One of the most urgent tasks for the IT security industry today is to develop a consistent, yet practical information security model for the corporate cloud. It is all the more critical because users of the cloud effectively share the same computing and storage resources not only in public and hybrid clouds, but also in corporate private clouds which might be used by several business units.
The fact that data resides beyond the confines of the physical corporate IT infrastructure makes it impossible to precisely identify where it is at any given time, and – as a consequence – apply conventional security solutions, such as network security appliances, to protect static perimeters and control access to data. Threat profiles for the various types of cloud services therefore vary significantly from those of in-house IT computing models.
Cloud adoption means firms must now focus on a data-centric security model, making data leak prevention (DLP) solutions increasingly important to corporate IT security strategy. Conventional security solutions control access to data based on contextual parameters, such as the credentials and permissions of the person attempting to access the data, as well as the device they are using. They do not control data use based on the content and sensitivity of the information it contains.
As a result, with the lack of physical and network borders in a shared cloud infrastructure, context-based security technologies alone cannot prevent the leakage of sensitive data. Conversely, information-centric DLP technology features inherent ‘content-awareness’: intelligent analysis of the data itself, combined with enforcement of policies that link security controls directly to the value of the information a document contains.
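To make the contrast concrete, the following is an added illustration (not code from the article or any product it describes) of a context-only check beside a content-aware policy decision: the classifiers, sensitivity labels, channel names and sample strings are constructed assumptions.

```python
import re

# Constructed classifiers for the illustration: a digit run that could be a
# payment card number, and a marker word that a handling policy might require.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)

# Hypothetical channel names: destinations outside the cloud DLP's reach.
EXTERNAL_CHANNELS = {"usb", "personal_email", "public_share"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so an arbitrary digit run is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def classify(content: str) -> str:
    """Content-aware step: derive a sensitivity label from the data itself."""
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "restricted"
    if MARKER_RE.search(content):
        return "confidential"
    return "public"


def context_decision(user_authenticated: bool, device_managed: bool) -> bool:
    """Conventional context-only check: who is asking, and from what device."""
    return user_authenticated and device_managed


def dlp_decision(content: str, channel: str,
                 user_authenticated: bool, device_managed: bool):
    """Content-aware policy: the label, not only the context, decides."""
    if not context_decision(user_authenticated, device_managed):
        return "block", "context"
    label = classify(content)
    if label == "restricted" and channel in EXTERNAL_CHANNELS:
        return "block", label          # same user, same device, still blocked
    if label == "confidential" and channel in EXTERNAL_CHANNELS:
        return "alert", label
    return "allow", label
```

An authenticated user on a managed device passes the context check in every case; only the content-aware step distinguishes moving a card number within the cloud application from copying it to a USB stick.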
DLP can be used to improve data security across the entire organisation, including both cloud infrastructure and corporate endpoints. It is vital, however, to identify the specific areas to which the various DLP components will be applied. Endpoint DLP agents alone cannot offer total protection against endpoint data leaks because of the creation of ‘virtual’ endpoint clients in the cloud.
Such clients do not require the transfer of data to and from the end user computer because the application runs in the cloud, meaning all data operations are local to the cloud. At the same time, virtual DLP appliances residing in the cloud are unable to provide a complete DLP solution, since there are many data leak scenarios where employees access and transfer data to destinations out of the reach of the cloud DLP.
Clearly, for the cloud IT model, both cloud-resident and endpoint DLP components are required to protect against the various data leak scenarios. It is worth bearing in mind that endpoint DLP agents must now protect data being accessed through traditional desktops and laptops, as well as tablets and smartphones.
As the most information-centric security technology, DLP remains an indispensable part of any cloud-based corporate IT security architecture. Whether the cloud DLP solutions are enabled by the cloud provider or by the client organisation, it is crucial that they are effective, and are able to integrate endpoint DLP components. Otherwise, an organisation will continue to be vulnerable to data leak threats resulting from insider mistakes, negligence, and misconduct.