I have been studying the Cloud Security Alliance's Security Guidance and other resources for the past few weeks with a focus on placement of Data Loss Prevention (DLP) capabilities.
At this time, it seems that the typical position for DLP in public clouds is in conjunction with other resources in private or public Infrastructure as a Service (IaaS). Data-in-motion DLP systems in a cloud can be positioned logically adjacent to servers deployed in a cloud to monitor and protect information on those servers. Data-at-rest and data-in-use DLP agents can be deployed on servers in the cloud to catalog and protect data on those servers. However, there is nothing significantly new or better in these DLP implementation approaches than is currently available traditional servers.
What would be useful in cloud implementations is an API or specification to allow DLP interaction in all three major service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). VMware's vShield family of products look like a step in this direction for the IaaS model: the vShield endpoint product looks like it potentially could enable data-at-rest DLP, but the network-oriented vShield products do not appear to provide direct access to network data streams to enable data-in-motion DLP.
I am looking forward to engaging with cloud computing vendors to see if we can create a generalized specification for access to cloud systems for DLP management and remove some of the fuzzy haze enveloping the data.
Updated: Christopher Hoff blogged about the lack of security functionality in cloud services (IDS/IDP, WAF, DLP, etc) about a year and a half ago. Do we dare hope that cloud providers are becoming any more interested in security than they were then?
No comments:
Post a Comment