Data loss prevention (DLP) has traditionally been considered an on-premise activity. Software as a Service (SaaS), by definition, is not. However, DLP and SaaS represent major trends in email security with high visibility, and they are often driven by corporate initiatives and senior level decision makers.
Similar to the discovery that peanut butter and chocolate go well together when accidentally mixed, when major trends occur in the same space at the same time, interesting new opportunities arise. We now see the emergence of a new market: DLP as a Service.
Monitoring content, detecting potential information violations, keeping critical data from leaving the company, and taking appropriate action when violations occur are at the heart of DLP.
DLP can have multiple components, including DIM (data in motion), DAR (data at rest), and end point data. DIM, predominantly email and attachments, accounts for 80 percent of company DLP violations. Adding the wrong email recipient from an address book, attaching a file to an email that unknowingly contains personally identifiable information embedded in it, or trying to send confidential work home because you are trying to catch up by working late are just a few examples of how good intentions can lead to the loss of sensitive data.
Protecting this escape method means protecting a single and most important source — the gateway. If a company is looking to mitigate its DLP risk, the simplest, least expensive and most effective step is to protect this channel.
A deeper look at the other DLP components helps confirm this. DAR can be found in multiple places, rather than at a single point of departure. Data stored on devices changes over time as new content is added or modified. Policies about what should be stored on servers are often ambiguous and leave much discretion to the information owners. This results in incomplete data and a high number of false positives (incorrectly flagged as violations). DAR still leaks out through other channels — such as lost or stolen backup tapes, or emails containing proprietary information.
End point data leakage is a nightmare — and, frankly, unsolvable in many instances. Devices including printers and USB drives — or even a simple camera phone capable of taking a screen shot — represent unlimited opportunities to lose valuable information.
Well-intentioned people are always looking for ways to do their jobs better. People with criminal intent will always look for holes in security coverage. Luckily, most DLP violations are accidental, and a company demonstrating a proactive approach to DIM can eliminate most of the actual and legal risk.
The SaaS Age
SaaS has rapidly matured into a viable and strategic business alternative for many enterprise applications. Rather than purchase software or appliances, a company opts to pay an annual or monthly service fee, often on a per user basis. This model allows a company to smooth out capital expenditures, scale on demand, and free up IT from performing ongoing management of the system.
One of the most compelling aspects of SaaS is its lower total cost of ownership (TCO). Companies realize a 30 percent lower TCO when using a SaaS-based solution instead of an on-premise solution, according to McKinsey & Company. This value results from several factors: reduced deployment time; no requirement for supporting infrastructure; no need for application testing; lower training requirements; no ongoing business process change management; high visibility of costs in the service fee; and no unscheduled downtime.
Companies free up scarce IT resources to focus on more core business projects, deliver a higher quality of service, and gain from the collective experience of the SaaS vendor, which has visibility across hundreds or thousands of customers.
Specific to email security, SaaS delivers several additional benefits. Filtering email in the cloud relieves huge network congestion, cutting network loads by 60 to 90 percent. Filtering email for spam and viruses is the most basic aspect of email security. However, it remains one of the most challenging tasks. Spam and malware volumes are growing by hundreds of percent a year, and the rate of change in new attack techniques is accelerating. Pushing email filtering into the cloud so that only the valid, clean email is sent to the company dramatically reduces load, enabling other applications to work much faster. Also, it reduces the amount of bandwidth required, further reducing costs.
SaaS also delivers built-in business continuity, as two data centers are used. This redundancy at the data center level — if they’re located in different geographies — provides resiliency throughout the entire service delivery model. Finally, SaaS comes with service level agreements (SLAs) that provide a set of guarantees on the quality of service with financial remedies in the event of poor service.
Why have DLP and SaaS not crossed paths before? In a word, fear.
Previously, there was a perceived lack of security, control, trust and knowledge. The widely held belief that a company had to physically stop sensitive data within corporate walls prevented most people from even considering a hosted DLP offering. Correspondingly, there were no real hosted solutions available. Security and compliance executives did not have the basis or context for understanding security issues in the cloud, because cloud computing was a relatively new concept and rapidly evolving. Time and experience had not yet afforded a comfort level with the types and quality of security and encryption that connected a corporate network with a SaaS vendor. Accordingly, there was a general lack of trust in SaaS, as no one wanted to bet their job on being an early adopter with such a sensitive and highly visible business function.
As organizations began to outsource and adopt SaaS, a new level of knowledge and trust developed. The merits of SaaS became better understood and the benefits realized.
Recently, companies started adopting SaaS-based email security solutions at a rapidly growing rate. At the same time, leading email security vendors began offering true DLP capabilities as part of the SaaS offering. Some companies, as part of a more comprehensive solution, included DLP components in their purchase. Without much fanfare, a boundary had been broken.
The rapid growth in SaaS adoption, combined with new public awareness, built the necessary trust and knowledge in the model. The major concern about data security is starting to become better understood. Connections between companies and SaaS vendors are encrypted using TLS (transport layer security) or a similar technique so that all data between the organizations is protected. The SaaS vendor can now be considered a virtual extension of the corporate network.
Additionally, the business logic that controls whether data is flagged and blocked from being transmitted to other recipients is the critical element. Proper controls will block the data at the point of detection; incomplete logic will allow data to pass or inappropriately block valid data. The location of the service or software doing the processing is less important, as long as it remains within the extended, protected network.
Further SaaS advancements enforce other aspects of corporate security policy. For example, a dedicated environment instead of a shared or multitenant environment meets the needs of customers that do not want their data or processing commingled with that of other companies. A dedicated environment meets the more stringent security requirements of many larger companies, allowing them to make a SaaS purchase.
For companies that still seek the benefits of cloud computing but for whom deploying a DLP solution on premise is still necessary or desired, a related alternative exists, called “hybrid computing.” Hybrid combines both SaaS and on-premise solutions. One hybrid use case is to deploy a SaaS solution for inbound email security — gaining many of the benefits of SaaS — and combine it with the DLP solution on premise to address security or other concerns.
The concept of DLP in the cloud, while still new, has demonstrated not only viability, but also a value proposition beyond what can be realized with a solely on-premise solution. Overcoming the previous objections around security and trust, SaaS and DLP can now not only coexist, but also deliver additional SaaS value — such as 30 percent lower TCO, improved IT resource utilization and manageability, and business continuity.
If an organization wants the benefits of SaaS, while efficiently and effectively solving DLP risks, a SaaS-based DLP offering is worth exploring.
Paul LaPorte is the Global Solutions Manager for Proofpoint, a provider of unified email security, archiving and data loss prevention solutions.