ℹ️ DLP + CASB to protect data at-rest
Presented by: Alex Dunbrack, Noelle Gotthardt
Originally aired on June 30 @ 5:00 AM - 5:30 AM EDT
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Alex Dunbrack, and Noelle Gotthardt.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare CIO Week Hub
English
CIO Week
Transcript (Beta)
Hello and welcome back to Cloudflare TV and to CIO Week. We're happy that everyone has joined us for all the exciting announcements already, and we're even more excited to talk about some more today.
So in this segment, we're going to talk about how two products will be working together to solve more customer problems.
I'm Noelle Gotthardt, the Product Manager for Data Loss Prevention, and I'm joined today by Alex Dunbrack, our Product Manager for our Cloud Access Security Broker, or CASB.
Today we announced that CASB and DLP will work together to start protecting data at rest, which is super exciting for us.
To kick us off, let's do a refresh on DLP, CASB, the problems they solve.
So Alex, do you want to start us off with an overview? Yeah, for sure.
So let's talk a little bit about the problem at hand for organizations, really around the world, and primarily their security and IT teams.
You know, the corporate environment in general is really evolving on a day-to-day basis, and over the last couple of years, we've seen a lot of this evolution take place, from remote workforces becoming a standard, bring your own device policies being expected at organizations, and really that transition from on-prem systems and resources to a more hybrid workspace that involves SaaS apps as well.
And really what this session will cover today, and what we're most excited to speak about, is how data in general has become so strewn everywhere, and it's become even harder to identify where it is.
Access to resources and this exact kind of data is becoming harder, and just more difficult in general to validate and manage.
And really, visibility into these aspects and areas is becoming increasingly difficult.
Yeah, I totally understand that. And from the data loss prevention side, right, customers have so much trouble understanding where their data is, who should have access to it, you know, like if it's thoroughly protected, and making sure that they feel like, you know, the applications that are storing the data are the ones they want to be storing the data, you know, like if a customer uses a certain file repository, they don't want, you know, some of their employees, you know, maybe using another, you know, some shadow IT, a different file repository, maybe they like it a little better.
So just getting that visibility into where is my sensitive data, how are my employees using it, and really making sure that it doesn't go to the wrong places can be a huge challenge.
And then, even so, for the corporate file repositories, like they become massive, there's tons of data in there, whether it be, you know, like really old projects, or upcoming projects that really shouldn't sneak out the door or customer information, there's so much information in there.
How does an IT team start to get visibility into what's our most sensitive data in here?
How do I prioritize things? So it's a huge challenge for customers.
And as we start to talk about the solutions that we get into to help solve these problems, let's talk a little bit about Zero Trust, because our products live in the Zero Trust world.
And, you know, like that's, that's the product set that we offer.
So I'm going to ask you, Alex, can you talk a little bit more about what does Zero Trust really mean?
Yeah, yeah. So Zero Trust at its core, conceptually, is not necessarily about specific products or specific features, but instead, it's an approach or a mindset or, you know, in a general security strategy.
And so as a starting point, we can we can reference in a sense, what this used to look like in the past, and where we're moving today and tomorrow.
And so in the past, you know, you'll hear this phrase used a lot, castle and moat doctrine, where essentially, once ever anyone was within the corporate network accessing resources, they were trusted by default.
In some cases, you could see that as a user or an employee connecting via a VPN to to internal resources.
And while you know, maybe that worked at one point, the problem is all that lateral movement within a network or with as as employees are accessing resources is not a trusted way by default to be leveraging a corporate network.
And so really what a Zero Trust posture in a sense assumes is that every connection, every request to access resources to to traverse a network could lead to the next data breaches is not trusted by default.
And so really, what Zero Trust today as a concept is bringing to the table is that every single connection, every single request made needs to be validated to ensure the person that's making the request is who they say they are, that the resources that they're accessing are appropriate for them to access.
And so when we start to think about that concept of Zero Trust in a more tangible way, what are those products and features that that do encompass this methodology, we can see it in a few different ways in action.
And so starting with the concept of just least privilege, which I'm sure many of you are familiar with, making sure that access to to those resources to the different areas of a network are locked down and are only accessible by the people who need access to them, that they're on the right team, that they're in the right geography.
That's one aspect of how a product can address a Zero Trust challenge.
Another is leveraging identity providers as requests are made to those resources or areas of a network where let's make sure that they are on that team.
Let's make sure they are in that geo when they are trying to access that resource.
