DLP Approach for The Cloud is Broken: Here's Why and How to Solve It

This blog was originally published by Polar Security here.

Written by Nimrod Iny, Polar Security.

Data Loss Prevention (DLP) is one of the long-standing and more traditional approaches to securing enterprise data. It can be either network or endpoint-based, each having their own unique benefits and challenges. DLP technologies have traditionally been prone to false positives, and as such, some of their best use-cases are for controlling very predictable and structured content in very specific situations.

In this post, we’ll put cloud DLP to the test of time and see whether it performs as expected in the modern cloud microservices days, where data is becoming more complex and challenging to protect.

Main Components of a Typical DLP Solution

• Sensitive Data Identification - in a DLP system, data can be defined as sensitive by manually applying rules and metadata.
• Securing Data-in-Motion - installed at the network edge analyzing traffic
• Securing data-at-Rest - applying access control, encryption and data retention policies
• Securing Endpoints - agents monitoring outbound data information transfer

Why DLP Solutions Fail In the Cloud?

While DLP provides value in certain cases, it does not solve the fundamental problem cloud organizations are facing – how to keep data secure in the real world, where data is being created at light speed and moves between accounts, data stores and even countries.

In addition, once data leaves the point of control, whether at the endpoint or the network, a cloud DLP solution no longer has control over that content.

In this section, we’ll review the top challenges DLP solutions are facing in modern cloud environments and how Data Security Posture Management (DSPM) solutions tackle them in comparison.

1. The Challenge: Knowing where data is stored

‍A DLP system will do your company no good if you don’t know where your data is stored. You’ll need to create an inventory of both classified and unclassified data, then list who has access to the classified data. This process is definitely not scalable and requires too many resources and manpower to implement.

The DSPM Approach: ‍

while some cloud data loss prevention solutions offer scanning and detection of sensitive data inside the corporate network, due to specific workflows and data types in each company, it is recommended to have an automated data store inventory in place which will not only allow your company to scale, but will also provide a much more accurate view into the company’s data assets.

2. The Challenge: Deploying a DLP solution is too cumbersome

‍In order for a DLP solution to fulfill its maximum potential, the system needs to learn what data is worth monitoring. This means, your IT department has a lot of work trying to classify the data and create a comprehensive overview of the data flows in your cloud environment.

The DSPM Approach:‍

in contrast to the manual and unscalable process cloud DLP requires to maximize its potential, a DSPM solution will automatically and continuously review and classify all company’s data stores to identify sensitive data and will track all potential and actual data flows to prevent sensitive data leakage and compliance violations.

3. The Challenge: Distinguish between different types of access

‍Users inside your cloud environment are assigned various access privileges. Your data and security teams will need to audit all privilege levels to make sure that a DLP solution is able to distinguish between a regular user and a privileged one.

‍The DSPM Approach:

‍once again, in this case, a DSPM solution will do the heavy lifting for you automatically. These solutions are capable of creating a live map of your company data flows while identifying any access-related data vulnerabilities, making it easier than ever to distinguish between rightfully privileged users and regular ones.

4. The Challenge: High ratio of false positives

‍The most frustrating aspect of working with cloud data loss prevention (DLP) is its lack of flexibility and the fact that false positives can be high. This happens because the software is rigid by design. DLP’s biggest strength is therefore also its key weakness.

The DSPM Approach:

‍a DSPM solution, on the other hand, takes a different approach.

Instead of relying on predefined rules and lexicons, DSPM solutions focus on the data itself

They provide security and compliance teams with the ability to see and manage all their data assets in real time, understand what information is critical and who can access it, and identify specific data-related vulnerabilities - regardless of the content residing within these data stores. This process eliminates the reliance on predefined rules and allows companies to operate freely and in scalable fashion.

Is DSPM The Only Way To Govern Cloud Data?

DSPM, as an approach, is a set of security measures that enable companies to gain extra visibility into their data. While DLP has been around for quite some time now, DSPM is only gaining its traction in the cloud-data market now, and rightfully so.

Data Security Posture Management (DSPM) automates data identification, classification and movement tracking in public cloud workloads, enabling companies to protect their data while maintaining compliance best-practices. Unlike DLP - DSPM is a data-centric solution which creates a common language for all the different data containerization technologies (databases, storage, warehouses, data pipelines, orchestration etc.), allowing data security mitigation and detection of compliance risks.

Typically, a DSPM solution would operate with the following process in place:

1. Discover: automatically detect all cloud native data stores to maintain continuous visibility across cloud accounts, regions, VPCs and subnets, and their shadow data, constantly created by R&D, often without documentation.
2. Custodianship: Identify data store’s custodian (application, service user)
3. Classify: automate data labeling, eliminating the manual effort to continuously highlight your most valuable and sensitive data (GDPR, CCPA, PCI, PIIs, HIPPA, etc.) to focus security resources where you need them most.
4. Follow: Polar maps your data flows to see potential and actual movement and access, enabling timely prevention of sensitive data leakage and regulatory exposure - data compliance.
5. Protect: automated enforcement of pre-emptive sensitive data security and compliance controls; Actionable recommendations to restore data security and mitigate data vulnerability and compliance violations before costly escalation.

In conclusion, while DLP solutions used to rule the legacy data security realm, they are no longer in the forefront as they fall short in some key criterias. The lack of automation, continuous adaptation, flexibility and scalability - all make these solutions simply irrelevant in the days of cloud computing. DSPM solutions, on the other hand, provide companies with a much needed agility, flexibility and automation, allowing them to manage and secure their data as fast as their developers create it.