In recent years, there has been considerable organizational interest in the use of data leakage prevention (DLP) products to protect sensitive information, notably for regulatory compliance purposes (e.g., HIPAA and PCI DSS). With the advent of cloud computing, and especially the use of public clouds, what does that mean for DLP use by organizations? Are DLP and public cloud computing effectively an oxymoron? As your auditor says, it depends.
First, remember that DLP products predate the advent of cloud computing. These products were, and are, intended to help with data confidentiality when deployed within an organization. DLP products are intended to help prevent (and detect) the unauthorized disclosure of data, whether that data is sensitive, regulated, or perhaps classified. DLP products are not intended to help with assuring the integrity or availability of data when deployed within an organization.
Because DLP products were never intended to help with assuring the integrity or availability of data when deployed within an organization, do not expect these products to address integrity or availability of data in any cloud deployment model (public, private, hybrid, or community). Therefore, the issue of DLP efficacy in cloud computing is around confidentiality only. Can DLP products help to prevent the unauthorized disclosure of data in any cloud deployment model (public, private, hybrid, or community)?
Let's start with a public cloud model and the use of DLP. What was true previously with organizational use of DLP products remains true with public cloud computing: DLP can and should be a data classification policy enforcement tool. Where DLP use within an organization is intended to prevent the exfiltration of data from an organization, the use case with public cloud computing is the same: prevent the exfiltration of data from an organization to a public cloud. In practice, that probably means ensuring that any anonymization of data (i.e., the removal of sensitive or regulated information) is in fact being conducted according to your organizational data classification policy, before such data otherwise gets uploaded into a public cloud.
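One way to picture that pre-upload check, as an added example that is not part of the original article: a gate that scans an export claimed to be anonymized and refuses the upload if card numbers or SSN-formatted values remain. The two detection rules, the function names, and the sample export are assumptions constructed for illustration; a real rule set comes from your data classification policy.

```python
import csv
import io
import re

# Assumed rules for illustration only; real rules come from the classification policy.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate payment card numbers
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_export(text: str):
    """Return (line, column, rule) for each value that violates the policy."""
    findings = []
    # start=2: line 1 of the file is the CSV header
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for col, value in row.items():
            value = value or ""
            for m in PAN_RE.finditer(value):
                digits = re.sub(r"\D", "", m.group())
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    findings.append((line_no, col, "PAN"))
            if SSN_RE.search(value):
                findings.append((line_no, col, "SSN"))
    return findings

def upload_allowed(text: str) -> bool:
    """Policy decision: only exports with zero findings may leave the organization."""
    return not scan_export(text)

# Constructed sample: identifiers were tokenized, but free-text notes still leak data.
SAMPLE = """patient_id,zip3,notes
a91f,941,follow-up in 6 weeks
b22c,100,paid with card 4111 1111 1111 1111
c07d,606,order ref 1234567890123456
d55e,303,SSN on file 123-45-6789
"""

if __name__ == "__main__":
    print(scan_export(SAMPLE), "upload allowed:", upload_allowed(SAMPLE))
```

The order reference on line 4 of the sample is not flagged because it fails the Luhn check, which shows why pattern matching alone produces false positives on anonymized exports.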
Once data is in a public cloud, your organizational deployment of DLP is of no value in helping to protect the confidentiality of that data. And, your organization has no direct control over the confidentiality of your data in a public cloud in either software-as-a-service (SaaS) or platform-as-a-service (PaaS) delivery models. However, it is possible that your organization could embed DLP agents into machine images with infrastructure-as-a-service (IaaS) for some control over data associated with such machine images. Similarly, discovery of your data with DLP agents by your organization is not possible with SaaS or PaaS since your organization has no direct control over security controls used by a provider. And, to my knowledge, no SaaS or PaaS provider has deployed DLP for the benefit of its customers.
So what about the other cloud computing deployment models? What is the efficacy of DLP in private, hybrid, and community clouds? With private clouds, since your organization has direct control over the entire infrastructure, it is not a policy issue whether DLP agents are deployed in connection with SaaS, PaaS, or IaaS services. However, it may very well be a technical issue whether DLP agents inter-operate with your SaaS or PaaS services as architected. Since the hybrid cloud deployment model is applicable only to IaaS (at this time), it is possible that your organization could embed DLP agents into machine images with infrastructure-as-a-service (IaaS) for some control over data associated with such machine images. Similarly, since (currently) the only example of a community cloud [1] provides IaaS services to its customer, it is possible that your organization could embed DLP agents into machine images with infrastructure-as-a-service (IaaS) for some control over data associated with such machine images.
In summary, while DLP and cloud computing are not exactly an oxymoron, your organization should not make an assumption that what is good about DLP in your organizational deployment is good for the cloud. The efficacy of DLP with respect to the cloud is limited at best.
[1] The Defense Information Systems Agency (DISA) operates a community cloud, the Rapid Access Computing Environment (RACE), for the U.S. Department of Defense.
By Tim Mather, I-4. First published in the July edition of the I-4 members newsletter (www.i4online.com)