DLP: Hoppin’ on the cloud bandwagon


As IT operations and applications continue to shift from on-premises to the cloud, it necessarily follows that files and sensitive data are moving to the cloud as well.  Judging by the rapid adoption of cloud apps like Office 365, Dropbox, and Google Apps, it’s fair to say that IT departments know they must take steps to protect their highly valuable corporate data sitting in these apps.  There’s even a high probability that this corporate data is subject to regulations like PCI, SOX, and HIPAA that require organizations to meet certain security and compliance standards.

Throw into the mix the proliferation of personal devices (BYOD) for work-related purposes and you’ve got a potential tinderbox on your hands when it comes to preventing the leakage of sensitive data.  Compounding matters is that many (perhaps most) of these personal devices are unmanaged, in that IT either doesn’t even know about them or doesn’t have policies in place to manage what folks are doing work-wise on these devices.

Consider the following scenarios and see if any hit close to home:

  • “How can I tell what personally identifiable information (PII) data is stored on OneDrive and how can I automate a clean-up procedure?”
  • “Was it Tom, the guy we fired last week, who just now tried to share from his Dropbox account our presentation with lots of competitive information in it with his new colleagues?”
  • “Which of the finance guys downloaded the Word file that had our customers’ banking information and account numbers to his personal iPad last night? He wasn’t supposed to do that.”

Nowadays, organizations usually have some kind of on-premises data leak prevention (DLP) solution already in place.  The problem is that they don’t handle cloud app traffic very well, if at all. The inherent benefits of cloud apps – namely their ready accessibility from anywhere, anytime, from any device (trusted or untrusted) – quickly expose the limitations of on-prem DLP systems. On-prem DLP systems simply can’t prevent sensitive files from being downloaded to untrusted (i.e., unmanaged) devices. The reverse is also true: they can’t prevent uploads of sensitive files to cloud apps from untrusted devices.

Additionally, cloud storage and collaboration services like Dropbox and Box allow users to share files with external parties in a way that on-prem DLP systems can’t track.  The files are already stored in the cloud long before the sharing operation is carried out, and therefore, when a user does share a specific piece of content, it won’t trigger a DLP policy. In essence, legacy DLP systems don’t know when a sharing action took place with an external party because they don’t understand the underlying protocols.

Imperva Skyfence, however, does understand when such an action takes place, because it was built on the premise that today’s DLP must also address the cloud and mobile use cases. Doing this requires fundamental changes in how data sitting in cloud apps is best secured. Today, we announced the release of our latest version (v4.5) of the Imperva Skyfence Cloud Gateway, enabling IT to gain more control over their data.

This includes classifying data, stopping data proliferation to unmanaged devices, monitoring high-risk user behavior, and looking for anomalous activity. Skyfence offers much flexibility in policy setting through its support for hundreds of data types out of the box while allowing customers to define their own data types, too, to meet their specific requirements.

Examples of pre-defined data types include support for the most common regulations in effect today, such as SOX, HIPAA, PCI DSS, PII, PHI, and more.  Skyfence scans content in real time, looking for policy violations. Policies can be established based on keywords, regular expressions, dictionaries, and Luhn verification, to name a few criteria.
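As an added illustration (not Skyfence’s code), the Python below shows how the four criteria named above combine into one content-classification rule: a regular expression finds card-number candidates, a Luhn check discards digit runs that are not card numbers, and keyword and dictionary matches add context; the KEYWORDS and DICTIONARY sets, the sample text and the managed/unmanaged device flag are constructed assumptions.

```python
import re

# Constructed sample policy: keyword list, a dictionary of regulated finance
# terms, and a regex-plus-Luhn rule for payment card numbers (PCI DSS).
KEYWORDS = {"confidential", "internal only"}
DICTIONARY = {"iban", "routing number", "account number"}
# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """The regex finds candidates; Luhn weeds out order numbers and similar noise."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def classify(text: str) -> dict:
    """Apply all four criteria and report what matched."""
    lowered = text.lower()
    return {
        "keywords": sorted(k for k in KEYWORDS if k in lowered),
        "dictionary": sorted(t for t in DICTIONARY if t in lowered),
        "card_numbers": find_card_numbers(text),
    }

def policy_violated(text: str, device_managed: bool) -> bool:
    """Block a download when the content is financial and the device is unmanaged."""
    c = classify(text)
    financial = bool(c["card_numbers"]) or bool(c["dictionary"])
    return financial and not device_managed

# Constructed sample document; the card number is a publicly known test value,
# the order reference is a digit run that fails the Luhn check.
SAMPLE = "Internal only: customer card 4111 1111 1111 1111, order ref 1234567890123."
```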


[Figure: Example of a custom policy to block downloads of financial documents to unmanaged devices]

In this release, Skyfence also extends traditional DLP to the cloud and mobile arenas by enabling you to leverage your existing DLP infrastructure and policies. Specifically, it integrates with external DLP solutions through the ICAP interface. In effect, Skyfence becomes the policy enforcement point for your cloud apps by applying your existing policies to the cloud app scenarios outlined above.

With all the valuable data stored in the cloud these days, it thus makes sense to extend your existing DLP policies to the cloud. The party’s happening in the cloud and Skyfence is along for the ride, too, except we’re not party-crashers. Think of us as the security detail to make sure everyone and everything stays safe.