within the castle, with the perimeter of protection defined by the moat.
The cloud breaks this model. It becomes difficult to extend the traditional IT perimeter to include cloud apps and services, as well as data stored outside on-premises corporate IT infrastructure.
Cloud adoption is ubiquitous, and many organizations have adopted a cloud-first deployment policy. However, organizations continue to use on-premises infrastructure. Thus, the new normal IT infrastructure is hybrid multi-cloud. In such an environment, the perimeter becomes amorphous and dynamic, changing rapidly as organizations spin up new applications.
The perimeter becomes even more nebulous as organizations enable third parties to access data, apps and infrastructure to accelerate the business and improve operational efficiencies.
The COVID-19 pandemic-induced shift to remote work is also here to stay, with the majority of organizations adopting a hybrid workforce model, supporting both in-office and remote knowledge workers. The always-on, always-available workforce needs to access data from anywhere at any time using any network and any device. With organizations embracing BYOD, more employees and contractors are using their own laptops, tablets and cellphones to conduct business.
All of these factors combined make data security a difficult task to address.
Data loss prevention to the rescue?
Organizations need visibility into sensitive data access that accounts for the expansion of data silos, access locations and devices, exfiltration points and use cases that comes from the modern IT cloud-based architecture and the hybrid workforce.
One-third of respondents to "The State of Data Privacy and Compliance" survey from Enterprise Strategy Group (ESG), a division of TechTarget, said they have lost cloud-resident data. More concerning is that an additional 28% of organizations suspect they have lost cloud-resident data but don't know for sure because they lack data observability.
Among those that have lost cloud-resident data, remote users were the most common culprit. Other causes of data loss included personal and mobile devices, misconfigured and unsanctioned cloud services, malicious insiders and sensitive data sharing -- both corporate data exposure and sensitive data from third parties and competitors being uploaded to the organization's cloud services.
Organizations can observe, detect and prevent data use, misuse and exfiltration by using the following data loss prevention (DLP) capabilities:
- Data at rest. Detecting and preventing unauthorized access, or encrypting stored data so that a copy stolen by ransomware or extortion actors is worthless to them.
- Data in motion. Detecting and preventing exfiltration of data across the network or detecting ransomware encryption in the backup stream.
- Data in use. Detecting and preventing misuse of data -- for example, copying sensitive data to an unapproved location -- or tokenizing sensitive data, such as Social Security numbers or credit card numbers, to increase privacy.
Vendors package these DLP capabilities into different types of products. Traditionally, dedicated DLP tools combine all three capabilities into a single product that may also include data access governance, data activity monitoring or data risk analytics. Many of these dedicated tools date from the pre-cloud era, however, and lack visibility into cloud storage and cloud apps. They may also lack the AI and machine learning automation, classification and protection capabilities of newer products.
As a result, many organizations have deployed separate DLP tools for their on-premises, cloud and endpoint environments. These tools deliver DLP as one feature of a suite built for a broader use case. For example, many vendors are adding DLP capabilities to email, network and cloud security tools, which already have visibility into data in motion. Some email security tools have been extended to detect and prevent the sharing of sensitive files or to automatically mask Social Security numbers and other personal information.
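The data-in-motion and data-in-use capabilities above (detecting sensitive data before it leaves, masking Social Security and card numbers) come down to content inspection plus a policy decision. The following is an added example written for this article, not code from any vendor product: it finds SSNs and card numbers in a message, validates them (SSA area/group/serial rules for SSNs, a Luhn check for card numbers) to avoid flagging order numbers that merely look like a PAN, masks all but the last four digits, and applies an assumed policy: block external mail carrying a card number, mask external mail carrying an SSN, allow internal mail. The sample messages are constructed; 4111 1111 1111 1111 is a well-known test card number, not a real account.

```python
"""Minimal content-inspection DLP check (added example, not vendor code)."""
import re
from dataclasses import dataclass

# Constructed sample messages, not real data.
SAMPLES = {
    "payroll": "Please update the W-2 for employee SSN 219-09-9999 before Friday.",
    "refund": "Card 4111 1111 1111 1111 was charged twice, refund the second one.",
    "order": "Tracking your shipment, order 1234 5678 9012 3456 left the warehouse.",
    "clean": "Lunch is at noon in conference room B.",
}

# SSA rules: area not 000/666/900-999, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single spaces or hyphens between them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "pan"
    value: str   # matched text exactly as it appears in the message
    start: int
    end: int


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit strings that match PAN_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[Finding]:
    """Return validated SSN and card-number findings, ordered by position."""
    findings = [Finding("ssn", m.group(), m.start(), m.end())
                for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("pan", m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def mask(value: str) -> str:
    """Keep the last four digits, replace every other digit with X, keep separators."""
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def redact(text: str) -> tuple[str, list[Finding]]:
    """Return the message with every finding masked, plus the findings."""
    findings = find_sensitive(text)
    pieces, last = [], 0
    for f in findings:
        pieces.append(text[last:f.start])
        pieces.append(mask(f.value))
        last = f.end
    pieces.append(text[last:])
    return "".join(pieces), findings


def policy_action(findings: list[Finding], external: bool) -> str:
    """Assumed data-in-motion policy: internal traffic is allowed as-is; external
    traffic is blocked if it carries a card number, masked if it carries an SSN."""
    if not findings or not external:
        return "allow"
    if any(f.kind == "pan" for f in findings):
        return "block"
    return "mask"


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        redacted, found = redact(msg)
        print(f"{name:8} {policy_action(found, external=True):5} {redacted}")
```

The Luhn check is what keeps the "order" message out of the findings: its 16 digits match the card-number pattern but fail mod-10, which is exactly the kind of false positive that erodes trust in a DLP deployment. A production tool would add proximity keywords, issuer prefix tables and document-level classification on top of this, but the detect, validate, mask, decide sequence is the same.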
DLP features are also often included in Secure Access Service Edge (SASE) and cloud-native application protection platform (CNAPP) portfolios, detecting sensitive information moving across the network. SASE products can inspect content at the secure edge without backhauling traffic to a centralized data center for inspection, which lets organizations detect sensitive data movement and apply data protection policies closer to the data being accessed, reducing latency.
Endpoint security tools have also been enhanced to detect and prevent misuse of data in use, such as disabling the ability to print or copy sensitive files to thumb drives.
Data protection and backup tools are in a unique position in the IT infrastructure with visibility into most of the organization's sensitive data, enabling organizations to discover suspicious behavior anywhere in the history of data, so that they can investigate and contain potential attacks. DLP features in these products include identifying anomalous behavior and using metadata to determine if files have been added or deleted, if permissions have been tampered with or if other suspicious actions have taken place. Because these backup tools have visibility into the history of data, they can identify and recover the last known-good copy of the data, mitigating the effects of ransomware or inadvertent or malicious data destruction.
Significant investment in protecting data at rest has also been made. In addition to encrypting data to prevent misuse when exfiltrated, new products are being designed to protect the privacy of personal information, especially for big data analytics, where organizations need encryption and tokenization that can operate at speed and scale.
Piecing all these tools together, however, has created a major problem for security teams.
It's time to consolidate DLP platforms
The result is DLP tool sprawl. Many organizations have deployed multiple DLP tools, both as part of a defense-in-depth strategy and to ensure complete coverage and control of the sensitive data scattered throughout the organization. To deliver effective security, however, these tools need to cooperate and work in harmony.
Excessive numbers of redundant DLP tools can lead to the following:
- multiple owners of DLP capabilities;
- unnecessary or overlapping policies;
- holes in data visibility and coverage; and
- a decrease in operational efficiency and security.
It's no surprise then that 48% of respondents to the ESG survey said consolidating DLP tools was a critical priority, and another 36% said consolidation is important.
Forty-three percent of organizations said they expect to improve visibility into data movement through DLP platform convergence, and 39% said they expect improvements in automation and protection techniques without human supervision. These enhancements can help organizations normalize risk scores across the many data silos and tools.
Organizations are also looking for consistent policy definition, management and enforcement across the entire IT environment. With consistency will come the ability to consolidate DLP responsibility into a single team.
Organizations need converged DLP to protect data at rest, data in motion and data in use for the hybrid multi-cloud environment and the anywhere, anytime, any device workforce. Vendors that provide a converged DLP platform with complete data visibility, consistent policies and operational efficiency will enable organizations to reduce risk, realize cost savings and, most importantly, have confidence in the security of their data.