As companies store ever-greater volumes of data in the cloud, cloud data loss prevention (DLP) solutions--such as Google Cloud DLP, AWS Macie, Digital Guardian and Open Raven--are rising in popularity. Should your team add DLP for cloud to its software stack? Read on for a primer on what cloud DLP means and when to use it.
What is DLP for Cloud?
Cloud data loss prevention is the process of securing sensitive data in the cloud against unauthorized access. It can be applied to data at rest and in transit, and it can be used to secure data stored in virtually any format--from object storage and block storage to databases and data lakes and beyond.
Data loss prevention itself is not a new concept. DLP solutions have existed for years for conventional environments. However, it has only been in the past several years that DLP for the cloud has taken off. Amazon acquired the platform that would become Macie in 2017, for instance, and Google Cloud DLP debuted in 2019.
What Problem Does DLP for Cloud Solve?
DLP for cloud is designed to help organizations detect and address data security vulnerabilities before they turn into leaks or compliance violations.
Most cloud DLP tools work by scanning data and using AI to determine whether the data appears to contain sensitive information such as personal names, addresses and credit card numbers.
If such information is detected, the tools take the further step of assessing which protections are in place to secure the data, like access control policies and encryption rules. If they determine that the data is not sufficiently secure, they alert the IT team so it can rectify the issue. Some tools can also automatically take actions to help secure the data--for example, by performing data masking.
As an example use case, a cloud DLP solution could detect a document within an object storage bucket that contains a list of Social Security numbers. If the access control policy for the bucket allows anyone with the URL to access the bucket's contents, the tool would flag this as a data security vulnerability.
In these ways, cloud DLP tools help organizations keep their data secure even as their data grows ever greater in size and as the cloud environments that host that data become more and more complex.
When Should You Adopt DLP for Cloud?
If your organization stores or manages sensitive data in the cloud, adding a cloud DLP solution to your software stack is a smart way to reduce your risk of data leakage.
On the other hand, you don't need DLP for cloud if your organization works strictly with non-sensitive types of data, such as machine data. You may also be able to get away without using a DLP solution if you manage very small amounts of sensitive information and can keep track of them by hand.
Note that you don't need to store sensitive information deliberately in the cloud to benefit from DLP. DLP tools can help you find sensitive data that you inadvertently store in the cloud. Thus, having a policy in place that says sensitive data shouldn't be uploaded to the cloud doesn't mean you can't take advantage of cloud DLP. It's likely that sooner or later, someone will accidentally upload sensitive information to the cloud, and DLP tools will help you find it.
How Does DLP Impact Your Cloud Environment?
Most DLP solutions are designed to be flexible enough to work with any mainstream cloud environment and configuration. However, there are a couple of potential limitations to keep in mind:
- Single-cloud only: Currently, most cloud DLP tools work only with a specific public cloud. That means if you store data on multiple clouds, or you store some data on-premises and other data in a public cloud, you can't protect it all with a single DLP tool.
- Data type limitations: Although most types of cloud storage are supported by cloud DLP, not every tool can handle every type of data. You may have trouble finding tools that can work with both object storage and the data stored inside containers, for example.
How Hard Is It to Implement DLP for Cloud?
The biggest factor in setting up a cloud DLP solution is writing data detection rules that effectively cover all the types of sensitive data you may store inside your company across all of your cloud environments and configurations. Although most cloud DLP tools come with fairly good detection engines out-of-the-box, you'll need to tailor them to your setup to get the best results.
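To make the scan-then-assess flow from the Social Security number use case above concrete, and to show the kind of detection rule you end up tailoring, here is an added Python illustration that is not any vendor's engine: two rules with validators to cut false positives, run over a constructed bucket inventory whose bucket names, contents and access settings are hypothetical. The publicly readable bucket holding an SSN list comes out with the highest rating, exactly the situation the use case describes.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit strings that cannot be a real card number."""
    parity = len(digits) % 2
    doubled = [int(c) * 2 if i % 2 == parity else int(c) for i, c in enumerate(digits)]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def ssn_ok(value: str) -> bool:
    """Drop SSN-shaped strings the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = value.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# Detection rules: (label, pattern, validator). Tailor these to the data you hold; the
# validator is what keeps a bare regex from flagging every 9-digit ID as an SSN.
RULES = [
    ("US_SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("CREDIT_CARD", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
     lambda v: luhn_ok(re.sub(r"\D", "", v))),
]

def scan_object(text: str) -> list:
    """Labels of every validated sensitive value found in one object's contents."""
    return [label for label, pattern, valid in RULES
            for m in pattern.finditer(text) if valid(m.group(0))]

# Constructed inventory (hypothetical buckets): object contents plus each bucket's controls.
BUCKETS = {
    "hr-exports": {"public": True, "encrypted": False,
                   "objects": {"payroll.csv": "name,ssn\nAda,123-45-6789\nBob,000-12-3456\n"}},
    "build-logs": {"public": False, "encrypted": True,
                   "objects": {"run.log": "2024-01-01 job 1234-56-78 finished\n"}},
    "finance": {"public": False, "encrypted": False,
                "objects": {"refunds.txt": "card 4111 1111 1111 1111 refunded\n"}},
}

def assess(buckets=BUCKETS) -> list:
    """One finding per object holding sensitive data, rated by the controls around it."""
    report = []
    for bname, b in buckets.items():
        for oname, text in b["objects"].items():
            labels = sorted(set(scan_object(text)))
            if not labels:
                continue  # no sensitive data, so a weak ACL alone is not a DLP finding
            # Public read (the page's example case) outranks missing encryption at rest.
            severity = "HIGH" if b["public"] else "MEDIUM" if not b["encrypted"] else "LOW"
            report.append({"bucket": bname, "object": oname, "types": labels, "severity": severity})
    return report
```

Wiring this to a real environment means replacing BUCKETS with the provider's object listing and access-policy APIs; the rule list is the part you keep growing as you learn what your teams actually store.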
You should also consider how you'll integrate DLP alerts into your workflows and how you will organize roles and responsibilities for responding to DLP issues. This is important for ensuring that you can handle DLP alerts efficiently on an ongoing basis.
Which Skills Does DLP Require?
Because cloud DLP tools use AI to identify sensitive information, you don't need a crack team of data security and compliance experts to operate them. Most competent IT engineers who understand the basics of cloud data architectures and access control can use the tools effectively.
That said, having at least some team members with deep expertise in data security and privacy may be helpful, especially in cases where the team needs to understand how different types of data security risks align with business priorities. Depending on your industry and which compliance regulations you face, some data risks may be of greater import than others, and cloud DLP tools alone won't necessarily know the difference.
The websites of the various cloud DLP vendors are a good starting point for learning more about how their solutions work. You can also check out Gartner's comparison of DLP solutions, but note that not all of these tools work with the cloud specifically.