DLP architecture explained: on-premise - CASB - Cloud - SSE

Data Loss Prevention (DLP) with work-from-home SASE secure edge;

Above: users on-premise or remote use a SASE solution to access applications

Many companies went through a "transformation" in 2020 to an environment where users work from home (WFH) while accessing a mix of on-premise and cloud-based resources. Companies quickly adopted collaboration toolsets to accommodate WFH. These toolsets, cloud apps, and WFH devices are now routinely used to share and store sensitive data in day-to-day work, often with little control, policy, or user training in place. Much of that data falls within the scope of regulated or otherwise protected data, so critical data must not be exposed. Visibility and control over sensitive data in cloud apps and on user devices has become a priority for most organizations.

A good example is the many tools that scan GitHub for exposed secrets using "dorks" (search queries for telltale patterns), including API keys that grant full access to private data and worse.
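As an added illustration of that kind of scanning (example code written for this page, not any particular secret-scanning tool), the JavaScript below runs a small rule set over constructed repository contents: two rules keyed on fixed, well-known key formats and a generic rule that flags long values assigned to secret-looking names only when their Shannon entropy is high enough to look like key material. The rule names, thresholds and sample lines are assumptions; the AWS values are the placeholder credentials from AWS's own documentation, and the rest are made up here.

```javascript
// Added example (not from the original page or any specific tool): a minimal
// exposed-secret scanner of the kind used to "dork" GitHub for leaked keys.
// Rule set, thresholds and the sample lines are assumptions for illustration.

// Shannon entropy in bits per character: random keys score high, prose and
// placeholder values ("aaaa...") score low, which filters obvious false positives.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Two rules keyed on well-known fixed formats (AWS access key IDs are 20 chars
// starting with AKIA; classic GitHub tokens are ghp_ plus 36 chars), and one
// generic "<secret-ish name> = <long value>" rule gated on entropy.
const RULES = [
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g, minEntropy: 0 },
  { id: 'github-pat',        re: /\bghp_[A-Za-z0-9]{36}\b/g, minEntropy: 0 },
  { id: 'generic-high-entropy',
    re: /(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['"]?([A-Za-z0-9_\-\/+=]{20,})['"]?/gi,
    minEntropy: 3.5 },
];

// Show only the first and last characters so the finding itself does not leak the secret.
function mask(secret) {
  return secret.slice(0, 4) + '...' + secret.slice(-2);
}

function scanLine(line, lineNo) {
  const hits = [];
  const seen = new Set();  // a value reported by a specific rule is not re-reported by the generic one
  for (const rule of RULES) {
    rule.re.lastIndex = 0;
    let m;
    while ((m = rule.re.exec(line)) !== null) {
      const secret = m[1] || m[0];
      if (seen.has(secret)) continue;
      const entropy = shannonEntropy(secret);
      if (entropy < rule.minEntropy) continue;
      seen.add(secret);
      hits.push({ rule: rule.id, line: lineNo, entropy: Number(entropy.toFixed(2)), preview: mask(secret) });
    }
  }
  return hits;
}

function scanText(text) {
  return text.split('\n').flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample "repository" contents. The AWS values are the placeholder
// credentials from AWS's own documentation; the rest are made up here.
const SAMPLE_REPO = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  'GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8',
  'password = "hunter2"',                        // too short to be a key
  'token = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',  // long but zero entropy: a placeholder
  'api_key = "q9Vt2LmX8pRz4Kd7WsHn0YbJ3"',
].join('\n');

for (const hit of scanText(SAMPLE_REPO)) {
  console.log(`line ${hit.line}: ${hit.rule} (entropy ${hit.entropy}) ${hit.preview}`);
}
```

Run with node: four findings are reported (lines 1, 2, 3 and 6); the short password and the zero-entropy placeholder are ignored, and the GitHub token is reported once even though both the specific and the generic rule match it. In practice the entropy threshold is the knob that trades missed short keys against noise from base64 blobs and hashes.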

VPNs have evolved into smarter, more robust and flexible virtual networks, a category analysts coined "SASE" (Secure Access Service Edge) in 2019. The SASE client allows access to corporate apps and application environments while also securing access to the public web. The client can perform its own scanning and steer traffic to authentication and CASB services (shown below). DLP monitoring can sit on the endpoint or within the CASB, which makes it possible to manage data on managed endpoints and data flowing through sanctioned cloud apps. In advanced deployments this monitors and protects data both at the endpoint and at the cloud application gateway.

Many startups have removed the VPN completely and are "pure cloud": any device, from anywhere, working against cloud-based environments. Data is then managed at the cloud application rather than on the device, which matters for unmanaged devices such as phones, where installing a client or maintaining remote clients has become difficult.

Many companies have also adopted cloud development operations (DevOps) to take advantage of IaaS architectures. These applications are often public facing and access critical data on the back end, which provides another vector of data risk that must be protected and monitored for leakage. DevOps should also implement one of the following DLP programs, though not necessarily the same one used for internal users.

The following sections discuss adding DLP to a secure user or app edge: edgeless cloud (API-based), CASB, and legacy on-premise DLP.


Data Loss Prevention (DLP) as a Cloud API, edgeless cloud infrastructure;

Above (left to right): users access cloud applications, the data is managed via API, and the intelligence derives from cloud-based analytics and controls

For many companies this is the future of the workplace: it maximizes productivity, availability and compliance at the lowest cost of doing business.

SaaS: security and data management as a service is available for user environments as well as application development environments.


The cloud-based API architecture for DLP allows advanced features that were not previously available, such as AI classifiers that find sensitive data with high accuracy and minimal setup. Vendors that build API-based DLP can plug into nearly any app that exposes an external API, including on-premise apps.

These APIs also feed AI models that learn normal user and application behavior and apply that accuracy to security decisions and automation. This is especially useful when monitoring for abnormal behavior or predicting outcomes from behavior.

Web, data, email and system security all benefit greatly from cloud-based AI and behavioral analysis when the models are trained on massive global sample sets.


Advantages
-Scalable
-Fast time to value
-Greatest level of visibility
-Best option when starting a business of any size

Disadvantages
-Still requires expertise
-Cloud migrations are complicated




Data Loss Prevention (DLP) in a CASB solution;

Above (left to right): SASE edge users are forced to a proxy for certain applications

Cloud Access Security Broker (CASB) is the transitional step between on-premise services and cloud API DLP. A modern, robust CASB solution will have elements of both on-prem and cloud API integration. In proxy mode, CASB requires an endpoint agent or other traffic redirection so that cloud communication is forced through the proxy.
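One common way to force that redirection on managed browsers is a proxy auto-config (PAC) script. The following is an added example written for this page, not a vendor's configuration: the proxy address, sanctioned-app list and internal domain are assumptions. Browsers supply dnsDomainIs() and isPlainHostName() to PAC scripts; the two small stand-ins below exist only so the file can be run and tested outside a browser and should be removed when deploying.

```javascript
// Added example (not from the original page): a proxy auto-config (PAC)
// script that forces sanctioned cloud apps through a CASB forward proxy and
// lets everything else go direct. The proxy address, app list and internal
// domain are assumptions for illustration. PAC engines are old ES5
// interpreters, so the script avoids modern syntax.
var CASB_PROXY = "PROXY casb-proxy.example.internal:8080";                      // assumed
var INSPECTED_APPS = ["box.com", "dropbox.com", "sharepoint.com", "slack.com"]; // assumed sanctioned apps
var INTERNAL_DOMAIN = ".corp.example";                                           // assumed

// Browsers provide these two helpers to PAC scripts. The stand-ins below are
// here only so the file runs outside a browser; drop them when deploying.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Exact match or a subdomain of a sanctioned app. The leading "." prevents
// "notbox.com" from matching "box.com".
function isInspectedApp(host) {
  for (var i = 0; i < INSPECTED_APPS.length; i++) {
    var app = INSPECTED_APPS[i];
    if (host === app || dnsDomainIs(host, "." + app)) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet names and the corporate domain never go to the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Sanctioned apps go through the CASB with no DIRECT fallback: if the proxy
  // is down the app is unreachable (fail closed) rather than uninspected.
  if (isInspectedApp(host)) return CASB_PROXY;
  // Everything else bypasses the CASB; the SASE client or secure web gateway
  // covers general web traffic.
  return "DIRECT";
}
```

Note the deliberate absence of a "; DIRECT" fallback for the sanctioned apps: a PAC that fails open lets users reach the app uninspected whenever the CASB proxy is unreachable, which silently defeats the DLP control while looking like it works.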

Advantages
-A transitional step to full cloud
-Handles shadow IT

Disadvantages
-Data inspection is hard for proxy-based CASB architectures (traffic must be decrypted inline, and apps that pin certificates cannot be proxied)
-OCR is not practical in a CASB proxy; it should be done via the cloud API instead
-Difficult on phones and BYOD devices





Traditional on-prem Data Loss Prevention (DLP);

Above: on-prem DLP with endpoint and proxy/firewall traffic inspection points

Traditional on-premise DLP consists of inspection gateways and endpoint agents covering local applications, removable media, local app data controls, print screen and copy & paste, email, and web data leaks.
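As an added example of the inspection and policy step those agents and gateways perform (written for this page, not taken from any DLP product), the script below classifies a text buffer, validates card-shaped numbers with the Luhn check to suppress false positives such as order numbers, and applies a per-channel policy (external email, removable media, clipboard) that fails closed for channels it has no rule for. The policy table, channel names and sample strings are assumptions.

```javascript
// Added example (not from the original page or any DLP product): a minimal
// endpoint-style DLP decision. Content is classified by the protected data it
// carries, card numbers are Luhn-checked to cut false positives, and a
// per-channel policy decides allow / alert / block. The policy table, channel
// names and sample text are assumptions for illustration.

// Luhn check over a string of digits (the check digit used by payment card numbers).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13-19 digit runs with optional space/dash separators, kept only if Luhn-valid,
// so order numbers and phone numbers that merely look card-shaped are dropped.
function findCardNumbers(text) {
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  const found = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Each classifier returns how many matches it found in the buffer.
const CLASSIFIERS = {
  pci: (text) => findCardNumbers(text).length,
  confidential: (text) => (text.match(/\bCONFIDENTIAL\b/g) || []).length,
};

// Egress channel -> classification -> action. Any channel/classification pair
// not listed is blocked (fail closed); unclassified content is always allowed.
const POLICY = {
  'email-external':  { pci: 'block', confidential: 'block' },
  'removable-media': { pci: 'block', confidential: 'alert' },
  'clipboard':       { pci: 'alert', confidential: 'allow' },
};
const SEVERITY = { allow: 0, alert: 1, block: 2 };

function classify(text) {
  const result = {};
  for (const [name, count] of Object.entries(CLASSIFIERS)) {
    const n = count(text);
    if (n > 0) result[name] = n;
  }
  return result;
}

// The most severe action across all classifications found wins.
function evaluate(text, channel) {
  const classes = classify(text);
  const rules = POLICY[channel] || {};
  let action = 'allow';
  for (const name of Object.keys(classes)) {
    const a = rules[name] || 'block';
    if (SEVERITY[a] > SEVERITY[action]) action = a;
  }
  return { channel, classes, action };
}

// Constructed samples. 4111 1111 1111 1111 is the widely used Visa test number;
// 1234 5678 9012 3456 is card-shaped but fails the Luhn check.
const SAMPLES = [
  ['Order 1234 5678 9012 3456 shipped today', 'email-external'],
  ['Card 4111 1111 1111 1111 exp 12/26', 'removable-media'],
  ['Card 4111-1111-1111-1111', 'clipboard'],
  ['CONFIDENTIAL roadmap draft', 'removable-media'],
  ['Card 4111 1111 1111 1111', 'web-upload'],
];
for (const [text, channel] of SAMPLES) {
  const r = evaluate(text, channel);
  console.log(`${channel}: ${r.action} ${JSON.stringify(r.classes)}`);
}
```

The Luhn step is what keeps an endpoint agent from blocking every invoice that carries a 16-digit order number; the explicit fail-closed default for unlisted channels is the policy-expertise point the disadvantages list below refers to, since a policy that silently allows a channel nobody configured is the usual way on-prem DLP leaks.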


Advantages
-Most mature model

Disadvantages
-Requires DLP policy expertise for effectiveness
-Requires in-house application support and maintenance









