Polymer Data Exposure Prevention for SaaS: Our DLP Approach and How it Differs from Current Solutions

In our early days at PolymerHQ, we would often get CISOs and security professionals who would roll their eyes when they heard we are tackling the data loss prevention problem for SaaS. DLP and it's close cousin CASB are probably one of the most over-hyped, under-delivered segment in the information security stack. The reason why DLP has not worked so far, especially in the cloud era, can be summarized as follows:

1. Noisy-Too many False positives.
2. Manual-Manually remediate 'quarantined' items
3. Not Situationally Aware-Bogus alerts with low efficacy

In this article, we will attempt to describe the problem of solving data security in the cloud or SaaS world. Then layout a case for a new approach, Data Exposure Prevention that seeks to tackle and provide a more complete DLP solution.

First for some historic context of what IT data security looked like in the good old days.

Legacy Tech: IT Governance for On-premises Application

IT governance in on-prem IT architecture is provisioned centrally. A designated person or team is in charge of provisioning access in conjunction with business units. We see this to be a common pattern in the financial services, healthcare and government. In Sharepoint, for example, a common pattern was to allow specific individuals access to a folder based on their group or project. If the scope of the project has changed or an employee moves to a new project requiring new datasets, they will request access to the specific database/tables or Sharepoint folders. The admin will typically be a manager or on the project management side

Modern Tech: IT Governance in the Cloud

As enterprise workflows move to the cloud, procurement is no longer a single department’s job. Any employee with a credit card can provision online databases, cloud infrastructure components, CRMs, Chats, Ticketing systems - pretty much any kind of service on the fly - and be the admin of that product.

As organizations become more cloud native, the old method of having centrally provisioned access controls is quickly becoming archaic. Frankly the notion of an admin who puts access controls and guardrails is no longer even possible and even counterproductive, due to the collaborative focus on most modern applications.

SaaS makes Cloud adoption Efficient

Modern SaaS platforms benefit from ease of use, great UI and frictionless collaboration within and outside an organization. The nature of how business operations are run has evolved due to this shift. Instead of sharing copies of Word documents for comment and review, now the document link can be shared and worked on by multiple parties.

..But SaaS Applications have Minimal Data Security Controls

The convenience of easy collaboration in SaaS is not without its downside. Ease of use also means less data control. Without centrally provisioned access controls, it’s easier more than ever to have sensitive data leak or be misused. Remote work is adding even more stress with many insecure end points and teams that are sharing and collaborating more than ever without regard to the ultimate consumer of that information (whether that entity is authorized to even access or view that information). Many tools were added quickly under duress. Now is the time to bring control and governance to those tools.

SaaS is key to Future of Work: Implications on Data Governance

Applying a legacy data loss prevention approach to the modern application stack is futile. What worked for on-prem environments does not work for SaaS due to the highly distributed and decentralized nature of SaaS applications.

What’s different about online workflows on SaaS vs on-prem applications:

1) ? ? Nature of how work is done is evolving

2) ? ? Unstructured data is the primary form of data traffic for SaaS

3) ? ? Role of the ‘IT Admin’ has become diffused with multiple owners based on business units

4) ? ? New collaboration methods (i.e. real-time) on SaaS that were never possible for on-prem systems

Why legacy DLP techniques fail for SaaS Data Security

1) ? ? Historic focus on outward bound threats has led to legacy tech stacks that are single dimensional in how data leak risks are handled. A sensitive file shared with an internal resource should be handled differently than an external party.

2) ? ? Regular expressions have been proven not to work well with unstructured data in detecting sensitive elements. This leads to noisy and inaccurate detection capability with many false positives requiring human intervention.

3)? ? This DLP operator in the loop process is expensive and does not scale with increasing amounts of data traffic for online workflows

4) ? ? SaaS applications make business processes simpler with their intuitive and modern UX. They allow for higher productivity and collaboration within an organization. Removing barriers of knowledge sharing makes it easier to share information. Legacy DLP solutions do not integrate natively with these collaboration workflows and are ill equipped to stop data exfiltration when it’s occurring.

New Approach to Data Loss Prevention

SaaS is built for collaboration, and it's important to maintain control over SaaS applications without sacrificing speed. In designing a modern DLP approach, we looked at 3 core areas:

i.? Autonomous

Safest way to secure an organization is to lock down all applications and stop all shares. Inhibiting collaboration can make information security easier but might be hugely counter-productive to how business is run. Current DLP solutions do just that by quarantining items considered to be a ‘risky’ data share. The users then have to either flag the admin to unlock the contents or (mostly) find another way to share the piece of content. The overhead involved in administrative access management nullifies all efficiencies that a SaaS application seeks to offer. We have designed a platform that does not slow down business interaction while still enforcing strong data controls.

?? ii. Value can be Quantifiable

??????????? Data Exposure Risk Score is a function of sensitive data exposed ‘publicly’ either in domains that are either internal or external. The amount of risk is higher for external facing objects, such as a patient file that is shared with an external contractor vs an internal salesperson who is not authorized to see it. Success criteria can be easily built on top of this where data loss prevention can finally be quantitatively measured to lead to an accurate ROI calculation.

iii. Granular Permissions

??????????? A granular IAM policy allowing groups within the organization to access certain types of sensitive data vs others who cannot. For example, a billing department personnel should be able to view “patient record files” while an IT contractor should not. Applying this level of permissions that applies data access policies differently for individuals across all SaaS platforms has been made possible with Polymer’s dynamic access controls. This leads to a more effective and contextual set of controls as opposed to “one-size-fits-all” and ill-fitting “off the shelf” controls.

Features of Polymer Data Exposure Prevention

1) ? ? Very high fidelity of detecting sensitive data. Low false positive rate and high true positive ratios by using Natural Language Processing in addition to regular expressions.

2) ? ? Ease of use where most installations are 1-click and a non-technical policy wizard.

3) ? ? Reducing overall exposure of sensitive data sitting ‘exposed’ in any given SaaS platform

4) ? ? Automatically stopping and prohibiting sensitive data misuse or unauthorized sharing

5) ? ? DLP operator is optional. Various remediation methods can automate data protection including but not limited to real time redaction, archiving and a self-serve model to allow authorized individuals access to content-all within a given SaaS platform.

6) ? ? Employees are the single biggest threat surface. Timely ‘nudges’ when a user violates a data sharing policy improves the overall data security risk profile dramatically, as well as educates the user in real time as to the importance of data security.

7) ? ? Measure outcomes with a Data Exposure Risk Score

8) ? ? Data map of all assets and sensitive data within SaaS

In making Risk Score a central pillar of measuring the amount of sensitive data exposure, our goal is to move beyond sound bites to delivering concrete value to customers.

Happy to discuss any kind of data security use cases. We love spitballing ideas, let’s chat. Email: [email protected]?| https://www.polymerhq.io