Working remotely during the global pandemic crisis has been quite the boon for knowledge workers, but in many ways the rapid shift to a work-from-home model has increased data security risks in organizations and unlocked new opportunities for data loss.
Data protection has become an issue in the new normal because employees are no longer bound within the supervised environment of their corporate network, and freely access data and cloud applications from their personal home network or from a third-party network elsewhere.
As companies continue to remodel their culture for a remote working environment, a data protection strategy based solely upon a controlled office-based network environment no longer makes sense.
Remote Employee User Behavior is Hard to Control
As organizations adopt SaaS applications such as Microsoft 365, Box, Salesforce, Workday and Slack, more and more data is uploaded, stored, and shared in the cloud. In this scenario, monitoring remote employee behavior that can pose a risk to sensitive data is difficult. Moreover, managing the employee’s authorized IT devices is not always enough because many times remote employees don’t connect to their employer’s virtual private network (VPN) and instead choose to connect directly to both corporate applications and to a number of unsanctioned SaaS applications. An even bigger challenge occurs if the devices used by remote users to access corporate SaaS applications happen to be their unmanaged personal devices that IT has no knowledge of. In such instances, organizations have little to no visibility or control over what sensitive data is transferred by the employees through cloud applications.
Shadow IT is a Problem
Countless SaaS-based cloud applications are available today to get any task done. These can range from note-taking apps to file-sharing apps to social media, collaboration tools and many others. When these unsanctioned applications are used or managed by an organization’s workforce without the explicit vetting and approval of the IT department, they are classified under the broad umbrella term of “Shadow IT”.
Many employees feel comfortable downloading any application or accessing any cloud service as long as it makes their jobs easier. But relying on shadow IT applications that enable the transfer and sharing of sensitive data creates security gaps that put organizations at high risk of data loss. This is because IT departments have no visibility into exactly which applications are used and what sensitive data is uploaded or downloaded.
And So are Non-Compliant Transfers of Data
Organizations are responsible for ensuring compliance and data privacy throughout the entire enterprise, including sanctioned SaaS applications, cloud infrastructures and remote users, given that regulated data can now be stored and shared anywhere outside corporate premises. For example, it is incumbent upon organizations to make sure data is not overshared, is not overexposed in the cloud, and is not transferred through unsanctioned SaaS apps. But the growing reliance on cloud apps, whether sanctioned or unsanctioned, makes it harder for IT teams to monitor non-compliant data transfers made by employees working remotely. A good example of this is when an employee tries to edit a confidential document containing payment card data using a document editing app in the public cloud, and unwittingly transfers out a file containing private information that is subject to GDPR.
Help Your Remote Employees Keep Sensitive Data Secure
At Palo Alto Networks, we think implementing a cloud-delivered security platform and enterprise data protection designed for the remote workforce is the winning formula for success that best enables:
- Remote employees to work securely without breaking company policy.
- Organizations to be safeguarded from losing sensitive data and from risking accidental exposure or malicious insider behavior.
Cloud-delivered enterprise data loss prevention (DLP) is unique in that it discovers data both at rest and in motion across public cloud services such as corporate SaaS applications and IaaS, throughout the corporate network and across the entire remote workforce. To deliver a complete Secure Access Service Edge (SASE) solution, it natively integrates with our cloud-delivered security services like Prisma Access and our SaaS security, providing a comprehensive security approach that is purposefully designed to view and secure all users, all data and all traffic, even that generated by remote users who choose not to connect to the corporate VPN.
When it comes to the question of remote users accessing unsanctioned shadow IT apps and uploading sensitive information through them, Enterprise DLP, as a fundamental part of our Palo Alto Networks SASE solution, provides the necessary visibility and control to the corporate security teams. For compliance as well, we think data protection should encompass every location where sensitive data can be found, be it the cloud, remote users, or any physical location, such as a data center. Our view is that data protection and compliance initiatives should be data-centric. Having visibility into sensitive information, whether at rest or in motion, found at any given location enables IT departments to successfully enforce protective actions that monitor, govern and prevent unsafe transfers and corporate policy violations.
Peruse our new ebook “Overcoming Enterprise Data Protection Challenges” to learn how a modern enterprise DLP solution can help you unleash the right enterprise data security strategy for your organization’s remote workforce.