September 1, 2022

Importance of ‘real’ DLP policies in SASE/SSE

Corey Kiesewetter

Security Service Edge (SSE), or the security half of Secure Access Service Edge (SASE), can’t treat data security and Data Loss Prevention (DLP) as an afterthought.  That belief drives Forcepoint’s data-first SASE approach.

In our view, the most effective SASE solutions are the ones that remove complexity from the management of security. A good portion of that complexity comes from the data security piece. 

Start by identifying sensitive data

First you have the tall order of identifying all the various types of sensitive data that need to be protected across the organization, and then figuring out how to implement effective controls around all this data without introducing friction to the organization.  That means identifying all personally identifiable information (PII) for your employees as well as customers and partners, and any other sensitive information that is controlled by regulatory compliance in your industry and region.

In addition to data covered by regulatory compliance, you also have proprietary business data or intellectual property (IP) that gives your business a competitive advantage. Whereas customer PII can often be found as structured data, IP is often unstructured data, such as source code or blueprints, that can be more difficult to inventory and control.


Consistency and flexibility matter

Having an array of advanced DLP capabilities at the core of the SSE platform is critical.  A core and common DLP service in the SSE platform can then provide consistent DLP security across multiple channels, including data at rest and data in motion. 

SSE platforms need to offer flexibility when it comes to DLP patterns and classifiers to be more than just superficially useful. There are many different types of data that need to be controlled, with different formats (such as structured or unstructured data), different channels that data flows through, different places data can reside, and different ways of enforcing control. Each of these considerations adds to the complexity of data security. For a converged security platform to be useful and effective, it must simplify this complexity. It should also include options to address as many of these as possible, with work done by the vendor's experts to make the different classifiers and predefined policies not only as effective as possible, but also as intuitive and easy to use as possible.


Bringing it all together with Forcepoint ONE

With the current shortage of security and risk management professionals, it is unfeasible to think that the average organization has the expertise necessary to create highly effective DLP patterns from scratch.  Yes, large enterprise organizations that can fund a team dedicated to this effort will likely have the necessary expertise here, but most businesses and organizations are smaller than these large enterprises or multinational conglomerates. And of course, it is completely unreasonable to believe that only the largest corporations should be able to protect their customer data and company data.  To make real cybersecurity and data security useful for everyone, we need to make it much easier to use.

That is why Forcepoint has always been focused on DLP and has been a recognized leader in DLP for over a decade. That’s also why we employ a diverse team of legal experts, psychologists, and other professionals to develop highly effective and easy-to-use predefined DLP patterns that map to numerous legal compliance regulations for regions around the world. This is also why we embedded that valuable work into our SSE platform, Forcepoint ONE.

Further, Forcepoint ONE is built on a multi-mode CASB. This means it has both sides of the enforcement picture: inline protection via reverse proxy to cover any user connecting to a cloud app, whether on a managed device or not, and API enforcement to cover changes in the app, such as publicly sharing a folder.

Forcepoint ONE, as an SSE platform, can protect use of the web, cloud apps, and private apps; but a unique value of Forcepoint ONE is the robust DLP engine that is built into the core of the platform that provides consistent enforcement everywhere.  This allows admins to select predefined policies (such as PII info for several countries) or build their own custom policies, and cover more users, with inline DLP protection for cloud apps and private apps, even for access from unmanaged devices.

To find out more about the wealth of predefined classifiers available in Forcepoint ONE, check out the following video:

Corey Kiesewetter

Corey Kiesewetter is Forcepoint’s Product Marketing Manager for cloud security products, with a focus on SASE and Zero Trust applications.  Corey has been directly helping IT practitioners realize best practices in datacenter operations the past decade and holds a degree in...