Don't just rely necessarily on a VPN saying I am this person, I have these credentials, allow me access to everything behind it, but go a step further.
And then one other area as well is being able to apply granular rule sets in how those people are accessing those resources.
And actually, I'll go one step further too. And that's really what I think our conversation, Noel, today we'll focus around is those resources that aren't managed by your organization.
And what we're talking about there are those SaaS applications that you don't necessarily have the ability to configure or run yourself.
And the data within those unmanaged applications that you don't have the ability to control yourself.
That's one other aspect or area where SaaS security, and that's again what we'll talk about, is another frontier of Zero Trust and a very important aspect to consider.
Awesome. Great rundown, great explanation. I really appreciate that.
One of the best summaries I've heard of Zero Trust is, hey, you don't just want to lock on the front of the apartment building and anyone who gets in the apartment building can go walk around to any apartment.
You want to put a lock on every apartment door and make sure you really validate each and every entry into your own apartment.
So, great summary. I really appreciate you taking the time.
That was good. So, let's dive in a little bit more as you alluded to.
Let's talk about CASB and DLP and how they fit into the Zero Trust model. So, how does that CASB resource tie into Zero Trust specifically?
Yeah. Let's start with cloud access security broker, as Noel mentioned.
And we'll quickly delineate how this concept or term CASB has been used in the past and what we're talking about today.
So, in the past, you may have heard of this concept, cloud access security broker, before.
And traditionally, that has referred to the inline form of a CASB, where every single request made to access a resource is checked against some parameters, who they are, where they are in the world, and then granted access based on, are they on the right team?
Are they who they said they are? And what we're talking about now in the concept of CASB is our out of band or API driven CASB.
And really, I can just say in a one line sentence what this is. We connect to SaaS applications and scan them for misconfigurations and file exposure.
So, via API, we're able to pull down metadata in any kind of connected SaaS app.
So, we're talking about Google Workspace, Microsoft 365, Salesforce, Box, GitHub, Slack, the list goes on and on and on.
I'm sure some of you are using some of those exact SaaS apps that I just mentioned.
And then being able to understand what is conceptually, from a security perspective, wrong or going wrong within these SaaS apps.
And then being able to provide immediate visibility into these areas and provide next steps on how do we triage these problems.
Users that aren't using two factor authentication, files that have been shared publicly to anyone that has the link.
These are aspects of security that maybe traditionally haven't been considered, but are really becoming the forefront of how we lock down data and ensure the privacy of whether it's customer data, employee data, or just business data in general.
These are important aspects to consider. And so, like I mentioned, next steps into triaging really come down to what you identify using a product like CASB.
And so, we've been learning a lot since we went GA back in September and have really come to understand that data exposure, data security within the SaaS apps are really the crown jewels at the end of the day.
We can talk about misconfigurations of settings, but ultimately, what do those misconfigurations lead to if compromised?
The security of the data being exposed. So, that's really where CASB has positioned itself and we're excited about this next evolution.
But maybe next, Noelle, you can tell us about the DLP product and what you are accomplishing over there.
Yeah, absolutely. Thank you. So, we mentioned earlier about Zero Trust is really centered around validating every request and validating that everyone should properly have access.
Then there's that next level deeper of maybe not everyone within one organization should have access to the same data.
There are lots of people in HR who should have access to specific employee data that someone over in engineering or product should never really have any reasonable access to.
So, it's that same idea of we're not just going to validate the identity, we're going to keep going and give as many signals as we can to our customers.
How do we validate that this transaction is supposed to be happening?
How do I validate that the person in my organization is supposed to be getting access to this data?
And that can be a huge challenge for customers.
There's so much moving around throughout the company. There's business going on every day.
The last thing you want to do is affect productivity.
So, there's a huge factor in how do I understand the data? How do I make sure I understand where it is?
Who has access? So, that's really where it ties into Zero Trust is giving that next level of detail.
Because again, as you mentioned, all of this we're ever protecting, we add all these security layers together.
At the end of the day, it's the data that we're trying to protect.
So, adding that signal is really important. And historically, for how this has worked so far in our gateway product, which is our inline DLP capabilities, is that customers can go in and build rule sets around their sensitive data and determine where it should be and shouldn't be able to go.
And they can create rules based on domains or URLs or applications, device posture, lots of different things that they want to create and say, hey, like in these circumstances, the data is allowed to go there.
In other circumstances, it's not. And then DLP can inspect that HTTP traffic compared to the rule set and then either allow it or block it based on what's found.
