As organizations navigate the digital landscape, protecting sensitive data from breaches and insider threats, while adhering to regulatory compliance, has become a paramount concern. As more and more data is migrated to the cloud, the challenges of maintaining visibility, security, and governance over that data have become increasingly complex.
In this blog, we will delve into three of the top challenges organizations face as they strive to protect their data, and how Zscaler can help reduce risk while also increasing productivity.
Challenges:
1. Enabling cloud app productivity while reducing risk
In today’s digital world, there is an increasing emphasis on user productivity and collaboration. This means users can work from anywhere and have the ability to access and share data as needed.
This presents a big challenge to IT teams: how to enable the best user experience without compromising security. With data widely distributed and accessible over the internet, legacy data center security just can’t keep up, so IT teams need a more modern way to secure these connections and this data. Data protection technologies like DLP and CASB are an important ingredient in meeting this challenge.
2. Preventing accidental data exfiltration
Accidental data exfiltration is another big challenge when it comes to data protection. Users often forget security best practices, and the result is data leaving the organization without anyone intending it to.
One of the biggest examples is the GitHub credential exposure problem. There have been numerous cases where developers inadvertently commit sensitive information, such as passwords, API keys, and other credentials, to a GitHub repository. Once the sensitive information is on GitHub, it can be easily discovered by bad actors using automated tools, who can then use the credentials for malicious purposes such as accessing sensitive data, stealing identities, or launching attacks on other systems.
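As an added illustration, not code from the post or from Zscaler, here is a small pre-commit style check in Python that scans file contents for credential patterns before they reach a repository. The credential formats are illustrative assumptions, the config file is constructed for the example, and an entropy threshold filters obvious placeholders out of the generic key=value matches.

```python
import math
import re
from collections import Counter

# Illustrative credential formats (assumed for this example, not a complete list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key=value style assignments such as PASSWORD = "..." or api_key: ...
    "generic_secret": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"]?([^\s'"]{8,})"""
    ),
}

def shannon_entropy(value: str) -> float:
    """Bits per character: placeholders like 'changeme' score low, real secrets high."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, min_entropy: float = 3.0):
    """Return (line_number, pattern_name) for every likely credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # Generic matches are noisy: drop low-entropy values (placeholders, examples).
            if name == "generic_secret" and shannon_entropy(match.group(2)) < min_entropy:
                continue
            findings.append((lineno, name))
    return findings

# Constructed sample of a config file a developer is about to commit.
SAMPLE = """\
# database settings
DB_HOST = "db.internal.example"
DB_PASSWORD = "s3cr3tV4lue!9x"
AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
ADMIN_PASSWORD = "changeme"
"""

if __name__ == "__main__":
    # A pre-commit hook would read the staged files instead of SAMPLE and exit non-zero on findings.
    for lineno, name in scan_text(SAMPLE):
        print(f"line {lineno}: possible {name}, refusing to commit")
```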
Another issue is collaboration in SaaS applications. SaaS data can be easily shared with unauthorized users: it takes literally two clicks to share SaaS data at rest, so users can accidentally share sensitive data.
3. Protecting data from insider threats
Insider threats can pose a significant risk to organizations, as insiders (employees, partners, contractors, etc.) have authorized access to company systems and may have knowledge of the organization's policies and procedures. Insider threats can come from malicious users who want to steal the “secret sauce,” but are often simply due to user error.
Here is an example of a user error that recently exposed sensitive patient information:
In one large breach, a global organization blamed user error for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. The developer left the credentials for an internal server on GitHub in 2021. The credentials allowed access to a Salesforce cloud environment containing sensitive patient data.
Another example, where the exposure happened due to a malicious insider:
In July 2020, it was revealed that an employee of another large organization had stolen valuable proprietary data and trade secrets over a period of eight years. This employee, who was seeking to use the information for their own professional gain and to start a rival company, gradually exfiltrated more than 8,000 sensitive files from the company's systems. It was discovered that the employee had convinced an IT administrator to grant them access to the files and had emailed commercially sensitive calculations to a co-conspirator.
How do we solve these challenges?
Solving all three of these challenges starts with the right security architecture, which revolves around a unified cloud platform, as defined by Gartner’s Security Service Edge. Let's explore the key steps needed to transform your data security with this transformative architecture.
Visibility
Visibility is the starting point of any data protection plan. Unless you have visibility into the “what, where, and how” of your applications and data, you cannot implement a strong data protection program. Visibility covers a big spectrum of use cases to make sure you do not have any blind spots.
Visibility into applications
With thousands of cloud applications being used—many of which are not IT approved—the first challenge is to efficiently get visibility into all the applications that are being used in the organization and review their potential for risk.
Visibility into application instances
You also need visibility into different application instances (e.g. determining whether an application is being accessed through a personal or a corporate instance). Can you see across different tenants? For example, after an M&A you may have multiple corporate instances of the same application across the parent and the acquired company.
Visibility into data
Organizations need visibility into what kind of data is being uploaded to SaaS applications. Often, organizations don’t want to block every single application, but want to have control over the data being uploaded: for example, whether sensitive data is being uploaded to sanctioned applications or malware is being downloaded from them.
Organizations also need visibility into what kind of data exists on corporate applications, and must ensure that it is appropriately classified, not overshared, and in compliance with regulations like GDPR, CCPA, and HIPAA.
In 2018, a healthcare center reported a data breach in which the threat actor managed to access the PHI of more than 300,000 patients. To prevent such incidents, an organization needs to first understand where its most sensitive data is stored and the risks associated with it, then put appropriate controls in place to safeguard the data. This is implemented through data discovery and DLP classification to identify, classify, and secure sensitive data across your organization.
Visibility into user activity
Another important element of visibility is understanding user activity (e.g. are there sudden download spikes from a particular user?). Visibility into user activities can help companies gain insight into potential threats or breaches.
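An added example, not from the post or from Zscaler's product: a baseline check in Python that flags a user whose daily download volume jumps far above that user's own earlier days. It runs over a constructed activity log in a hypothetical "timestamp user app action bytes" format, so the log layout and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample of a SaaS activity log: "timestamp user app action bytes".
LOG = """\
2024-03-01T09:12:00Z alice box download 12000000
2024-03-01T10:30:00Z alice box download 9000000
2024-03-02T09:05:00Z alice box download 11000000
2024-03-03T14:20:00Z alice box download 10000000
2024-03-04T08:55:00Z alice box download 950000000
2024-03-04T09:00:00Z alice box upload 4000000
2024-03-01T11:00:00Z bob gdrive download 5000000
2024-03-02T11:00:00Z bob gdrive download 6000000
2024-03-03T11:00:00Z bob gdrive download 5500000
2024-03-04T11:00:00Z bob gdrive download 6500000
"""

def daily_downloads(log_text):
    """Aggregate download bytes per user per calendar day (uploads are ignored here)."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        timestamp, user, _app, action, nbytes = line.split()
        if action != "download":
            continue
        totals[user][timestamp[:10]] += int(nbytes)
    return totals

def find_download_spikes(log_text, factor=5.0, min_history=2):
    """Flag a user-day whose volume exceeds factor x the median of that user's earlier days."""
    spikes = []
    for user, per_day in daily_downloads(log_text).items():
        history = []  # normal-day volumes used as this user's baseline
        for day in sorted(per_day):
            volume = per_day[day]
            flagged = False
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if baseline > 0 and volume > factor * baseline:
                    flagged = True
                    spikes.append({"user": user, "day": day, "bytes": volume,
                                   "ratio": round(volume / baseline, 1)})
            if not flagged:  # keep the anomaly out of the baseline it was compared against
                history.append(volume)
    return spikes

if __name__ == "__main__":
    for spike in find_download_spikes(LOG):
        print(f"{spike['user']} on {spike['day']}: {spike['bytes']} bytes, {spike['ratio']}x baseline")
```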
Visibility into application settings
Visibility into application settings is another important aspect of data protection. Some of the key elements of application settings that you might want visibility into are:
1. SaaS application posture
It’s imperative to understand the posture of all the SaaS applications being used in your organization and ensure all security configurations are aligned with the latest compliance frameworks. For example, a weak password policy or MFA disabled for some users can make the application vulnerable to attacks. Manually assessing hundreds of corporate applications in an organization is a challenging and lengthy process.
2. Third-party applications
Organizations need visibility into all the third-party applications that have been enabled using corporate credentials. This is important because when an employee logs in with corporate credentials, the third-party application asks for permission to access data (e.g. read access to Google Drive, Gmail, etc.). When the employee grants these permissions, the application now has access to their corporate Google Workspace account and the IT department doesn’t know about it. This creates issues because your employees can use a number of applications with their corporate account, and some applications are not safe (e.g., if granted access to Gmail, an application can send rogue emails).
At-scale inspection of all traffic
In addition to ensuring visibility, organizations should be able to inspect SSL traffic at scale; without that, organizations still have blind spots. All ports and protocols should also be covered by the inspection to gain full visibility.
Granular Controls
Another important prerequisite for solving these challenges is the ability to have granular controls in each of these areas:
1. Integrated shadow IT visibility and control
- View usage of all cloud applications based on the risk score
- Identify risky apps with high volumes
- Consider blocking high-risk apps for file sharing and webmail categories
- Restrict access to corporate applications using tenancy restrictions where possible
2. Data classification and remediation
- Data protection without content inspection
- Data protection with content inspection for data in motion
- Data discovery and exposure for data at rest in sanctioned apps
3. Application Settings
- SaaS security posture management controls
- Third-party OAuth control
4. Bring your own device (BYOD) controls
Now, that’s quite a list. So, the question is, how does someone start? We recommend a crawl, walk, and run strategy to implement data protection in your organization. Let’s go over how you can implement this strategy successfully and overcome the various challenges discussed earlier.
Challenge | Crawl phase: Understand your environment | Walk phase: Prevent dangerous events | Run phase: Implement advanced controls
Enabling cloud app productivity while reducing risk | | |
Preventing accidental data exfiltration | | |
Protecting data from insider threats | | |
The Zscaler Data Protection Solution is a simple but powerful way to secure all channels, ensuring the protection of all users anywhere and controlling data in SaaS and public cloud, all backed by a robust and intuitive data discovery engine.
With Zscaler’s data protection solution, you get an integrated platform providing you with:
- Cloud Data Loss Prevention - Prevents data loss to the internet by inspecting all internet and SSL traffic across all ports and protocols. The Zscaler DLP solution is backed by an advanced data classification engine that supports classification techniques like machine learning, EDM, IDM, and OCR.
- Cloud Access Security Broker (CASB) - With Zscaler integrated CASB, organizations can restore SaaS app control without the cost and complexity of third-party overlays. Get complete shadow IT visibility, block risky apps, and quickly identify dangerous data sharing—all with a single, unified DLP policy.
- Security Posture Management - Zscaler Cloud Security Posture Management (CSPM) and SaaS Security Posture Management (SSPM) scan public and SaaS clouds for risky settings or compliance violations and enable rapid remediation.
- Cloud Browser Isolation - Zscaler Cloud Browser Isolation restores data control over BYOD without requiring a problematic reverse proxy deployment. With Cloud Browser Isolation, you can stream data to BYOD as pixels only, enabling safe access and viewing while preventing download, copy, and printing.