Data Loss Prevention for Cloud Applications
What is Cloud DLP?
With 47% of enterprises losing data in the cloud at one time or another, it’s clear that the time for Data Loss Prevention (DLP) solutions that can secure SaaS app usage has come.
As organizations move towards storing sensitive data on a SaaS provider’s servers, traditional DLP solutions lose visibility into that usage, so cloud DLP solutions purpose-built for SaaS apps and services are needed.
There are six ways in which traditional DLP solutions fall short of protecting data associated with SaaS file sharing applications:
- Lack of basic visibility: They can only monitor traffic on enterprise controlled assets (e.g., networks/endpoints). However, traffic to and/from a SaaS application might not go over an enterprise network at all.
- Inability to handle encrypted traffic: Traffic to and from SaaS applications is typically encrypted (e.g., transmitted over SSL/TLS). Therefore, even if a traditional DLP solution managed to gain network-level visibility into the traffic, it might not be able to interpret the underlying content.
- Interpreting links versus raw data: Data is never shared directly in SaaS file sharing applications. Instead, what is shared is some type of link (e.g., a URL) to the content. The link itself reveals little to no useful information about the content being shared. What must be done, therefore, is to analyze the content the link points to, which is not something that traditional DLP solutions do.
- Different sharing semantics: In the context of traditional enterprise environments, data loss or leakage had a well-defined meaning — namely the crossing of data across the enterprise perimeter. For SaaS file sharing applications, the definition of leakage or loss is fundamentally different as data resides outside the enterprise network. Moreover, it can be shared with third parties who are also outside the network. Traditional DLP solutions do not understand these sharing semantics, and so cannot assess if data is being “lost” or leaked.
- Different data model: Traditional DLP technologies make different assumptions regarding the data they have to process. For example, they may assume that data is transmitted in a stream and has to be processed as such. When dealing with SaaS-based file sharing applications, the data model generally involves being able to access entire files containing sensitive data. Algorithms that are designed for streaming data might not perform well on file-based data (and vice versa). As a result, it is important to develop algorithms that are designed to take advantage of full-file content.
- Dependence on regular expression and pattern matching: Traditional DLP technologies rely primarily on basic pattern matching and regular expressions for identifying sensitive content, which can lead to incorrect classification. To address this concern, it is important to apply techniques from natural language processing and machine learning. These approaches go beyond simply trying to understand the raw content, and instead focus on being able to understand the underlying context.
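The "sharing semantics" and "links versus raw data" points above can be made concrete with a small policy check. This is an added example, not code from the original page or from any DLP vendor: it assumes a hypothetical share-listing schema (`ShareRecord`), an assumed enterprise identity domain (`example.com`), and that `sensitive` is the verdict of a full-file content classifier run on the file the link points to, since the link itself tells us nothing. Leakage is then judged by who can reach the data, not by whether it crossed a network perimeter.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed records shaped like a SaaS file-sharing API listing (hypothetical
# schema, not any real vendor's API). `sensitive` comes from classifying the
# full file content behind the share link, not from the link string itself.
@dataclass
class ShareRecord:
    file_id: str
    owner: str
    collaborators: List[str]
    link_access: str   # "restricted" (named users), "domain" (whole org), "anyone"
    sensitive: bool

ENTERPRISE_DOMAINS = {"example.com"}  # assumption: the enterprise's own identity domains

def domain_of(address: str) -> str:
    """Identity domain of an account, e.g. 'alice@example.com' -> 'example.com'."""
    return address.rsplit("@", 1)[-1].lower()

def exposure(rec: ShareRecord) -> str:
    """Widest audience that can reach the file: 'internal', 'external' or 'public'."""
    if rec.link_access == "anyone":
        return "public"
    external = [c for c in rec.collaborators if domain_of(c) not in ENTERPRISE_DOMAINS]
    if external or domain_of(rec.owner) not in ENTERPRISE_DOMAINS:
        return "external"
    return "internal"  # restricted to, or domain-wide within, the enterprise

def evaluate(records: List[ShareRecord]) -> List[Tuple[str, str]]:
    """Flag sensitive files whose audience extends beyond the enterprise's own users.
    Note that the data always lives outside the enterprise network; what defines
    leakage here is third-party reachability, not a perimeter crossing."""
    return [(r.file_id, exposure(r))
            for r in records if r.sensitive and exposure(r) != "internal"]

SAMPLE = [  # constructed sample listing
    ShareRecord("f1", "alice@example.com", ["bob@example.com"], "restricted", True),
    ShareRecord("f2", "alice@example.com", ["partner@contoso.test"], "restricted", True),
    ShareRecord("f3", "carol@example.com", [], "anyone", True),
    ShareRecord("f4", "carol@example.com", ["x@contoso.test"], "anyone", False),
]

if __name__ == "__main__":
    for fid, aud in evaluate(SAMPLE):
        print(f"{fid}: sensitive file reachable by {aud} audience")
```

On the constructed sample, only f2 (shared with an external collaborator) and f3 (open link) are flagged; f1 is internal-only and f4 is public but not sensitive.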
It is clear, therefore, that data loss prevention in the context of SaaS applications (Cloud DLP) is starkly different from what you would do for traditional on-premises enterprise applications.
Want to learn more? Download the Cloud DLP whitepaper.