25 July 2011

DLP in the Cloud


At this point in time, two distinct technologies address the threat of data leakage: encryption and data loss prevention (DLP).
Encryption can protect data in transit and at rest; however, encryption policy is typically enforced according to context rather than content, meaning that encryption is not triggered by the sensitivity or confidentiality level of the data itself.
DLP can prevent leakage within an organisational deployment - essentially providing protective barriers at the network perimeter and on endpoint devices - but the technology is ineffective in a cloud infrastructure and unfit for client-less roaming devices.
Considering the fast-paced migration toward distributed services, infrastructures and platforms, and the increased adoption of mobile devices as business tools, there is a surging need to analyse and protect data while it is transported, stored and manipulated in the cloud.


Unfortunately, there is no straightforward solution that would cover all cloud data protection strategies; however, encryption and DLP technologies can be combined to provide the fundamentals.
First, data classification should be enforced before the data reaches the cloud; this consists of establishing the sensitivity, criticality and value of the content.
Additionally, discovery should be run on the company's data stored in the distributed environment. DLP agents cannot be installed on SaaS or PaaS delivery models, yet most hosted solutions grant extended management privileges for corporate-wide administrative access, which makes remote crawling possible.
Email encryption should be enforced according to the content of the message. Since there is no universal public key infrastructure, traditional email encryption (e.g. S/MIME or PGP) is not well suited to the cloud. However, a web-based delivery method might be a solution: it would involve a web portal where the protected content is securely deposited and released to the recipient once a pre-agreed passcode has been provided.
If the organisation has multiple egress points, a hosted web security gateway would probably be the most flexible way to analyse outbound web traffic and enforce DLP controls that prevent sensitive content from leaking out.



Pushing the reasoning further, a hosted web security gateway could be placed in front of hosted services as a hosted reverse proxy, providing real-time content analysis, SSL encryption/decryption and even authentication.

In fact, considering that most outsourced applications hosted in the cloud are web-based, a reverse-proxy-as-a-service would be a safe way to systematically secure and control corporate traffic toward chosen hosted services.
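The common building block behind the measures above (classification before data reaches the cloud, content-triggered email encryption, DLP controls at an outbound web gateway, and content analysis at a hosted reverse proxy) is one content classifier whose verdict each enforcement point feeds into its own policy. The following is an added illustration, not code from the original post or from any vendor product: the three-level sensitivity taxonomy, the detector patterns, the channel names (email, web_upload, reverse_proxy) and the policy table are all assumptions made for the example. It also shows a practitioner caveat the post does not spell out, namely that pattern matches need validation (here a Luhn check on card-like digit runs) or the gateway drowns in false positives.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Sensitivity levels, lowest to highest. This three-level taxonomy is an
# assumption made for the example; the post does not prescribe one.
PUBLIC, INTERNAL, CONFIDENTIAL = 0, 1, 2
LEVEL_NAMES = {PUBLIC: "public", INTERNAL: "internal", CONFIDENTIAL: "confidential"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Detector:
    name: str
    pattern: re.Pattern
    level: int
    # Optional post-filter on the raw match, used to cut false positives.
    validate: Optional[Callable[[str], bool]] = None


# Constructed detectors; the patterns are illustrative, not production-grade.
DETECTORS: List[Detector] = [
    Detector("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), CONFIDENTIAL,
             lambda raw: luhn_ok(re.sub(r"[ -]", "", raw))),
    Detector("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), CONFIDENTIAL),
    Detector("confidential_marker", re.compile(r"\bCONFIDENTIAL\b"), CONFIDENTIAL),
    Detector("internal_marker", re.compile(r"\bINTERNAL\b"), INTERNAL),
]

# (enforcement point, level) -> action. Assumed policy for illustration: the
# email gateway encrypts according to content, the outbound web gateway blocks,
# and the hosted reverse proxy in front of a SaaS application allows but logs.
POLICY: Dict[Tuple[str, int], str] = {
    ("email", PUBLIC): "allow",
    ("email", INTERNAL): "encrypt",
    ("email", CONFIDENTIAL): "encrypt_via_portal",
    ("web_upload", PUBLIC): "allow",
    ("web_upload", INTERNAL): "allow_and_log",
    ("web_upload", CONFIDENTIAL): "block",
    ("reverse_proxy", PUBLIC): "allow",
    ("reverse_proxy", INTERNAL): "allow_and_log",
    ("reverse_proxy", CONFIDENTIAL): "allow_and_log",
}


@dataclass
class Verdict:
    level: int
    hits: Dict[str, int] = field(default_factory=dict)
    action: str = "block"


def classify(text: str) -> Tuple[int, Dict[str, int]]:
    """Return the highest sensitivity level found and per-detector hit counts."""
    level, hits = PUBLIC, {}
    for det in DETECTORS:
        count = sum(
            1 for m in det.pattern.finditer(text)
            if det.validate is None or det.validate(m.group(0))
        )
        if count:
            hits[det.name] = count
            level = max(level, det.level)
    return level, hits


def decide(channel: str, text: str) -> Verdict:
    """Classify content, then apply the policy of the given enforcement point."""
    level, hits = classify(text)
    # Fail closed: an enforcement point with no policy entry blocks.
    action = POLICY.get((channel, level), "block")
    return Verdict(level, hits, action)


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test card number.
    samples = [
        ("email", "Hi team, the Q3 offsite is on Friday. See you there."),
        ("email", "CONFIDENTIAL: draft merger terms attached, do not forward."),
        ("web_upload", "Card on file: 4111 1111 1111 1111, SSN 123-45-6789"),
        ("web_upload", "Order ref 1234567890123456 shipped today"),
        ("reverse_proxy", "INTERNAL roadmap notes pasted into the ticket"),
    ]
    for channel, text in samples:
        v = decide(channel, text)
        print(f"{channel:13} {LEVEL_NAMES[v.level]:12} {v.action:18} {v.hits}")
```

The classifier is deliberately separate from the policy table: the same `classify` call can sit in an email gateway, an outbound web proxy or a hosted reverse proxy, and only the (channel, level) lookup changes. Unknown channels fail closed, and the order-reference sample shows the Luhn filter discarding a 16-digit run that is not a valid card number.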

Finally, since employees remain the main potential source of data leakage, focus should be sustained on user awareness. Unintentional leaks still account for 85% of all data loss.





Quentin Authelet
Risk consultant, KPMG
