hamburger icon close icon
AWS High Availability

AWS Data Loss Prevention: 5 Strategies and 5 Tools You Can Use

What is AWS Data Loss Prevention?

Data Loss Prevention (DLP) is a set of tools and protocols your organization can use to protect itself from theft, inadvertent or malicious loss, or unauthorized access and manipulation. As you plan your AWS high availability strategy, DLP should be a primary consideration. There are several proven approaches to DLP on AWS, and a number of tools that can help you implement them.  Read on to learn about tools and strategies for DLP, including a unique data protection strategy by NetApp Cloud Volumes ONTAP.  

In this article, you will learn:

5 AWS DLP Strategies

There are multiple approaches that can be taken to secure data but all of them require continuous security monitoring and correct set-up to be effective. In order to implement these approaches, you need to understand general security patterns and apply them to your cloud security controls and services.

Encrypting AWS S3 Data

Amazon S3 will automatically encrypt data as it is written to disk and decrypt it when accessed provided the setting is enabled. To accomplish this, Amazon offers multiple options:

  • AWS Managed Keys (SSE-S3)—objects are encrypted with unique keys using multi-factor encryption. Encryption is done server-side with 256-bit Advanced Encryption Standard (AES-256).
  • AWS KMS-Managed Keys (SSE-KMS)—provides an audit trail of key use in addition to standard managed keys service. Keys can be generated and managed through this service and can also be used for client-side encryption.
  • Customer-Provided Keys (SSE-C)—you can create your own keys or use a third-party service to supply keys to Amazon. With this method, Amazon only takes care of the server-side encryption part, not the access management or client-side encryption.

Monitoring S3 Buckets

The best way to monitor your cloud and your S3 buckets is through the use of a security information and event management (SIEM) system. SIEMs can enable you to manage alerts and view security information from a centralized dashboard. 

Built-in S3 notifications, set to alert you when buckets or their contents are modified or accessed, for example, can be sent to your SIEM and handled appropriately. Setting notification rules to cover permissions changes and limiting who has access to modify configuration settings will allow you to ensure that your data stays protected.

Protecting AWS S3-Based Data Through Policies

You should establish policies to control access and modification rights based on permissions or criteria you set. These can be managed, stand-alone policies attached to users, groups or roles in AWS, or inline policies implemented on a case-by-case basis. Managed policies are generally preferred as they can be more easily adapted and assigned.

Two key types of policies for managing your cloud security are:

  • Identity and Access Management (IAM)━IAM allows for flexible authentication by separating management flow, such as database administration tasks, from application flow, such as application access to data.
  • Access Control Lists (ACLs)━ACLs determine who can access specified resources, buckets and objects. By restricting network traffic and what specific rights traffic is allowed in regard to a resource, ACLs are able to reduce attack vectors and allow finer control over data security.

Data Classification

You can classify data to help you determine appropriate security measures and reduce the stumbling blocks to an agile work environment. Classification of data should go beyond simple public or private descriptions into levels of data sensitivity and should be applied to both preventive and detective tools. 

Machine learning tools like user behavior analysis (UBA) enable the automatic detection of suspicious activity based on assigned or learned classifications. It can be combined with alert functionalities according to thresholds you determine.

Swim-lane Isolation

Swim-lane isolation is the grouping of microservices into domains that mirror your business model. For example, you can use it to differentiate access allowed to payment tools from that allowed to marketing tools. 

This isolation allows you to create a data-access pattern that ensures only specified APIs are authorized to view or modify data. It also prevents leakage from one microservice domain through less secure domains. Swim-lane isolation can be achieved by applying a combination of IAM controls and ACLs that differ according to domain.

5 AWS DLP Tools

The tools that you implement in your DLP strategy play a significant role in how effectively you can identify, protect, and restore data. In AWS, there are a wide range of native tools to select from as well as partner solutions and third-party integrations. Below are a few of these tools you may want to consider. 

AWS Security Hub

Security Hub is a service that you can use to comprehensively view your security posture and alerts. It is designed to centralize your security operations, enabling you to more quickly identify vulnerabilities and threats, and more effectively respond to incidents. 

Security Hub includes a variety of native AWS security services including GuardDuty, Inspector, and Firewall Manager. Through these and partner integrations, you can automatically audit the security of your environments and apply recommendations for improvement.

Amazon Macie

Macie is a fully managed service you can use to manage data privacy and security. It incorporates pattern matching and machine learning technologies to help you discover sensitive data and apply appropriate protections. 

You can use Macie to automate data discovery and generate an inventory of your exposed or shared storage locations. The service can also identify if sensitive data, such as payment data or personal information is added to insecure storage.

Symantec Data Loss Protection

Symantec DLP is an enterprise-oriented solution that uses AI technologies. These technologies can help you identify unstructured data, detect data embedded in forms and images such as scanned documents or screenshots, and detect full or partial data matching based on fingerprinting. 

This solution includes prepackaged policies (HIPAA, GDPR, etc.) to ensure regulatory compliance and includes both on and offline functionality. Cloud apps such as Dropbox, Google Suite, Salesforce and Office 365 are also supported.

McAfee Total Protection for DLP

Total Protection is a platform that specializes in forensic analysis of data loss. It enables you to monitor breaches or leaks in the context of security policies. It also provides feedback useful for the creation of new compliance rules or the modification of existing ones. 

Total Protection operates via a centralized dashboard. From this dashboard, you can use manual and third-party classification to prioritize sensitive data, including contexts such as location or application usage.

Endpoint Protector by CoSoSys

Endpoint Protector is a platform that you can use for data discovery, monitoring, and protection. It offers features for device controls including the ability to manage and monitor periphery devices and ports. You can use it to automatically encrypt USB devices and data transfers through email, cloud solutions, or applications. 

Endpoint Protector enables manual and automatic scanning of data for purposes of identification, management, and encryption. You can also use it to manage, encrypt, and locate Android or iOS devices. 

AWS Data Loss Prevention with Cloud Volumes ONTAP

Cloud Volumes ONTAP provides data protection technology which can help prevent data loss. NetApp Snapshot™ technology requires no additional storage and does not impact application performance.

In many failure scenarios, an AWS high availability configuration can be a major factor in preventing data loss. But that doesn’t mean that it is the most efficient way to protect your data, both in terms of costs and flexibility.

NetApp Cloud Volumes ONTAP provides data protection in the form of instant, cost-effective NetApp Snapshot™ copies. These incremental backups are completely space-efficient thanks to the signature WAFL layout and because of the application of storage efficiencies such as deduplication, compaction, and compression. That means copies are faster to create, so there is even less chance of data ever being lost.

New call-to-action
Yifat Perry, Technical Content Manager

Technical Content Manager