May 2020 Summit #3: SASE for Data - Data Protection with Cloud DLP

Data context is a core principle of SASE architecture and it requires visibility to data-at-rest and data-in-motion for data loss protection (DLP) policies and rules. Intersect these objectives with the overwhelming use of cloud apps freely adopted by business units and users, and you need cloud DLP. Legacy SWG solutions using ICAP for file-based DLP analysis are blind to cloud apps and the majority of data movement and use. While traditional cloud access security broker (CASB) deployments use API protection into several dozen managed cloud apps, it is the inline deployment that provides granular control for thousands of cloud apps in use, plus web traffic. Here are five areas to consider when updating your blueprint for data loss protection. 1. First, your users are in the cloud and are now working remote. Plus, the majority of your data now resides in the cloud with wide SaaS adoption, so your DLP needs to be in the cloud. SASE involves a single pass design for data and threat protection, meaning your cloud SWG requires strong DLP for cloud and web traffic. 2. Allow/block faces the same challenges for DLP, it needs to mature to ‘allow’ with granular policy controls for data protection. The cloud brings boundary crossings between company and personal instances, managed and unmanaged cloud apps, activity and context, plus app risk factors to recommend safer alternatives. 3. While inline cloud SWG provides the foundation for cloud DLP, the benefit of SASE architecture is using the same DLP policies and rules for data-at-rest in managed apps with CASB, public cloud environments with cloud security posture management (CSPM), plus securing private access with ZTNA.