So, that's a huge piece of how we built it right now is to give customers that ability to define the data that they want, whether it be predefined detections that we offer, custom detections that they build themselves, and then build the rules around it.
So, they can say, this is allowed to go here, but maybe not allowed to go there.
So, that's really where we're going with DLP as far as our inline coverage.
But part of the fun part about today is that we're not just talking about the inline coverage.
We get to talk a little bit more about the expansion and talking about data at rest.
So, I'm going to pitch it back to you.
Do you want to give an overview? So, how we're going to tackle data at rest with CASB and DLP?
Yeah. Yeah, absolutely. And I think maybe an even better genesis and starting point in this part of the conversation is to speak to the customer problem that I know you're just as familiar with, Noel.
In dozens of conversations with customers and prospects, I feel like we've gotten a really good grasp over the previous six or so months into how data at rest is really the major consideration for operators that are in a security or IT role.
And so, speaking to the customer problem again, organizations around the world, everyone interacts with data in some form all the time.
And what we see that in is in different forms, different use cases where sometimes the data being interacted with is from a customer, sometimes it's employee information.
And like I mentioned earlier, sometimes it's just business information as well or intel.
But at the end of the day, being able to secure this information for an IT or security operator is part of their key responsibilities in their job description where let's make sure that data that is supposed to be just our own and for our eyes only is really limited to that and that we don't see it elsewhere.
We hear about security incidents all around the world all the time that in one form or another have led to access to sensitive internal information.
And so, I think from our conversations and Noel, feel free to jump in if you have heard this in other ways, but operators really have a hard time understanding where their data is.
And then not only where is it living within our applications, whether it's self-hosted or on-prem or in our SaaS applications, where is it insecure?
Where is it exposed to the world?
Where is it accessible by employees that are not on the appropriate team to be accessing that information?
And really those concerns lead to this just enormous risk of, if we don't know where these crown jewels are, where do we even start?
And so, where we've recognized primary use cases to fall, at least to start, is invisibility of this information.
Where is our data? Where is it exposed?
And then how can we go triage it? And then one step further as well from a use case perspective, we've really heard the need for this visibility span many use cases, both just practical security.
I'm a security operator, and my job is to keep our company and its assets secure.
This is an area that is of concern for us, and we want to go fix it, put in the tooling in place to know where it is.
And then all the way to the other end of the spectrum, from a compliance standpoint, where the compliance obligations we have require us to know exactly where data is, who has access to it.
This goes one step further and really provides visibility into this sensitive information.
And maybe just a recap on what we mean by sensitive information, because this really can mean a lot of different things to a lot of people.
We're talking about social security numbers, personal identifiers, credit card numbers, and then one step further too, not sure if you mentioned this, Noelle, but just our ability to provide custom regex rules as well, being able to specify the patterns that are of concern for your organization.
That's one other area that we want to provide that extensibility or flexibility for.
And let's get to the point of this conversation is how are we solving this with these two products that we're so excited to announce during CIO week?
And what we're going to do is use the DLP side and all of the strengths of its engine and detection capabilities of identifying strings in any format that are problematic by in nature from within CASB, which is connecting to our SAS apps or scanning them and then pulling down all of the relevant information from them.
And so what this will look like is in today's format of CASB, we provide what we call CASB findings, which are essentially just the identified security issues across your integrated SAS applications.
What would this look like? In the world of Google Workspace, for example, this can range from users that have signed into a third -party service with that friendly little sign in with Google button.
It can include Google Docs and spreadsheets that have been shared to anyone that has the link.
Sometimes operators don't necessarily have the visibility into who is doing just that.
And so what we're able to provide from within the product is this exhaustive list of these problems identified just by scanning your environment.
And we're going to go one step further where our existing findings that pertain to documents and how they have been exposed, whether it's to anyone with a link, whether it's been shared with domains outside of your organization, we're going to go one step further and scan them for the exact kind of DLP profiles that Noel mentioned earlier, scanning them for social security numbers, for credit card numbers, and then flagging them as their own security issues from within the CASB product.
So being able to see that you have 100 files that contain social security numbers within them stored within Google Drive, we've learned that that's really what security operators and IT operators at the end of the day are looking for as a starting point to eventually go triage them and potentially even lock those files down where you're not able to share them in insecure ways.
And so like Noel mentioned earlier, we're going to leverage essentially DLP profiles the same way where if you have them configured from within DLP, you'll be able to leverage them just within CASB as let's scan our Google Workspace integration for that, let's scan our Salesforce integration for that, let's scan GitHub and Slack for that as well, and in two different formats as well.
