Companies using cloud applications need new types of data loss prevention methods to secure sensitive information
Companies and organizations have been using a variety of data loss prevention methods over the decades to protect important and sensitive information from being lost or stolen. These methods took on an entirely new life when the use of computers, and soon thereafter, the internet became mainstream. Now, the migration to cloud computing is creating a new need to reinvent how to prevent data loss.
What is data loss prevention? Broadly speaking, it’s simply a strategy for ensuring the sensitive and protected information does not leave the company network. But today, when people talk about data loss prevention (or DLP) they’re often talking about the tools, software, and/or services used to enable it. But, the data loss prevention methods you deploy must include both human elements, such as training and reinforcement, as well as the processes and tools used.
The specific methods you use depend on your specific IT infrastructure. Companies that are using cloud applications, such as G Suite and Office 365 for example, really do need a CASB to enable best DLP practices in the cloud. Here, we’ll take a look at the top six data loss prevention methods you need to include in your DLP strategy for secure cloud computing.
1. Backup Your Data!
Automating your data backups is the first, and perhaps most effective, data loss prevention method you should employ. Because there are many ways that data can be lost—from accidental to malicious—automatic backups are about the closest thing you can get to a foolproof data loss prevention method.
Cloud computing has made data backups very easy. If your company is a G Suite or Office 365 customer, you should already have the ability to set up automatic data backups to Google Drive or OneDrive. There are also many 3rd party data backup solutions available on the market for those companies that either don’t already have a solution, or are extra vigilant in their data loss prevention backups and would like to use an additional resource.
2. Set Up Data Loss Prevention Policies
Setting up data loss prevention policies usually starts with classifying the different types of data you have and determining what level of protection each needs. For example, you may separate your data into two or three categories ranging from “open source” to “critical”.
Next, you will want to create policies around how information in each classification can be accessed and shared. For example, “critical” data may be that which only upper management in HR and financing can access. On the other hand “open source” contains files and information that, say, marketing and sales are creating to share outside of the organization.
Once you’ve classified your data types and set up policies around who can access them, and how they can be shared, you’ll want to monitor and audit each policy’s effectiveness. The rule of thumb when it comes to policy-driven data loss prevention methods is to start with very strict restrictions on access (particularly for those skewing toward the “critical” side of the spectrum), then open access slowly to those employees who really need access to them.
Auditing your DLP policies on a regular basis will also help you identify if there are certain types of data that you’ve missed or if you have misconfigured any rules in the process.
3. Use Data Loss Prevention Software
Software enables data loss prevention methods by allowing you to automate policies, monitor use, and detect risks. The right type of data loss prevention software for you will depend on the technology your team uses to store, access, and share data. There are three main types of data loss prevention software: endpoint, network, and cloud DLP.
Just about every organization should be using Endpoint DLP. This is because, well, everyone has at least one endpoint per employee—most have many, many more. Endpoints include laptops, desktops, on-prem servers, smartphones, tablets, and basically anything that connects to your network.
Most companies also know that they need some sort of software to control network DLP. Your network has long been the single access point between the internet and your internal information. However, that has fundamentally changed for most businesses and organizations in the last five to ten years or so. Now, employees bring their own devices to work and expect to be able to use them. SaaS applications have also become prolific in workplace productivity and communications. These changes are what have created the need for cloud DLP software.
When information is stored, access and sent or shared in cloud applications, traditional network and/or endpoint DLP technology doesn’t cover all the bases. It was developed to protect access to the information. But it doesn’t secure the actual data once authorized access is gained (whether it’s from an internal, actual authorized user or not). Cloud DLP software, often available in the form of a CASB solution, provides InfoSec teams with the ability to monitor and detect activity within cloud applications so that data, not just access to it, is secured.
4. Monitor for Improper Use of Data
Data loss stemming from employees are more common than external attacks (though they get far less attention). For the most part, these incidents are accidental. They can range from an employee spilling coffee on their laptop to having it stolen from their car. Most often, it’s from sharing information with someone that shouldn’t have access to it without realizing they’d made a mistake.
There are also instances of employees stealing information from a company. Because they have authorized access to data, it is notoriously difficult to detect these incidents until well after they’ve occurred. It could be a case of an employee who has been let go or quite who takes customer and/or company intellectual property information to bring to their next job or to sell to a competitor. There are also cases where employees take employee and/or customer information to steal their identities or sell the information on the dark web.
While the intent of internal data loss creates vastly different outcomes, both can be problematic for any company. Even accidental data loss can set an organization back in terms of cost spent creating the information (both financial and/or time), as well as the cost of trying to regain it. Accidental incidents can also create a vulnerability for malicious attacks if left unnoticed and un-remediated.
5. Monitor for Account Takeover Behavior
Monitoring for account takeovers is a next-level data loss prevention method that is difficult to accomplish without the right data loss prevention tools. But, it’s a critical capability in your data security strategy and relatively simple to accomplish with the right technology.
The majority of account takeover attempts (and successes) have the same basic “signatures”. The easiest way to identify one is by monitoring and controlling login locations. A simple example of this is: if all your employees are based in the U.S., you know that any logins coming from another are unauthorized. You can set up a DLP policy to reject any logins coming from other countries outside the United States.
Monitoring for account takeovers should also take into account the number of login attempts. If you’re able to see a sudden and suspicious spike in the number of login attempts over a few hours or a couple of days, you know that that account it being targeted. You can take proactive action in these cases by re-setting the account password and requiring a stronger one.
Finally, using a data loss prevention CASB allows you to detect other types of suspicious behavior, such as massive file downloads stemming from a particular user, abnormal sharing outside the domain behavior, and/or uploading files or sending emails containing malware or phishing links.
6. Regularly Audit Your Data Environment for Risks
One of the best data loss prevention methods available is to continually audit your data environment for new vulnerabilities and risks. These could come from an employee using a new, unsanctioned SaaS application, new patch updates in existing apps, new types of sensitive data entering the environment, and more. InfoSec teams are trained to see vulnerabilities everywhere. A good data loss prevention tool will help you and your team monitor and audit for new risks 24/7.
As you can see, there is a wide variety of data loss prevention methods available for IT and InfoSec teams. Choosing the right DLP solution (or solutions) largely depends on your company’s IT infrastructure, compliance requirements, and budget. For teams that are using popular cloud applications, such as Google G Suite, Microsoft Office 365, Slack, and more, using a reputable CASB with easy to use data loss prevention tools is no longer a luxury—it’s a must-have.