July 27, 2021
Protecting Data with SASE and DLP: 5 Keys to Success

Strengthen your cyber defenses with a data-centric approach to cloud security

In today’s hybrid work reality, security teams are fighting a daily battle against data loss. Threat actors are doubling down on attacks targeting remote workers as increases in SaaS applications and traffic going to public cloud services make it harder to identify users and devices, apply policy-based security, and ensure secure access to applications and data.


So, what can you do to protect your organization when users and data are everywhere?

Identify sensitive data across any connection, regardless of where the user or device is, what they are accessing, or where that resource is located. Data Loss Prevention (DLP) is an integral part of this effort, enabling a data-centric approach to security designed to protect sensitive data across networks, clouds and users.

What Is DLP and Why Is It Important?

DLP technology identifies, monitors and protects data in use, data in motion, and data at rest. Through deep content inspection and contextual analysis of transactions, DLP solutions act as enforcers of data security policies, preventing the unauthorized use and transmission of sensitive information. DLP helps protect against mistakes that lead to data leaks and intentional misuse by insiders, as well as external attacks on your information infrastructure.

DLP helps you classify the data that matters most to your business and ensure that your security policies meet regulatory and contractual requirements such as GDPR, PCI DSS, HIPAA and SOX. Well-designed DLP simplifies and streamlines reporting, so you can meet compliance and auditing requirements.

Legacy Solutions Fall Short

Traditional DLP solutions can be costly, require a lot of customization, and have difficulty enforcing data protection policies in the cloud. Additionally, embedded solutions from cloud service providers (CSPs) protect just one channel or repository at a time, prompting investment in multiple products to ensure adequate security.

Next-generation cloud DLP offers a simpler, more comprehensive solution for safeguarding sensitive data on-premises and in the cloud. Cloud DLP reduces implementation complexity, unifies data policies and provides greater visibility to data once it is out of the corporate network, making it a better fit for distributed work environments.

The SASE Approach to DLP

Secure Access Service Edge (SASE) brings together networking and security, delivering both as a single cloud service at the edge closest to the source of the connection. SASE architecture improves network performance and enforces security policy for users who access corporate data and applications, no matter where those users are located. Software-defined wide area networking (SD-WAN) is combined with security services such as cloud DLP, secure web gateway (SWG), cloud access security broker (CASB), next-generation firewall (NGFW), zero trust network access (ZTNA) and more.

Broadcom SASE Framework
Image source: Broadcom

When you implement SASE, DLP becomes one part of a comprehensive cloud-delivered solution focused on your data, wherever it lives or moves. Because DLP is integrated with the complementary services of the SASE framework, it is embedded in the control points you already route traffic through, and you do not need to deploy, manage or maintain a separate product for it. Content can be inspected at the secure access service edge without backhauling traffic bound for SaaS, IaaS or the Internet to a centralized data center. Your security team can therefore detect sensitive data movement and consistently apply data protection policies close to the resources being accessed, without adding unnecessary latency. It also allows them to remediate exposed data quickly at the point of creation or use, through inline controls for traffic passing the edge and API-based controls for data already at rest in sanctioned cloud applications.
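As an added example (not code from the original article, nor from Broadcom or Symantec), the following Python sketches the two ideas described above in "What Is DLP" and in this section: deep content inspection that validates a card-number pattern with the Luhn check so that arbitrary 16-digit strings do not trip the policy, and a contextual decision that weighs the user's group and the destination, as an edge-resident policy engine would before letting a transaction through. The categories, groups, hostnames and sample transactions are constructed for illustration.

```python
"""Minimal DLP content inspector with contextual policy (illustrative only)."""
import re
from dataclasses import dataclass

# Candidate payment card: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2
            d = d - 9 if d > 9 else d
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    category: str   # data class the content matched, e.g. "PCI" or "PII"
    redacted: str   # masked value safe to write to an incident log


def inspect(text: str) -> list[Finding]:
    """Content inspection: pattern match plus validation, returning masked findings."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PCI", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("PII", "***-**-" + m.group()[-4:]))
    return findings


@dataclass(frozen=True)
class Context:
    user_group: str   # identity attribute supplied by the IdP (assumed)
    destination: str  # hostname the transaction is bound for
    channel: str      # "upload", "email", "paste", ...


# Constructed policy: which groups may send each category, and to which sanctioned destinations.
POLICY = {
    "PCI": ({"finance"}, {"payments.example-erp.com"}),
    "PII": ({"hr"}, {"hr.example-saas.com"}),
}


def decide(findings: list[Finding], ctx: Context) -> str:
    """Contextual policy: allow clean traffic, log sanctioned handling, block the rest."""
    if not findings:
        return "allow"
    for f in findings:
        groups, destinations = POLICY[f.category]
        if ctx.user_group not in groups or ctx.destination not in destinations:
            return "block"
    return "allow_and_log"


if __name__ == "__main__":
    # Constructed sample transactions as an edge policy engine would see them.
    samples = [
        ("Card 4111 1111 1111 1111 exp 12/26", Context("finance", "payments.example-erp.com", "upload")),
        ("Card 4111 1111 1111 1111 exp 12/26", Context("engineering", "pastebin.example.net", "paste")),
        ("Order 4111111111111112 shipped", Context("engineering", "pastebin.example.net", "paste")),
        ("Employee SSN 123-45-6789", Context("hr", "hr.example-saas.com", "upload")),
        ("Employee SSN 123-45-6789", Context("engineering", "mail.example-webmail.com", "email")),
    ]
    for text, ctx in samples:
        found = inspect(text)
        print(f"{decide(found, ctx):14} {ctx.user_group:12} -> {ctx.destination:26} {[f.redacted for f in found]}")
```

The Luhn step is the part most often skipped in home-grown detectors and the main reason naive regex DLP drowns analysts in false positives on order numbers and timestamps. Note that the policy is keyed on an identity attribute rather than on a source IP, which is what makes the same rule hold for a user at home, in the office or on a mobile network.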

Getting There

Successfully addressing data loss with SASE requires careful planning, including the development of clear and achievable goals and the establishment of expectations among executives and business unit leaders. While there are numerous considerations, it is important not to overlook the following best practices:

  1. Conduct a data risk assessment:
    You can’t protect what you don’t know you have. A vendor-independent data risk assessment can help you identify, locate and classify sensitive data, and map how that data flows into and out of the organization. It also clarifies your regulatory and contractual privacy and confidentiality requirements.
  2. Find a trustworthy SASE provider:
    As a cybersecurity professional, you have good reason to feel apprehensive about SASE: the entire fabric of your network will live in the cloud as part of a service. What happens if that service goes down, even for a second? The provider's availability becomes part of your own, so you need a high level of trust that it will always be there, and you should understand up front whether the endpoint agent fails open or fails closed when the service is unreachable. Choose providers carefully and avoid offerings that are stitched together from loosely coupled products. Consider how well DLP is integrated with the other core technologies needed to enable SASE, including CASB, ZTNA and SWG. Conduct a proof of concept (PoC) to identify solutions that address current use cases and requirements as well as future needs.

    You may want to ask the vendors you’re evaluating the following questions:

    • What is your approach to SASE, and what’s on your roadmap?
    • Does your solution integrate with my existing tools?
    • What will you do to help make our implementation successful?
    • Do you have testimonials, case studies or examples from companies in my industry where you have helped them achieve SASE success?
  3. Put a transition team in place:
    There is a learning curve with SASE, similar to shifting your P&L from CAPEX toward OPEX. It is simply a different way of doing things. Your IT staff will need to learn that DLP and other services are no longer delivered the same way, and the disciplines and levels of security may change as a result. Your policies may need to shift, and people may lose access to something they once could reach. It is therefore helpful to have a trained team in place, ready to field questions and concerns during the transition period.
  4. Do your prep work:
    As with anything else, SASE is 80% preparation and 20% execution. It is important to plan for SASE in a secure way. Engage all relevant business stakeholders for insight into everything that needs to be protected. In addition to conducting a data risk assessment, you will need to address the following:

    • Implement user-based (identity-centric) access models
    • Adopt a least privilege model (zero trust)
    • Develop a disaster recovery plan
    • Test your plan
  5. Once it’s built, test it again:
    After you have turned on the SASE switch, conduct ongoing vulnerability assessments and penetration tests to evaluate your virtual network and confirm that everything is configured as intended. Penetration testing emulates the paths a malicious adversary would pursue. Look for a third-party advisor with a non-intrusive, “any means possible” (AMP) approach that focuses on the assets most critical to your operations and viability.

Forward-Thinking Data Security

Cybercriminals are ramping up attacks in pursuit of payouts, and disconnected point solutions can’t keep up. The number of data records exposed in 2020 skyrocketed to 37 billion, a 141% increase compared to 2019 [4]. Integrating key technologies such as DLP in an efficient, as-a-service model reduces operational complexity and provides a solid foundation for cyber defense as your business continues to evolve. Adopting a SASE framework can help you address data loss now and in the future by identifying sensitive data across any connection and applying security where and when you need it.


References

  1. Verizon 2021 Data Breach Investigations Report
  2. IDG Research Cybersecurity at a Crossroads: The Insight 2021 Report
  3. Egress 2021 Data Loss Prevention Report
  4. RiskBased Security 2020 Year End Data Breach Report
Content Sponsored by
Broadcom Inc. is a global infrastructure technology leader built on 50 years of innovation, collaboration and engineering excellence. With roots based in the rich technical heritage of AT&T/Bell Labs, Lucent and Hewlett-Packard/Agilent, Broadcom focuses on technologies that connect our world. Through the combination of industry leaders Broadcom, LSI, Broadcom Corporation, Brocade, CA Technologies and Symantec, the company has the size, scope and engineering talent to lead the industry into the future.
About the Author
Dan Gregory
VP | Systems Engineering
Dan has more than 15 years of field experience in performing regulatory compliance controls assessments and policy review. Dan has extensive experience in development and internal process audits with a focus on the financial, healthcare, manufacturing, and retail industries. Dan has performed countless controls assessments and efficiently deploys solution-based integrations designed to protect critical infrastructure, data, brand confidence, and reputation.