And this is one of my favorite parts, Noel, that I'll talk to are the predefined profiles that already have existed that are just out of the box, ready to go.
I know one of the ones that we have in there for credit card information where you're able to enable and disable based on your wishes which credit cards you're going to look for out of, let's say, a Google Doc, for example, and then the additional aspect of custom regex rules.
So if your organization has a certain text pattern that you want to identify because it shouldn't just be plain text in a Google Doc, you have the ability to write those patterns in regex and then we'll scan for them and flag them from within CASB.
So as a takeaway here, we really want to frame this as DLP for data at rest, DLP for your SaaS applications.
Know where the sensitive information is, how it is flowing, and get ahead of it.
Understand patterns of who are our problematic employees that are uploading CSV files into OneDrive that contain 200,000 social security numbers.
We want to know about that as operators. And then one step further than there, triage these issues as well.
Lock these files down.
Delete them where they include the sensitive information. We really see visibility as the starting point with a greater evolution to come over time as we continue to develop and speak with customers and understand what more than visibility do they want when we identify that sensitive information across their environments.
But I know we're looking forward to this, Noel. It's been a lot of hard work and we're going to continue to build out support for this as time goes on.
Yeah, yeah, it's super exciting. And I remember talking to one customer who sort of walked me through, you know, hey, like as a security person, I don't want my employees emailing out documents.
Like then I lose visibility. Then I lose any sort of control.
I can't revoke that. I can't really audit it as well. Like I want them to be using my file repository because it gives me that flexibility that you can share, you know, without being able to download.
You can ensure that they use their watermarking properly.
Like you get the security features, but then if I have all these shares going on, how do I know when it's a problem?
How do I know when this one they've done correctly and maybe this one I haven't done correctly?
So giving that next context of this is the data that's inside really helps drive the needs that these customers have to find their sensitive data, protect their sensitive data.
But thank you so much for giving that awesome walkthrough. I super appreciate it.
You know, like all of our Zero Trust products here, our solutions are always about being better together.
We're always thinking about how do we build a structure to make it so that each product builds on the next one and partners well with the next one to give customers better solutions that aren't point-based.
We don't want to create something that solves this problem and doesn't solve or work with another product over here to solve a different problem.
We're always looking for how do we build one control plane?
How do we configure security policies with DLP in a centralized place, whether it be upload or download or in data at rest?
So we're always looking to strive towards how do we make it better together?
How do we make it synchronized? How do we give one control plane to control all of the data protection that we have?
And that's our expectation that customers have at this point.
They've been spending time with Cloudflare.
They've built the expectations. They want it to work together across our product lines.
So that's a really big goal for us. And we really want Zero Trust solutions to be easily adopted by any of our customers.
We want them feeling like Zero Trust isn't a scary new thing.
We want them feeling like this is a better security posture.
This is better for protecting lateral movement and ensuring that doesn't happen and better for data security.
So for those who aren't yet using Cloudflare's Zero Trust solution, you can totally get started right now for free for teams of 50 or less.
And you can check out Cloudflare.com slash Cloudflare1 to get started.
That's our Zero Trust product line. And then if you're also just interested in getting to learn about Zero Trust, how do I get started with Zero Trust?
You can just go to zerotrustroadmap.org and we'll give you a rundown of how do I get started.
This is a journey that I want to learn more about. Is there anything else, Alex, that you want to highlight before we sort of wrap up here?
No, I'll just say for those listening that maybe have hesitation about getting this kind of effort underway, we've seen organizations of all sizes, from the smallest of the small to the biggest of the big, take iterative approaches to Zero Trust.
It's not all or nothing. There are, I think, as you just outlined, Noel, step-by-step approaches, whether it's the CASB product, the DLP product, or Access or Gateway.
Judging by your organization's context, we really recognize that it's not one size fits all.
And we cherish that too. And so if you have any questions about this, like Noel mentioned, those resources, they're great starting points.
And that zerotrustroadmap .org resource is product agnostic as well. So don't just take it from us trying to communicate the Cloudflare way, but understand how Zero Trust works as a concept and then inform yourself on how to take those next steps in a practical way.
So that's what I would leave this with, Noel.
Awesome. Thank you so much. And thank you so much for joining us to learn here more about CASB and DLP.
Stick around for more introductions into other CIO Week announcements.
Thank you and have a wonderful day.