The Top Data Protection Challenges for an Enterprise

MEGHA BINDAL
February 23, 2023 - 9 min read

As organizations navigate the digital landscape, protecting sensitive data from breaches and insider threats, while adhering to regulatory compliance, has become a paramount concern. As more and more data is migrated to the cloud, the challenges of maintaining visibility, security, and governance over that data have become increasingly complex.

In this blog, we will delve into three of the top challenges organizations face as they strive to protect their data, and how Zscaler can help reduce risk while also increasing productivity.

 

Challenges:

1. Enabling cloud app productivity while reducing risk

In today’s digital world, there is an increasing emphasis on user productivity and collaboration. This means users can work from anywhere and have the ability to access and share data as needed. 

This presents a big challenge to IT teams: how to enable the best user experience without compromising security. With data widely distributed and accessible over the internet, legacy data center security just can't keep up, and IT teams need a more modern way to secure these connections and this data. Data protection technologies like DLP and CASB are an important part of the answer.

 

2. Preventing accidental data exfiltration

Accidental data exfiltration is another big challenge when it comes to data protection. Users often forget security best practices and expose data without intending to.

One of the biggest examples is the GitHub credential exposure problem. There have been numerous cases where developers inadvertently commit sensitive information, such as passwords, API keys, and other credentials, to a GitHub repository. Once it is on GitHub, it can be easily discovered by bad actors using automated scanning tools, who can then use the credentials to access sensitive data, steal identities, or launch attacks on other systems.

Another issue is collaboration in SaaS applications. SaaS data at rest can be shared with unauthorized users in literally two clicks, so users easily share sensitive data by accident.

 

3. Protecting data from insider threats

Insider threats can pose a significant risk to organizations, as insiders (employees, partners, contractors, etc.) have authorized access to company systems and may have knowledge of the organization's policies and procedures. Insider threats can come from malicious users who want to steal the “secret sauce,” but are often simply due to user error.

Here is an example of a user error that recently exposed sensitive patient information:

In one large breach, a global organization blamed user error for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. The developer left the credentials for an internal server on GitHub in 2021. The credentials allowed access to a Salesforce cloud environment containing sensitive patient data.

Another example, where the exposure happened due to a malicious insider:

In July 2020, it was revealed that an employee of another large organization had stolen valuable proprietary data and trade secrets over a period of eight years. This employee, who was seeking to use the information for their own professional gain and to start a rival company, gradually exfiltrated more than 8,000 sensitive files from the company's systems. It was discovered that the employee had convinced an IT administrator to grant them access to the files and had emailed commercially sensitive calculations to a co-conspirator.

 

How do we solve these challenges?

Solving all three of these challenges starts with the right security architecture, which revolves around a unified cloud platform, as defined by Gartner's Security Service Edge (SSE). Let's explore the key steps needed to transform your data security with this architecture.

 

Visibility

Visibility is the starting point of any data protection plan. Unless you have visibility into the “what, where, and how” of your applications and data, you cannot implement a strong data protection program. Visibility covers a big spectrum of use cases to make sure you do not have any blind spots.

 

Visibility into applications

With thousands of cloud applications being used—many of which are not IT approved—the first challenge is to efficiently get visibility into all the applications that are being used in the organization and review their potential for risk.

 

Visibility into application instances

You also need visibility into different application instances (e.g. whether a given session is using a personal or a corporate instance of the application). Can you see across different tenants? For example, after an M&A you may have multiple corporate instances of the same application across the parent and the acquired company.

 

Visibility into data

Organizations need visibility into what kind of data is being uploaded to SaaS applications. Often, organizations don't want to block every single application, but they do want control over the data being uploaded: for example, whether sensitive data is being uploaded to sanctioned applications, or whether malware is being downloaded from them.

Organizations also need visibility into what kind of data exists on corporate applications, and ensure that they are appropriately classified, not overshared, and are in compliance with various regulations like GDPR, CCPA, and HIPAA.

In 2018, a healthcare center reported a data breach in which the threat actor managed to access the PHI of more than 300,000 patients. To prevent such incidents, an organization needs to first understand where its most sensitive data is stored and the risks associated with it, then put appropriate controls in place to safeguard the data. Data discovery and DLP classification are how this is done in practice: they identify, classify, and secure sensitive data across your organization.

 

Visibility into user activity

Another important element of visibility is understanding user activity (e.g. are there sudden download spikes from a particular user?). Visibility into user activities can help companies gain insight into potential threats or breaches.

 

Visibility into application settings

Visibility into application settings is another important aspect of data protection. Some of the key elements of application settings that you might want visibility into are:

 

1. SaaS application posture

It's imperative to understand the posture of all the SaaS applications being used in your organization and ensure their security configurations meet current compliance frameworks. For example, a weak password policy or MFA disabled for some users can leave the application open to attack. Manually assessing hundreds of corporate applications is a challenging and lengthy process.

 

2. Third-party applications

Organizations need visibility into all the third-party applications that have been enabled using corporate credentials. This matters because when an employee logs in with a corporate account, the third-party application asks for permission to access data (e.g. read access to Google Drive, Gmail, etc.). Once the employee grants those permissions, the application has access to their corporate Google Workspace account, and the IT department doesn't know about it. Employees can connect any number of applications to their corporate account this way, and some of those applications are not safe (e.g., an application granted access to Gmail can send rogue emails on the user's behalf).

 

At-scale inspection of all traffic

In addition to ensuring visibility, organizations should be able to inspect SSL traffic at scale; without that, organizations would still have blind spots. In addition, all ports and protocols should be covered by the inspection to gain full visibility.

 

Granular Controls

Another important prerequisite for solving these challenges is the ability to have granular controls in each of these areas: 

1. Integrated shadow IT visibility and control

  • View usage of all cloud applications based on the risk score
  • Identify risky apps with high volumes 
  • Consider blocking high-risk apps for file sharing and webmail categories
  • Restrict access to corporate applications using tenancy restrictions where possible

2. Data classification and remediation

  • Data protection without content inspection
  • Data protection with content inspection for data in motion
  • Data discovery and exposure for data at rest in sanctioned apps 

3. Application Settings

  • SaaS security posture management controls
  • Third-party OAuth control

4. Bring your own device (BYOD) controls

Now, that's quite a list. So, the question is, how does someone start? We recommend a crawl, walk, and run strategy to implement data protection in your organization. Let's go over how you can implement this strategy successfully and overcome the various challenges discussed earlier.

 

The following table maps each challenge onto the three phases:

Crawl phase: understand your environment
Walk phase: prevent dangerous events
Run phase: implement advanced controls

Under each challenge, the bullets run in that order, from crawl-phase discovery, through walk-phase prevention, to run-phase advanced controls.

Enabling Cloud App Productivity while reducing risk

  • Monitor applications being used by employees, with risk scores and security attributes, to assess the risk exposure and identify necessary controls
  • Identify top unsanctioned applications that have the most file uploads
  • Generate a report on visibility into applications' admin settings and misconfigurations
  • Implement policies to block access entirely to apps based on risk score
  • Block access to applications based on risk attributes such as poor terms and conditions, suspicious locations, anonymous access allowed, etc.
  • Use tenant restrictions to block access to personal instances of SaaS and IaaS apps where business-sensitive data can be copied
  • Admins assign misconfigurations to their respective owners for manual fixing
  • Implement granular cloud application controls, such as allowing viewing but blocking uploads, posts, etc.
  • Restrict data access from BYOD/unmanaged devices for sanctioned applications
  • Prevent download, copy, or print of data when sanctioned apps are accessed via unmanaged devices
  • Block access for anomalous users and devices

Prevent accidental data exfiltration

  • Scan your most critical applications
  • Identify sensitive data that is externally or publicly shared
  • Monitor for any malware in your environment
  • Identify all corporate code repositories 
  • Identify all personal code repositories
  • Scan corporate repositories for hardcoded AWS, Azure, GCP, SSH, and other keys
  • Make sure there are no public repositories
  • Third-party application discovery
  • Notify and coach your end users on violations
  • Identify bulk downloads of data
  • Manually remediate high-risk violations
  • Quarantine malware
  • Create exclusions for executives and highly-sensitive data
  • Scan all of your applications
  • Automatically remediate sharing violations
  • Identify third-party OAuth access and block rogue applications
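The repository checks above (identify corporate and personal repositories, scan them for hardcoded AWS, Azure, GCP, SSH and other keys) and the GitHub credential-exposure problem described earlier are the kind of thing a small scanner catches before a commit lands. The following Python is an added example, not Zscaler's code or any product's detection logic: it scans an in-memory set of files (constructed sample content; the AWS key pair is the example pair from AWS's own documentation) with fixed-format patterns for the key types named, plus a Shannon-entropy filter on generic quoted secrets so that placeholder values such as "changeme" are not reported. The `secret-scan:ignore` marker and the 3.5 bits-per-character entropy threshold are assumptions made for the example.

```python
"""Scan repository files for hardcoded cloud credentials (added example)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

IGNORE_MARKER = "secret-scan:ignore"  # hypothetical inline allowlist marker (e.g. test fixtures)
ENTROPY_THRESHOLD = 3.5               # bits per character; a hand-tuned assumption

# Fixed-format detectors: AKIA + 16 characters is the AWS long-term access key ID
# format, the PEM header is standard, a GCP service-account JSON carries
# "type": "service_account", and an Azure storage connection string's
# AccountKey is 88 base64 characters (86 plus "==" padding).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
    ),
    "azure_storage_account_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Generic detector: a secret-looking assignment whose quoted value is long and
# high-entropy; the entropy filter drops placeholders such as "changeme".
GENERIC = re.compile(r"(?i)(?:password|secret|token|api[_-]?key)\s*[=:]\s*['\"]([^'\"]{8,})['\"]")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # first few characters only; the full secret is never stored or logged


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_file(path: str, content: str) -> list:
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        if IGNORE_MARKER in line:  # explicit allowlist for known-fake fixture values
            continue
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(0)[:8] + "..."))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "generic_high_entropy_secret", value[:4] + "..."))
    return findings


def scan_repo(files: dict) -> list:
    """files maps repo-relative path -> text content; findings come back in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


# Constructed sample repository. The AWS pair is the documented example key from
# AWS's own documentation; every other value is made up for this example.
_FAKE_AZURE_KEY = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/" * 2)[:86] + "=="
SAMPLE_REPO = {
    "config/prod.ini": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    ".env": (
        "AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=https;"
        f"AccountName=acct;AccountKey={_FAKE_AZURE_KEY};EndpointSuffix=core.windows.net\n"
        'DB_PASSWORD="changeme"\n'
        'API_TOKEN="Zq7vN2xLp9RtH4wKe8MbJ1yC6dGs0AfU"\n'
    ),
    "infra/sa.json": (
        "{\n"
        '  "type": "service_account",\n'
        '  "project_id": "example-project",\n'
        '  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...\\n-----END PRIVATE KEY-----\\n"\n'
        "}\n"
    ),
    "docs/README.md": "Set AWS_ACCESS_KEY_ID to your key (it looks like AKIA...) and never commit it.\n",
    "tests/fixtures/fake_creds.py": 'password = "Zq7vN2xLp9RtH4wKe8MbJ1yC6dGs0AfU"  # secret-scan:ignore\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted})")
```

Run as a pre-commit hook or over a clone of every corporate repository, the scanner reports six findings for the sample and nothing for the README mention of the key format, the low-entropy placeholder, or the allowlisted fixture. Findings carry only a redacted prefix, so the scanner's own output cannot become a second copy of the secret.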

Protecting Data from Insider Threats

  • Monitor applications in use and which users access each app
  • Identify which unsanctioned applications have the most file uploads
  • Monitor sensitive data types being uploaded (can vary by industry)
  • Look for tagged files being uploaded (AIP/MIP)
  • Look for password protected files
  • Identify bulk downloads of data
  • Create an incident management program to monitor files
  • Block high-risk exfiltration to unsanctioned applications
  • Educate and coach end users to use sanctioned applications
  • Recalibrate your rules
  • Gain better detection through EDM (exact data match), IDM (indexed document match), and OCR
  • Automate and recalibrate your rules
  • Create a honeypot of sensitive data and alert if anyone tries to access or move it
  • Create a user group for departing employees and enforce tighter controls
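Several of the checklist items above ("identify bulk downloads of data", the sudden download spikes mentioned under visibility into user activity, and the tighter controls for a departing-employee group) come down to one detection: compare each user's downloads on the day under review against that user's own recent baseline. The Python below is an added example of that logic, not Zscaler's code or a product rule: it runs over a constructed eight-day SaaS audit log (tuples of timestamp, user, action, bytes), takes the median of the preceding seven days as the baseline, and alerts when the current day exceeds max(ratio x baseline, absolute floor). Users with no history are judged against the floor only, and users on a hypothetical watchlist (for example departing employees) get a lower ratio and floor. The ratios, floors and sample users are assumptions chosen for the example.

```python
"""Flag per-user bulk downloads against a per-user baseline (added example)."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

MB = 1_000_000
# Thresholds are assumptions for this example, not product defaults.
NORMAL_RATIO, NORMAL_FLOOR = 5.0, 100 * MB        # alert above 5x baseline and above 100 MB
WATCHLIST_RATIO, WATCHLIST_FLOOR = 2.0, 20 * MB   # tighter rule for a departing-employee group


@dataclass
class Alert:
    user: str
    bytes_today: int
    baseline_bytes: float
    event_count: int
    watchlisted: bool


def detect_bulk_downloads(events, review_day, watchlist=frozenset(), baseline_days=7):
    """Return alerts for users whose download volume on review_day is anomalous.

    events: iterable of (timestamp, user, action, bytes). The baseline is the
    median daily download volume over the preceding baseline_days; days with
    no downloads count as 0, so a first-time heavy downloader is compared
    against the absolute floor only.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes downloaded
    review_counts = defaultdict(int)                        # user -> download events on review_day
    for ts, user, action, nbytes in events:
        if action != "download":          # uploads, views etc. are out of scope for this rule
            continue
        day = ts.date()
        per_user_day[user][day] += nbytes
        if day == review_day:
            review_counts[user] += 1

    window = [review_day - timedelta(days=i) for i in range(1, baseline_days + 1)]
    alerts = []
    for user, by_day in per_user_day.items():
        today = by_day.get(review_day, 0)
        if today == 0:
            continue
        baseline = statistics.median([by_day.get(d, 0) for d in window])
        watched = user in watchlist
        ratio, floor = (WATCHLIST_RATIO, WATCHLIST_FLOOR) if watched else (NORMAL_RATIO, NORMAL_FLOOR)
        if today > max(ratio * baseline, floor):
            alerts.append(Alert(user, today, baseline, review_counts[user], watched))
    return sorted(alerts, key=lambda a: a.bytes_today, reverse=True)


def build_sample_events():
    """Constructed eight-day audit log: seven ordinary days, then the day under review."""
    events = []
    start = datetime(2023, 2, 13, tzinfo=timezone.utc)
    for day in range(7):
        ts = start + timedelta(days=day, hours=9)
        events.append((ts, "alice@example.com", "download", 5 * MB))
        events.append((ts, "alice@example.com", "upload", 1 * MB))   # not a download; ignored
        events.append((ts, "bob@example.com", "download", 20 * MB))
        events.append((ts, "dave@example.com", "download", 20 * MB))
    review = start + timedelta(days=7, hours=14)
    events.extend([(review, "alice@example.com", "download", 25 * MB)] * 40)  # 1000 MB burst
    events.append((review, "bob@example.com", "download", 25 * MB))            # within normal range
    events.append((review, "carol@example.com", "download", 50 * MB))          # new user, no baseline
    events.append((review, "dave@example.com", "download", 60 * MB))           # 3x baseline, on watchlist
    return events


REVIEW_DAY = date(2023, 2, 20)
WATCHLIST = frozenset({"dave@example.com"})  # hypothetical departing-employee group
SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for a in detect_bulk_downloads(SAMPLE_EVENTS, REVIEW_DAY, WATCHLIST):
        print(f"{a.user}: {a.bytes_today // MB} MB in {a.event_count} downloads "
              f"(baseline {a.baseline_bytes / MB:.0f} MB/day, watchlist={a.watchlisted})")
```

On the sample, alice is flagged under the normal rule (1000 MB in 40 downloads against a 5 MB/day baseline) and dave only because the watchlist rule lowers his thresholds; bob's modest increase and carol's 50 MB with no history stay below the floor. A per-user median baseline is what keeps a habitual heavy downloader from paging the SOC every day, and the absolute floor is what keeps a brand-new account from being invisible.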


The Zscaler Data Protection Solution is a simple but powerful way to secure all channels, ensuring the protection of all users anywhere and controlling data in SaaS and public cloud, all backed by a robust and intuitive data discovery engine.

With Zscaler’s data protection solution, you get an integrated platform providing you with:

  1. Cloud Data Loss Prevention - Prevents data loss to the internet by inspecting all internet and SSL traffic across all ports and protocols. The Zscaler DLP solution is backed by an advanced data classification engine that supports techniques such as machine learning, EDM (exact data match), IDM (indexed document match), and OCR.
  2. Cloud Access Security Broker (CASB) - With Zscaler integrated CASB, organizations can restore SaaS app control without the cost and complexity of third-party overlays. Get complete shadow IT visibility, block risky apps, and quickly identify dangerous data sharing—all with a single, unified DLP policy.
  3. Security Posture Management - Zscaler Cloud Security Posture Management (CSPM) and SaaS Security Posture Management (SSPM) scan public and SaaS clouds for risky settings or compliance violations and enable rapid remediation.
  4. Cloud Browser Isolation - Zscaler Cloud Browser Isolation restores data control over BYOD without requiring a problematic reverse proxy deployment. With Cloud Browser Isolation, you can stream data to BYOD as pixels only, enabling safe access and viewing while preventing download, copy, and printing.