We’ve already explored the differences between endpoint Data Loss Prevention (DLP), network DLP, and cloud DLP in this recent blog post. But what about Cloud Access Security Brokers (CASB)?
CASBs are often conflated with cloud DLP; and while there are overlaps, the technologies are different enough to warrant some discussion.
CASBs typically combine multiple technologies to perform four key functions:
- Visibility: CASBs provide visibility into an organization’s use of cloud services. This includes discovering which cloud applications and services are in use, who is using them, and how they are being used.
- Data Security: CASBs help protect data in the cloud by enforcing data security policies and controls. This involves features such as encryption, access controls, and DLP to ensure that sensitive data is not exposed, shared inappropriately, or accessed by unauthorized users.
- Access Control: CASBs offer access control capabilities to manage and control user access to cloud applications and services. This includes features like single sign-on (SSO), multi-factor authentication (MFA), and session management. CASBs can enforce policies that dictate who can access specific cloud resources and under what conditions.
- Threat Protection: CASBs are equipped to detect malware and to identify and mitigate security threats in cloud environments. They often include features for detecting and responding to activities such as malware uploads, suspicious user behavior, and account compromise.
Can a CASB deliver the Data Loss Prevention I need to secure my sensitive data?
CASBs do have a role to play in DLP, and many CASB solutions augment their offerings with cloud DLP capabilities. With this approach, sensitive data – such as PII and data regulated by HIPAA and PCI – that is stored in cloud apps and file stores can be identified, and policies built against it to define access rights and to protect it from data breaches and egress to unapproved locations.
But this doesn’t answer the most important question that every enterprise security professional should be asking: does a DLP solution deployed at the cloud level even make sense for their particular use case? And, if it does, is it enough to mitigate the risk of a data breach caused by end users?
It’s not about where your data resides, it’s about where it leaks from.
When considering a DLP strategy, we often hear security teams asking themselves, “Where does my sensitive data live?”
For most modern enterprises the answer is that it exists everywhere: across endpoints, network locations, and cloud storage. This inevitably leads them to conclude that they need endpoint, network, and cloud-level protection.
At CoSoSys we take a different philosophy and always challenge that question with a better one: “If your sensitive data were to end up in the wrong hands, how would it get there?”
Essentially we flip the question away from where the data resides, to where (and how) a data breach is most likely to occur.
Looking at it from this perspective focuses attention on the exit points that could lead to accidental or even malicious data loss. Think Slack messages, Microsoft Teams conversations, email attachments, file uploads, removable media, and more.
That’s why, regardless of an existing CASB or cloud DLP deployment, almost every company needs an endpoint-based DLP solution in place to fill the gaps in protection.
Even if the data started as cloud data, user activity will see it downloaded to the endpoint, worked on, saved, copied, and pushed out via an exit point from that very same endpoint. It’s why 70% of all data breach incidents originate at the endpoint.
If that’s the key scenario your security teams are looking to address, then only an endpoint DLP can deliver that level of protection – particularly if you need to maintain your DLP policies on an offline endpoint.
This approach frees up a lot of time for the security team. Oftentimes it is not important to ingest and make sense of reports about sensitive data moving between the company’s own cloud assets. When you implement a DLP philosophy designed around exit points, your security teams can focus on the events where an exfiltration attempt was blocked – that is usually the most important data to monitor, and it gives you a strong data security policy while maintaining a low noise-to-signal ratio.
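The following is an added example, not CoSoSys code or any product’s policy engine, that illustrates the exit-point philosophy described above. Content detectors (a Luhn-checked card number for PCI data and a US SSN pattern for PII) run locally on each event, so they would work on an offline endpoint; the policy blocks only when sensitive content reaches one of the exit points the post lists, lets internal data movement through without raising an alert, and the triage view surfaces just the blocked exfiltration attempts. The channel names, detectors and sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed channel taxonomy: exit points mirror the ones the post names;
# "internal" channels are data movement that does not leave the organization.
EXIT_POINTS = {"slack", "teams", "email_attachment", "web_upload", "removable_media"}
INTERNAL_CHANNELS = {"cloud_sync", "local_save"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security Number in the common NNN-NN-NNNN form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Event:
    user: str
    channel: str
    content: str


@dataclass
class Decision:
    event: Event
    action: str          # "allow" or "block"
    classes: frozenset   # data classes detected, e.g. {"PCI", "PII"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> frozenset:
    """Return the set of sensitive data classes found in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("PCI")
    if SSN_RE.search(text):
        found.add("PII")
    return frozenset(found)


def evaluate(event: Event) -> Decision:
    """Block only when sensitive content is about to leave via an exit point."""
    classes = classify(event.content)
    if classes and event.channel in EXIT_POINTS:
        return Decision(event, "block", classes)
    return Decision(event, "allow", classes)


def triage(events):
    """The low-noise view: only blocked exfiltration attempts are surfaced."""
    return [d for d in map(evaluate, events) if d.action == "block"]


# Constructed sample events; the card number is the standard test value, not a real card.
SAMPLE_EVENTS = [
    Event("alice", "cloud_sync", "quarterly report, card on file 4111 1111 1111 1111"),
    Event("bob", "email_attachment", "attached: card on file 4111 1111 1111 1111"),
    Event("carol", "slack", "lunch at noon?"),
    Event("dave", "web_upload", "customer record SSN 123-45-6789"),
    Event("erin", "removable_media", "invoice ref 4111111111111112"),  # fails Luhn
]

if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS):
        print(f"BLOCKED {d.event.user} via {d.event.channel}: {sorted(d.classes)}")
```

Alice’s sync of the same card data to internal cloud storage is allowed and never reaches the analyst queue, which is the noise reduction the post describes; Bob’s email attachment and Dave’s upload are the two events worth looking at.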
Data Loss Prevention: Endpoint vs. Network vs. CASB
Of course, the choice of whether to implement endpoint DLP, network DLP, dedicated cloud DLP, or CASB DLP depends on your organization’s specific circumstances, need for offline policy enforcement, data storage practices, and compliance requirements.
In many cases, you may need multiple security solutions to deliver a robust data protection strategy that spans both cloud security and endpoint-based protection, particularly if you are looking to meet a defined set of compliance requirements (e.g., GDPR, NIST, PCI-DSS, HIPAA) and mitigate the risk of insider threats and accidental data leakage.
While each DLP solution has its merits, balancing security with practicality is key. A streamlined DLP strategy that focuses on exit points versus data location can provide robust real-time data protection without overwhelming your security team with false positives, or overcomplicating your data security approach. By understanding the nuances of your organization’s needs and risk factors, you can make informed decisions to protect your sensitive information.