7/17/2024

One platform, complete protection: why data security is moving on from point solutions

Cameron Galbraith
Director of Product Marketing

As the world enters the AI Era, CISOs and CIOs are looking at data security with renewed interest and urgency. Instead of multiple overlapping yet disconnected tools, it’s time for one unified platform to trace and secure data wherever it goes.


Data is every organization’s most valuable asset. The innovative enterprises pushing the boundaries of their industries are built on data, including pioneering research, strategic plans, trade secrets, and intellectual property. 

Unfortunately, data security today is incomplete and fractured, exposing organizations to more risk, higher costs, and jeopardized market positions. Current data security tools have gaps created by their siloed approach and lack context about where data came from and how it is used.

In this post, we’ll describe the challenges with the current data loss prevention (DLP) approach and show why organizations need a unified platform approach to data security.

Understanding data’s journey

Let’s start by looking at the journey a piece of data might take.

Imagine a business that wants to analyze recent customer wins. Allison, a sales operations manager, exports product usage data from Snowflake for all new customers in Q4 of the prior fiscal year. She downloads the report as a CSV file to her laptop and attaches it in an email to two colleagues, Liam and Emma. Emma downloads the file to review the data and adds it to a shared Google Drive folder to analyze it in Google Sheets. Ashley in Finance wants to review the data in Excel, for which she knows all the keyboard shortcuts, so she downloads it as an XLSX file to her laptop. One of the sales leaders, Bill, is also interested in the data, as he wants to see how product usage at his customers stacks up against other territories. Unfortunately, Bill is also starting to interview for a new job, so he decides to save a copy of that data to his personal Dropbox, “just in case.”

In this simple example, the data on Q4 customer wins has interacted with:

  • 5 different people (Allison, Liam, Emma, Ashley, and Bill)
  • 3 different departments (sales operations, finance, and sales)
  • 3 different SaaS applications (Gmail, Google Drive/Sheets, and Dropbox)
  • 1 IaaS service (Snowflake)
  • 2 desktop applications (web browser and Excel)
  • 5 different devices (endpoints)

Those numbers can quickly grow exponentially when we consider mobile devices with access, groups that can access the same shared folder or members of internal email distribution lists, endpoints where copies or derivative works could be stored, and more.

The challenges with traditional data security approaches

How would traditional data security solutions be used to secure this simple workflow?

Most security organizations would leverage: 

  • A cloud access security broker (CASB) / secure service edge (SSE) tool for cloud applications
  • A data security posture management (DSPM) tool for their data in cloud infrastructure
  • A network DLP for web applications  
  • An email gateway DLP for email
  • Endpoint DLP for users' devices, such as laptops

This piecemeal approach creates several challenges, including:

  • Excessive overhead from multiple policy engines, each with different policy definitions
  • No data lineage makes effective blocking and alerting impossible
  • Disconnected systems hamper investigations

Let’s take a deeper look at each challenge.

Excessive overhead from multiple policy engines, each with different policy definitions

Each of these different tools will have a separate policy engine with its own particular way of defining and expressing policies. Some have user-friendly interfaces, while others require teams to practically learn new programming languages. Thus, a security team might define a robust set of policies in one system and have to recreate them – often by translating them – into other systems. As the needs of the business change, each system will need to be updated. That’s a lot of management overhead to run the systems before an incident is detected.

No data lineage makes effective blocking and alerting impossible

In the example above, there are five different data security tools, none of which can follow the flow of data through the organization. While each of these systems can be incredibly useful, they provide only a siloed view of how the data is accessed and used. For example, email DLP won’t see how data is manipulated after being downloaded, network DLP won’t see how data is used on a desktop, DSPM won’t see how data is used or manipulated outside of the cloud, and endpoint DLP on another person’s machine won’t know that it was initially downloaded from a SaaS application. 

Without data lineage, those disconnected data security tools can’t understand the full significance of data, including how sensitive it is. The result is data classification and security policies that rely entirely on content inspection, resulting in a huge number of false positives, and requiring significant management overhead as noted above.

Disconnected systems hamper investigations

Unfortunately, these separate systems also make incident investigation much more difficult. While a properly configured policy might correctly raise an alert and send it to a SIEM, overworked security analysts still need to draw the connections between alerts themselves. In other words, they are trying to recreate data lineage by hand to understand whether the data was used in risky ways or exfiltrated against policy, who else may have been involved and whether there was collusion, and what steps the user may have taken to obfuscate their activity, which can signal malicious intent.

The false promise of most “platforms”

It’s no surprise that security teams want to consolidate their number of tools, and many vendors have responded by acquiring other companies and bundling products, such as endpoint and email DLP, in a single contract. Some vendors attempted to create “policy orchestration” software to try and centralize policy management, but the results have often been mixed. Codebases are rarely merged or products fully integrated, and orchestration software adds another layer of complexity. Finally, ongoing mergers and acquisitions have combined multiple products and consolidated contracts, only to have divestitures and reorganizations separate the products again.

While all this can simplify procurement and allow a vendor to say they satisfy more requirements, the reality for security teams is no better: it doesn’t fix the fundamental problem of multiple tools, policy engines, and policy “languages.”

A better way: one unified data security platform

Instead of a fractured set of tools that don’t connect the dots of data usage, security teams need:

  • One platform.
  • One code base.
  • One policy engine.
  • One complete history of data.

A single platform that combines the advantages of each tool mentioned above in one product and code base is dramatically easier to manage and provides complete coverage, unlike the piecemeal approach. Most importantly, instead of storing disconnected events and hoping that security analysts can recreate data’s lineage later, a better solution would build the complete data lineage from the first time it’s seen, no matter where it goes or how it’s used.

We call this better approach Data Detection and Response (DDR), and that’s exactly why we built Cyberhaven. We combine the functionality of traditional data security tools in one experience that not only outperforms in each category, but is more effective than the sum of its parts. We developed an architecture that achieves complete visibility of your data, including as it transits unmanaged cloud apps and unmanaged devices.

More technically, the platform approach combines different deployment models in one solution to provide complete coverage. For example, some behavior only happens at the endpoint, so lightweight endpoint agents are used for visibility in that domain. To connect activity across endpoints (and identify unmanaged endpoints), email DLP and cloud DLP deployments are employed via APIs. All of the events affecting data – including creation, modification, copy/pasting, duplication, derivative works, and more – are then assembled in one data lineage model to create an authoritative record of data’s journey.

That’s also why we say the magic behind Cyberhaven is data lineage. As data moves throughout your company, from person to person and application to application, it fragments and gets combined with other data. We calculate the lineage for every piece of data, starting with its origin through every step it takes.
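To make the lineage idea concrete, here is an added illustration (not Cyberhaven's code) that replays the Q4 customer-wins journey from earlier in the post as a constructed event log, links every copy back to the object it was derived from, and evaluates a policy that depends on origin rather than on content. The event schema, the location names (such as "snowflake" and "dropbox-personal"), the sensitive-origin and personal-storage sets, and the policy rule are all assumptions made for the example.

```python
"""Build data lineage from a constructed event log and evaluate an
origin-based policy on it.  Added example, not Cyberhaven's code: the
event schema, sample events, location names and policy rule are all
assumptions chosen to mirror the scenario in the post.
"""

# Constructed events retracing the journey described in the post.
# Each event produces one data object (dst) and, except for the original
# export, derives it from an object seen earlier (src).
EVENTS = [
    {"id": 1, "user": "allison", "action": "export",   "location": "snowflake",
     "src": None,                         "dst": "report.csv@allison-laptop"},
    {"id": 2, "user": "allison", "action": "email",    "location": "gmail",
     "src": "report.csv@allison-laptop",  "dst": "report.csv@gmail-attachment"},
    {"id": 3, "user": "emma",    "action": "download", "location": "gmail",
     "src": "report.csv@gmail-attachment", "dst": "report.csv@emma-laptop"},
    {"id": 4, "user": "emma",    "action": "upload",   "location": "google-drive",
     "src": "report.csv@emma-laptop",     "dst": "report@gdrive-shared"},
    {"id": 5, "user": "ashley",  "action": "export",   "location": "google-drive",
     "src": "report@gdrive-shared",       "dst": "report.xlsx@ashley-laptop"},
    {"id": 6, "user": "bill",    "action": "download", "location": "google-drive",
     "src": "report@gdrive-shared",       "dst": "report.xlsx@bill-laptop"},
    {"id": 7, "user": "bill",    "action": "upload",   "location": "dropbox-personal",
     "src": "report.xlsx@bill-laptop",    "dst": "report.xlsx@dropbox-personal"},
]

SENSITIVE_ORIGINS = {"snowflake"}        # assumed: systems whose exports are sensitive
PERSONAL_STORAGE = {"dropbox-personal"}  # assumed: destinations outside company control


def build_index(events):
    """Map each produced object to the single event that produced it."""
    index = {}
    for ev in events:
        if ev["dst"] in index:
            raise ValueError(f"object {ev['dst']} produced twice")
        index[ev["dst"]] = ev
    return index


def lineage(obj, index):
    """Return the chain of events from the object's origin up to obj.

    The walk stops at an object whose creation was never observed (for
    example, a file first seen on an unmanaged device), so the chain may
    start at a non-origin event; origin_of() reports that as unknown.
    """
    chain, seen = [], set()
    while obj is not None:
        if obj in seen:
            raise ValueError("cycle in lineage")
        seen.add(obj)
        ev = index.get(obj)
        if ev is None:
            break
        chain.append(ev)
        obj = ev["src"]
    chain.reverse()
    return chain


def origin_of(obj, index):
    """Location the data was first exported from, or None if unobserved."""
    chain = lineage(obj, index)
    if chain and chain[0]["src"] is None:
        return chain[0]["location"]
    return None


def users_involved(obj, index):
    """Everyone who handled the data on its way to obj."""
    return {ev["user"] for ev in lineage(obj, index)}


def evaluate_policy(events):
    """Flag moves of sensitive-origin data into personal storage.

    No content inspection is involved: the decision rests on where the
    data originally came from, which only the assembled lineage answers.
    """
    index = build_index(events)
    findings = []
    for ev in events:
        if ev["location"] not in PERSONAL_STORAGE:
            continue
        origin = origin_of(ev["dst"], index)
        if origin in SENSITIVE_ORIGINS:
            findings.append({"event": ev["id"], "user": ev["user"],
                             "origin": origin,
                             "hops": len(lineage(ev["dst"], index)) - 1})
    return findings


if __name__ == "__main__":
    idx = build_index(EVENTS)
    for f in evaluate_policy(EVENTS):
        print(f)
    print(sorted(users_involved("report.xlsx@dropbox-personal", idx)))
```

Only Bill's upload (event 7) is flagged, five hops from the Snowflake export, and the same chain answers the investigation question of who else touched the data (Allison, Emma and Bill). Ashley's XLSX export is not flagged because the policy reasons about the destination and origin, not the file format, which is exactly the distinction a content-inspection-only engine cannot make.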

The result is data security that’s both more complete and easier to manage. With one policy engine and complete data lineage, your security teams can understand how data flows, detect and stop risky behavior, accelerate internal investigations, and stop exfiltration anywhere.
