Live Global Events: Secure, Simplify, and Transform Your Business.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

Cloud Data Protection: Six Critical Challenges To Tackle

RICH CAMPAGNA - SVP, Cloud Protection
February 23, 2021 - 4 min read

Data Loss Prevention (DLP) is the first term that comes to mind for most when thinking about data protection, but DLP is really just one piece of a broader cloud data protection strategy. DLP must build on a solid foundation of comprehensive visibility, a solid security posture, and a minimized attack surface. There are six critical challenges to laying this foundation. 

Six Critical Cloud Data Protection Challenges 

1: Lack of visibility into application usage.

You can’t protect what you don’t know about, so the first challenge to overcome is a lack of visibility into application usage. Visibility must extend across both your sanctioned IT landscape and your shadow IT landscape.

With sanctioned applications, you need insights into what applications are in use, and how they are being used. For example, insights into which AWS services your development team is using, or which third-party applications are connected to Office 365, will help you understand where they may be weaknesses in your data protection strategy.

With shadow IT applications, visibility provides the basis for deciding what to allow, what to restrict, and what to block altogether. Keep in mind that shadow IT doesn’t just mean SaaS applications - there are many PaaS/IaaS services now being used outside of IT’s purview. Protecting those applications is every bit as critical as getting a handle on shadow IT SaaS applications.

critical cloud 1

2: Insecure Configurations lead to exposure and breaches

Next up, the baseline configuration of your sanctioned applications must be properly secured. On this front, misconfiguration of cloud storage services has led to many high-profile exposures of sensitive data over the past few years, but these types of misconfigurations occur with all types of cloud applications. Overcoming this challenge means identifying and tackling identity, encryption, networking, third-party connections and sharing, and a whole host of other configurations that can result in loss of sensitive data if not appropriately secured.

critical cloud 2

3: Risky contexts require additional controls

A privileged user on a managed device that has been appropriately protected has a different risk profile than that same user on an unmanaged device, coming from a new location, and attempting to download sensitive data. Context is key to strong access control, ensuring that the level of access provided corresponds to the risk of data loss given that context.

critical cloud 3

4: Inherently risky apps have no legitimate business use

Shifting gears to focus on shadow IT, there are some inherently risk applications that have no legitimate business use. Applications that are known to host malware, apps with questionable data protection policies, previously unknown applications, and a broad range of undesirable categories of applications all should be blocked outright on corporate networks and devices. 

critical cloud 4

5: Less risky sanctioned apps tolerated but controlled

Not all shadow applications can be blocked. Today’s workers expect some ability to perform low-risk personal activities from their managed devices and from the corporate network. Sending personal emails, taking a break to check out The Gram, paying bills online. These are all applications that you are more than likely going to end up allowing but in a controlled fashion.

You might want to allow social media viewing but prohibit posting. Or perhaps you want to give employees the ability to read and send emails, but not upload attachments. These access control capabilities can help reduce risk, even before you apply DLP policies.

critical cloud 5

6: Sensitive data must remain protected

The final piece of the puzzle is protecting sensitive data. At this point, you’ve understood which cloud applications are in use and how, you’ve built a strong security posture for those applications, and you’ve used access control to further limit the risky contexts and behaviors that shouldn’t even be able to access sensitive data.

The final step is to leverage DLP, both inline and out-of-band, to control which data can be accessed and by whom.

critical cloud 6 

Solving the six cloud data protection challenges 

Taking all of this on at once might seem daunting. After all, who has the budget, team, and time to buy, implement, and maintain six separate tools from six different vendors?  

Fortunately, Zscaler has built all of the capabilities necessary for you to overcome all cloud data protection challenges, across the entire landscape of sanctioned and shadow IT applications. Comprehensive data protection, built on the Zero Trust Exchange platform that is already proven and deployed across thousands of enterprises. In fact, if you’re already a Zscaler customer, enabling these capabilities might be as easy as taking a few minutes to configure them. 

critical cloud 7


form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

Exceptional Customer Experiences Begin at Home
Exceptional Customer Experiences Begin at Home
Read Post
The Power of Zscaler Intelligence: Generative AI and Holistic View of Risk
The Power of Zscaler Intelligence: Generative AI and Holistic View of Risk
Read Post
Take Cloud Native Security to the Next Level with Integrated DLP and Threat Intel
Take Cloud Native Security to the Next Level with Integrated DLP and Threat Intel
Read Post
Cloud Compliance
The Impact of Public Cloud Across Your Organization
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.