Data loss prevention (DLP) tools protect data on-premises on endpoints (when in use), in transit (on the network) or at rest (on storage). DLP can be integrated with a CASB so that the same DLP policies are applied to cloud-hosted data. User entity behavior analysis (UEBA) capabilities in a CASB can be used to provide role-based access control to applications or cloud-hosted data and to detect suspicious user access activity. Anomalies and incidents are logged and available for audit and better decision-making.
Further, DLP detection capabilities can be augmented with data classification solutions. These solutions can add metadata fields to sensitive documents and emails, which can help DLP tools identify sensitive information faster with fewer false positives and fewer rules. The classification tools can also call various encryption applications like Information Rights Management (IRM) for protecting files and emails containing sensitive information, especially when sent outside the organization.
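The way a classification label reduces DLP rule count and false positives can be shown in code. The following is an added example (not part of the original article and not any vendor's product logic) of a small policy engine that trusts a classification label carried in item metadata when one is present, and only falls back to content inspection when the item is unlabelled. The item layout, the `classification` metadata key, the label names and the sample messages are constructed for the example; the credit-card pattern is validated with a Luhn check so that an unlabelled order number that merely looks like a card number is not flagged.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Item:
    """A document or email as seen by the DLP engine (constructed layout)."""
    name: str
    body: str
    metadata: dict = field(default_factory=dict)   # e.g. set by a labelling tool
    destination_external: bool = False

# Action per classification label; the label is the primary signal.
LABEL_ACTIONS = {
    "Public": "allow",
    "Internal": "allow",
    "Confidential": "encrypt_irm",        # hand the item to IRM when it leaves the org
    "Highly Confidential": "block",
}

# Content rules are the fallback for unlabelled items only.
CONTENT_RULES = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out digit runs that are not real card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(item: Item):
    """Return (label, source): the label and whether it came from metadata or content."""
    label = item.metadata.get("classification")
    if label in LABEL_ACTIONS:
        return label, "metadata"           # no content scan needed
    hits = set()
    for rule_name, pattern in CONTENT_RULES.items():
        for match in pattern.finditer(item.body):
            if rule_name == "credit_card" and not luhn_ok(match.group()):
                continue                   # looks like a card number but is not one
            hits.add(rule_name)
    if hits:
        return "Confidential", "content:" + ",".join(sorted(hits))
    return "Internal", "content:none"

def decide(item: Item) -> dict:
    """Map an item to a DLP action; IRM encryption is only forced for external delivery."""
    label, source = classify(item)
    action = LABEL_ACTIONS[label]
    if action == "encrypt_irm" and not item.destination_external:
        action = "allow"
    return {"item": item.name, "label": label, "source": source, "action": action}

# Constructed sample items.
SAMPLES = [
    Item("board-memo.docx", "Quarterly strategy notes.",
         metadata={"classification": "Highly Confidential"}, destination_external=True),
    Item("refund.eml", "Please refund card 4111 1111 1111 1111.", destination_external=True),
    Item("order.eml", "Order ref 1234 5678 9012 3456 shipped.", destination_external=True),
]

def run_policy(items=SAMPLES):
    return [decide(item) for item in items]

if __name__ == "__main__":
    for decision in run_policy():
        print(decision)
```

The labelled memo is blocked without any pattern matching, the unlabelled refund email is routed to IRM because its card number passes the Luhn check, and the order reference is allowed because it fails it.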
All these data protection technologies must further integrate with SIEM tools for correlation and incident detection so that the central security operations team can act as needed.
Infosys helped a Switzerland-based agro trading company define and implement an integrated data protection strategy to protect their intellectual property and sensitive information. After a holistic assessment, multiple data protection tools, including Symantec DLP, O365 DLP with AIP data classification, IRM and an MCAS solution, were implemented. These were integrated with the Azure Sentinel SIEM for centralized event correlation and with SNOW, an online ticketing system. A Power BI-based solution was also implemented for analytics and reporting.
Encrypting all sensitive data in the cloud helps prevent inadvertent access by other tenants or by CSPs. However, control of the keys needs to remain with the organization. Key management-as-a-service (KMAAS) is a best practice wherein keys from vendors such as Thales can be used along with cloud-native encryption capabilities. KMAAS provides three benefits: local encryption key management in Thales, segregation of duties for better protection of data hosted in the cloud and, lastly, the ability to shred the keys, which destroys the data at end of life. Currently, Microsoft Azure employs Thales e-Security HSM, while Amazon Web Services uses Cavium HSM.
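The three benefits above (organization-held keys, segregation of duties, and crypto-shredding) follow from envelope encryption: each object is encrypted with its own data encryption key (DEK), the DEK is wrapped by a key encryption key (KEK) that never leaves the organization's key manager, and the cloud store holds only ciphertext plus the wrapped DEK. Deleting the KEK makes every object under it unrecoverable without touching the storage. The following is an added example, not code from the article or from any vendor; `CustomerKeyManager` stands in for an organization-controlled KMaaS/HSM and `CloudStore` for the provider's storage, and both names are assumptions. To stay dependency-free it uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for AES-GCM.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib stand-in for an AES stream."""
    out, counter = b"", 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return out[:length]

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = _prf(mac_key, aad + nonce + ct)
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):
        raise ValueError("authentication failed")  # tampered or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class CustomerKeyManager:
    """Stand-in for the organization's KMaaS/HSM: KEKs are created, used and
    shredded here and are never exported to the cloud store (segregation of duties)."""
    def __init__(self):
        self._keks = {}

    def create_kek(self, key_id: str) -> None:
        self._keks[key_id] = secrets.token_bytes(32)

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return aead_encrypt(self._keks[key_id], dek, aad=key_id.encode())

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._keks:
            raise KeyError(f"KEK {key_id} has been shredded")
        return aead_decrypt(self._keks[key_id], wrapped, aad=key_id.encode())

    def shred(self, key_id: str) -> None:
        """Crypto-shredding: every object wrapped under this KEK becomes unreadable."""
        del self._keks[key_id]

class CloudStore(dict):
    """Provider-side storage: sees wrapped DEKs and ciphertext, never keys or plaintext."""

def put_object(kms: CustomerKeyManager, store: CloudStore, key_id: str, name: str, plaintext: bytes) -> None:
    dek = secrets.token_bytes(32)                      # one DEK per object
    store[name] = {
        "key_id": key_id,
        "wrapped_dek": kms.wrap(key_id, dek),
        "ciphertext": aead_encrypt(dek, plaintext, aad=name.encode()),
    }

def get_object(kms: CustomerKeyManager, store: CloudStore, name: str) -> bytes:
    record = store[name]
    dek = kms.unwrap(record["key_id"], record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"], aad=name.encode())

def is_recoverable(kms: CustomerKeyManager, store: CloudStore, name: str) -> bool:
    try:
        get_object(kms, store, name)
        return True
    except (KeyError, ValueError):
        return False

if __name__ == "__main__":
    kms, store = CustomerKeyManager(), CloudStore()
    kms.create_kek("tenant-kek-2024")                  # constructed key id
    put_object(kms, store, "tenant-kek-2024", "contracts/msa.pdf", b"sensitive contract text")
    print(get_object(kms, store, "contracts/msa.pdf"))
    kms.shred("tenant-kek-2024")
    print("recoverable after shred:", is_recoverable(kms, store, "contracts/msa.pdf"))
```

The object's ciphertext still sits in `CloudStore` after the shred, which is the point: end-of-life deletion is enforced by the organization's key manager, not by trusting the provider to purge storage.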
For protecting data on SaaS applications, CASBs are used. This technology combines protection of data in transit through proxy integration with protection of data at rest through API integration. CASB audit capabilities help discover a shadow IT environment and so support the implementation of standard governance policies. Most industry-leading CASB solutions can be integrated with on-premises DLP solutions to extend current protection policies to the cloud. This combination extends the enterprise’s own IT governance policies and government regulations to third-party software and storage in the cloud, between the cloud service consumers and cloud service providers.
A global investment company headquartered in Singapore began a cloud-first strategy that included public cloud, private cloud and multiple SaaS applications. Infosys designed and implemented their end-to-end data protection using a Symantec DLP for on-premises and integrated it with a CASB solution to extend similar protection to SaaS and IaaS. A CASB audit helped discover a shadow IT environment, while an AI-based UEBA helped identify access anomalies and prevent security incidents.