Securing the Modern Workforce
Ever wonder why phishing and all its variants never go out of style? It’s because, to a bad actor, a compromised end user is worth their weight in gold, opening the door to troves of personally identifiable information (PII) and intellectual property (IP). That’s why data loss prevention (DLP) is an essential weapon in the defensive arsenal of cyber security.
However, the prevention of end-user data loss is undergoing profound change. The prevalence of mobile users and the increasing reliance on cloud-based services has rendered traditional cyber security strategies obsolete. Formerly, if the network perimeter was protected, the interior was presumed to be safe. No more.
An end user cannot simply be trusted because he or she has gained access to the corporate network. In our opinion, the solution to this new reality, now and in the future, is Secure Access Service Edge (SASE), the cloud-delivered security architecture defined by Gartner. For a look at SASE and how we are embracing it, please see this blog entry by Rees Johnson, Sr. Director of Product Management for the Symantec Enterprise Network Group.
SASE addresses the shortfalls of traditional hub-and-spoke architectures by moving traffic inspection and policy enforcement to where modern users, applications and data reside - outside of the enterprise rather than inside. By applying SASE principles, organizations can address data loss by identifying sensitive data across any connection, regardless of where the user or device is located, what they are accessing, and where the resource being accessed is located. In other words, security goes to the traffic rather than traffic going to the security.
The SASE Approach to Data Loss Prevention
Here at Symantec, we’re pursuing a data-centric approach to cloud security - one that puts data loss prevention everywhere the users, devices, applications and data live. By converging DLP with our cloud and web security services such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA), we can intelligently inspect content at the secure access service edge without backhauling traffic bound for SaaS, IaaS or the Internet to a centralized data center. One of the benefits of this approach is that it allows security teams to readily detect sensitive data movement and consistently apply data protection policies logically closer to the resources being accessed while eliminating unnecessary latency. It also allows them to quickly remediate exposed data at the point of creation or use through inline and API-based controls.
A SASE security provider should effectively identify and classify sensitive data in encrypted traffic streams, apply a consistent set of policies to data-at-rest and data-in-motion across cloud and web services, and deliver a single-pass content inspection architecture from the cloud. SASE addresses the limitations of legacy security architectures that are fragmented between on-premises and cloud resources, and shifts security controls to wherever the users, devices, applications and data need to be.
How do you get there from here?
We believe SASE is poised to transform security and warrants consideration by enterprises because it can enable security teams to support the needs of digital business transformation and mobile workforces.
The adoption of SASE can build on many of your existing security investments, such as DLP, Cloud Access Security Broker, and Secure Web Gateway. Gartner recommends that organizations “avoid SASE offerings that are stitched together” and “evaluate the integration of the services to be orchestrated as a single experience from a single console, with a single method for setting policy.”
With that goal in mind, I’ll point out that we offer the core technologies needed to enable SASE:
- Data Loss Prevention (DLP) monitors sensitive data movement across an organization and prevents accidental or malicious exfiltration of data in motion, data at rest and data in use.
- Cloud Access Security Broker (CASB) is a policy enforcement point that sits between cloud consumers and cloud service providers, applying security policies as cloud resources and data are accessed.
- Zero Trust Network Access (ZTNA), also known as a software-defined perimeter, limits access and grants least privilege rights to users for both cloud resources as well as on-premises resources through a trust broker.
- Secure Web Gateway (SWG) inspects web traffic flowing from remote users to the internet, and enforces network security policies to filter malicious websites and content.
- User and Entity Behavior Analytics (UEBA) monitors behavior during sessions and identifies anomalies and excessive risk.
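To make the converged inspection model concrete, here is a small policy engine that does what the DLP, CASB and SWG bullets above describe in combination: classify a payload in flight (card numbers validated with a Luhn check, SSN-shaped values, confidentiality keywords), then apply one policy regardless of whether the destination is a sanctioned cloud app or an arbitrary website. This is an added illustration, not Symantec code: the classifiers, the sanctioned-app list, the policy rules and the sample flows are all constructed for the example.

```python
"""Constructed example: single-pass content classification plus policy
enforcement for data in motion, evaluated identically for every flow.
Not Symantec code; all patterns, rules and sample traffic are made up here."""
import re
from dataclasses import dataclass

# --- content classification --------------------------------------------------

# Candidate payment-card numbers: 13-19 digits, optionally split by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape (3-2-4 digits with dashes); a shape check only.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Keywords that mark intellectual property in this constructed policy.
IP_KEYWORDS = ("confidential", "internal only")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> frozenset:
    """Return the set of sensitivity labels found in a payload."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    if any(k in text.lower() for k in IP_KEYWORDS):
        labels.add("IP")
    return frozenset(labels)


def redact(text: str) -> str:
    """Mask card numbers (keep last four) and SSNs in place."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()        # not a real card number; leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    text = CARD_RE.sub(mask_card, text)
    return SSN_RE.sub("***-**-****", text)


# --- policy enforcement -------------------------------------------------------

@dataclass(frozen=True)
class Flow:
    user: str
    destination: str    # hostname the user is sending data to
    channel: str        # "saas-upload", "web-post", "api" (constructed names)
    payload: str


@dataclass(frozen=True)
class Decision:
    action: str         # "allow" | "redact" | "block"
    labels: frozenset
    reason: str
    payload: str        # payload as it will be forwarded (after any redaction)


# Constructed CASB-style list of sanctioned cloud apps.
SANCTIONED = {"corp-storage.example"}


def evaluate(flow: Flow) -> Decision:
    """One policy for every flow, wherever the user or destination sits."""
    labels = classify(flow.payload)
    if not labels:
        return Decision("allow", labels, "no sensitive content", flow.payload)
    if "PCI" in labels:
        # Card data is blocked on every channel, sanctioned or not.
        return Decision("block", labels, "card data may not leave", "")
    if flow.destination in SANCTIONED:
        return Decision("allow", labels, "sanctioned app", flow.payload)
    # PII/IP bound for an unsanctioned destination is forwarded masked.
    return Decision("redact", labels, "unsanctioned destination", redact(flow.payload))


# Constructed sample traffic for a stand-alone run.
SAMPLE_FLOWS = [
    Flow("alice", "corp-storage.example", "saas-upload", "Q3 roadmap, CONFIDENTIAL"),
    Flow("bob", "paste.example", "web-post", "card 4111 1111 1111 1111 exp 12/26"),
    Flow("carol", "paste.example", "web-post", "applicant SSN 123-45-6789"),
    Flow("dave", "corp-storage.example", "api", "ref 4111 1111 1111 1112"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = evaluate(f)
        print(f"{f.user:6} -> {f.destination:22} {d.action:6} {sorted(d.labels)} {d.reason}")
```

The point of the structure is that `evaluate` never looks at where the user is, only at what the content is and where it is going; the same rule set that blocks card data on a paste site also blocks it on the sanctioned storage app, which is the "consistent set of policies" the post calls for. The Luhn check is what keeps a card-like reference number (the last flow) from generating a false block.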
Integrating these technologies so they complement each other under the SASE umbrella means you gain a firm foundation for your organization’s cyber security now and in the years ahead. Keep an eye out for future posts on these and other technologies as we continue our discussion of SASE and what it means to you.
We encourage you to share your thoughts on your favorite social platform.