Cloud Is Cool, but DLP Is a Sticky Wicket
Using the cloud has become second nature for today’s organizations, and in most cases, cloud enthusiasts report an overall security improvement. However, data loss prevention (DLP) remains an issue. The issue is that while cloud providers have bolstered security in recent years (which helped lead to widespread adoption of cloud technology), they have very little power to govern what end users actually use the cloud for, like sharing sensitive information.
In reality, only 30% of cloud-using organizations have DLP policies that extend “across employee devices, the corporate network, and the cloud.” Meaning that in 70% of cases, organizations have little to no oversight of end-user cloud usage. Ironically, this lack of oversight is largely due to the improvements made to cloud security (by the providers), as it has created a tendency for customers to think that cloud security is not their concern. What we are now learning is that the cost of this security smugness is lost data.
Our Take
Most of the time DLP issues are actually data classification issues, and when they’re not, they’re usually privacy-related issues. The good news is that both can be solved with a simple prioritization exercise: get a group together to brainstorm which data repositories hold the most sensitive information and then proceed to evaluate just how sensitive that data is and what kind of protections it needs. For example, if sensitive data is stored on a cloud-based file sharing platform, make sure to configure that platform to prevent unauthorized sharing or downloads.