Why You Need Symantec DLP Endpoint to Protect Data in the Cloud

In the early days of corporate computing, the saying went, a CIO would not be fired for putting all of their eggs in one large basket. Truth be told, the “one-throat-to-choke” approach has never disappeared, but these days most enterprises have multiple go-to vendors because they seek best-of-breed solutions and they built this out over time.

Likewise, in the cyber security realm, there’s a tremendous push to deploy Secure Access Service Edge (SASE) for its cloud-native and comprehensive enterprise protections, but there’s no one-size-fits-every-use-case solution in the market. And while SASE is a rapidly maturing category, many enterprises overlook the key endpoint use cases that are critical to protect their data-in-use. After all, every interaction with the cloud involves an endpoint.

Consider this important endpoint DLP scenario. A growing number of cloud services are implementing TLS with certificate pinning to secure communication with their users. As a result, traditional network-based security enforcement points (secure web gateways, firewalls, IPS systems, etc.) can no longer decrypt and scan traffic to these cloud services, rendering them effectively opaque. This means such enforcement points are unable to prevent users from uploading sensitive content to these cloud services, including content containing PII covered by various regulatory regimes.

That’s a noteworthy loophole for organizations concerned about issues such as losing control of their intellectual property, potential breaches of regulatory compliance or adherence to privacy laws.

Symantec DLP on the Endpoint

In past years, the rapid shift of enterprise apps from on-premises systems to cloud-based services has caused more sensitive data to become vulnerable to misplacement or accidental exposure by inexperienced cloud users. No doubt the cloud is now the most important data loss vector. Discovery can happen in several ways, but cloud services that implement certificate pinning prevent that discovery from occurring while data is in transit.

DLP enforcement often happens with data in motion—passing through a proxy or another network component, which sends it to DLP for scanning. While Symantec technologies support this workflow, we also believe it’s important to have an option to perform deep content inspection of all network communications to capture, analyze and if necessary block sensitive content at network egress points. In SASE architectures a lot of that enforcement and scanning is performed in transit as data moves from one location to another. Without an endpoint presence to augment inspections, however, some options are unavailable to SASE. 

Symantec DLP provides comprehensive coverage from a single control point. It can monitor all activities and it knows the context and content of the file. It does not matter whether an application is using encryption or certificate pinning, because the DLP endpoint agent can comprehensively inspect the content before it is handed over to the application.

You Can’t Protect What You Can’t See

Symantec DLP has excellent content-aware detection capabilities, both on the endpoint and in the cloud, and this is a strength that cannot be overemphasized. This powerful detection enables the discovery of sensitive data—structured or unstructured—in virtually any location or file format.  Content matching, which employs keywords, patterns and properties, along with exact data matching, (the detection of data through fingerprinting or indexing structured data sources) further enhance our leading detection capabilities.

As our customers' way of working have evolved, so has Symantec DLP.  Smart devices make it so convenient to send images and PDFs, and Symantec DLP detects text embedded in images or PDFs.  Of course, a key litmus test for these DLP capabilities is whether they can protect sensitive data without impacting the workflow of busy business users. Symantec enables organizations to extend DLP detection, policies and workflows to cloud apps through integration with Symantec CloudSOC (CASB).

Data-Centric SASE is the Future

SASE is predicted to grow “by more than a factor of five between 2020 and 2025,” reports Dark Reading. It is the new paradigm for cyber defenses. The article cites Chris DePuy, 650 Group founder and analyst, in a passage that states, “It’s difficult to go to a single vendor and get a full SASE system that works in conjunction with your existing security and networking systems.”

We are proud to offer customers an Integrated Cyber Defense strategy that helps them implement many aspects of a SASE system that provides enterprise grade network and data security controls.  Armed with this intelligence, appropriate monitoring and data protection controls can be put in place, reducing the risk of sensitive data loss bypassing cloud based detection systems, and ultimately reducing your overall risk.

It may be tempting to believe that a SASE strategy is as simple as deploying a cloud secure web proxy—or even just a cloud firewall.  However, as you consider the data protection risks, you realize you need a robust, encompassing solution to deliver on a data-centric SASE outcome.