
What Is Cloud DLP (Data Loss Prevention)?

Cloud data loss prevention (DLP) is a category of data security technologies and processes that monitor and inspect data on a corporate network to prevent data exfiltration stemming from cyberattacks such as phishing, ransomware, and malicious insider threats. Deployed from the cloud, cloud DLP can protect sensitive data such as personally identifiable information (PII), credit card numbers, intellectual property, and more, wherever it lives or flows.


Why Is Cloud DLP Important?

In the era when sensitive information was printed on paper, loss prevention could be as simple as a locked file cabinet. Now, data races between data centers, cloud providers, and endpoint devices, potentially subject to myriad vulnerabilities along the way. To protect it against unauthorized access, you need to implement a comprehensive data loss prevention (DLP) strategy.

Your DLP strategy should bring your business and IT leaders together to identify what constitutes “sensitive data” for your organization, agree on how this data should be used, and delineate what a violation looks like. These information security guidelines, including data classification, data privacy and compliance information, and remediation procedures, can then be translated into DLP policy.

Various compliance standards (e.g., GDPR, HIPAA, PCI DSS) might require your organization to deploy DLP to avoid fines or restrictions to your operations, but data breaches can also expose end users' personal data, putting your organization at risk of losing customers, incurring brand damage, or facing legal consequences. With a well-defined DLP policy bolstered by well-managed supporting technology, you can significantly reduce these risks.

Cloud Data Loss Prevention Benefits

Cloud-based DLP offers several advantages to any organization, providing:

  • Easy scalability to meet the needs of growing data volumes and changing information ecosystems
  • Lower infrastructure costs due to eliminating on-premises hardware and related refresh/maintenance expense
  • Protection for users and branches anywhere without the need to backhaul to your data center
  • Faster deployment and configuration than on-premises DLP, with no boxes to manage
  • Automatic updates from the cloud, providing the latest intel and new features without downtime

A 2022 study by Zscaler ThreatLabz found that 36% of cloud app data is shared with publicly accessible links.

Cloud Data Loss Prevention Techniques

In the simplest terms, DLP technology, including cloud-based DLP, works by identifying sensitive data in need of protection, and then protecting it. A DLP solution may be designed to identify data in use, data in motion, or data at rest (or any combination) and determine whether it is sensitive. To do this, DLP agents may use many different techniques, such as:

  • Rule-based matching (regular expressions): This technique identifies sensitive data based on prewritten patterns (e.g., a 16-digit number is often a credit card number). Because of its high false positive rate, rule-based matching is often only a first pass before deeper inspection.
  • Exact data matching (database fingerprinting): This technique identifies data that exactly matches other sensitive data already fingerprinted, usually from a provided database.
  • Exact file matching: This technique works essentially like exact data matching, except it identifies matching file hashes without analyzing the file's contents.
  • Partial document matching: This technique pinpoints sensitive data by matching it to established patterns or templates (e.g., the format of a standard patient form in an urgent care facility).
  • Machine learning, statistical analysis, etc.: This family of techniques relies on feeding a learning model a large volume of data in order to "train" it to recognize when a given data string is likely to be sensitive. This is particularly useful for identifying unstructured data.
  • Custom rules: Many organizations have unique types of data to identify and protect, and most modern DLP solutions allow them to build their own rules to run alongside the others.
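As an added illustration of the first three techniques in the list above (example code written for this page, not code from Zscaler or any Zscaler product), the following Python sketch runs a regular-expression first pass for 16-digit numbers, applies a Luhn checksum as the "deeper inspection" that discards most look-alike digit runs, and fingerprints whole files by SHA-256 for exact file matching. The sample text, the protected file, and all function names are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Rule-based first pass: 16 digits, optionally separated by spaces or dashes.
# Cheap and broad, which is exactly why it produces false positives on its own.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(text: str) -> List[Dict[str, object]]:
    """Regex pass, then the deeper Luhn check on each candidate."""
    results = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        results.append({"match": m.group(0), "luhn_ok": luhn_valid(digits)})
    return results


def fingerprint_file(data: bytes) -> str:
    """Exact file matching keys on a hash of the whole file rather than inspecting
    what is inside it."""
    return hashlib.sha256(data).hexdigest()


def build_file_index(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each protected file's hash to its label."""
    return {fingerprint_file(data): name for name, data in files.items()}


def classify_file(data: bytes, index: Dict[str, str]) -> Optional[str]:
    """Return the protected file's label if this exact content is indexed."""
    return index.get(fingerprint_file(data))


# Constructed sample: an order number that merely looks like a card number, and a
# card-format value that passes Luhn (4111... is a widely used Visa test number).
SAMPLE_TEXT = ("Order 1234567890123456 shipped today; "
               "card 4111 1111 1111 1111 charged.")
PROTECTED_FILES = {"board-deck.pptx": b"constructed deck contents"}


def demo() -> List[Dict[str, object]]:
    """Run the two-stage card check over the constructed text."""
    return find_card_candidates(SAMPLE_TEXT)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    index = build_file_index(PROTECTED_FILES)
    print(classify_file(b"constructed deck contents", index))
```

The regex alone flags both numbers; only the second survives the Luhn check, which is the false-positive reduction the list item describes. The file index shows the limit of exact file matching: change one byte and the hash no longer matches.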

Once the sensitive data is identified, it's up to your DLP policy to determine how the data is protected. In turn, how you protect it has a lot to do with why you want to protect it.

Main Use Cases for Cloud DLP

As we've already covered, securing sensitive data protects your organization against other forms of loss—of customers, of revenue, of reputation—and helps you comply with industry and legal regulations. Protecting this data naturally requires being able to identify what and where it is, which constitutes another key use case: data visibility.

So, in short, the main use cases for a DLP solution are:

  • Protect sensitive data in motion and at rest: DLP protects data as it moves among or is stored within multiple endpoints, networks, and clouds by providing encryption, enforcing access controls, and monitoring for suspicious activities.
  • Stay compliant with regulations: DLP policies and technologies help you enforce access controls, monitor usage, and conduct audits to ensure you handle sensitive data in alignment with regulations like GDPR, HIPAA, and PCI DSS.
  • Get visibility into your data: DLP provides data visibility—insights into where sensitive information resides and moves, who has access, and how it is used—to help you identify vulnerabilities, detect risky activity, and ultimately remediate and stop data breaches.

5 Types of Cloud DLP Solutions

Because no single technology can cover every use case or account for every way data can be lost, today’s effective data protection offerings integrate multiple functions. Let’s look at some of the most common and crucial cloud DLP technologies.

  1. Cloud access security brokers (CASBs) monitor and control user activity and data transfers between endpoints and cloud apps, enforcing security policies to prevent unauthorized access, data leaks, and compliance violations. CASB offers visibility into user behavior, app usage, and data storage in cloud environments.
  2. DLP software protects sensitive data against data leakage across endpoints, email, cloud services, and other channels. By monitoring data and enforcing policies in real time, DLP software identifies and prevents potential breaches.
  3. User and entity behavior analytics (UEBA) monitor, analyze, and correlate user behavior, access patterns, system events, and more to detect anomalies and potential threats, such as malicious insider threats, compromised accounts, and lateral movement.
  4. SaaS security posture management (SSPM) helps organizations assess and manage security configurations, permissions, and vulnerabilities across different SaaS apps to address security gaps and mitigate risks associated with data exposure and unauthorized access.
  5. Browser isolation executes web content in a secure environment, preventing potentially malicious web content (e.g., drive-by downloads, malware, phishing) from directly accessing or affecting the user's endpoint, network, or sensitive data.

Cloud DLP and the Need for Data Visibility

DLP can’t prevent data loss if it’s blind to traffic. This is crucial as organizations continue to move more and more data into the cloud, where three key challenges leave traditional network-based DLP unable to see the traffic it’s supposed to inspect:

  • Remote users: With network DLP, the levels of visibility and protection depend on where users are. They can easily bypass inspection when off-network, connecting directly to cloud apps. Effective DLP and security policies must follow users wherever they connect, and on whatever devices they may be using.
  • Encryption: The incredible growth of TLS/SSL-encrypted traffic has created a significant blind spot for network-based DLP incapable of decrypting it for inspection.
  • Performance limitations: Appliance-based DLP solutions have finite resources that constrain them from scaling effectively to inspect the constantly growing amount of internet traffic inline.

Cloud DLP in a Cloud- and Mobile-First World

To address the data protection challenges that accompany digital transformation and overcome the weaknesses of traditional enterprise DLP, you need a new mindset and new technology. Reconfiguring a traditional hardware stack for the cloud isn’t enough—it's inefficient and lacks the protection and services of a cloud-built DLP solution, including:

  • Identical protection for all users on- or off-network, ensuring comprehensive data protection for all users, wherever they are—at HQ, a branch, an airport, or a home office.
  • Native inspection of TLS/SSL-encrypted traffic, giving the organization crucial visibility into the traffic where more than 85% of today’s attacks hide.
  • Elastic scalability for inline inspection, preventing data loss by inspecting all traffic as it comes and quarantining suspicious or unknown files—not relying on damage control after a compromise.

Exact Data Match for Cloud DLP

Data loss prevention solutions have long used pattern-matching to identify credit card numbers, Social Security numbers, and more. This technique is imprecise, however. Safe traffic can still be blocked simply because it includes a pattern selected for protection, bombarding security teams with false positives.

Exact data match (EDM) is a powerful innovation in DLP technology that increases detection accuracy and nearly eliminates false positives. Instead of matching patterns, EDM “fingerprints” sensitive data, and then watches for attempts to move the fingerprinted data in order to stop it from being shared or transferred inappropriately.
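To make the contrast with pattern matching concrete, here is an added Python example (not Zscaler code, and a simplified model of how EDM can work rather than a description of any vendor's implementation). It fingerprints a constructed customer table with keyed HMAC-SHA-256 so the raw values never sit in the detection index, then runs a pattern-only Social Security number detector and the fingerprint lookup over the same text. The key, the table, the text, and the class and function names are all constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed secret for the example; a real deployment keeps the key out of the index.
FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"

# Pattern-only detector for US SSN formatting: flags anything that looks the part.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def normalize(value: str) -> str:
    """Canonical form so 123-45-6789 and 123456789 fingerprint identically."""
    return re.sub(r"[\s-]", "", value).lower()


class ExactDataMatcher:
    """Index of keyed fingerprints; the sensitive values themselves are never kept."""

    def __init__(self, key: bytes):
        self._key = key
        self._index: Dict[str, str] = {}

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._key, normalize(value).encode(), hashlib.sha256).hexdigest()

    def load(self, records: Dict[str, str]) -> None:
        """records: opaque record label -> sensitive value (e.g., a customer's SSN)."""
        for label, value in records.items():
            self._index[self._fingerprint(value)] = label

    def scan(self, text: str) -> List[str]:
        """Labels of fingerprinted values found in text (simple per-token lookup)."""
        hits = []
        for token in re.findall(r"[\w-]+", text):
            label = self._index.get(self._fingerprint(token))
            if label is not None:
                hits.append(label)
        return hits


# Constructed customer table: the EDM source. Only its fingerprints enter the matcher.
CUSTOMER_DB = {"cust-0001": "123-45-6789", "cust-0002": "555-12-3456"}

SAMPLE_TEXT = ("Refund for 123-45-6789 approved; ticket 987-65-4321 is a case "
               "number, not a person. The archived copy lists 123456789.")


def compare(text: str) -> Tuple[int, List[str]]:
    """(pattern-only hit count, EDM labels) for the same text."""
    matcher = ExactDataMatcher(FINGERPRINT_KEY)
    matcher.load(CUSTOMER_DB)
    return len(SSN_PATTERN.findall(text)), matcher.scan(text)


if __name__ == "__main__":
    print(compare(SAMPLE_TEXT))
```

The pattern detector raises two alerts, one of them on a ticket number that merely has SSN formatting; the fingerprint lookup raises alerts only for the customer whose value is actually in the table, and it still catches the undashed copy because both forms normalize to the same fingerprint. The keyed hash matters because the SSN value space is small enough to enumerate, so an unkeyed hash index could be reversed offline. The per-token scan is deliberately naive; matching values that span several tokens or several columns of a record is where product implementations do more work.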

Cloud DLP Best Practices

The perfect DLP strategy depends on your organization’s data and its needs, so the best practices will vary—but that’s a subject for an entire article. Here, we’ll look at some broader DLP best practices that apply in any situation:

  • Start in monitor-only mode when you first deploy to get a sense of the data flow across your organization to inform you on the best policies.
  • Keep employees in the loop with user notifications so that policies aren't executed without their knowledge, as this can disrupt workflows and frustrate them.
  • Ensure your users can submit feedback on notifications (to justify their actions or flag broken policies), which you can use to refine your policies.
  • Leverage advanced classification measures like EDM to reduce false positives.
  • Use a solution that can decrypt TLS/SSL-encrypted traffic, since the vast majority of web traffic is now encrypted.
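The first three practices above form one rollout procedure. As an added example (not Zscaler code; the policy and event schema are hypothetical), the following Python engine runs every policy in monitor-only mode, accumulates an audit of where each policy would have fired, and promotes a policy to block only after that report is reviewed; block verdicts carry a user notification, and users can file feedback against a policy. The events are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


# Hypothetical policy model for this example; real products expose their own schema.
@dataclass
class Policy:
    name: str
    detector: str            # classifier hit the policy reacts to (e.g., "credit_card")
    mode: str = "monitor"    # "monitor": log only; "block": stop the transfer and notify


@dataclass
class Verdict:
    policy: str
    action: str              # "log" or "block"
    user_message: Optional[str] = None


class DlpPolicyEngine:
    def __init__(self, policies: List[Policy]):
        self.policies = {p.name: p for p in policies}
        # Audit trail built during the monitor-only phase: (policy, destination) -> count
        self.audit: Counter = Counter()
        self.feedback: List[Dict[str, str]] = []

    def evaluate(self, event: Dict) -> List[Verdict]:
        """event: {"user", "destination", "detections": set of classifier labels}."""
        verdicts = []
        for p in self.policies.values():
            if p.detector not in event["detections"]:
                continue
            self.audit[(p.name, event["destination"])] += 1
            if p.mode == "block":
                msg = (f"Transfer to {event['destination']} blocked by policy "
                       f"'{p.name}'. Use the feedback link if this was legitimate.")
                verdicts.append(Verdict(p.name, "block", msg))
            else:
                verdicts.append(Verdict(p.name, "log"))   # monitor mode: record only
        return verdicts

    def submit_feedback(self, user: str, policy: str, reason: str) -> None:
        """User justification or 'this policy is broken' report, kept for tuning."""
        self.feedback.append({"user": user, "policy": policy, "reason": reason})

    def promote_to_block(self, policy: str) -> None:
        """Switch one policy to enforcement after its monitor data has been reviewed."""
        self.policies[policy].mode = "block"

    def rollout_report(self) -> Dict[str, Dict[str, int]]:
        """Per policy, where the data would have been blocked; drives refinement."""
        report: Dict[str, Dict[str, int]] = defaultdict(dict)
        for (policy, dest), n in self.audit.items():
            report[policy][dest] = n
        return dict(report)


# Constructed sample events for the monitor-only phase.
SAMPLE_EVENTS = [
    {"user": "alice", "destination": "finance-saas.example", "detections": {"credit_card"}},
    {"user": "bob", "destination": "personal-drive.example", "detections": {"credit_card"}},
    {"user": "carol", "destination": "finance-saas.example", "detections": {"credit_card", "ssn"}},
    {"user": "dave", "destination": "chat.example", "detections": set()},
]


def run_monitor_phase() -> DlpPolicyEngine:
    """Deploy both policies in monitor mode and replay the sample events."""
    engine = DlpPolicyEngine([Policy("pci-cards", "credit_card"), Policy("pii-ssn", "ssn")])
    for ev in SAMPLE_EVENTS:
        engine.evaluate(ev)
    return engine


if __name__ == "__main__":
    engine = run_monitor_phase()
    print(engine.rollout_report())
    engine.promote_to_block("pci-cards")
    print(engine.evaluate(SAMPLE_EVENTS[1]))
```

The report is the point of the monitor phase: it shows that the card policy would fire twice on a sanctioned finance application and once on a personal drive, which is the information needed to add an exception for the former before turning enforcement on, rather than discovering the disruption from user complaints.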

In its 2022 Cost of a Data Breach Report, the Ponemon Institute found:

  • Data breaches cost an average of US$9.44 million in the US and $4.35 million worldwide—more than 32% of that in lost business.
  • Organizations with a mature zero trust approach saved an average $1.51 million per breach vs. those without.

Get Started with Zscaler Cloud Data Loss Prevention

With increasing risks and expanding regulations for data protection, your organization needs to close security gaps created by the cloud and mobility, whether they stem from vulnerabilities or misconfigurations.

In the past, that would have meant adding more appliances to already complex stacks. Today, there’s 100% cloud-delivered Zscaler Data Loss Prevention, part of the Zscaler Data Protection suite. Zscaler DLP empowers you to close your data protection gaps no matter where your users or applications are—while simultaneously reducing IT cost and complexity.

Zscaler DLP provides:

  • Identical protection for users and data anywhere
  • Protection across internet, endpoint, email, SaaS, private apps, and cloud posture
  • Scalable TLS/SSL inspection from the world’s largest inline security cloud
  • Streamlined workflows and operations with innovative ML-powered data discovery

Transform how you discover and protect data with Zscaler Data Loss Prevention. Find out more.

Is your DLP tool missing data loss? Find out with Zscaler Security Preview.


FAQs

What Is Cloud-Based DLP?

Data loss prevention (DLP) encompasses a range of cybersecurity measures and practices aimed at protecting sensitive data within a corporate network or in the cloud. Cloud-based DLP is simply DLP deployed from the cloud. By continuously monitoring and examining data, cloud-based DLP reduces the risk of data exfiltration resulting from cyberattacks like phishing, ransomware, and insider threats. Protecting critical data, such as personally identifiable information (PII), credit card details, and intellectual property, is vital for maintaining regulatory compliance, ensuring financial stability, and preserving customer trust.

Why Is Cloud DLP Important?

Cloud DLP protects data at rest and in motion (data in transit, which is especially common in the age of the cloud) against unauthorized access. By implementing DLP policies and technology that employ the latest DLP techniques, such as exact data match and advanced data discovery, organizations can more readily comply with regulations, prevent data breaches, avoid fines, protect customer trust, and maintain their brand reputation.

What Are the Main Cloud DLP Use Cases?

Cloud DLP has three primary use cases:

  • Protect sensitive data in motion and at rest: Cloud DLP protects sensitive information as it moves among or is stored within multiple endpoints, networks, and clouds by providing encryption, enforcing access controls, and monitoring for suspicious activities.
  • Stay compliant with regulations: Cloud DLP policies and technologies help organizations enforce access controls, monitor usage, and conduct audits to ensure they handle sensitive data in alignment with regulatory requirements, such as the GDPR, HIPAA, and PCI DSS.
  • Get visibility into your data: Cloud DLP provides data visibility—insights into where sensitive information resides and moves, who has access, and how it is used—to help organizations identify vulnerabilities and detect risky activity in order to remediate and stop data breaches.

What Is the Best Way to Prevent Data Loss?

The best way to prevent data loss is with a robust approach that combines the right security, user awareness, effective DLP measures to protect data in transit and at rest, and regular backups and disaster recovery plans.

  • DLP helps identify, monitor, and protect sensitive data, ensuring compliance with regulations and mitigating the risk of unauthorized access or data breaches.
  • User education promotes the importance of safe data handling practices, strong passwords, phishing awareness, and understanding of data security policies.
  • Backups and data recovery plans help ensure data is not permanently lost if an incident occurs.

What Is the Difference Between Cloud DLP and CASB?

Cloud DLP and cloud access security broker (CASB) solutions have distinct focus areas. Cloud DLP exists primarily to monitor and prevent leakage of sensitive data in cloud environments, whereas CASB encompasses data protection, threat detection, access control, and policy enforcement in cloud environments. They are complementary, critical components of cloud security.