This research describes an approach to strategize and implement DLP solutions for cloud services.
Use this tool to identify and prioritize your data, then use that information to make decisions on DLP strategies based on classification and data environment.
Driven by reduced operational costs and improved agility, the migration to cloud services continues to grow at a steady rate. A recent report by Palo Alto Networks indicates that workload in the cloud increased by 13% last year, and companies expect to move an additional 11% of their workload to the cloud in the next 24 months (Palo Alto Networks, "The State of Cloud Native Security 2023").
However, moving to the cloud poses unique challenges for cyber security practitioners. Cloud services do not give the customer the same degree of management and control over resources as traditional IT approaches. The result can be reduced visibility of data in cloud services and a reduced ability to apply controls to that data, particularly data loss prevention (DLP) controls.
It’s not unusual for organizations to approach DLP as a point solution. Many DLP solutions are marketed as such. The truth is, DLP is a complex program that uses many different parts of an organization’s security program and architecture. To successfully implement DLP for data in the cloud, an organization should leverage existing security controls and integrate DLP tools, whether newly acquired or available in cloud services, with its existing security program.
Bob Wilson
CISSP
Research Director, Security and Privacy
Info-Tech Research Group
Your Challenge
Organizations must prevent the misuse and leakage of data, especially sensitive data, regardless of where it is stored. Organizations often have compliance obligations requiring protection of sensitive data. All stages of the data lifecycle exist in the cloud, and all stages provide opportunity for data loss. Organizations must find ways to mitigate insider threats without impacting legitimate business access.
Common Obstacles
Many organizations must handle a plethora of data in multiple varied environments. Organizations don't know enough about the data they use or where it is located. Different systems offer differing visibility. Necessary privileges and access can be abused.
Info-Tech's Approach
The path to data loss prevention is complex and should be taken in small and manageable steps. First, organizations must achieve data comprehension. Organizations must align DLP with their current security program and architecture. Organizations need to implement DLP with a distinct goal in mind. Once the components are in place, it is important to measure and improve.
Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate, tools within your existing security program.
Data loss prevention doesn’t depend on a single tool. Many of the leading cloud service providers offer DLP controls with their services and these controls should be considered.
53% of respondents think it is more difficult to detect insider threats in the cloud. Source: "2023 Insider Threat Report," Cybersecurity Insiders, 2023
45%: only about 45% of organizations think native cloud app functionality is useful in detecting insider threats. Source: "2023 Insider Threat Report," Cybersecurity Insiders, 2023
An insider threat management (ITM) program focuses on the user. DLP programs focus on the data.
DLP is not just a single tool. It’s an additional layer of security that depends on different components of your security program, and it requires time and effort to mature.
Organizations should leverage existing security architecture with the DLP controls available in the cloud services they use.
Start with the data that matters most to your organization.
Having a clearly defined objective will make implementing a DLP program much easier.
Data loss prevention is not foundational, and it depends on many other parts of a mature information security program.
Start your DLP implementation with a quick win in mind and build on small successes.
Your organization must be prepared to investigate alerts and respond to incidents.
Data loss prevention is not a point solution.
Leverage existing security tools where possible.
DLP is a set of technologies and processes that provides additional data protection by identifying, monitoring, and preventing data from being illicitly used or transmitted.
DLP depends on many components of a mature security program, including but not limited to:
DLP is achieved through some or all of the following tactics:
DLP is not foundational. Your information security program needs to be moderately mature to support a DLP strategy.
DLP uses a handful of techniques to achieve its tactics:
DLP has two primary approaches for applying techniques:
Some DLP tools use both approaches.
Different DLP products will support different methods. It is important to keep these in mind when choosing a DLP solution.
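The page describes DLP as identifying, monitoring, and preventing illicit use or transmission of data, but does not show what a technical DLP rule looks like. The following is an added illustration written for this page, not Info-Tech's tooling or any vendor's product. It shows the most common DLP technique, content inspection of text (whether in use, in motion, or at rest), and the point that matters most for a working program: a loose pattern alone over-matches, so a validator such as the Luhn checksum is needed before a hit becomes an event. The patterns, the sample messages, and the channel-to-action mapping are constructed for the example and stand in for the data handling standard an organization would define itself.

```python
"""Content-inspection rules of the kind a DLP engine applies to text.
Added example for this page; patterns, channels and sample data are constructed."""
import re
from dataclasses import dataclass

# Candidate patterns (constructed). A bare regex is deliberately loose so that
# the validators below do the work of rejecting look-alikes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_CANDIDATE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1), used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return payment card numbers that pass the Luhn check (separators stripped)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return [m.group() for m in SSN_CANDIDATE.finditer(text)]


# Rule name, detector, classification label from the page's scheme.
RULES = [
    ("Payment card data", find_pans, "Confidential"),
    ("US SSN", find_ssns, "Confidential"),
]

# Assumed data handling standard: (label, channel) -> enforcement action.
ACTIONS = {
    ("Confidential", "external_email"): "block",
    ("Confidential", "internal_share"): "alert",
    ("Confidential", "at_rest_bucket"): "alert",
}
DEFAULT_ACTION = "allow"


@dataclass
class Finding:
    rule: str
    label: str
    channel: str
    action: str
    matches: list[str]


def inspect(text: str, channel: str) -> list[Finding]:
    """Apply every rule to one piece of content seen on a given channel."""
    findings = []
    for name, detector, label in RULES:
        matches = detector(text)
        if matches:
            action = ACTIONS.get((label, channel), DEFAULT_ACTION)
            findings.append(Finding(name, label, channel, action, matches))
    return findings


def inspect_events(events: list[tuple[str, str]]) -> tuple[list[Finding], int]:
    """Run the rules over (channel, text) pairs. Also count PAN look-alikes the
    Luhn check rejected: these are the false positives a regex-only rule raises."""
    findings, rejected = [], 0
    for channel, text in events:
        findings.extend(inspect(text, channel))
        for m in PAN_CANDIDATE.finditer(text):
            if not luhn_valid(re.sub(r"[ -]", "", m.group())):
                rejected += 1
    return findings, rejected


# Constructed sample content; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_EVENTS = [
    ("external_email", "Card 4111 1111 1111 1111 exp 12/26 for the refund"),
    ("external_email", "Ticket ref 1234 5678 9012 3456 please review"),
    ("internal_share", "Employee SSN 123-45-6789 is on the attached HR form"),
    ("at_rest_bucket", "Quarterly sales report, no regulated data"),
]

if __name__ == "__main__":
    results, suppressed = inspect_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.action.upper():5} {f.channel:15} {f.rule}: {f.matches}")
    print(f"PAN look-alikes suppressed by Luhn check: {suppressed}")
```

The second sample message is the case the tuning section warns about: a 16-digit ticket reference that a regex-only rule would flag, generating an alert an analyst has to close and a user has to argue about. The checksum rejects it before it becomes an event. Real products layer further validators on top (issuer prefixes, keyword proximity, document fingerprints), and the action table is where the data handling standard and the classification labels from this blueprint become enforceable policy.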
Who? Who owns the data? Who needs access? Who would be impacted if it were lost?
What? What data do you have? What type of data is it? In what format does it exist?
When? When is the data generated? When is it used? When is it destroyed?
Where? Where is the data stored? Where is it generated? Where is it used?
Why? Why is the data needed?
Use what you discover about your data to create a data inventory!
Compliance requirements often dictate what must be done to manage and protect data and vary from industry to industry.
Some examples of compliance requirements to consider:
Why is especially important. If you don’t need a specific piece of data, dispose of it to reduce risk and administrative overhead related to maintaining or protecting data.
Data classification is a process by which data is categorized.
Refer to our Discover and Classify Your Data blueprint for guidance on data classification.
Label | Description and examples
Top Secret | Data that is mission critical and highly likely to negatively impact the organization if breached. The "crown jewels." Examples: trade secrets, military secrets
Confidential | Data that must not be disclosed, either because of a contractual or regulatory requirement or because of its value to the organization. Examples: payment card data, private health information, personally identifiable information, passwords
Internal | Data that is intended for organizational use and should be kept private. Examples: internal memos, sales reports
Limited | Data that isn't generally intended for public consumption but may be made public. Examples: employee handbooks, internal policies
Public | Data that is meant for public consumption and anonymous access. Examples: press releases, job listings, marketing material
Data classification should be implemented as a continuous program, not a one-time project.
Data exists in three states, and each state presents different opportunities for risk. Different DLP methodologies will be appropriate for different states.
Data states
In use: data being processed or viewed on an endpoint or within an application
In motion: data crossing a network, for example in email, file uploads, or API calls
At rest: data stored on disk, in a database, or in cloud storage
The most common causes of data loss can be categorized by people, processes, and technology.
Check out our Combine Security Risk Management Components Into One Program blueprint for guidance on risk management, including how to do a full risk assessment.
Prioritizing the data that most needs protection will help define your DLP goals.
The prioritization of your data should be a business decision based on your comprehension of the data. Drivers for prioritizing data can include:
It’s not feasible for most organizations to apply DLP to all their data. Start with the most important data.
Input: Lists of data, data types, and data environments
Output: A list of data types with an estimated priority
Materials: Data Loss Prevention Strategy Planner worksheet
Participants: Security leader, Data owners
For this activity, you will use the Data Loss Prevention Strategy Planner workbook to prioritize your data.
In the Data Loss Prevention Strategy Planner tool, start with tab “2. Setup.”
Next, move to tab “3. Data Prioritization.”
DLP objectives should achieve one or more of the following:
Example objectives:
Most common DLP use cases:
Having a clear idea of your objectives will make implementing a DLP program easier.
1. Data handling standards or guidelines: These specify how your organization will handle data, usually based on its classification. Your data handling standards will inform the development of DLP rules, and your employees will have a clear idea of data handling expectations.
2. Identity and access management (IAM): IAM will control the access users have to various resources and data and is integral to DLP processes.
3. Incident response policy or plan: Be sure to consider your existing incident handling processes when implementing DLP. Modifying your incident response processes to accommodate alerts from DLP tools will help you efficiently process and respond to incidents.
4. Existing security tools: Firewalls, email gateways, security information and event management (SIEM), and other controls should be considered or leveraged when implementing a DLP solution.
5. Acceptable use policy: An organization must set expectations for acceptable/unacceptable use of data and IT resources.
6. User education and awareness: Aside from baseline security awareness training, organizations should educate users about policies and communicate the risks of data leakage to reduce risk caused by user error.
Consider DLP as a secondary layer of protection; a safety net. Your existing security program should do most of the work to prevent data misuse.
A fundamental challenge with implementing DLP for cloud services is the reduced flexibility that comes with managing less of the technology stack. Each cloud service model offers a different level of abstraction and control to the customer.
Infrastructure as a service (IaaS): This service model provides customers with virtualized technology resources, such as servers and networking infrastructure. IaaS gives customers control over their virtualized infrastructure without needing to purchase and maintain hardware or server space. Popular examples include Amazon Web Services, Google Compute Engine, and Microsoft Azure.
Platform as a service (PaaS): This service model provides customers with an environment to develop and manage their own applications without managing the underlying infrastructure. Popular examples include Google App Engine, OpenShift, and SAP Cloud Platform.
Software as a service (SaaS): This service model provides customers with access to software that is hosted and maintained by the cloud provider. SaaS offers the least flexibility and control over the environment. Popular examples include Salesforce, Microsoft 365, and Google Workspace.
Cloud service providers may include DLP controls and functionality for their environments with the subscription. These tools are usually well suited for DLP functions on that platform.
DLP products often fall into general categories defined by where those tools provide protection. Some tools fit into more than one category.
Cloud DLP refers to DLP products that are designed to protect data in cloud environments.
Endpoint DLP: This DLP solution runs on an endpoint computing device and is suited to detecting and controlling data at rest on a computer as well as data being uploaded or downloaded. Endpoint DLP would be feasible for IaaS.
Network DLP: Network DLP, deployed on-premises or as a cloud service, enforces policies on network flows between local infrastructure and the internet.
DLP solution types better suited for SaaS: cloud access security broker (CASB) and integrated tools
DLP solution types better suited for PaaS: CASB, integrated tools, and network DLP
DLP solution types better suited for IaaS: CASB, integrated tools, network DLP, and endpoint DLP
Check the tab labeled “6. DLP Features Reference” for a list of common DLP features.
Input: Knowledge of data states for data types
Output: A set of technical DLP policy rules for each data type by environment
Materials: The same Data Loss Prevention Strategy Planner worksheet from the earlier activity
Participants: Security leader, Data owners
Continue with the same workbook used in the previous activity.
Use tab “4. DLP Methods” to plan DLP rules and technical policies.
See tab “5. Results” for a summary of your DLP policies.
After a DLP program is implemented, alerts will need to be investigated and incidents will need a response. Be prepared for DLP to be a work multiplier!
DLP attempts to tackle the challenge of promptly detecting and responding to an incident.
To measure the effectiveness of your DLP program, compare the number of events, the number of confirmed incidents, and the mean time to respond to incidents from before and after DLP implementation.
A high number of false positives and rule exceptions may indicate that the rules are not working well and are interfering with legitimate use.
It’s important to address these issues as the frustration felt by employees can undermine the DLP program.
Establish a process for routinely using metrics to tune rules.
This will improve performance and reduce friction.
Aside from performance-based tuning, it’s important to evaluate your DLP program periodically and after major system or business changes to maintain an awareness of your data environment.
Discover and Classify Your Data
Understand where your data lives and who has access to it. This blueprint will help you develop an appropriate data classification system by conducting interviews with data owners and by incorporating vendor solutions to make the process more manageable and end-user friendly.
Identify the Components of Your Cloud Security Architecture
This blueprint and associated tools are scalable for all types of organizations within various industry sectors. It allows them to know what types of risk they are facing and what security services are strongly recommended to mitigate those risks.
Data Loss Prevention on SoftwareReviews
Quickly evaluate top vendors in the category using our comprehensive market report. Compare product features, vendor strengths, user satisfaction, and more. Don't settle for just any vendor; find the one you can trust. Use the Emotional Footprint report to see which vendors treat their customers right.
Andrew Amaro
CSO and Founder
Klavan Physical and Cyber Security Services
Arshad Momin
Cyber Security Architect
Unicom Engineering, Inc.
James Bishop
Information Security Officer
StructureFlow
Michael Mitchell
Information Security and Privacy Compliance Manager
Unicom Engineering, Inc.
One Anonymous Contributor
Alhindi, Hanan, Issa Traore, and Isaac Woungang. "Preventing Data Loss by Harnessing Semantic Similarity and Relevance." Journal of Internet Services and Information Security, 31 May 2021. Accessed 2 March 2023. https://jisis.org/wp-content/uploads/2022/11/jisis-2021-vol11-no2-05.pdf
Cash, Lauryn. "Why Modern DLP is More Important Than Ever." Armorblox, 10 June 2022. Accessed 10 February 2023. https://www.armorblox.com/blog/modern-dlp-use-cases/
Chavali, Sai. "The Top 4 Use Cases for a Modern Approach to DLP." Proofpoint, 17 June 2021. Accessed 7 February 2023. https://www.proofpoint.com/us/blog/information-protection/top-4-use-cases-modern-approach-dlp
Crowdstrike. "What is Data Loss Prevention?" Crowdstrike, 27 Sept. 2022. Accessed 6 Feb. 2023. https://www.crowdstrike.com/cybersecurity-101/data-loss-prevention-dlp/
De Groot, Juliana. "What is Data Loss Prevention (DLP)? Definition, Types, and Tips." Digital Guardian, 8 February 2023. Accessed 9 Feb. 2023. https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention
Denise. "Learn More About DLP Key Use Cases." CISO Platform, 28 Nov. 2019. Accessed 10 February 2023. https://www.cisoplatform.com/profiles/blogs/learn-more-about-dlp-key-use-cases
Google. "Cloud Data Loss Prevention." Google Cloud, n.d. Accessed 7 Feb. 2023. https://cloud.google.com/dlp#section-6
Gurucul. "2023 Insider Threat Report." Cybersecurity Insiders, 13 Jan. 2023. Accessed 23 Feb. 2023. https://gurucul.com/2023-insider-threat-report
IBM Security. "Cost of a Data Breach 2022." IBM Security, 1 Aug. 2022. Accessed 13 Feb. 2023. https://www.ibm.com/downloads/cas/3R8N1DZJ
Mell, Peter, and Tim Grance. "The NIST Definition of Cloud Computing." NIST SP 800-145, NIST, Sept. 2011. Accessed 7 Feb. 2023. https://csrc.nist.gov/publications/detail/sp/800-145/final
Microsoft. "Plan for Data Loss Prevention (DLP)." Microsoft Learn, 6 Feb. 2023. Accessed 14 Feb. 2023. https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp
Nanchengwa, Christopher. "The Four Questions for Successful DLP Implementation." ISACA Journal, 1 Jan. 2019. Accessed 6 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/the-four-questions-for-successful-dlp-implementation
Palo Alto Networks. "The State of Cloud Native Security 2023." Palo Alto Networks, 2 March 2023. Accessed 23 March 2023. https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/state-of-cloud-native-security-2023.pdf
Pritha. "Top Six Metrics for your Data Loss Prevention Program." CISO Platform, 27 Nov. 2019. Accessed 10 Feb. 2023. https://www.cisoplatform.com/profiles/blogs/top-6-metrics-for-your-data-loss-prevention-program
Raghavarapu, Mounika. "Understand DLP Key Use Cases." Cymune, 12 June 2021. Accessed 7 Feb. 2023. https://www.cymune.com/blog-details/DLP-key-use-cases
Sheela, G. P., and N. Kumar. "Data Leakage Prevention System: A Systematic Report." International Journal of Recent Technology and Engineering, 30 Nov. 2019. Accessed 2 March 2023. https://www.ijrte.org/wp-content/uploads/papers/v8i4/D6904118419.pdf
Sujir, Shiv. "What is Data Loss Prevention? Complete Guide [2022]." Pathlock, 15 Sep. 2022. Accessed 7 February 2023. https://pathlock.com/learn/what-is-data-loss-prevention-complete-guide-2022/
Wlosinski, Larry G. "Data Loss Prevention - Next Steps." ISACA Journal, 16 Feb. 2018. Accessed 21 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/data-loss-preventionnext-steps