Data in The Cloud – Are you Relying on DLP to watch your back?
Cloud Data Protection
As enterprises move their data assets to the cloud, they are increasingly having to ask the question – “what’s safe to put in the cloud” vs “what’s not”. CIOs and IT managers ask themselves these questions every day and make decisions. Every organization draws this line in a different place – but there is a line; and when there’s a line, there’s the need to enforce it.
Most enforcement seems to take the form of Data Leak Prevention (DLP) policies. In fact, many CASB solutions take such an approach to protect enterprise file data, and will even offer to integrate with existing DLP policies an enterprise may have.
I’d like to test this line of thinking a bit and ask – is DLP the right approach?
DLP security policies, by nature, tend to be exclusionary. So, with such an approach, when a file matches the policy, it is simply disallowed from being transferred to the cloud. DLP security policies are exclusionary, because they were designed to be so. Such solutions assume that if the data is leaving your premises, it is most likely going to an undesirable destination. Sure, you can build in exceptions and whitelists, but at the end of the day DLP is geared to ‘prevent’ data from leaving your network. When your users are increasingly using cloud hosted solutions, is ‘preventing’ data from going to the cloud the stance you want to take as an IT administrator? And an approach that involves continuous management of exceptions and whitelists?
I got thinking about this recently when speaking with the IT staff of a large enterprise customer of ours. A senior employee was attempting to upload a file into a cloud hosted file storage service. An enterprise sanctioned service – so this wasn’t really a Shadow IT situation. This file he was uploading happened to contain the words “IP Address”. Keep in mind, he hadn’t actually placed an actual IP address in the file. He was just using the term in a sentence. The DLP security policy they have in effect, blocked the file and prevented it from being uploaded. The employee spent a good part of the day exchanging testy emails with his IT team. After a frustrating day for both him and his organization’s IT staff, he headed home, opened his gmail account and sent the file out anyway.
Employees need to get their jobs done. And a security policy which stands in the way or prevents them from doing so, is usually ill conceived. Perhaps there could have been a slightly more sophisticated approach some CASBs offer than in the above example. Perhaps policies may be authored to do selective encryption of data for certain portions of the file. While this may sound better than blocking the whole file from being transferred, the protection at the end of the day is only as good as the policy. The reality is that policies are never perfect and administrators keep tightening and loosening them on an ongoing basis in their quest to attain perfection. For example, in the case above, after the recent incident, I wouldn’t be surprised if the organization went ahead and added in “IP Address” into their whitelist. It is also very likely, that a few months down the line, another incident will cause them to tighten the policy and remove it from the list again.
A policy based approach also relies on being able to scan documents and look into their contents before making a yes/no decision. If the document is an unsupported type which the DLP security solution can’t scan, then the administrator is stuck with a choice of having to allow/disallow all such documents. Also, for a geographically spread out organization – and data privacy laws can differ widely by country and location – DLP policies only get increasingly complex.
A Better way
My submission here is:
- DLP is exclusionary in nature – when something doesn’t satisfy the policy, it is simply prevented from going out to the cloud. It disrupts business.
- Policies are never perfect – they’re either too tight (disrupting user workflow) or too loose (putting the organization at risk)
- While administrators struggle with tightening/loosening policies every day – damage continues to occur – either in the form of data leaks or loss of customer goodwill.
Make no mistake – I am not bashing DLP solutions here. I am only taking exception to their use for cloud data protection.
If you’re an IT administrator faced with the problem of protecting your organization’s data in the cloud, I would encourage you to take a look at solutions which provide protection without relying on polices or exclusions. For instance, at Parablu, we happen to believe that an enterprise should feel safe putting *anything* in the cloud. The approach we use relies neither on DLP or the administrator authoring policies. Our philosophy allows any file to go to the cloud, but before we let it, we obfuscate the data completely by using an innovative approach which transforms files and folders completely – even to the point where their names are not recognizable on the cloud storage target. We use encryption in combination with a number of methods to accomplish this.
No disrupted workflows or frustrated users. And you be sure your assets in the cloud are decipherable only by your enterprise and nobody else.
We’d be interested in hearing what you think. Do write back and let us know. Please feel free to comment here or write in to firstname.lastname@example.org.