How to Secure Sensitive Data in the Public Cloud with Integrated CNAPP and DLP

Protecting critical business data requires two things:

  1. An understanding of where sensitive data resides.
  2. Comprehensive context about that data, so you know every possible path that allows access to it.

However, cloud environments present a unique challenge to security teams. In the cloud, data can reside in any of hundreds of cloud native data services: databases, object storage, attached and detached disks (EBS volumes), and more. In addition, access to critical data may be granted in both trivial and non-trivial ways, each presenting its own hurdle to detect and mitigate.

For example, data can be found in S3 buckets, where a single configuration setting opens the bucket to the public. The data could also be in a cloud native DB service such as AWS RDS, where access is granted through IAM roles that may be over-permissive and over-privileged.

As a result, data protection in the cloud requires the identification and classification of data, assessment of its exposure through access/attack path analysis, and continuous monitoring for access attempts by bad actors. To achieve this, threat intelligence is required, along with a deep integration of solutions, including Data Loss Protection (DLP) and a Cloud Native Application Protection Platform (CNAPP). These solutions must all speak the cloud language, be aware of all the cloud-specific data stores, and be able to prioritize exposure based on the true risk derived from the data itself.
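As an added example, not part of the original post or of any Zscaler product, here is a small Python inventory check for two of the exposure paths named above: detached EBS volumes that have sat idle, and S3 buckets whose public access block is incomplete. The input dictionaries mirror the shape of boto3's `ec2.describe_volumes()` and `s3.get_public_access_block()` responses but are constructed samples; the `vol-`/`i-` identifiers, tag values and the fixed "current time" are invented.

```python
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the check is reproducible offline.
NOW = datetime(2023, 4, 1, tzinfo=timezone.utc)

# Constructed sample shaped like boto3 ec2.describe_volumes(), trimmed to the fields used.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "State": "in-use", "Encrypted": True,
         "CreateTime": datetime(2023, 1, 10, tzinfo=timezone.utc),
         "Attachments": [{"InstanceId": "i-0123", "State": "attached"}], "Tags": []},
        {"VolumeId": "vol-0bbb", "State": "available", "Encrypted": False,
         "CreateTime": datetime(2022, 6, 1, tzinfo=timezone.utc),
         "Attachments": [], "Tags": [{"Key": "Name", "Value": "customer-db-backup"}]},
        {"VolumeId": "vol-0ccc", "State": "available", "Encrypted": True,
         "CreateTime": datetime(2023, 3, 1, tzinfo=timezone.utc),
         "Attachments": [], "Tags": []},
    ]
}

# Constructed samples shaped like s3.get_public_access_block()["PublicAccessBlockConfiguration"].
SAMPLE_PAB_WEAK = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                   "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
SAMPLE_PAB_HARDENED = {key: True for key in SAMPLE_PAB_WEAK}


def stale_volume_findings(volumes_response, now=NOW, max_age_days=30):
    """Return findings for detached EBS volumes older than max_age_days.
    A detached volume still holds whatever its former instance wrote to it; an
    unencrypted one can be attached to any instance in the account and read directly."""
    findings = []
    cutoff = now - timedelta(days=max_age_days)
    for vol in volumes_response["Volumes"]:
        if vol["State"] != "available" or vol["Attachments"]:
            continue  # attached volumes are tracked through their instance
        if vol["CreateTime"] > cutoff:
            continue  # recently created, probably still in use
        name = next((t["Value"] for t in vol.get("Tags", []) if t["Key"] == "Name"), "")
        severity = "HIGH" if not vol["Encrypted"] else "MEDIUM"
        findings.append({"VolumeId": vol["VolumeId"], "Name": name, "Severity": severity})
    return findings


def public_access_gaps(pab_config):
    """List public-access-block settings that are not enabled; any single False here
    is the kind of 'single configuration' that can open a bucket to the public."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [key for key in required if not pab_config.get(key, False)]
```

Against a live account, pass the real `describe_volumes()` result and each bucket's `PublicAccessBlockConfiguration` into these functions; the tag-derived name is what lets a reviewer tell a forgotten database backup from scratch space.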

In the following section, we describe the journey of a security admin responding to a malicious actor scanning a cloud asset. We demonstrate how, through the combination of cloud-focused DLP, vulnerability scanning, and permission analysis, the security team is able to identify a real “show stopper” and mitigate what could have been a compromise of business-critical PII data.


PII data leakage through vulnerable instance and detached disk

In the following use case, we describe how Zscaler Posture Control, our CNAPP solution, integrated with DLP and ThreatLabz threat intelligence, empowers the security admin to respond to and mitigate a critical attack that could have resulted in the theft of sensitive PII data residing on a stale disk inside an AWS account.