
CHEAT SHEET

Cloud Data Loss Prevention

In an earlier era, most sharing and collaboration occurred via email and file servers. Today,
organizations use a wide variety of cloud-based applications that facilitate sharing of data.
These systems make it very easy to share vast amounts of corporate data with others,
both inside and outside the company, with a few clicks. While organizations generally aren’t
concerned about sensitive corporate data being stored in enterprise-grade cloud services,
they are worried about where this data may be shared. That’s why data loss prevention
(DLP) efforts have been expanded from email to include anywhere corporate data lives
in the cloud. This document will distill cloud DLP best practices to ensure that your
organization meets internal and external compliance requirements.

Inventory Existing Policies

Many organizations looking to apply DLP policies to the cloud already have some form of DLP for their on-premises systems, including DLP for data in email and on endpoint devices. The first thing to do is examine those policies and their remediation actions and identify the ones that also apply to the cloud. This exercise both ensures that data in the cloud is protected to the same degree as data in on-premises systems and reveals any policy gaps, such as new policies needed only for the cloud.

If an organization has no DLP solution for its on-premises systems but needs one for data going to the cloud, it must first identify the sensitive data intended for the cloud, including regulated and restricted data, across the whole organization. To do this, develop a scheme that classifies sensitive data and maps each class to the relevant internal policies and government regulations. From there, you can implement a solution that begins enforcing policies on that information.

Understand How a Cloud Service Is Being Used

If an organization has already deployed a cloud service, such as Box or Microsoft Office 365, a key first step is understanding how that service is being used. No enforcement action needs to be taken at this point. Instead, focus on getting granular visibility into how the service is being utilized, including:

■ The number of files containing sensitive data
■ The number of files being shared outside the organization
■ Anomalous usage events indicative of threats such as compromised accounts

Types of Sensitive Data to Look for

■ Salaries
■ Passports
■ Social Security numbers
■ Account numbers
■ Credit card numbers
■ Spreadsheets with IP addresses
■ File names containing “passwords”
■ Outlook offline files (PST, MSG)
■ Draft press release announcements
■ Source code
■ Encrypted or password-protected files (ZIP, PDF, XLS), whose contents inspection cannot read
■ Health records and other personal health information (PHI)

Gain Visibility into Collaboration

Employees love to collaborate via the cloud, but inadvertent sharing is one way for data to get lost. An organization should know how many files are being shared with internal employees, how many with external partners, and how many with personal email accounts (Gmail, Yahoo! Mail), so that it can educate employees on acceptable collaboration practices. This visibility also allows it to create and enforce sharing policies based on a domain whitelist/blacklist and to revoke untraceable shared links (anyone-with-the-link access) for files containing sensitive content.

Know about Potential Insider/Outsider Threats

Not all anomalies are threats, but certain activity patterns should be a cause for concern and may indicate a real one. Numerous failed login attempts to a cloud service are not necessarily a sign of a compromised account, but a user who successfully logs into a service and then logs in again from a faraway location within a short period of time is likely a case of stolen credentials. Geo-IP data is imprecise, and VPN egress points or mobile carriers can make one user appear to jump between cities, so the distance and time thresholds should be tuned against normal activity before alerting. Understanding the frequency and timing of these anomalous behaviors will lead to better DLP policies.

Define Cloud-Centric and Cloud Service Provider-Centric Policies

The average enterprise uses 1,154 different cloud services, 90% of which are unknown to the IT department. Employees store all kinds of sensitive and regulated data in the cloud; such data accounts for 15.8% of all data stored there. This creates data loss risks that are unique to the cloud and to each cloud service provider.
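The “Types of Sensitive Data to Look for” list above is only as good as the detectors behind it. The following Python is an added example, not code from the original cheat sheet or from any McAfee product: a minimal content classifier for a few of the listed types, using a Social Security number pattern that rejects never-issued values, a Luhn-validated card-number pattern, an IP-address count for spreadsheets, and file-name and extension checks. The label names, the inventory threshold and the sample files are constructed assumptions.

```python
"""Added example: a minimal classifier for some of the sensitive-data types listed above.
Constructed for illustration; not the original page's code."""
import os
import re
from collections import Counter

# Detectors. The SSN pattern rejects never-issued area/group/serial values, and card
# numbers must pass the Luhn check; both cut false positives considerably.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SPREADSHEET_EXT = {".csv", ".xls", ".xlsx"}
OUTLOOK_EXT = {".pst", ".msg"}
IP_INVENTORY_MIN = 3  # assumption: several addresses look like an inventory, one looks like a mention


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_file(path: str, text: str) -> set[str]:
    """Return the set of labels that apply to one file, given its path and extracted text."""
    labels = set()
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if SSN_RE.search(text):
        labels.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            labels.add("credit_card")
            break
    if ext in SPREADSHEET_EXT and len(IPV4_RE.findall(text)) >= IP_INVENTORY_MIN:
        labels.add("ip_inventory")
    if "password" in name:
        labels.add("password_in_filename")
    if ext in OUTLOOK_EXT:
        labels.add("outlook_offline_file")
    return labels


def scan(files: dict[str, str]) -> dict[str, set[str]]:
    """Classify every file; files with no findings are left out of the result."""
    findings = {}
    for path, text in files.items():
        labels = classify_file(path, text)
        if labels:
            findings[path] = labels
    return findings


def summarize(findings: dict[str, set[str]]) -> Counter:
    """Files per label: the 'number of files containing sensitive data' metric."""
    return Counter(label for labels in findings.values() for label in labels)


# Constructed sample corpus (text as already extracted from the documents).
SAMPLE_FILES = {
    "hr/payroll_2018.csv": "employee,ssn,base_salary\nA. Lee,123-45-6789,98000\nB. Kim,987-65-4321,105000\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 processed; ref 4111111111111112 rejected\n",
    "ops/server_inventory.xlsx": "web01,10.0.1.10\nweb02,10.0.1.11\ndb01,10.0.2.5\n",
    "it/passwords_backup.txt": "see the vault for current entries\n",
    "mail/archive.pst": "",
    "notes/todo.txt": "call the vendor at 555-0100 about order 12345678\n",
}

if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for path, labels in sorted(results.items()):
        print(f"{path}: {', '.join(sorted(labels))}")
    print(dict(summarize(results)))
```

Note what the validity checks buy you: the second payroll row (area number 987) and the 16-digit reference that fails Luhn are both ignored, while the plain “9 digits with dashes” or “16 digits” patterns many home-grown scanners use would flag them. Long numeric identifiers that happen to pass Luhn will still slip through, which is exactly why the cheat sheet insists on a monitor-only triage phase before enforcement.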
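The stolen-credentials pattern described under “Know about Potential Insider/Outsider Threats” above, as an added example in Python that is not part of the original page: consecutive successful logins by one user are checked for the speed that travelling between their geolocated positions would require, failed attempts are skipped, and short hops are ignored so geo-IP jitter does not alert. The login events, coordinates, and the 500 km and 900 km/h thresholds are constructed assumptions.

```python
"""Added example: impossible-travel detection over cloud login events.
Constructed for illustration; not the original page's code."""
import math
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: nothing a legitimate user rides is faster than an airliner
MIN_DISTANCE_KM = 500.0    # assumption: ignore geo-IP jitter between nearby locations


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events: list[Login]) -> list[tuple[str, str, str, int]]:
    """Return (user, from_city, to_city, implied_km_h) for each pair of consecutive
    successful logins by one user that would require an implausible speed."""
    alerts = []
    last_success: dict[str, Login] = {}
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.success:
            continue  # failed attempts alone are not treated as a compromise signal here
        prev = last_success.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # clamp to one second so two logins with the same timestamp do not divide by zero
            hours = max((ev.when - prev.when).total_seconds(), 1.0) / 3600
            if km >= MIN_DISTANCE_KM and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((ev.user, prev.city, ev.city, round(km / hours)))
        last_success[ev.user] = ev
    return alerts


# Constructed login events for one morning.
T = datetime(2018, 4, 2)
SAMPLE_EVENTS = [
    Login("alice", T.replace(hour=9, minute=0), "San Francisco", 37.77, -122.42, True),
    Login("alice", T.replace(hour=9, minute=40), "Moscow", 55.76, 37.62, True),
    Login("bob", T.replace(hour=8), "London", 51.51, -0.13, True),
    Login("bob", T.replace(hour=10, minute=30), "Paris", 48.86, 2.35, True),
    Login("carol", T.replace(hour=7), "Lagos", 6.52, 3.38, False),
    Login("carol", T.replace(hour=7, minute=1), "Lagos", 6.52, 3.38, False),
    Login("carol", T.replace(hour=7, minute=2), "Lagos", 6.52, 3.38, False),
    Login("dave", T.replace(hour=6), "New York", 40.71, -74.01, True),
    Login("dave", T.replace(hour=13), "Los Angeles", 34.05, -118.24, True),
]

if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{user}: {src} -> {dst} would need about {kmh} km/h")
```

Only alice trips the detector (San Francisco to Moscow in forty minutes). bob's London to Paris hop is below the distance floor, dave's New York to Los Angeles login seven hours later is a plausible flight, and carol's three failures produce nothing on their own, matching the text's point that failed attempts by themselves are weak evidence.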


Figure 1. Sensitive and regulated data accounts for 15.8% of all files stored in the cloud: 7.6% confidential data, 4.3% personal data, 2.3% health data, 1.6% payment data.

One of the advantages of the cloud is the way it enables seamless collaboration both within an organization and between multiple organizations. However, the ease of sharing can also lead to inappropriate sharing of data, especially with business partners. Reviewing the results of the previous steps, including how much sensitive data is stored in a cloud service, who has access to it, and who it is being shared with, will now help in defining and enforcing cloud collaboration policies. Moreover, DLP policy enforcement should happen in real time to be effective: a control that acts only after the data has already been shared is not serving its intended purpose.

It is also important to keep in mind that some policies will need to be created for individual cloud services, while others apply to the cloud in general. A file-sharing service such as Box may require unique policies around collaboration and file sharing that would not apply to a service like Salesforce. At the same time, you will have to create policies that are unique to the cloud but apply to all cloud services, such as device access control.

Once policies are defined, an organization should monitor (without taking any action) the instances in which a policy violation is triggered. This is a triage phase intended to identify and remove false positives; tracking them per policy shows which detectors are noisy and need tuning. It provides the opportunity to fine-tune your DLP policies so that they capture actual violations before you turn on automatic enforcement.

Define Remediation Actions

Now that policies have been fine-tuned and false positives minimized, organizations should decide what the appropriate remediation action should be when a DLP policy violation is triggered. Common automated remediation actions include blocking an upload, deleting a file, tombstoning (replacing the file with a placeholder that explains its removal), quarantining, modifying sharing permissions, revoking a shared link, or encrypting the data or the file, in every case while retaining a complete audit trail for forensic investigation. Policies should be enforceable on data in motion as well as data at rest to ensure complete data protection.
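The collaboration-visibility, monitor-first triage and remediation steps above can be wired together in a small policy evaluator. The following Python is an added example, not code from the original cheat sheet or from any McAfee product: it classifies each collaborator by e-mail domain against a corporate domain, a partner allowlist and a personal-email blocklist (the text's whitelist/blacklist), counts files per collaborator type, evaluates the sharing policies, and in monitor mode only records what would be done, while in enforce mode it also applies the remediation and records that it did. The domain names, policy names, the remediation mapping and the sample sharing records are constructed assumptions.

```python
"""Added example: collaboration visibility, monitor-then-enforce, and remediation
with an audit trail. Constructed for illustration; not the original page's code."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed organization settings.
CORP_DOMAIN = "example.com"
PARTNER_ALLOWLIST = {"partner-law.example", "audit-firm.example"}
PERSONAL_BLOCKLIST = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Assumed policy-to-remediation mapping; an organization defines its own.
REMEDIATION = {
    "shared_with_personal_email": "remove_recipient",
    "sensitive_to_unlisted_domain": "modify_sharing_permissions",
    "sensitive_open_link": "revoke_shared_link",
}


@dataclass
class Share:
    file: str
    owner: str
    sensitive: bool                       # result of content classification
    recipients: list[str] = field(default_factory=list)
    open_link: bool = False               # anyone-with-the-link access, not traceable to a person


def collaborator_type(address: str) -> str:
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == CORP_DOMAIN:
        return "internal"
    if domain in PERSONAL_BLOCKLIST:
        return "personal"
    if domain in PARTNER_ALLOWLIST:
        return "partner"
    return "unknown_external"


def visibility(shares: list[Share]) -> Counter:
    """Number of files shared with each collaborator type, plus files exposed via open links."""
    counts = Counter()
    for s in shares:
        kinds = {collaborator_type(r) for r in s.recipients}
        if s.open_link:
            kinds.add("open_link")
        counts.update(kinds)
    return counts


def evaluate(share: Share) -> list[str]:
    """Names of the policies one share violates."""
    kinds = {collaborator_type(r) for r in share.recipients}
    violations = []
    if "personal" in kinds:
        violations.append("shared_with_personal_email")
    if share.sensitive and "unknown_external" in kinds:
        violations.append("sensitive_to_unlisted_domain")
    if share.sensitive and share.open_link:
        violations.append("sensitive_open_link")
    return violations


def apply_action(share: Share, action: str) -> None:
    """Mutate the share the way the service's API would change the real object."""
    if action == "revoke_shared_link":
        share.open_link = False
    elif action == "remove_recipient":
        share.recipients = [r for r in share.recipients if collaborator_type(r) != "personal"]
    elif action == "modify_sharing_permissions":
        share.recipients = [r for r in share.recipients if collaborator_type(r) != "unknown_external"]


def enforce(shares: list[Share], mode: str = "monitor") -> list[dict]:
    """mode='monitor' only records what would happen (the triage phase); mode='enforce'
    also applies the remediation. Every decision lands in the audit trail either way."""
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    audit = []
    for s in shares:
        for violation in evaluate(s):
            action = REMEDIATION[violation]
            if mode == "enforce":
                apply_action(s, action)
            audit.append({"file": s.file, "owner": s.owner, "violation": violation,
                          "action": action, "applied": mode == "enforce"})
    return audit


def build_sample_shares() -> list[Share]:
    """Constructed sharing records, as a CASB would pull them from a file-sharing service."""
    return [
        Share("q3_board_deck.pptx", "cfo@example.com", True,
              ["ceo@example.com", "counsel@partner-law.example"]),
        Share("customer_list.xlsx", "sales@example.com", True, ["me.personal@gmail.com"]),
        Share("payroll_2018.csv", "hr@example.com", True, open_link=True),
        Share("lunch_menu.pdf", "office@example.com", False, ["friend@yahoo.com"]),
        Share("pricing_draft.docx", "sales@example.com", True, ["buyer@randomcorp.example"]),
    ]


if __name__ == "__main__":
    shares = build_sample_shares()
    print(dict(visibility(shares)))
    for entry in enforce(shares, "monitor"):
        print(entry)
```

Run in monitor mode first and review the audit entries: every false positive you find there is a policy to tune, not a file to fix. Switching the same function to enforce mode is the only change needed afterwards, and a second enforcement pass returning an empty audit list confirms the remediations actually closed the violations.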

McAfee
2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee, LLC. 3845_0418
APRIL 2018
