Data Security for the Future: DLP and Secure Access Service Edge


Applications and data moving to the cloud and increased user mobility are changing the way networking and network security services must be delivered. Palo Alto Networks founder and CTO Nir Zuk believes that the future of network security is in the cloud, and has been driving this change for the past few years with Prisma Access, the industry’s most comprehensive SASE. In this ongoing series, Palo Alto Networks thought leaders explore the core tenets of an integrated, effective SASE solution, and more broadly, its implementation and implications.

Data Protection Challenges

No organization wants to experience a data breach. The devastating consequences of a data breach can include reputational damage, costly class-action lawsuits, and high fines for non-compliance with regulations such as HIPAA and GDPR. A prime concern for any organization is the protection of sensitive corporate data, including personally identifiable information (PII), intellectual property and customer information. Safeguarding that data in the cloud can be an even more complex challenge. 

Many organizations have invested money and countless hours in various information protection and data protection technologies in the past decade. However, as cloud adoption has risen, in part to accommodate branch and mobile users, more sophisticated threats and new privacy regulations have raised the stakes on data security. Legacy protection strategies and technologies have become too complex to manage, struggle to extend to modern data channels and keep up with newer risks, and leave too many gaps in data protection. These legacy solutions no longer meet all of the data protection requirements organizations have.

Enter Data Loss Prevention

Data loss prevention (DLP) is the technology best tailored for the protection of data. DLP provides visibility across all sensitive information, everywhere and at all times, enabling strong protective actions to safeguard data from threats and violations of corporate policies. But legacy standalone DLP technologies are not efficient for today’s cloud-driven world. Built on old core engines designed specifically for on-premises environments, the technology has not changed significantly in the last decade.

To adjust to cloud initiatives, legacy DLP providers are simply extending their existing solutions to cloud environments, which creates a gap in visibility and management and minimizes policy control. Organizations that have spent enormous amounts of time and money to build a custom DLP architecture to fit their network environments are now struggling with complexity and poor usability as they try to “add” in their cloud apps, data and public cloud instances.  

Additionally, security teams face the challenge of using effective but complex DLP technologies while balancing the constant work that comes with them – from ongoing policy tuning to exhausting incident triage cycles and incident response decisions. These teams are drowning in too many alerts – most of which turn out to be false positives – and often respond to a data incident too late. 

New Era of Cloud Data Protection: SASE 

The cloud and digital transformation demand a fresh approach to data protection. Modern infrastructures are perimeter-less and data is constantly on the move, being shared on clouds, crossing networks and devices, and so on. Consequently, DLP solutions must be agile and adapt to new data sharing models and unmanaged cloud environments.

In today’s cloud-evolved world, data protection needs to be unified, consistent and delivered from the cloud. We are confident that, to that end, DLP best suits the security model that Gartner has defined as the “secure access service edge,” or SASE (pronounced “sassy”). We believe Gartner is stating in the report that a SASE offering combines comprehensive WAN capabilities with comprehensive network security functions (such as SWG, DLP, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.

With a SASE solution, DLP becomes a part of one cloud-delivered solution centered around the data itself, everywhere. The same policies are consistently applied to sensitive data, at rest and in motion, regardless of its location. By incorporating cloud DLP as a security service into a SASE architecture, a standalone DLP solution is no longer needed. This way, DLP is embedded into the organization’s existing control points, thus eliminating the need to deploy and maintain multiple tools.

Prisma Access, by Palo Alto Networks, delivers a single, comprehensive solution that provides all the networking and security services, including cloud DLP, that organizations need in a SASE architecture designed for all traffic, all applications and all users.

Prisma SaaS, by Palo Alto Networks, provides cloud data protection, governance and compliance to safely adopt SaaS applications. Integrated with cloud DLP, organizations can automatically discover sensitive files and emails residing in cloud apps, uncover data loss blind spots and minimize data loss risk by enabling rich protective actions. 

Learn more about Overcoming Cloud Data Protection Challenges in our ebook.

This post was written by Mario Espinoza, VP of SaaS and Data Protection.

Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Lawrence Orans, Joe Skorupa, 30 August 2019

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.