CASB and DLP – It’s all the same. Or is it?
While DLP Experts focus is on data loss prevention technologies, questions around DLP in the cloud invariably bring up discussions on CASB (Cloud Access Security Broker) solutions. These questions are becoming more and more frequent from our customers – pretty much daily – underscoring the importance of protecting sensitive data in the cloud.
We often have companies approach us to discuss a DLP initiative and when we get to the topic of available technologies, they throw out the name of one of the CASB vendors for consideration. After all, CASB solutions are also DLP solutions, right? Or are they?
To answer this question for one of our customers, we put together the thoughts below for consideration. Please note that we don’t argue in favor of one solution and against another. We believe each organization’s unique data protection requirements should be considered to ensure adequate coverage. More than likely, both DLP and CASB technologies will provide significant benefits.
- What are your goals? Is your company’s DLP need limited to the cloud? Or do you see this need extending beyond the cloud to endpoint coverage, discovery and other network protocols? Most companies want to protect their sensitive data from leaking, not just via the cloud, but from anywhere! Whether that’s via the network or endpoint, stored in file shares or on workstations.
- Network, Discovery, Endpoint – and Cloud. Times have changed. It’s no longer safe to assume that traditional DLP coverage – network, discover and endpoint – will effectively prevent sensitive data loss. With the widespread use of cloud storage in so many environments today, cloud coverage is now an absolute necessity.
- Not mutually-exclusive. DLP solutions do not typically provide the best cloud coverage. CASB solutions do not provide comprehensive DLP coverage. There is certainly some overlap between DLP and CASB solutions, but not enough to rely on one and not the other. Complete DLP coverage is likely to be obtained only by employing both solutions. This is precisely the reason why leading DLP and CASB tools have developed integrations between their solutions.
- Data detection capabilities. DLP vendors have been honing the sensitive data detection capabilities of their solutions for over a decade and have developed extensive, flexible methods that can be layered for more accurate and effective detection of sensitive data. Many CASB solutions (but not all) still rely on rudimentary detection methods, such as regular expression pattern matching, which often prove to be false-positive prone. In our experience, DLP solutions provide much more accurate sensitive data detection. All the more reason for CASB solutions to leverage integration partnerships with the DLP vendors.