How To Protect Encrypt Data And Avoid Data Loss Prevention On

Cloud

Detect and remediate policy inconsistencies

Policy inconsistencies can occur in two ways. In the first type of inconsistency,there is a high-risk service that is allowed, while another, lower risk service is blocked.In this instance, make a policy decision to block both, allow both, or allow only thelower risk service. All three options would eliminate the inconstancy, but you willneed to determine which option makes the most sense for your business.The second type of inconsistency occurs when a service is partially blocked.Sometime there is a legitimate reason for this type of inconsistency (e.g. Marketingneeds access to Facebook but other departments do not. More often than not, thistype of inconsistency occurs because the infrastructure cannot keep up with thevelocity of new cloud services being introduced and used by employees and thereforemany service fall in the unclassified category. Using a cloud service managementproduct that has an extensive registry of services and automatically visualizes allowedvs. denied traffic will make identifying both types on inconsistencies simple and willallow you to easily monitor progress resolving the inconsistencies.

Search for anomalies in user behaviour

When working to reduce the risk of cloud services, much attention is paid to the riskprofile of the cloud services themselves. However, often times perfectly safe andsecure cloud services can be the source of a data leak if an internal employee is actingmaliciously. Unfortunately, no proxy, firewall, or SIEM can alert the organization ofmalicious use of a legitimate service. So, the best practice is to leverage a cloudservices management product that has the ability to identify usage anomalies that areindicative of malicious behaviour.

Conduct investigations into anomalous behaviours

While a cloud service anomaly, such as the Twitter example mentioned above, is avery good indicator of malicious behaviour, and investigation must be conducted inorder to determine the context and intent of the anomalous behaviour. For example,the user associated with the IP address that had 1M tweets may have simplycontracted a malware virus that had seized her Twitter account, or she could have

been intentionally leaking confidential data. In most cases, the best practices is tolook for a legitimate business use case, compare their activity to benchmarks, andthen contact the line of business manager and corporate security to alert them of theissue, monitor their activity, and intervene if needed.

Encrypt data going to key services

It is prudent to add another layer of security to the most critical cloud services in yourorganization. The first step is to identify services that are enterprise-critical, blessed,and procured, such as Salesforce, Box, Office365, and Google. Access to thoseservices should require that employees to use their corporate identity and then accessto your enterprise's account at the service. For example, their traffic would go toacme.salesforce.com, rather than directly to salesforce.com. This means that youcan then control who has access the account, and what happens to the data sent to thisservice.

The best practice is to leverage a reverse proxy to encrypt data sent to these serviceswith your enterprise managed encryption keys. In doing so, you guarantee that evenif the provider is compromised, your data will not be. Finally, you will need toensure that your control is enforced for on-premise to cloud accesses and for mobileto cloud access. This should be done without requiring the traffic from those devicesto be back-hauled (through a VPN) into your enterprise edge first to avoid introducinguser friction.

Doing this will provide 2 distinct advantages. The first obvious advantage is thateven if the service is compromised, your data will not be because you hold theencryption keys. The second advantage is that in this era of limited data privacy, thisencryption guards against a blind government subpoena. Microsoft, Google, andBox, for example, often receive subpoenas from the government asking forinformation for a particular company, with a gag order prohibiting them from alertingthat company. By encrypting the data that lives within the cloud, the company canensure that it is notified of any investigation, as it will need to provide the encryptionkeys to government investigators.

Implement Data Loss Prevention (DLP) guidelines to avoid compliance risk

Any enterprise that utilizes cloud services should be careful about sendingconfidential data to the cloud, but if you work in a regulated industry, such ashealthcare or financial services you must be extra vigilant. Within a regulated

industry, sending confidential client information to the cloud can result in a seriouscompliance violation that would damage the reputation of the company and result inserious financial penalties. Specifically, healthcare companies must comply withHIPPA regulations, banks and financial institutions must comply with PCI guidelinesand almost every company must comply with SOX regulations. Complying withthese regulations. Any company using the cloud must have a DLP strategy in orderto comply with these regulations.

Proxies and firewalls cannot protect against the incidental transmission of personalinformation, so your cloud data security management product should be able toprovide DLP functionality to help prevent sending confidential client information tothe cloud.

Track progress regularly

Managing the risk of cloud services is not a point in time exercise. You will need tocontinually monitor the use of cloud services since new services hit the market dailyand your employees will constantly seek the latest tools to help them do their jobs.In order to drive a successful and quantifiable risk management program you willneed to determine which metrics to track and develop a methodology for gathering thedata on a regular basis.