
Data loss prevention’s future is in the cloud


One of the biggest disasters that could befall an organisation is the loss of sensitive data. All it takes is a document shared—intentionally or unintentionally—with the wrong audience, a misconfiguration, or a small network or device vulnerability to put data, and the entire organisation, at risk. As the increased movement of sensitive data from on-premises into the cloud intensifies concerns around data loss, organisations have begun to implement data loss prevention (DLP) strategies.  

However, DLP doesn’t need to be reinvented to meet the challenges of the cloud era. Rather, it needs to follow in the footsteps of other processes and procedures that have undergone digital transformation. The biggest change for DLP involves its location and its inspection of data streams.

Traditionally, appliances in the data centre have protected critical company data as part of a well-known, on-premises strategy. All of a company's internet traffic is routed through a single data centre, where a stack of expensive security appliances filters it. Only once the data streams have been screened for sensitive content is the traffic allowed to continue to its destination.

We need a rethink

Today, the cloud plays a major role within organisations. Not only have applications been moved to it, but comprehensive cloud-ready infrastructures have also been created. With this shift, firms are responding to increasing levels of employee mobility, while also improving their agility and flexibility to maintain competitiveness.

However, greater employee mobility also creates a problem. As employees work remotely from laptops, tablets and mobile phones, every connection made outside the office is another internet breakout point, and traffic that leaves through it never passes the data centre.

Backhauling that traffic to the data centre so that the expensive appliances housed there can inspect it creates a bottleneck for the ever-increasing data streams of the cloud era. A hardware appliance cannot adequately handle the volume of requests arriving from such a large number of internet connections, whether measured by administrative effort or by performance.

Just as data has moved out of the data centre, so must your DLP solution. Relocated to the cloud, a DLP solution sits in the right place to see data and data streams directly, so it can stop confidential information from being lost inadvertently. A cloud-based DLP solution scales up easily thanks to the elasticity of the cloud. It can handle the large number of internet breakout points, and it can protect users who are on the move and processing data on mobile devices.

What companies should bear in mind when choosing a cloud-based DLP solution

Thanks to its scalability, the cloud is the ideal response to the demands of digital transformation. Companies would also do well to bear performance in mind when choosing a solution. Designs that bolt DLP onto an existing proxy through an out-of-band protocol such as the Internet Content Adaptation Protocol (ICAP) hand each request or response to a separate inspection server and wait for its verdict, so the throughput they can achieve is bounded by that extra hop.

What's more, the DLP solution should not be viewed in isolation, but as a building block in a concept where all security modules integrate with each other seamlessly and interact intelligently. Firms with several branches and mobile employees are in a particularly strong position to benefit from a holistic cloud-based platform solution. A highly integrated platform offers state-of-the-art technology, starting with the cloud proxy, moving on to the cloud firewall and beyond to the cloud sandbox, with SSL scanning or DLP in the cloud. A solution of this type can reliably protect every user wherever they may be. The advantage for the IT department is that user authentication, traffic forwarding, and security policies only have to be set up once for this type of highly integrated platform-based solution, and the security functions can be managed from a single console.

When evaluating DLP solutions, companies should consider the following criteria:

1. Identical protection for all users on- or off-network

The level of visibility and protection that an appliance-based solution anchored in the data centre can provide depends on where the users who are transferring data are located. Remote users can easily bypass inspection and thus pose a risk. To provide comprehensive protection, a DLP solution should provide the same level of security to all users with policies that follow users wherever they go.

2. Inspection of SSL-encrypted data traffic

The vast majority of today's network traffic is encrypted with TLS (still widely referred to as SSL). By allowing that traffic to go uninspected, organisations lose visibility into over 70 per cent of their web-bound traffic. Whether users inadvertently share sensitive information or attackers use the encryption to exfiltrate data undetected, the only way to regain visibility into the majority of traffic is to choose a DLP solution that natively inspects TLS. Inspection means the DLP proxy terminates the TLS session and re-signs it with a certificate from an enterprise CA that every managed endpoint trusts; applications that pin certificates or rely on client certificates must be explicitly bypassed, and that bypass list is itself a policy decision to review regularly. So the question security experts need to ask themselves is whether they can afford not to inspect encrypted traffic for sensitive information.

Inspecting encrypted traffic requires a lot of processing power, which only highly scalable solutions can provide. A cloud-based DLP solution can perform this task well. When making their choice, companies should ensure the solution complies with the prevailing EU data protection law (the GDPR), including where decrypted traffic is processed and what, if anything, is retained.

3. Elastic scalability for inline inspection

A DLP solution able to handle the ever-increasing amount of web traffic must inspect all of it inline. Appliances quickly run out of inspection capacity, especially when inspecting encrypted traffic. A cloud-based solution scales to inspect encrypted traffic and supports even compute-intensive inspection techniques, such as Exact Data Match (EDM), which fingerprints the actual records in a protected data set so that only real customer data, and not anything that merely resembles it, triggers a match. This increases the detection accuracy of data loss incidents and reduces false positives regardless of where employees are connecting from. By inspecting and blocking traffic inline, organisations make preventing data loss, rather than remediating a compromise after the fact, their number-one priority and improve their security posture.
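To make the difference between a pattern rule and Exact Data Match concrete, here is an added example of a minimal inline DLP check. It is illustrative code written for this page, not Zscaler's or any product's implementation, and it assumes a hypothetical set-up: a constructed customer table of two records, a hypothetical fingerprinting key that in practice would live in a KMS, and request bodies that have already been decrypted by the proxy. The pattern rule fires on any Luhn-valid 16-digit number; the EDM index holds only keyed hashes of normalised cells, and the decision logic blocks only when several fields of the same real record appear together.

```python
"""Added example: pattern rule vs. Exact Data Match (EDM) for inline DLP.

Not the article's or any vendor's code. The customer table, the key and the
request bodies below are constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed sample "customer table" to protect (test card numbers, fake e-mails).
CUSTOMER_TABLE = [
    ("4111111111111111", "alice@example.com"),
    ("5500000000000004", "bob@example.com"),
]

# Hypothetical secret; keeps the shipped index from being reversed by brute force.
FINGERPRINT_KEY = b"rotate-me-and-keep-me-in-a-kms"


def normalise(value: str) -> str:
    """Canonicalise a cell or token so formatting differences cannot defeat matching."""
    v = value.strip().lower()
    if re.fullmatch(r"[\d\s\-]+", v):          # numeric field: drop spaces and dashes
        v = re.sub(r"[\s\-]", "", v)
    return v


def fingerprint(value: str) -> str:
    """Keyed hash of the normalised value; the index never holds plaintext."""
    return hmac.new(FINGERPRINT_KEY, normalise(value).encode(), hashlib.sha256).hexdigest()


def build_edm_index(table):
    """Map fingerprint -> {(row, column)}. Built offline, shipped to inspection nodes."""
    index = {}
    for row, record in enumerate(table):
        for col, cell in enumerate(record):
            index.setdefault(fingerprint(cell), set()).add((row, col))
    return index


EDM_INDEX = build_edm_index(CUSTOMER_TABLE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def pattern_matches(body: str):
    """Generic rule: any Luhn-valid 16-digit number. Cheap, but fires on every card."""
    return [m.group() for m in CARD_RE.finditer(body)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


# Tokens worth fingerprinting: e-mail addresses, formatted card numbers, then any word.
TOKEN_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|(?:\d[ -]?){15}\d|\S+")


def edm_matches(body: str):
    """EDM: fingerprint every token, look it up, count distinct columns hit per row."""
    hits = {}
    for tok in TOKEN_RE.findall(body):
        for row, col in EDM_INDEX.get(fingerprint(tok), ()):
            hits.setdefault(row, set()).add(col)
    return hits


def decide(body: str, min_columns: int = 2):
    """Inline verdict: block only when several fields of one real record travel together."""
    edm = edm_matches(body)
    if any(len(cols) >= min_columns for cols in edm.values()):
        return "block", "edm: multiple fields of one protected record"
    if edm:
        return "alert", "edm: single field of a protected record"
    if pattern_matches(body):
        return "alert", "pattern only: looks like a card number but is not a known record"
    return "allow", "no match"


if __name__ == "__main__":
    # Constructed request bodies as the proxy would see them after TLS termination.
    for body in [
        "please process card 4111 1111 1111 1111 for alice@example.com",
        "test card 4242 4242 4242 4242",
        "bob@example.com asked about pricing",
        "quarterly numbers look fine",
    ]:
        print(decide(body), "<-", body)
```

The second body is a Luhn-valid number that is not in the protected table: the pattern rule alone would raise it, while EDM stays silent, which is the false-positive reduction the text refers to. The cost is that every token in every request is hashed and looked up, which is why the article calls EDM compute-intensive.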

Cloud-based DLP solutions are becoming more important given the demands of digital transformation. Cloud-based DLP offers very high performance and can supply the processing power that today's digital activities, such as TLS inspection, require. It is no longer appropriate to protect only the company perimeter whilst ignoring the mobile devices on which the modern world of work relies. In fact, with the proliferation of branch offices and mobile devices, there is no longer a single company perimeter to protect.

Mathias Widler, Regional Vice President & General Manager, Central EMEA, Zscaler

Mathias Widler, managing director of Zscaler Germany, has been at Zscaler for more than six years. Prior to Zscaler, Mathias worked with A10 Networks, Blue Coat Systems, and Kaspersky Labs.