Data loss prevention and compliance are critical functions for any company, especially when more employees than ever are working from home and creating unstructured, unsecured data without the traditional safeguards. Here we cover the essential questions to ask when choosing a SaaS solution for your organization.
Data Loss Prevention (DLP) & compliance for SaaS applications: buyer’s framework
1. Do you think SaaS platforms are a data breach risk?
- Most Security & Privacy offices are running blind on what kind of data is being trafficked in their SaaS software.
- Historically, antivirus software or perhaps a CASB or DLP type solution would suffice to get a handle on outgoing and incoming traffic.
- This protection pattern falls apart in software environments where anyone can create & share information.
- The ease of downloading documents locally or using other SaaS plug-ins to transmit them also creates a gaping security hole from an enterprise perspective.
- A new paradigm is needed to think about what Data Loss Protection means for the Cloud.
2. How do we calculate risk of breach to our organization?
a. Risk scoring via Bayesian Methods
b. Historic risk analysis
3. Whose budget is this coming from?
- The management of SaaS is a problem that generally falls in the cracks between Privacy, Security, and CIO teams.
- Since the problem is an ‘internal-facing’ issue in many cases, the responsibilities are not quite with one team.
- Defining “good” from an operational perspective is important and can come either straight from the C-Suite or from the Board.
- Compliance debt is the easiest to take on and the hardest to fix once the organization size grows.
- Problems for a 20-person operation are obviously much different from those for a 200- or 2000-person shop.
4. How do you account for false positives?
Historically, CASBs and DLP software have been marred by frequent false positives. Some typical recognition traps we see are:
Managing these false positives can overwhelm small security and compliance teams. However, understanding the ‘false positive ratio’ itself can be a moving target with unspecific metrics. Standard test data can be one worthwhile investment in testing across platforms.
5. Is ease of on-boarding an important consideration?
- Rolling out a security or compliance product is challenging by itself; doing so in a live production environment with the entire organization as users is exponentially more so.
- Any extra time spent on installing a CASB/DLP solution is time taken away from running the day-to-day of a business.
- We have seen the friction of installation as the single most important driver in delaying buying decisions.
6. Is DLP worth it?
Not necessarily!
- For small and relatively static organizations, we have seen that operational controls can be put in place where employees are generally well-versed in data hygiene.
- In high-turnover, large distributed teams or fast-growth companies, the risk of sensitive data leaving the enterprise is generally unacceptable.
- The Risk framework shown above is just one way to extrapolate the ROI of DLP software.
- Some might argue that CCPA affects companies with revenues of > 25MM, so why bother? Others have taken the view that they should be deliberate about building a security/privacy-aware operational foundation.
- It also depends on the industry. For non-healthcare or non-finserv companies a breach of a customer name and email address might not be enough of a brand-risk to move the needle.
7. How does your DLP product scale in a fast-growing company?
- Cloud, in theory, allows for unlimited scalability. DLP solutions generally fail not so much on the computing overhead of a growing organization as on the amount of noise that they can generate.
- A 10% increase in documents in a Dropbox folder can increase the ‘alerts’ by 30%.
- How does the system adapt to abstraction with an ever-growing dataset, and what can be plotted from historical data to reduce the reporting overhead for a functioning team?
- Also, if we take the example of SOC2, a company that gets SOC or ISO certified early saves time and money in the long run compared with conducting this certification at a later date with a bigger org size.
8. Why does a provider’s product roadmap matter?
- All SaaS platforms are constantly evolving with more features and workflows. It’s imperative to understand how the product team for any DLP solution is looking to evolve the product and what’s coming next.
- Cross-connectivity is creating more ways for data sharing to occur within and outside of organisations.
- For example, Slack is going to allow cross-business communication in its platform early next year. Zapier is another example of a product that is constantly adding connectors to tie together various platforms. This kind of holistic knowledge and forethought are critical measures of any provider’s ability to ensure data loss prevention in the long term.
In summary, SaaS platforms by themselves can be as secure as they can be, but how they are used within an organization should be the overriding factor in deciding whether the risk of leaving sensitive data is worth it. We have covered 3rd-party risk, or sub-processor risk, in other publications. Hosted cloud policies from AWS/GCP/Azure do not cover these risks.
Suffice it to say, your company’s security policy is probably explicitly calling out these 3rd-party risks, and a sound DLP solution can certainly satisfy that requirement for SaaS products.