Netskope, the leading cloud access security broker, announced a new reference architecture for data loss prevention (DLP) in the cloud, a framework designed to help organisations more accurately find sensitive content in the cloud and integrate more efficiently with on-premises DLP solutions. Through the Cloud DLP Reference Architecture, Netskope aims to spark a collaborative approach with industry-leading cloud app, data classification, on-premises DLP, incident response and identity management providers on how existing DLP should be done when data finds its way to the cloud.
Enterprise assets are increasingly moving from applications deployed in private data centres to public cloud services. Matched with this trend is a shift in data access patterns as access locations change from campus locations to nearly everywhere, in part due to the proliferation of smartphones and tablets. As enterprise assets continue to move from applications deployed in private data centres to public cloud services, organisations need a way to extend DLP frameworks to include cloud services and accommodate these new access patterns to effectively protect corporate intellectual property and sensitive data.
Netskope was prompted to lead the development of the Cloud DLP Reference Architecture by customers in the healthcare, financial services, retail and manufacturing industries. These customers shared a common requirement in that they had invested considerable amounts in building best-in-class DLP systems for traditional network traffic, but needed to find a way to extend their efforts to the cloud.
“With the rise in ‘bring your own device’ and ‘cloud’ trends, enterprises increasingly require a solution that can monitor and protect sensitive data regardless of a user’s physical location and also provide the rich user experience expected of cloud apps,” said Krishna Narayanaswamy, co-founder and chief scientist, Netskope. “It was with that in mind that we wanted to provide guidance for IT leaders who have invested considerable resources in tuning on-premises DLP, data classification and incident response tools and workflows, yet need to extend their scope of protection to the cloud. We see our Cloud DLP Reference Architecture as a path forward for enterprise IT and the start of a conversation with the vendor community.”
In developing the Cloud DLP Reference Architecture, Netskope outlined six key tenets, which include:
- Derive context from cloud service transactions and set policy based on it before moving to the next stage of data identification: Reduce the scope of content you inspect en route to or from, or at rest in, the cloud by using cloud service transaction context such as identity, location, device, or activity. Specifically, stop activities (regardless of data type) that are non-conforming (e.g., you may have a policy that states that unmanaged devices downloading any content from a sanctioned app are disallowed).
- Use a classification framework to identify or categorise sensitive content: Use a classification framework to identify or categorise sensitive content. Apply persistent metadata to maintain that data identity as content moves to and from cloud services.
- Apply data classification to discover sensitive content in the cloud: Inspect content en route to or from, or at rest in, cloud services in order to determine if that content is sensitive. Allow conforming content to remain or pass by unencumbered.
- Quarantine and redirect potentially sensitive content to an on-premises DLP solution: To ensure a high quality user experience, quarantine remaining content and notify the user. Redirect content to an on-premises DLP solution via secure Internet Content Adaptation Protocol (ICAP) to evaluate against highly-tuned policies in order to determine violations.
- Enforce policies and initiate incident response: Enforce policy actions and initiate incident response workflows in applicable solutions, whether they are on-premises and/or in the cloud, based on ICAP responses from on-premises DLP solutions, together with the context derived from the cloud service transactions.
- Ensure user accountability: Ensure user accountability by coaching users on potential violations and allowing them to provide feedback (e.g., report a false positive or provide a justification).
Netskope™ is the leading cloud access security broker (CASB). Only the Netskope Active PlatformTM provides discovery, deep visibility, and granular control of sanctioned and unsanctioned cloud apps. With Netskope, IT can direct usage, protect sensitive data, and ensure compliance in real-time, on any device, including native apps on mobile devices and whether on-premises or remote, and with the broadest range of deployment options in the market. With Netskope, businesses can move fast, with confidence. Serving a broad customer base including leading healthcare, financial services, high technology, and retail enterprises, Netskope has been named to CIO Magazine’s top 10 cloud security startups and featured in such business media as CBS News, Wall Street Journal, and Forbes. Netskope is headquartered in Los Altos, California.