What Is AWS DLP?

Many organizations store their sensitive data in the cloud using Amazon Web Services (AWS). Data loss prevention (DLP) is a tool for keeping that data safe from theft, leaks and fraud. With DLP, administrators classify data, set rules for who can access it and strictly monitor that access. Typically, organizations use DLP in environments where compliance regulations require strict data security controls. Because AWS is in the cloud, it offers data protection tools that follow DLP standards.

As an organization extends its IT environment to the cloud, data must be audited and tracked. The first step in AWS DLP is to take inventory of all files and assets. Then, everything is tagged, categorized and grouped. And any devices and resources that access data in the AWS cloud are identified.

Next, administrators develop authorization policies based on guidance in a risk assessment. Conducted by a security team, a risk assessment determines what data is sensitive. Administrators craft user access policies based on the data’s level of sensitivity and risk factor. “High” risk is the most sensitive data like credit card numbers or social security numbers. “Low” risk is the least sensitive data like a customer’s first name or demographics. It’s data that should be protected, but it’s not critical information that could be used in corporate espionage, fraud or identity theft.

In DLP, data is tagged with one of three qualifiers: confidentiality, integrity and availability. These tags determine how data is stored and protected. Confidential data is only accessible by authorized users. Data tagged “integrity” is critical to business productivity and must be protected from corruption. “Availability” indicates data should be stored in a way that’s easily accessible to authorized users.

Administrators often rely on AWS DLP to help with compliance. Compliance regulations for how data is accessed and stored are typically industry specific. Examples of compliance governance bodies include HIPAA, PCI-DSS, GDPR, FISMA and FERPA. Before administrators design storage policies, they should consult experts about any relevant compliance regulations. Failure to follow regulations can result in hefty fines and, in some cases, millions of dollars in penalties.

Compliance regulations are strict rules for how data is stored at rest and in motion. At rest data is any file or asset that’s stored on the network. It’s “at rest” because it is not meant to be transferred or moved to any other location. This data must be protected from a breach and may even need to be encrypted.

Data in motion is any information transferred over the network or internet. This data might be a file transferred from one storage location to another. Or it could be an attachment sent via email to an external user. Databases move data from local storage to applications requesting data, which means this data is also in motion as it moves across the network.

Strict compliance standards apply to both data at rest and in motion. For example, DLP requires data in motion to be encrypted. But data at rest can be stored without encryption depending on its sensitivity and confidentiality level.

Every organization has its own practices for protecting data. When creating new policies from scratch, it helps to follow general standards. Here are a few:

• Audit and classify data. During this step, you set the data’s importance and its level of protection.
• Choose the right AWS architecture. AWS offers several levels of data management and security controls to protect data at rest and in motion.
• Define roles and authorization rules. With these policies you control who’s allowed to access to data.
• Write down every procedure. This way, every employee and new hire can follow specific repeatable processes.

AWS has its own built-in DLP tools. But many organizations choose to work with DLP tools tailored to their specific business requirements. There are also many third-party DLP tools to protect data.

Organizations that need an AWS DLP tool should look for a solution that streamlines adherence to industry regulations. For example, if the firm specializes in healthcare, the DLP tool should include HIPAA compliance rulesets. Solutions with built-in compliance standards make it much easier to categorize data and follow compliance requirements.

Examples of AWS DLP tools:

• Dashboards for a quick view of past and present system status
• Analytics for statistics and general guidance
• Tools for data intelligence and visibility into the environment