Wednesday, December 16, 2009

The Next Cloud Security Frontier: DLP for the Cloud

While there is a growing consensus that security is the keystone to successfully leveraging Cloud Services and Composite Applications, filtering and securing the data being exchanged is a BIG problem facing us ahead.


Viruses and malware are the STDs of the Internet, and identity theft is the virtual equivalent of counterfeiting; so, as with every other issue or requirement that faces user interactions, SOA interactions face the same challenges.

Existing Cloud Security solutions have focused on authentication and entitlements, which is where Identity & Access Management for users started. However, the next generation will need to address the “STD” and counterfeiting risks as well, as Symantec, McAfee, Sophos, and others have done with DLP and desktop security.

Vordel has recognized this emerging requirement and started addressing it with DLP functionality in their recently announced Cloud Service Broker product, which will allow customers to analyze content and act on it whether it is flowing into or out of their environment.

There are already legal precedents and implications which, if called into play, could have substantially negative financial and reputation effects on Cloud Service providers like SalesForce.com, Google Apps, and Oracle On-Demand, as well as their clients. One example outlined in this article shows how storage as a service introduces legal implications: unchecked content within a packet containing personally identifiable information (PII) or other regulated data creates a liability for the organizations that receive it.

Network World even references this as part of a likely growth trend for Enterprise Security in 2010.


So how do we get ahead of the 8-Ball on this one?

What is the risk?
  • All content sent to Cloud services must be analyzed for leaked data, in order to enable Data Loss Prevention.
  • Content-level threats (viruses, malware, PII, MIIA, etc.) need to be identified and blocked, including application-level attacks at the API and payload level.
  • It is not enough to know “Who has access to what?”; Enterprises need to know, and be able to demonstrate, what they are doing with it. Leaking PII or any regulated data creates a substantial risk to the enterprise.
  • Receiving PII, ranging from social security numbers or unencrypted credit card accounts to child pornography creates just as much liability as leaking that data.
How should we address it?
  • Architecture - Look for flexible SOA Security solutions and XML Gateways that allow for seamless integration with content filtering and protection services.
  • Don't spread STDs, i.e. Viruses/Malware – Leverage proven tools for content inspection connected to active research labs to analyze the content of packets while the packet is open, to minimize risk AND latency.
  • Stop Counterfeiting, i.e. Data Protection – Leverage the content analysis tools found in proven DLP solutions to review, quarantine, delete, protect, or stop information during the same packet inspection.
  • Protect against Internal Threat with IRM – The same risks that exist with users are shared here for services. Lock it down with IRM to seal sensitive or regulated data before it goes out the door, while still allowing business processes and services to function effectively.
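To make the gateway-side inspection the list above calls for concrete, here is a small Python filter added for this edit (it is not Vordel's product or any code from the post). It scans an outbound XML payload for PII patterns before the message leaves for a SaaS API and applies a per-data-class policy: block the call, redact the value and let the message through, or allow it. The element names, the sample payload, the two detector patterns and the policy table are all assumptions; a real deployment would hand the same payload to an AV engine and a DLP classifier rather than two regular expressions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of an outbound XML body headed for a SaaS API.
# Not from the post; the element names are assumptions.
SAMPLE_PAYLOAD = """<customer>
  <name>Jane Doe</name>
  <ssn>123-45-6789</ssn>
  <card>4111 1111 1111 1111</card>
  <note>Order 1234-5678 shipped</note>
</customer>"""

# Detectors (assumed patterns): a US social security number, and a 13-16 digit
# payment card number whose digits may be separated by spaces or hyphens.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

# Hypothetical policy: what the gateway does per data class.
# "block" stops the call, "redact" masks the value and forwards, "allow" only logs.
POLICY = {"ssn": "block", "card": "redact"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters digit runs (order ids, tracking numbers) out of card hits."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str   # element path where the data was found, for the audit log
    kind: str   # detector name
    value: str  # matched text


def _walk(elem, path):
    """Yield (path, element) for the element and all of its descendants."""
    yield path, elem
    for child in elem:
        yield from _walk(child, path + "/" + child.tag)


def scan(payload: str) -> List[Finding]:
    """Inspect every text node of the XML payload with each detector."""
    root = ET.fromstring(payload)
    findings = []
    for path, elem in _walk(root, root.tag):
        text = elem.text or ""
        for kind, rx in DETECTORS.items():
            for m in rx.finditer(text):
                if kind == "card" and not luhn_ok(m.group()):
                    continue  # fails Luhn: treat as an ordinary number, not a card
                findings.append(Finding(path, kind, m.group()))
    return findings


def mask(value: str) -> str:
    """Keep the last four characters, replace every other digit with '*'."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def enforce(payload: str, policy=POLICY) -> Tuple[str, Optional[str], List[Finding]]:
    """Return (decision, outbound_payload, findings).

    The payload is forwarded only when the decision is 'allow' or 'redact';
    on 'block' nothing leaves the gateway and the findings go to the audit log.
    """
    findings = scan(payload)
    if any(policy.get(f.kind) == "block" for f in findings):
        return "block", None, findings
    root = ET.fromstring(payload)
    for path, elem in _walk(root, root.tag):
        for f in findings:
            if f.path == path and policy.get(f.kind) == "redact":
                elem.text = elem.text.replace(f.value, mask(f.value))
    decision = "redact" if any(policy.get(f.kind) == "redact" for f in findings) else "allow"
    return decision, ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    decision, out, found = enforce(SAMPLE_PAYLOAD)
    print(decision, [(f.path, f.kind) for f in found])
    if out:
        print(out)
```

With the default policy the sample is blocked outright because of the SSN; switching the SSN class to "redact" forwards the message with both values masked. The Luhn check is the kind of secondary validation that keeps a content filter from stopping legitimate traffic over an order number, which matters in a gateway where every false positive costs either latency or a broken business process.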

As enterprises host and share data via software-as-a-service (SaaS) and Composite Applications with Public/Private Cloud services, they need to consider the use of DLP, AV, and IRM technologies to protect themselves and the information being exchanged.
