lions, tigers, and phi, oh my! the latest in data loss prevention in the cloud

Netskope RoadmapLions, Tigers, and PHI, Oh My!A webinar about the latest in data loss prevention in the cloud

John KindervagVice President & Principal Analyst

Forrester

Rajneesh ChopraVice President, Product

ManagementNetskope

2© 2015 Netskope. Company Confidential

Leader in cloud security and governance• Find, understand and secure

all cloud apps. Sanctioned by IT or not

• Surgical visibility and control + noise-cancelling DLP

• Working with Fortune 500 enterprises from financial services, healthcare and retail

About Netskope

© 2015 Forrester Research, Inc. Reproduction Prohibited 3

Yesterday’s data


Today’s data


And sometimes you store big data in the cloud


Selling (Worldwide Cvvs, Worldwide Fullz, UK, Usa Logins Worldwide Dumps, UK, Usa Paypal, Ebay Accounts...)

Everything else2. . . they won’t steal it.

Two types of data

1Data that someone wants to steal

Remember the four P’s

• PCI• PHI• PII• IP

3P + IP = TD

Two Effective Metrics

1. Have your networks or systems been infiltrated by malicious actors?

2. Has your toxic data been exfiltrated from your networks or systems into the hands of malicious actors?

Intrusion

Breach

10© 2015 Netskope. All Rights Reserved.

Data access patterns have evolved – almost completely

The Perimeter is GONE!

Transactions Use Multiple Platforms

June 2014 “Three Forcing Functions That Will Extend Your Data Center’s Network Services Beyond Its Walls”


DLP solutions have been tuned over and over again


DLP inspection remains firmly on-premises

WE NEED A NEW WAY OF THINKING

We need a newway of thinking about trust and

DLP

Data security and control framework

DissectData intelligence Data analytics

DefineData discovery Data classification

DefendAccess Inspect Dispose KillZero Trust


Zero Trust is . . .

A new model of information security that identifies the fundamental problem as a broken trust model where users and traffic inside the network are trusted, and those external to the network are untrusted.

Core concepts of Zero Trust

Verify and secure all resources regardless of location



Limit and strictly enforce access control



Limit and strictly enforce access control

Inspect and log all traffic

Two Effective Metrics

1. Have your networks or systems been infiltrated by malicious actors?

2. Has your toxic data been exfiltrated from your networks or systems into the hands of malicious actors?

Intrusion

Breach

Stop Data Exfil



DefendAccess


Inspect Dispose Kill

The DLP Maturity Grid

Discover Classify Consolidate Design Enforce

Cloud



DefendAccess


Inspect Dispose Kill

Killing Data = Abstracting Data via

Data Masking• Test Data

Tokenization• Credit Cards

• SSNEncryption

• Toxic Data

• Intellectual Property

CORP

SaaS

D

IaaS

DPaaS

D

D

SP

D

Private

D

INTERNET

›Use Zero Trust Network Architectural concepts in your cloud

›Stop Data Exfil›Killing Data is Effective DLP

Zero Trust Cloud Protection


Purpose-built apps

Most cloudapps

© 2015 Netskope. All Rights Reserved. Confidential 28

All cloud apps (800+ per enterprise)

All users have access

Any content

Data Loss Any activity

• Restrict to risky apps• Restrict to app category

• Restrict to users/groups• Restrict to location• Restrict to device

• Restrict to certain activities

• Restrict to content type• Restrict to fingerprinted

or exact match

Take a layered approach to address problem

© 2015 Netskope. All Rights Reserved. Confidential 29

All cloud apps (800+ per enterprise)

All users have access

Any content

Data Loss Any activity

Result: Much lower surface area for risk

Reduced content footprint

Reduced app

footprint

Reduced user

footprint

Reduced activity footprint‘Quarantine

PII data uploadedby finance team in NYC to risky cloud

storage apps’

Result• Fewer false positives • Improved accuracy• More reliable Cloud DLP

© 2015 Netskope. All Rights Reserved. 30

Fingerprinting and Exact Match

Benefits• Full coverage. Apply policies for data in motion or data at rest

• Improved accuracy. Detect even if excerpts of the sensitive data leaks with minimal misclassifications.

• Easy policy enforcement. No policy tuning needed – use the original content to translate into the policy.

Organize sensitive data in a CSV

Generate an Exact Match

hash

Augment any DLP Rule with Exact

match

Fingerprinting

Exact Match

Identify sensitive documents

Fingerprint the assets

Apply Fingerprint

policy


Fingerprinting Use Case

1. Bob wants to steal a company confidential design document

2. So, Bob copy pastes parts of this

design document into Gmail and sends it out.


Through DLP file fingerprinting organizations can detect confidential information leak even if it is copy pasted.

• Can be applied to any file type: • Zip files• Encrypted files• Password protected• Renamed files• Extension changes • ... It doesn’t matter


Exact Match Use Case

• General DLP rule looking for SSNs is generating a large number of false positives

• Apply an Exact Match to ensure coupon codes as defined are not detected

• Result is more accurate detection with fewer false positives

SSN# 578049324Coupon Code 123456789


Fingerprinting and Exact Match - DLP landscape

• All enterprise class DLP vendors boast fingerprinting and exact match capabilities. But they do not see cloud application context

• Only CASB vendors see cloud application context – most often for sanctioned apps only

• Netskope is the only CASB vendor that supports Fingerprinting and Exact Match across all cloud applications complete with deep, contextual data

35© 2015 Netskope. Company Confidential

Summary

• Much has changed since we started doing DLP

• The cloud is the perhaps the most disruptive change

• DLP in the cloud requires a different approach, but many of our previous learnings still apply

• Use of contextual information and techniques like fingerprinting and exact match make DLP for cloud targeted and less onerous from an administrative point of view.

Questions? Thank you!

lions, tigers, and phi, oh my! the latest in data loss prevention in the cloud

Technology