Data Loss Prevention (DLP) with work-from-home SASE secure edge 2021

Above: users on-premise or remote leverage a SASE solution to access applications
Many companies entered a "transformation", or completed one, in 2020 to an environment where users became work-from-home (WFH) while accessing a mix of on-premise and cloud based resources. Companies found themselves quickly adopting collaboration toolsets to accommodate WFH. These toolsets, cloud apps, and WFH devices are commonly used to share and store secret data in day-to-day activities with little control, policy, or user training in place. Much of this data falls within the scope of protected data, so there is a need to be sure critical data is not exposed. Visibility and control of secret data in cloud apps and on user devices becomes a priority for most.
A good example is the many tools that scan GitHub for exposed secrets (using search "dorks"), including API keys that grant full access to private data and worse.
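As an added example (not code from this page or from any product it mentions), here is the kind of content-inspection rule set a DLP engine or pre-commit secret scanner applies to text before it is shared: fixed-format detectors for well-known credential shapes, plus a Shannon-entropy check on literal values assigned to secret-looking variable names. The sample lines, the token values and the rule list are all constructed for the demonstration.

```python
import math
import re

# Constructed sample lines standing in for a file a user is about to push or share.
# None of the values are real credentials.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"',
    'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',
    'DB_PASSWORD = "Tr0ub4dor&3xample"',
    'greeting = "hello world"',
    'api_key = os.environ["API_KEY"]',   # reads from the environment: no literal to leak
]

# Format rules for credential types with a recognisable prefix/length (constructed subset).
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Context rule: a secret-looking variable assigned a quoted literal of at least 8 characters.
ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*["\']([^"\']{8,})["\']'
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high, words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(line: str, entropy_threshold: float = 3.5) -> list:
    """Return (rule_name, matched_value) pairs for one line of text."""
    findings = [(name, m.group(0)) for name, rx in PATTERN_RULES.items() for m in rx.finditer(line)]
    m = ASSIGNMENT.search(line)
    if m:
        value = m.group(2)
        already_flagged = any(value == v for _, v in findings)
        # Only escalate unknown-format literals when they look random rather than like a word.
        if not already_flagged and shannon_entropy(value) >= entropy_threshold:
            findings.append(("high_entropy_secret", value))
    return findings


def scan(lines) -> list:
    """Return (line_number, rule_name, matched_value) for every finding across the input."""
    return [(i, rule, v) for i, line in enumerate(lines, 1) for rule, v in scan_line(line)]
```

On the constructed input the scanner flags lines 1 to 3 and leaves the plain string and the environment lookup alone, which is the distinction a DLP policy has to make to avoid drowning users in false positives.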
VPNs have become smarter, more robust, and more flexible virtual networks, coined "SASE" by analysts in 2019. SASE, or "Secure Edge" for short, is a client that allows access to corporate apps and application environments while securing access to the public web. The SASE client can have its own scanning and can direct traffic to secure authentication and CASB solutions (shown below). DLP monitoring can be placed on the endpoint or within the CASB. This can be used to effectively manage data on managed endpoints and to manage data flow through managed cloud apps. In advanced deployments this monitors and protects data both at the endpoint and at the cloud application gateway.
Most startup companies have removed the VPN completely and are "pure cloud": any device, from anywhere, working in cloud based environments. This allows data management on unmanaged devices like phones, where adding a client or maintaining remote clients has become difficult.
Many companies have also adopted cloud development operations (DevOps) to take advantage of IaaS architectures. These applications are often public facing and access critical data on the back end. This provides another vector of data risk that must be protected and monitored for data leakage. DevOps should also implement one of the following DLP programs, but not necessarily the same DLP program that is used for internal users.
The following articles discuss adding DLP to a secure user or app edge: Edgeless Cloud, CASB, and legacy on-premise DLP.
Data Loss Prevention (DLP) as a Cloud API, edgeless cloud infrastructure

Above (left to right): users access cloud applications where the data is managed via API and, finally, the intelligence derives from cloud based analytics and controls
For many companies this is the future of the workplace: it maximizes productivity, availability, and compliance at the lowest cost of business. SaaS security and data management as a service is available for user environments as well as application development environments.

The cloud based API architecture for DLP allows advanced features never before available, such as artificial intelligence that finds data with striking accuracy and minimal setup. The companies that build API based DLP can plug into nearly any app with an external API, including on-premise apps. These APIs can be accessed by AI to learn behaviors and apply accuracy to security and automation. This is especially useful when monitoring any behavior for abnormalities, or for predictive outcomes based on behaviors.

Web, data, email, and system security greatly benefit from cloud based AI and behavioral analysis when trained with massive global sample sets.
Advantages
- Scalable
- Fast time to value
- Greatest level of visibility
- Best option when starting a business of any size

Disadvantages
- Still requires expertise
- Cloud migrations are complicated
Get help with DLP for Cloud
Data Loss Prevention (DLP) in a CASB solution

Above (left to right): SASE edge users are forced to a proxy for certain applications
A Cloud Access Security Broker (CASB) is the step in transformation between on-premise services and cloud DLP. A modern, robust CASB solution will have elements of both on-prem and cloud API integration. CASB requires an endpoint agent or other redirection to proxy cloud communication.
Advantages
- A transitional step to full cloud
- Handles shadow IT

Disadvantages
- Data inspection is hard for CASB proxy architectures
- OCR is not possible in a CASB; rather, this should be done by the cloud API
- Difficult for phones and BYOD
Get help with CASB
Traditional on-prem Data Loss Prevention (DLP)

Above: on-prem DLP with endpoint and proxy/firewall traffic inspection points
Traditional on-premise DLP can consist of inspection gateways and endpoint agents covering local applications, removable media, local app data controls, print screen and copy & paste, email, and web data leaks.
Advantages
- Most mature model

Disadvantages
- Requires DLP policy expertise for effectiveness
- Requires in-house application support and maintenance
Get traditional DLP help
Please bear with us as we add content to the items below (work in progress).