Data Loss Prevention (DLP) is a set of tools and protocols your organization can use to protect its data from theft, inadvertent or malicious loss, and unauthorized access or manipulation. As you plan your AWS high availability strategy, DLP should be a primary consideration. There are several proven approaches to DLP on AWS, and a number of tools that can help you implement them. Read on to learn about tools and strategies for DLP, including a unique data protection strategy by NetApp Cloud Volumes ONTAP.
In this article, you will learn:
There are multiple approaches that can be taken to secure data, but all of them require continuous security monitoring and correct setup to be effective. In order to implement these approaches, you need to understand general security patterns and apply them to your cloud security controls and services.
Amazon S3 will automatically encrypt data as it is written to disk and decrypt it when it is accessed, provided the setting is enabled. To accomplish this, Amazon offers multiple options:
The best way to monitor your cloud and your S3 buckets is through the use of a security information and event management (SIEM) system. SIEMs can enable you to manage alerts and view security information from a centralized dashboard.
For example, built-in S3 notifications, configured to alert you when buckets or their contents are modified or accessed, can be sent to your SIEM and handled appropriately there. Setting notification rules that cover permission changes, and limiting who is allowed to modify configuration settings, will help you ensure that your data stays protected.
You should establish policies to control access and modification rights based on permissions or criteria you set. These can be managed, stand-alone policies attached to users, groups or roles in AWS, or inline policies implemented on a case-by-case basis. Managed policies are generally preferred as they can be more easily adapted and assigned.
Two key types of policies for managing your cloud security are:
You can classify data to help you determine appropriate security measures and reduce the stumbling blocks to an agile work environment. Classification of data should go beyond simple public or private descriptions into levels of data sensitivity and should be applied to both preventive and detective tools.
Machine learning tools like user behavior analysis (UBA) enable the automatic detection of suspicious activity based on assigned or learned classifications. They can be combined with alerting according to thresholds you determine.
Swim-lane isolation is the grouping of microservices into domains that mirror your business model. For example, you can use it to differentiate access allowed to payment tools from that allowed to marketing tools.
This isolation allows you to create a data-access pattern that ensures only specified APIs are authorized to view or modify data. It also prevents leakage from one microservice domain through less secure domains. Swim-lane isolation can be achieved by applying a combination of IAM controls and ACLs that differ according to domain.
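Two of the controls above, rejecting uploads that are not encrypted at rest and confining a swim-lane bucket to that domain's IAM roles, can be expressed in an S3 bucket policy and checked offline before deployment. The following is an added example, not code from the article or from NetApp; the bucket name, account id and role names are constructed placeholders, and the evaluator models only the two condition operators the sample policy uses, not full IAM evaluation.

```python
import fnmatch
import json

# Constructed sample bucket policy for a hypothetical "payments" swim lane.
PAYMENTS_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-payments/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyOutsidePaymentsLane", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-payments", "arn:aws:s3:::example-payments/*"],
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/payments-*"}}}
  ]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcard match ('*' and '?') for actions and ARNs
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def explicit_deny(policy, principal_arn, action, resource, sse=None):
    """Return the Sid of the first Deny statement that rejects the request, else None.

    sse is the value of the x-amz-server-side-encryption header on a PutObject,
    or None when the upload sends no such header. As in IAM, a negated
    condition (StringNotEquals, ArnNotLike) matches when the key is absent.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not _matches(statement["Action"], action) or not _matches(statement["Resource"], resource):
            continue
        condition = statement.get("Condition", {})
        denied = True
        for key, pattern in condition.get("ArnNotLike", {}).items():
            if key == "aws:PrincipalArn" and _matches(pattern, principal_arn):
                denied = False  # caller is inside the lane, condition not met
        for key, value in condition.get("StringNotEquals", {}).items():
            if key == "s3:x-amz-server-side-encryption" and sse == value:
                denied = False  # upload is KMS-encrypted, condition not met
        if denied:
            return statement["Sid"]
    return None
```

Run the same checks against a real bucket policy by loading the JSON returned from GetBucketPolicy instead of the constructed sample.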
The tools that you implement in your DLP strategy play a significant role in how effectively you can identify, protect, and restore data. In AWS, there is a wide range of native tools to select from, as well as partner solutions and third-party integrations. Below are a few of these tools you may want to consider.
Security Hub is a service that you can use to comprehensively view your security posture and alerts. It is designed to centralize your security operations, enabling you to more quickly identify vulnerabilities and threats, and more effectively respond to incidents.
Security Hub includes a variety of native AWS security services including GuardDuty, Inspector, and Firewall Manager. Through these and partner integrations, you can automatically audit the security of your environments and apply recommendations for improvement.
Macie is a fully managed service you can use to manage data privacy and security. It incorporates pattern matching and machine learning technologies to help you discover sensitive data and apply appropriate protections.
You can use Macie to automate data discovery and generate an inventory of your exposed or shared storage locations. The service can also identify whether sensitive data, such as payment data or personal information, is added to insecure storage.
Symantec DLP is an enterprise-oriented solution that uses AI technologies. These technologies can help you identify unstructured data, detect data embedded in forms and images such as scanned documents or screenshots, and detect full or partial data matching based on fingerprinting.
This solution includes prepackaged policies (HIPAA, GDPR, etc.) to ensure regulatory compliance and includes both on and offline functionality. Cloud apps such as Dropbox, Google Suite, Salesforce and Office 365 are also supported.
Total Protection is a platform that specializes in forensic analysis of data loss. It enables you to monitor breaches or leaks in the context of security policies. It also provides feedback useful for the creation of new compliance rules or the modification of existing ones.
Total Protection operates via a centralized dashboard. From this dashboard, you can use manual and third-party classification to prioritize sensitive data, including contexts such as location or application usage.
Endpoint Protector is a platform that you can use for data discovery, monitoring, and protection. It offers device control features, including the ability to manage and monitor peripheral devices and ports. You can use it to automatically encrypt USB devices and data transfers through email, cloud solutions, or applications.
Endpoint Protector enables manual and automatic scanning of data for purposes of identification, management, and encryption. You can also use it to manage, encrypt, and locate Android or iOS devices.
Cloud Volumes ONTAP provides data protection technology which can help prevent data loss. NetApp Snapshot™ technology requires no additional storage and does not impact application performance.
In many failure scenarios, an AWS high availability configuration can be a major factor in preventing data loss. But that doesn’t mean that it is the most efficient way to protect your data, both in terms of costs and flexibility.
NetApp Cloud Volumes ONTAP provides data protection in the form of instant, cost-effective NetApp Snapshot™ copies. These incremental backups are completely space-efficient thanks to the signature WAFL layout and because of the application of storage efficiencies such as deduplication, compaction, and compression. That means copies are faster to create, so there is even less chance of data ever being lost.