Roman Sakhno - Fotolia
I'm evaluating cloud-based data loss prevention (DLP) products, and what concerns me is essentially having our sensitive data have any contact with the cloud. What's the best way to measure that risk vs. the benefits of what seems like a much easier way to implement DLP?
You're wise to be thinking about this, and cloud security is a completely legitimate concern. Over the past few years, I've come to see the real value in DLP technologies. If there ever was a Holy Grail of security controls, arguably DLP would be it. That said, data loss prevention can be very complicated to set up and tweak to an ideal state so it doesn't get in the way of doing business. The more complex your network, the more complex the DLP deployment will be. Plus, DLP can be very pricey if you do it well.
Given these in-house DLP challenges, I've been recommending cloud-based DLP products to my clients. They provide simple setup, simple management and less up-front costs -- benefits all security managers and IT directors are looking for these days.
But how do you evaluate cloud-based DLP vendors? It's really no different than any of the other due diligence you're doing with prospective cloud vendors. At a minimum, your enterprise needs to consider and ask potential service providers the following questions:
- What are you doing beyond vulnerability scans and high-level SSAE 16 SOC 2 audits to ensure your cloud environment is secure?
- How long does our enterprise data stay in your environment?
- How long will our data stay elsewhere in the cloud?
- How do you handle information classification, retention and destruction? How will these processes impact our data in your environment?
- Will our data co-mingle with other customers' data?
- What do you consider an incident?
- What tools do you have in place to detect security problems? What are your incident response procedures?
- Can we be involved in the response process for forensics, vulnerability analysis, etc. to ensure our data remains secure?
You need to be your own advocate with cloud security. There's too much to lose and there's no SOC 2 report, contract or handshake that's going to make up for deficiencies in this area.
Ask the Expert!
Perplexed about network security? Send Kevin Beaver your questions today! (All questions are anonymous.)
Data loss prevention tools for cloud security
Six DLP plans for the mobile environment
Dig Deeper on Data loss prevention technology
Related Q&A from Kevin Beaver
While most mobile platforms provide levels of security from mobile cryptojacking, IT must still be aware of the risks and procedures to address an ... Continue Reading
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.