CA Community

Securing Your Road to Virtualization & Cloud: Data Loss Prevention based on content, context and identity (Part 1 of 2)

Published: May 25 2010, 04:04 AM
by Shirief Nosseir

As security perimeters continue to blur and IT consumerization keeps fueling workforce mobilization, it is clear that security needs to be applied to the data throughout its lifecycle, rather than just to network assets. This makes it essential for virtualization and cloud computing efforts to adopt an information-centric security strategy from the very start. Following are some quick thoughts on how data loss prevention (DLP) solutions can help organizations transition to virtualization and cloud:

Planning the Move

We all know that not all data is created equal; some data types are more sensitive than others. One common dilemma businesses face in virtualization and cloud projects today, in an effort to minimize their risk profile, is prioritizing which assets should be transitioned first. Starting down the virtualization and cloud path by moving the most critical system, the one that holds the most sensitive information, is rarely the wisest choice. An increasing number of leading organizations are now leveraging DLP solutions to plan such a move. DLP tools enable businesses to discover where sensitive data is located and how it is classified. In turn, businesses can carry out risk versus value assessments and prioritize the candidates that maximize the value and minimize the risk of their transition efforts.

Unless controlled properly, data sprawl can cause a serious headache in a virtual or cloud setup. This makes regulated data particularly hard to move over to the new model. For example, service providers will find that meeting each customer's particular compliance requirements takes away some of the economies of scale that allow them to offer more competitively priced and attractive services. However, it is a capability they must offer if they want to win large, heavily regulated customers. Also, it is the enterprise, not the cloud provider, that is ultimately accountable for data compliance; all legal and regulatory obligations are the same as if the data were stored on its own premises. Enterprises must ensure the protection and compliance of their data no matter where it physically resides. Data location can be quite tricky, especially when it spans international borders. This is particularly true in Europe, where European Union data protection law restricts the transfer of, and cross-border access to, certain categories of data (personal data in particular) to countries that do not offer an adequate level of protection. Again, DLP plays a central role in identifying and classifying regulated data, which enables building a corporate information map that helps rationalize these compliance efforts.

DLP tools are, in fact, essential for enabling organizations to map their data landscape into different information zones, each of which can then be assigned to a risk category. (Mapping data into information zones is a continuous job rather than a one-off exercise: new data types are introduced all the time and risk postures change easily.) For example, highly sensitive data might be restricted to virtual servers managed behind the corporate firewall (possibly a private cloud), while only data of low sensitivity is allowed on shared infrastructure from a cloud service provider (a public cloud). This approach also helps organizations better understand the contracts and service level agreements they need to negotiate with their cloud providers. Since not all data is created equal, not all of it should be treated equally. This gives scope for various agreements with cloud providers, offering different levels of cost, transparency, availability and so on, each tailored to the characteristics of one information zone.
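The planning approach above (discover and classify, map into zones with a risk ceiling, then place and prioritize) can be made concrete. The following Python sketch is an added example written for this page; it is not CA DLP's rule set or code, and every detector, zone name, region and sample asset in it is constructed for illustration. It combines the three signal types in the title: a content rule (a card number, validated with a Luhn check so that digit runs that merely look like card numbers do not inflate the classification), a context rule (e-mail addresses inside a CRM export are personal data, and EU personal data is given a residency constraint), and an explicit label applied by the owning team. Each zone carries a sensitivity ceiling and a jurisdiction, and an asset can only be placed in a zone that satisfies both.

```python
"""Classification-driven placement of assets across information zones.
Added illustration; detectors, zones and assets are all constructed."""
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Asset:
    name: str    # path-like identifier; the prefix carries context (e.g. "crm/")
    text: str    # content the DLP scanner sees
    region: str  # where the owning business unit and its data subjects sit
    value: int   # business value of migrating this system, 1 (low) to 10 (high)


@dataclass
class Classification:
    sensitivity: Sensitivity
    tags: FrozenSet[str]
    residency: Optional[str]  # jurisdiction the data must not leave, if any


@dataclass(frozen=True)
class Zone:
    name: str
    ceiling: Sensitivity  # highest sensitivity the zone may hold
    region: str           # jurisdiction the zone's infrastructure is in


# Candidate card numbers: 13-19 digits with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(asset: Asset) -> Classification:
    """Combine content, context and label signals; the highest one wins."""
    sens, tags, residency = Sensitivity.PUBLIC, set(), None

    # Content rule: a Luhn-valid card number makes this PCI cardholder data.
    for m in PAN_RE.finditer(asset.text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            sens, tags = max(sens, Sensitivity.RESTRICTED), tags | {"pci"}
            break

    # Content + context rule: addresses in a CRM export are personal data,
    # and EU personal data carries a residency constraint.
    if asset.name.startswith("crm/") and EMAIL_RE.search(asset.text):
        sens, tags = max(sens, Sensitivity.CONFIDENTIAL), tags | {"personal-data"}
        if asset.region == "EU":
            residency, tags = "EU", tags | {"eu-residency"}

    # Label rule: an explicit marking applied by the owning team.
    if "INTERNAL USE ONLY" in asset.text.upper():
        sens = max(sens, Sensitivity.INTERNAL)

    return Classification(sens, frozenset(tags), residency)


# Zones ordered from least to most trusted (and typically cheapest to dearest).
ZONES = [
    Zone("public-cloud-us", Sensitivity.INTERNAL, "US"),
    Zone("public-cloud-eu", Sensitivity.CONFIDENTIAL, "EU"),
    Zone("private-cloud", Sensitivity.RESTRICTED, "EU"),
]


def allowed_zones(asset: Asset) -> List[str]:
    """Zones whose ceiling and jurisdiction both admit the asset."""
    c = classify(asset)
    return [z.name for z in ZONES
            if c.sensitivity <= z.ceiling
            and (c.residency is None or z.region == c.residency)]


def placement(asset: Asset) -> Optional[str]:
    """Least-trusted zone that admits the asset, or None if no zone does."""
    zones = allowed_zones(asset)
    return zones[0] if zones else None


def migration_plan(assets: List[Asset]) -> List[Tuple[str, Optional[str]]]:
    """Lowest sensitivity first, then highest value: minimise risk, maximise value."""
    ordered = sorted(assets, key=lambda a: (classify(a).sensitivity, -a.value))
    return [(a.name, placement(a)) for a in ordered]


# Constructed sample inventory.
ASSETS = [
    Asset("marketing/brochure.txt", "Our new product launches in June.", "US", 3),
    Asset("ops/runbook.md", "INTERNAL USE ONLY: restart the batch job at 02:00.", "US", 6),
    Asset("crm/eu-customers.csv", "anna@example.org,Berlin\nluc@example.org,Lyon", "EU", 8),
    Asset("finance/payments.log", "card=4111 1111 1111 1111 amount=10.00", "EU", 9),
    Asset("qa/test-data.txt", "card=4111 1111 1111 1112 amount=10.00", "US", 1),
]

if __name__ == "__main__":
    for name, zone in migration_plan(ASSETS):
        print(f"{name:24} -> {zone}")
```

Running it places the two public assets and the internal runbook on the US public cloud, pins the EU customer export to the EU public cloud because of its residency tag, and leaves the payment log, the only asset carrying card data, for the private cloud. The QA file with a Luhn-invalid number stays PUBLIC, which is the false-positive case a content-only rule would get wrong. A real DLP policy would hold many more detectors, but the shape is the same: classification decides the zone, and the zone decides which contract and SLA apply.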

In my next blog post, I'll continue to touch on how DLP can help with "Enforcing Information Control" and "Monitoring and Verifying" corporate policies in virtual and cloud environments.

Interested in a summary of recent DLP research?

My previous blog summarizes the results of a European study entitled "You sent what? - Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness."


By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

2 people have left comments:

Dear Shirief!

Hello there, nice to read such a story and to get the DLP-related info!

Actually, one point is unclear to me: is CA's DLP solution based on file labels, or on something else?

Posted by: Ivan | December 2, 2010 7:10 AM

Hi Ivan,

To suit the different requirements of organizations, CA DLP provides multiple methods and analysis techniques to identify and control information. To find out about these different techniques and how they work, I invite you to browse this paper entitled "Accurate analysis with CA DLP policies": www.ca.com/.../accurate-information-analysis-dlp-tb.pdf

Hope this helps.

Posted by: Shirief Nosseir | December 2, 2010 11:42 AM
