When corporations store data in Amazon Web Services (AWS), they need a way to ensure that sensitive data is safe from theft, disclosure, and corruption. Data loss prevention (DLP) is a set of tools administrators use to classify data and to define the authorization rules and policies that govern access to it. Organizations generally use DLP in environments where compliance regulations dictate how data is accessed and stored and where data access must be strictly enforced and monitored. Because AWS is a cloud platform, it provides controls that help safeguard data and meet general DLP requirements.
How Does AWS DLP Work?
As an enterprise grows and extends its IT environment to the cloud, data must be audited and tracked. The first step in AWS DLP is to take inventory of all data (e.g., files and assets) and categorize it. Categorizing data in groups enables administrators to classify heavily monitored data and tag assets. This step also audits the environment for any devices and resources that must access data in the AWS cloud.
After data is categorized, administrators can then develop authorization policies. These policies are derived from a risk assessment, a process carried out by professional security teams. The risk assessment determines the sensitivity of the data so that administrators can craft policies based on the data’s categories. Categories generally include “High,” “Medium,” or “Low” risk. “High” risk is the most sensitive data, such as credit card numbers or social security numbers. “Low” risk is data that should be protected but would not pose a threat to customers or the company if it were disclosed. For example, “Low” risk data include a user's first name or demographics. It’s data that should be protected, but it’s not critical information that could be used in corporate espionage, fraud, or identity theft.
In DLP, you'll see data assessed using three qualifiers: Confidentiality, Integrity, and Availability. These three tags determine the way data must be stored and protected. Only authorized individuals can access data tagged as confidential. Data tagged with an Integrity marker is critical to business productivity and must be protected from corruption. The Availability tag indicates that the data must always be stored so that it remains readily accessible to the authorized users who need it.
How Does AWS DLP Help with Compliance?
Enterprise administrators often look to AWS DLP to help with compliance. The compliance regulations overseeing data depend on the organization’s industry; typically, at least one compliance standard applies to an organization. Examples of compliance frameworks that dictate how data is accessed and stored include HIPAA, PCI-DSS, GDPR, FISMA, and FERPA. Before an organization designs a storage policy, administrators should consult experts who determine the compliance regulations that must be followed. Failure to follow regulations can result in hefty fines and, in some cases, millions of dollars in penalties.
Compliance regulations consist of strict rules for the way data is stored at-rest and in-motion. At-rest data represents any file or asset stored on the network. It’s “at-rest” because the data is not being transferred or moved to any other location. This data must be protected from a breach, and in some cases, stored data should be encrypted.
Data in-motion is any information transferred across the network or the Internet. This data may be a file transferred from one location to another or an attachment sent from a corporate email to an external user. Databases move data from the server’s local storage to an application requesting data. This data is also in-motion as it moves across the network.
Both data at-rest and in-motion must follow compliance standards. For example, DLP requires data in-motion to be encrypted. Data transferred across the Internet should always be encrypted, but data at-rest can be stored without encryption, depending on its sensitivity and confidentiality level.
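As an added illustration of the classification tiers and encryption rules described above (example code written for this article, not an AWS service or DLP product API), the following Python labels constructed sample records as High, Medium, or Low risk and derives storage controls from the result. The detection patterns, the Luhn check used to confirm card numbers, the list of low-risk field names, the at-rest encryption threshold, and the tag keys are all assumptions.

```python
import re

# Detectors for the "High" risk examples above (card numbers, SSNs). Patterns,
# Luhn check, field names and tag keys are this example's own assumptions.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
LOW_RISK_FIELDS = {"first_name", "age", "city", "country"}  # "Low" per the text
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit strings are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_field(name: str, value: str) -> str:
    """Assign one of the article's risk tiers to a single field."""
    if SSN_RE.match(value) or (CARD_RE.match(value) and luhn_ok(value)):
        return "High"
    if name in LOW_RISK_FIELDS:
        return "Low"
    return "Medium"  # unrecognised data is held for review, not ignored

def classify_record(record: dict) -> dict:
    """A record inherits the highest tier found in any of its fields."""
    fields = {k: classify_field(k, str(v)) for k, v in record.items()}
    overall = max(fields.values(), key=RISK_ORDER.__getitem__)
    return {"risk": overall, "fields": fields}

def storage_controls(risk: str) -> dict:
    """In-motion data is always encrypted; at-rest encryption depends on
    sensitivity (assumed threshold: everything above Low)."""
    return {
        "encrypt_in_motion": True,
        "encrypt_at_rest": risk != "Low",
        "tags": {"Classification": risk,  # assumed tag keys
                 "Confidentiality": "restricted" if risk == "High" else "internal"},
    }

# Constructed sample records (no real data); 4111... is the Visa test number.
SAMPLE = [
    {"first_name": "Ana", "card_number": "4111111111111111", "city": "Lisbon"},
    {"first_name": "Bo", "age": "34"},
    {"first_name": "Cy", "note": "4111111111111112"},
]
```

Running `classify_record` over each record in `SAMPLE` and feeding the resulting tier to `storage_controls` yields the tags and encryption requirements an administrator would apply to the asset holding that data.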
AWS DLP Best Practices
Every organization has its own standards and methods for protecting data, but following general standards will streamline the process, especially if the organization is creating a new policy.
A few general standards to follow:
- Audit data and classify it. This step will determine the importance of the data that needs protection and authorization rules.
- Determine the right AWS architecture. AWS offers several security tools and policy mechanisms to help corporations protect data at-rest and in-motion.
- Map out roles and authorization rules. These roles and policies will determine the data that users can access.
- Document procedures. By documenting procedures, every employee, including new hires, will follow a specific repeatable process.
Examples of Tools in AWS DLP
Because DLP in AWS targets the cloud environment specifically, administrators can use AWS tools to perform DLP or use third-party tools that safeguard data. AWS has its own tools, but many organizations choose to work with tools tailored to their specific business requirements.
When choosing an AWS DLP tool, organizations need to find one that offers methods that adhere to industry compliance regulations. For example, if the organization is a healthcare business, the DLP tool must offer HIPAA compliance rulesets. Tools that have compliance standards built into their software make it much easier for organizations to categorize data and follow policies specific to the compliance requirements.
AWS DLP tools include:
- Dashboards for administrators to get a quick review of the current and previous status of the system
- Analytics that provide statistics and general guidance
- Tools to gather intelligence on data and the status of your data
- Visibility into data and the environment where it’s stored