In our latest global study on cloud adoption and risk, 83% of the 1,000 enterprises we spoke to told us they store their sensitive data in the cloud. From our own real-world analysis of billions of anonymized cloud events, we can see that 66% of sensitive data lives in cloud applications sanctioned by IT and used for business and collaboration purposes, with 31% of all cloud sensitive data in Office 365 alone.
Take Office 365 as an example. Much of today’s workforce collaboration takes place via email, document sharing, and chat-based communication which are all available in Office 365. With that data synched to the cloud, we now have a significant quantity of our overall data held outside of the network perimeter. Many enterprise organizations have mature, well-developed data loss prevention (DLP) programs in place to protect against data loss at their endpoints and throughout the network. But in our global study, only 36% told us they could enforce DLP in the cloud.
The context of how data is handled in the cloud adds a new layer of requirements for enterprise DLP. When a file is uploaded to the cloud from a managed endpoint, most existing DLP technology can see and control that activity. When that document enters the cloud and is shared with another cloud user, there are no traces on the endpoint or network that on-premises DLP would catch. The activity goes unnoticed, and if the document is sensitive and shared with a third-party, you introduce the risk of non-compliance or loss of IP. You may be thinking – why don’t I just stop everything at my endpoint and network from entering the cloud? Unfortunately, that isn’t a complete solution, since data can be created within a cloud service itself, and unmanaged devices may be able to access cloud accounts, bypassing endpoint and network control.
To solve the challenge of implementing DLP in the cloud, many large enterprises such as Boeing, US Bank, and many more have adopted Cloud Access Security Broker (CASB) technology, which establishes a direct connection to cloud services via API to gain visibility and control over data within a full cloud context. In the past, implementing CASB required re-building the content rules you created for device and network DLP, such as how your own intellectual property (IP) is classified, again in the cloud. If you have different DLP engines running at your endpoint and in the cloud, your detections may also be inconsistent, and you end up managing two workflows for handling incidents.
Customers of McAfee DLP, managed by our ePO platform, can completely skip these steps and avoid the extra work. Now, the DLP content rules you build in ePO for your devices and network can be pushed to MVISION Cloud, where they can be applied to any cloud service and any cloud-native traffic that bypasses your network, with full context of collaboration and sharing. All DLP incidents from endpoint, network, and cloud are routed to ePO, so you have a single location for incident management and a consistent workflow.
Figure 1. Diagram of Device and Cloud DLP integration
One of our largest customers recently implemented this integration, which I’ll recap here. The multi-national food services company was using McAfee DLP to prevent data loss on their endpoints and network file shares, then began an initiative to discover where their data was going in the cloud and develop a strategy to protect it.
They started by assessing where their users were going in the cloud, using McAfee Web Gateway to analyze destinations and data in transit. They discovered that the vast majority of their cloud data was actually in Microsoft Office 365. This kicked off the process of setting requirements for their cloud DLP practice, which included the ability to scan Office 365 on-demand, and also enforce their DLP rules for data moving in and out of the cloud to third parties.
They determined the best solution for cloud DLP was a CASB, and after evaluating several vendors, chose McAfee MVISION Cloud. As an ePO user for endpoint and network DLP, they were able to immediately push their on-premises data classifications to MVISION Cloud, and then wrote policies for Office 365 using those classifications, giving them consistent data protection from device to cloud. Now in ePO, they are managing their data classifications for device, network, and cloud environments, and have a single location for DLP incident management and reporting, including data on web traffic from McAfee Web Gateway.
If you would like to discuss implementing device-to-cloud DLP in your organization, please reach out to us for a discussion and demonstration of these capabilities.