Cloud-based DLP offers risks, rewards

Cloud-based data loss prevention can be a worrisome option for some. Kevin Beaver explains how to measure the risk vs. reward of cloud-based DLP.

I'm evaluating cloud-based data loss prevention (DLP) products, and what concerns me is essentially having our sensitive data have any contact with the cloud. What's the best way to measure that risk vs. the benefits of what seems like a much easier way to implement DLP?

You're wise to be thinking about this, and cloud security is a completely legitimate concern. Over the past few years, I've come to see the real value in DLP technologies. If there ever was a Holy Grail of security controls, arguably DLP would be it. That said, data loss prevention can be very complicated to set up and tweak to an ideal state so it doesn't get in the way of doing business. The more complex your network, the more complex the DLP deployment will be. Plus, DLP can be very pricey if you do it well.

Given these in-house DLP challenges, I've been recommending cloud-based DLP products to my clients. They provide simple setup, simple management and lower up-front costs -- benefits all security managers and IT directors are looking for these days.

But how do you evaluate cloud-based DLP vendors? It's really no different than any of the other due diligence you're doing with prospective cloud vendors. At a minimum, your enterprise needs to consider and ask potential service providers the following questions:

  1. What are you doing beyond vulnerability scans and high-level SSAE 16 SOC 2 audits to ensure your cloud environment is secure?
  2. How long does our enterprise data stay in your environment?
  3. How long will our data stay elsewhere in the cloud?
  4. How do you handle information classification, retention and destruction? How will these processes impact our data in your environment?
  5. Will our data co-mingle with other customers' data?
  6. What do you consider an incident?
  7. What tools do you have in place to detect security problems? What are your incident response procedures?
  8. Can we be involved in the response process for forensics, vulnerability analysis, etc. to ensure our data remains secure?

You need to be your own advocate with cloud security. There's too much to lose and there's no SOC 2 report, contract or handshake that's going to make up for deficiencies in this area.

This was last published in October 2014
