Data loss prevention is a monumental task, and today’s outdated tools make it worse. We’ve written before about the limits of the “outside-in” approach to email security (see our post: Email is too important to protect like a TSA checkpoint). Unfortunately, that analogy extends to most DLP solutions: they offer the equivalent of a TSA checkpoint, as if it were part of a well-defined, “impenetrable” perimeter.
This approach doesn’t account for changes in how organizations and individuals use technology. We have countless ways to share information (we all carry network-connected cameras 24/7), we require access to data from anywhere, and how we use email resembles a filing cabinet more than a mailbox.
Preventing data loss by monitoring checkpoints is outdated. A better approach is to protect data at rest, where it lives, using solutions that don’t create alert noise for security teams and headaches for users.
What is Data at Rest?
Data at rest is data stored in a particular location—whether locally on a device or in the cloud—rather than moving between locations. A PDF on your laptop is data at rest and becomes data in transit while it syncs to a file-sharing service. An email in your inbox is data at rest and becomes data in transit while it moves to another mailbox or is downloaded.
Why should organizations focus on Data at Rest?
While traditional DLP tools are primarily focused on data in transit, data at rest presents a much larger attack surface for modern organizations.
First, the volume of data at rest massively outweighs data in transit. The vast majority of data generated by customers, employees and tools sits at rest within content repositories like email, cloud file storage, CRM, and more. Unlike an incident involving data in transit, which only exposes the data being shared, an attack on data at rest exposes everything. If someone gains unauthorized access to an email account, for example, they gain unchecked access to the thousands of messages archived in the mailbox. For IT and security teams, this is a significantly worse incident than a single user sharing a subset of messages externally.
And second, data at rest is reachable through countless access points, a consequence of SaaS and remote work. Users can store data locally on a laptop, phone, or tablet, or in any of dozens of SaaS products. Each access point is a potential attack vector: attackers get in by acquiring an account’s credentials, frequently via phishing or spear phishing, or by connecting to a service via an API or another open protocol. IMAP is a common example. When a mail service still allows basic (password-only) authentication over IMAP, the protocol has no MFA step, so an attacker holding a phished password can read the mailbox without ever triggering MFA. Disabling basic authentication for such legacy protocols closes that path, and where it cannot be disabled, successful IMAP logins are worth alerting on.
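From the detection side, the IMAP point above can be made concrete. The following is an added example, not code from this post or from Material: it scans a handful of constructed sign-in events for successful password-only logins over basic-auth protocols and raises the severity when the source IP is new for that user or the success follows recent failures from the same IP. The event schema, the IP baseline, the protocol list and the function names are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sign-in events for this example (made up; the field names are an
# assumption, real mail providers use their own schemas). "mfa" records whether a
# second factor was presented; basic-auth IMAP/POP3/SMTP logins never present one.
EVENTS_JSONL = """\
{"ts": "2024-05-01T08:02:11Z", "user": "alice@example.com", "protocol": "web", "result": "success", "ip": "203.0.113.10", "mfa": true}
{"ts": "2024-05-01T08:15:40Z", "user": "alice@example.com", "protocol": "imap", "result": "failure", "ip": "198.51.100.7", "mfa": false}
{"ts": "2024-05-01T08:15:55Z", "user": "alice@example.com", "protocol": "imap", "result": "failure", "ip": "198.51.100.7", "mfa": false}
{"ts": "2024-05-01T08:16:02Z", "user": "alice@example.com", "protocol": "imap", "result": "success", "ip": "198.51.100.7", "mfa": false}
{"ts": "2024-05-01T09:00:00Z", "user": "bob@example.com", "protocol": "imap", "result": "success", "ip": "203.0.113.22", "mfa": false}
{"ts": "2024-05-01T09:30:00Z", "user": "carol@example.com", "protocol": "web", "result": "success", "ip": "203.0.113.30", "mfa": true}
"""

# Assumed baseline: IPs each user has previously signed in from.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.22"}}

# Assumed list of protocols that only support password-only (basic) authentication here.
BASIC_AUTH_PROTOCOLS = {"imap", "pop3", "smtp-auth"}


def parse_events(text):
    """Parse one JSON event per line and convert the timestamp to a datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events


def find_legacy_auth_access(events, known_ips, lookback=timedelta(minutes=10)):
    """Flag successful sign-ins over basic-auth protocols that carried no MFA.

    Severity is 'high' when the login also comes from an IP not seen for that
    user before, or follows failed attempts from the same IP within `lookback`
    (a guessed or phished password landing after a few misses)."""
    findings = []
    for i, e in enumerate(events):
        if e["protocol"] not in BASIC_AUTH_PROTOCOLS or e["result"] != "success" or e["mfa"]:
            continue
        reasons = ["legacy protocol %s without MFA" % e["protocol"]]
        if e["ip"] not in known_ips.get(e["user"], set()):
            reasons.append("new source IP for user")
        prior_failures = sum(
            1 for p in events[:i]
            if p["user"] == e["user"] and p["ip"] == e["ip"]
            and p["result"] == "failure" and e["ts"] - p["ts"] <= lookback)
        if prior_failures:
            reasons.append("%d failed attempts from same IP in prior %s" % (prior_failures, lookback))
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"user": e["user"], "ip": e["ip"], "ts": e["ts"].isoformat(),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_legacy_auth_access(parse_events(EVENTS_JSONL), KNOWN_IPS):
        print(f["severity"].upper(), f["user"], f["ip"], "; ".join(f["reasons"]))
```

On the sample data this reports Alice's IMAP login from 198.51.100.7 as high (no MFA, new IP, two failures just before) and Bob's as medium (no MFA, but from his usual address); Carol's web login with MFA is not reported. The baseline of known IPs is the part that needs real history behind it; everything else is a direct reading of the event fields.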
Protecting Data at Rest vs Data in Transit
Protecting data in transit made sense when it was part of solid perimeter defense. Attackers had few ways of reaching data at rest without compromising the perimeter, mainly because users also had few ways of getting that data. Tight network security, sometimes even tied to restricted physical access, hampered attackers. But it also hampered users.
The approach to user access to data has shifted (begrudgingly, in some places) after recognizing the benefits of easy access from anywhere. But our security tools haven’t kept up. The well-defined perimeter is gone, yet many security tools still sell TSA checkpoints. It’s time for that to change.
Security tools need to consider several significant trends:
- Storage is cheap, and the amount of data in a single individual service (like email) is enough to be an attractive target and severely damage an organization.
- End users now have access to data anywhere, across devices and physical locations.
- Data is often stored in cloud applications with powerful APIs that allow accessing and manipulating data at the source.
The best way to address these shifts is by switching focus from protecting data in transit to protecting data at rest. Add controls around access to the content instead of chasing the endless ways users can share content with others. This approach benefits from:
- Audit logs: keep a record of who accessed what data and when.
- Rate limiting: limit how much sensitive data a user (or a session acting as that user) can access over a given time, so a compromised account cannot bulk-export the archive and the severity of a data loss event is bounded.
- Protection across channels: protect sensitive data no matter how it’s shared by controlling access at the source.
Protecting data at rest isn’t a new idea, but past solutions usually relied on encryption, and anyone interacting with email IRM/DRM knows the headache it created for both administrators and users. The prevalence of Identity Providers and just-in-time authentication now enables a new approach that achieves the right balance between security and IT/user experience.
How to Secure Data at Rest
Securing data at rest can’t limit user access to data in ways that damage productivity. Instead, the right solution must apply the appropriate access restriction for the content, meaning it:
- Identifies sensitive content
- Adds a strong authentication layer for any access to that content
- Makes authorized access seamless
By automatically restricting access based on the content, you gain control over who is accessing that content and when. You can vary access based on sensitivity, and sensitive content stays protected even if an account or service is breached, provided the step-up factor is one the attacker does not also hold (a phished password alone, for instance, does not satisfy it).
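The three benefits listed earlier (audit logs, rate limiting, protection at the source) and the three steps in this section can be shown together in one small model of a mailbox. The following is an added example, not Material's code and not a description of how its product is implemented: message contents are constructed, and the detectors, the reveal budget, the placeholder text and the class and function names are all assumptions made for illustration. Sensitive messages are identified on ingest, stored redacted with the original held back, and released only after step-up authentication, within a per-user budget, with every attempt written to an audit log.

```python
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample mailbox for this example (ids and contents are made up).
MAILBOX = {
    "m1": "Want to grab lunch on Friday?",
    "m2": "Payroll update: Alice's SSN is 123-45-6789.",
    "m3": "Card on file: 4111 1111 1111 1111, exp 12/27.",
    "m4": "Order 1234 5678 9012 3456 shipped; call 555-123-4567 with questions.",
}

# Step 1: identify sensitive content. Two assumed detectors: a US SSN pattern and a
# Luhn-validated payment card number. The Luhn check is what keeps the order number
# and phone number in m4 from being flagged as a card.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(body):
    """Return the set of sensitivity labels found in a message body."""
    labels = set()
    if SSN_RE.search(body):
        labels.add("ssn")
    for m in PAN_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            labels.add("pan")
            break
    return labels


@dataclass
class ProtectedMailbox:
    """Sensitive messages are redacted at rest; originals are released only after
    step-up auth, within a per-user rate limit, and every attempt is logged."""
    max_reveals: int = 2            # sensitive reveals allowed per user per window
    window_s: float = 3600.0
    visible: dict = field(default_factory=dict)   # what the mail client sees
    vault: dict = field(default_factory=dict)     # originals of protected messages
    labels: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))

    def ingest(self, msg_id, body):
        labels = classify(body)
        self.labels[msg_id] = labels
        if labels:
            # Step 2: the mailbox keeps only a placeholder; the body moves to the vault.
            self.vault[msg_id] = body
            self.visible[msg_id] = "[protected: %s; step-up authentication required]" % ", ".join(sorted(labels))
        else:
            self.visible[msg_id] = body

    def read(self, user, msg_id, stepped_up=False, now=None):
        """Step 3: non-sensitive mail is returned as-is; sensitive mail requires
        step-up and counts against the user's reveal budget for the window."""
        now = time.time() if now is None else now
        if not self.labels[msg_id]:
            return self._answer(user, msg_id, now, "allow", self.visible[msg_id])
        if not stepped_up:
            return self._answer(user, msg_id, now, "deny:step-up-required", self.visible[msg_id])
        q = self._recent[user]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_reveals:
            return self._answer(user, msg_id, now, "deny:rate-limited", self.visible[msg_id])
        q.append(now)
        return self._answer(user, msg_id, now, "reveal", self.vault[msg_id])

    def _answer(self, user, msg_id, now, outcome, body):
        # Audit log: who touched what, when, and what the gateway decided.
        self.audit.append({"t": now, "user": user, "msg": msg_id,
                           "labels": sorted(self.labels[msg_id]), "outcome": outcome})
        return body


if __name__ == "__main__":
    box = ProtectedMailbox(max_reveals=1)
    for mid, body in MAILBOX.items():
        box.ingest(mid, body)
    box.read("alice", "m1", now=0)                   # plain message, allowed
    box.read("alice", "m2", now=1)                   # placeholder: no step-up yet
    box.read("alice", "m2", stepped_up=True, now=2)  # original revealed
    box.read("alice", "m3", stepped_up=True, now=3)  # budget spent: rate-limited
    for entry in box.audit:
        print(entry)
```

Note where the controls sit: none of them care how the message might later be shared, because the decision is made at the store when the content is read. The reveal budget is per user rather than per session on purpose, so that a second session opened with stolen credentials shares the budget of the legitimate one.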
Protect Data at Rest with Material
Material’s Leak Prevention helps protect data at rest by finding sensitive content in email archives, redacting messages within mailboxes based on fine-grained policies, and prompting users to complete step-up authentication in order to access the message on demand.
The solution balances security and end-user productivity:
- Only sensitive messages are protected, and product settings allow further adjustments to protect only the right content.
- Users leverage familiar multi-factor authentication apps and flows.
- Users can still access everything directly within their existing email clients—there is no special “secure” mailbox.
Instead of chasing after every sharing mechanism, use a tool like Material’s Leak Prevention to find and protect sensitive content at its source automatically.