By Anand Ramanathan
Chief Product Officer, Skyhigh Security


Welcome to our first blog in the monthly Skyhigh Security “Ask Me Anything” series! We invite our audience to submit burning security-related questions on LinkedIn or Twitter, through direct message or as a comment on our post.

This time, the topic is Data Loss Prevention (DLP). We put two questions on DLP to the vote:

  1. Is DLP really needed in a non-regulated environment? (46%)
  2. Why does DLP in the cloud matter? (54%)

The majority of our audience selected “Why does DLP in the cloud matter?” Let’s dive in.

In today’s work-from-anywhere world, your organization is doing more and more with data in the cloud, whether that is daily use of Software-as-a-Service business applications like Microsoft 365, Dropbox, or Slack, or proprietary software running on public cloud platforms like Amazon Web Services (AWS). Because that data is no longer secured within the four walls of the corporate network perimeter, it is exposed to misuse, theft, and accidental loss.

Protecting your data in motion and at rest with the right cloud Data Loss Prevention (DLP) solution is essential. To secure your cloud environment, you have probably considered Security Service Edge (SSE) solutions. As you review available cloud-delivered security services, ask about DLP capabilities. You’ll want to make sure your chosen solution provides consistent, unified data protection, with the same corporate policies across all devices and across all SSE components.

Here’s why you need a comprehensive DLP solution built into your cloud security infrastructure.

  • Sensitive data can be uploaded to or exfiltrated from a Shadow IT application.
    There’s nothing wrong with having a flexible policy that allows your users to access cloud applications or services that are unauthorized by IT in order to collaborate with peers or stay productive. But you want to make sure you protect your valuable corporate data.

    The best way to do this is by applying your corporate policies at your Secure Web Gateway (SWG), which sits inline in the traffic path and inspects uploads for sensitive data before they leave the network. Keep in mind that nearly all cloud application traffic is HTTPS, so inline inspection only sees the content if the SWG performs TLS interception on that traffic; unsanctioned applications that are exempted from interception are also exempted from content-based DLP.
  • Not all data should be shared across all cloud applications, even if they are sanctioned.
    Your users access trusted, sanctioned cloud services nearly every day, but that does not mean every user should be able to share sensitive data through every one of them. For example, you probably would not want the accounting department to share sensitive financial information in a Microsoft 365 Excel workbook with other business units.

    That is where a robust Cloud Access Security Broker (CASB) comes in. It detects sensitive data stored, in use, or in motion in the cloud and blocks sharing according to policy. A CASB applies controls based on user identity, service, application, activity, location, or endpoint, and can detect cloud-based threats like ransomware and malware.
  • In-house applications developed on public cloud platforms often lack data controls within the application and in the development environment.
    More than likely, your internal DevOps teams build and deploy applications on public cloud platforms like AWS or Microsoft Azure, among others. Don’t fall into the trap of thinking these cloud applications are secure by default. A common mistake is leaving the storage an application uses, such as an S3 bucket, readable or writable by anyone: any sensitive data it holds is then exposed to whoever discovers the bucket name, and an attacker can also plant or overwrite content the application later trusts. If your valuable data gets into the wrong hands, ultimately your organization is accountable for the breach.

    How do you prevent this? A Cloud-Native Application Protection Platform (CNAPP) provides visibility into sensitive data stored in the public cloud or any multi-cloud environment. It identifies vulnerabilities, misconfigurations, risky behaviors, and malware in these applications and remediates threats automatically. To fully harden applications, CNAPP helps developers integrate and maintain security in cloud applications and workloads by discovering, classifying, and prioritizing risk across public cloud providers, applications, and data.
  • Remote connectivity puts data at risk, even when corporate-issued devices access approved applications.
    If your organization supports a remote or hybrid workforce, you’ve already come to the realization that VPN was never meant to provide efficient and safe connectivity for thousands of offsite employees. VPN is also deficient in data protection, not to mention costly.

    Many organizations are embracing zero trust network access (ZTNA) solutions, which operate on the principle of “Never trust. Always verify.” ZTNA connects users to private applications by first evaluating the trust attributes of the user, their device, and their connection before allowing access.

    But when it comes to data protection, not all ZTNA solutions look at context. Let’s say one of your people wants to access an authorized application but their corporate laptop lacks the latest antivirus updates. With a DLP engine integrated into ZTNA, you don’t have to block access for these users. Instead, you can route them to a Remote Browser Isolation (RBI) session, where they can view the application but cannot download sensitive data until their laptop has been updated.
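The four scenarios above come down to one DLP policy being evaluated with different context, whichever SSE component (SWG, CASB, or ZTNA) happens to see the traffic. The following is an added example, not Skyhigh Security’s code or policy language: a minimal content classifier (Luhn-validated payment card numbers and US SSN patterns) feeding a single decision function whose context fields (user group, whether the app is sanctioned, the action, the recipient group, device posture) and app names are all hypothetical.

```python
import re
from dataclasses import dataclass

# Content detectors. The PAN pattern is deliberately loose (13-19 digits with
# optional spaces or dashes); the Luhn check removes most false positives
# such as order numbers. The SSN pattern excludes invalid area/group/serial ranges.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of data labels found in text: 'PCI' and/or 'PII'."""
    labels = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


@dataclass
class Context:
    """Hypothetical context attributes supplied by whichever component saw the traffic."""
    user_group: str                 # e.g. "finance"
    app: str                        # destination application (hypothetical names)
    sanctioned: bool                # approved by IT?
    action: str                     # "upload" | "share" | "download"
    recipient_group: str = None     # for "share": who receives the data
    device_compliant: bool = True   # endpoint posture reported by ZTNA


def decide(text, ctx):
    """One policy, applied the same way regardless of which component enforces it."""
    labels = classify(text)
    if not labels:
        return "allow"
    if not ctx.sanctioned:
        return "block"      # SWG: sensitive data headed for a shadow IT application
    if ctx.action == "share" and ctx.recipient_group != ctx.user_group:
        return "block"      # CASB: no cross-department sharing of sensitive data
    if ctx.action == "download" and not ctx.device_compliant:
        return "isolate"    # ZTNA + RBI: view-only session until the device is compliant
    return "allow"


if __name__ == "__main__":
    # Constructed sample content; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    sample = "Attached: card 4111 1111 1111 1111 for the vendor"
    print(classify(sample))
    print(decide(sample, Context("finance", "pastebin-like", False, "upload")))
    print(decide(sample, Context("finance", "m365", True, "share", recipient_group="engineering")))
    print(decide("SSN 123-45-6789", Context("hr", "hr-portal", True, "download", device_compliant=False)))
```

The point of the single `decide` function is the page’s thesis in code: if the SWG, CASB, and ZTNA each carried their own classifier and rule set, the same file would get different verdicts depending on the path it took, and the weakest path is the one data leaks through.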
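The third scenario above, an application’s storage bucket left open to anyone, is a misconfiguration you can check for directly in the bucket policy. The following is an added example, not part of the original post and not a Skyhigh Security product feature: it evaluates an S3 bucket policy document for statements that grant the anonymous principal read or write access, shown against a constructed weak policy and its corrected form. The bucket name, account ID, and role name are hypothetical.

```python
import fnmatch
import json

# Actions that expose or alter bucket contents. Granting these to the anonymous
# principal is what turns a bucket into a public drop box or data leak.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

# Constructed sample policies (hypothetical bucket, account ID and role).
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"}
  ]
}"""

FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-uploader"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-app-uploads/*"}
  ]
}"""


def as_list(value):
    """IAM allows most fields to be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for the anonymous principal, written as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def matches_any(actions, wanted):
    """True if any action pattern ("*", "s3:*", "s3:Put*", ...) covers one of `wanted`."""
    for pattern in as_list(actions):
        for action in wanted:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def public_grants(policy_json):
    """Return (Sid, 'read'|'write') for each Allow statement open to anonymous callers.

    Deny statements, NotPrincipal/NotAction forms and conditioned grants are out of
    scope; a conditioned public grant is not flagged here and needs a manual look.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        sid = st.get("Sid", "Statement[%d]" % i)
        if matches_any(st.get("Action"), WRITE_ACTIONS):
            findings.append((sid, "write"))
        elif matches_any(st.get("Action"), READ_ACTIONS):
            findings.append((sid, "read"))
    return findings


if __name__ == "__main__":
    print("weak: ", public_grants(WEAK_POLICY))
    print("fixed:", public_grants(FIXED_POLICY))
```

The corrected policy names the one IAM role the application runs under instead of the anonymous principal, and grants only the write it needs. Bucket policies are only one of several ways a bucket becomes public (bucket ACLs and object ACLs are others), so in practice this check belongs alongside the account-level S3 Block Public Access setting, which refuses such grants regardless of what a developer puts in the policy.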

DLP technology is a must-have for a truly robust SSE solution. Skyhigh Security’s approach to DLP in the cloud checks off all the boxes:

  • Cloud-native, unified policies integrated across all data exfiltration vectors and all SSE components: SWG, CASB, ZTNA, and RBI
  • Built-in intelligence that applies policies and security controls to prevent data exfiltration
  • A single, centralized management and reporting platform
  • Multi-layered security technologies that address every data protection use case at your organization
