Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Products & Solutions

An Integrated Solution to Distributed Data Protection

MOINUL KHAN, SALAH NASSAR
July 07, 2023 - 7 min read

When I talk to customers about the IT Initiatives they have in place, most of them point to their ransomware strategy. However, when I ask them what they’re doing for data protection in particular, I often hear, “we don’t have anything yet”, or, “we’re still evaluating”. Why is it that cyberthreat protection always takes a front seat, but protecting data is only a phase 2 or phase 3 matter?

In my eyes, data is your most valuable asset, and I believe you’d be hard-pressed to find many who disagree. So why is it that data protection always gets pushed down priority lists? One reason is that many businesses have been forced to deal with the complexity and failures that come with having used various point products over the last 20 years. Network DLP, endpoint DLP, email DLP, and CASB (with DLP) all had their days in the sun as the next great point product designed to enhance data protection. Today, new solutions like cloud native application protection platforms (CNAPPs) and SaaS security posture management (SSPM) have taken hold across the industry, and while they’re extremely effective against today’s most pertinent data threats, the presence of legacy point products in their shadows only serves to increase complexity. This is not to say that network, endpoint, and email DLP, as well as CASB, aren’t important, but they only serve to cause problems when consumed as point products. Additionally, any data protection program worth its salt will need daily operations management—consisting of investigation, response, and optimization.  

With the emergence of Gartner’s Security Service Edge (SSE), data protection is in the midst of a transformation, with the goal of replacing point product complexity with integrated simplicity. Let's explore the changes being made, and uncover why an integrated approach makes the most sense for modern data protection. Remember, our sole focus is securing your data no matter where it lives, and to this end, we’ll highlight some latest innovations that are helping drive both data protection and CNAPPs alike.

 

Understanding Integrated Data Protection

Gartner's idea of an SSE is squarely focused on delivering security services through a high-performance cloud, with everything you need in one place, not spread out. By combining a Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA), you get all the protection you need, easily integrated in one location. We will, however, need to understand the CASB aspect, as there’s more to it than meets the eye.

Since data is widely distributed across endpoints and cloud apps, you need much more than just a CASB for adequate data protection. Namely, there are multiple channels that data can be lost through, and a solution built on integration will address all these channels through one cohesive platform. There are two main channels that need securing—data in motion and data at rest.   

 

Protecting Data In Motion

One of the main drivers of SSE adoption is the increase in organizations transporting sensitive data over the most untrusted network in the world: the internet. You don’t own this network, and more importantly, your data center security appliances are completely in the dark to its activity. Enter SSE and integrated Data Protection.

The top data protection use case is preventing sensitive data from leaking to the internet or via email. This is where Inline DLP comes in. Paired with capable SSL inspection (most data hides in SSL traffic), you’ll be able to find and classify sensitive data headed to the internet or email and enforce policy to control and block threats.   

Equally important is controlling cloud apps inline. Finding and blocking risky cloud app activity, like ChatGPT, is a hot data protection trend. The inline visibility you get from a CASB helps solve this use case. That said, many organizations only want to protect sensitive data, not block ChatGPT outright. To this end, look for solutions that can marry DLP with the cloud application visibility offered by a CASB, so you can enable ChatGPT while blocking any sensitive data headed to it. 

The last important component of data in motion is solving the BYOD use cases. Many organizations have contractors or users who opt to use their own unmanaged devices. Since you don’t have corporate control over these devices, you can’t ensure their security or patch levels, or even wipe the device remotely, if you so desire. Enter Browser Isolation, which allows you to enable data access without letting said data land on a BYOD device and walk away. Instead, these BYOD devices will interact with data in an isolated browser session (hosted by the SSE cloud), which prevents cutting, pasting, downloading, and printing.  This is a smart, eloquent way to solve the BYOD data protection challenge while maintaining productivity.

 

Securing Data at Rest

Another big focal point for SSE and integrated data protection is securing data at rest.  This can be a rather large category, as there are a lot of places data can go, and forms it can take, in this category. The primary point of focus for securing data at rest should be SaaS data, as users can easily share such data, much of it sensitive, in dangerous ways—either outside the company, or with open internet links. By using a CASB and leveraging the same DLP policy you created for data in motion, you can prevent this from happening by scanning data at rest in SaaS, finding dangerous shares, and easily revoking them.  

Another key area of focus for data at rest is Posture Control. Controlling your cloud posture stipulates multiple practices with the overall goal of ensuring the environments or devices holding your data aren’t exposed, misconfigured, or vulnerable.. To this end, there are a few key technologies you want to focus on:

SaaS Security Posture Management (SSPM): Built to identify dangerous misconfigurations in SaaS platforms, this approach helps close exploitable holes in apps like Microsoft 365 or Google Cloud Platform. For example, SSPM can help you ensure multifactor authentication is enabled, or that risky open shares are closed. Look for SSPM platforms that categorize risks against common compliance frameworks like NIST or SOC2, so that establishing and maintaining your required compliance posture is a snap.

Cloud Native Application Protection Platform (CNAPP): Building, deploying, and running cloud native applications in public clouds can be very complex. At any stage in the development process, vulnerabilities can be introduced that may end up exposing your data and workloads in dangerous ways. Remember that developers are not security experts and need a simple and integrated security solution that does not disrupt their productivity and agility as such. A CNAPP is designed to help discover and remediate misconfigurations and vulnerabilities across the entire application development lifecycle. Look for a CNAPP that’s integrated with solutions like data loss prevention (DLP), as more intelligent policy decisions require context that only can be provided by a unified architecture.   

Third-Party App Security: One of the biggest blind spots is the transfer of third-party data. Third-party app security scans your SaaS platforms for risky connections from third-party applications.  These applications often have known vulnerabilities or get unfettered access to your SaaS platform data. What’s more, most of them are connected to by users once, and then never used again. Finding and revoking these backdoor connections is a key to great data hygiene.

Endpoint DLP:  If your sensitive data isn’t being stored in the cloud, it’s most likely being stored on an endpoint. Many organizations want control over removable media, bluetooth, and other endpoint channels that can leak data. Additionally, there’s always a risk of short-term employees taking data with them to their next job. This is where endpoint DLP comes in. To keep these devices secure, you’ll want a unified agent that works in concert with its parent SSE platform and leverages a unified DLP policy across inline inspection.  
 

Bringing it all together

When it comes to securing data, many organizations find themselves in a non-ideal point product situation. These environments were built over years and years of organic growth, but as time goes on, they only introduce complexity and added cost, and moreover, they’re simply not sustainable. This is why forward looking organizations are embracing an integrated data protection approach that helps streamline the process of securing sensitive data. If done right, a truly integrated platform drives up efficacy, improves protection of your intellectual property, no matter where it lives, and enables IT teams to do more with less.

If you’re ready to transform your approach to data protection, or simply want to understand how it all comes together, we’re here to help. Read about our Data Protection Solution, book a demo, or dive deep into all the new innovations we announced at our latest user conference around Data Protection and CNAPPs.  

 

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.