Next Gen SWG Use Case #5 – Advanced Data Protection


This is a series of articles focused on Next Gen SWG use cases. This is the fifth in a series of six use cases.

In my recent blog about advanced threat protection, I covered how the threat landscape has evolved and how the SWG (secure web gateway) needs to also evolve to be effective in defending against new and emerging threats. The next use case is centered around advanced data protection. While there are distinct capabilities tied to data protection vs. threat protection, they both ultimately aim to achieve the same goal and that is to protect your data. Data protection requirements have also evolved and SWGs also need to evolve their data protection capabilities to be effective in today’s digitally transforming world.

Let’s take a look at five advanced data protection requirements that a Next Gen SWG should support.

1. Improve visibility and stop sensitive data moving between managed and unmanaged cloud apps

Netskope Threat Labs recently reported that the majority of data policy violations occur in cloud storage, collaboration, and webmail apps. This makes sense given that these apps are known to be data-heavy given that they are used to collaborate. What is interesting is that 20% of users move data laterally, including between managed and unmanaged cloud services and between company and personal instances. 

This is a challenge because traditional SWGs do not have the capability to differentiate between corporate-managed, partner, or unmanaged instances of cloud apps, so the result is they have to whitelist them so employees can continue to collaborate, uninterrupted. This provides red carpet entry for both external bad actors and malicious insiders to use this gaping hole to steal data. 

A Next Gen SWG needs to be instance-aware to differentiate between corporate-managed, partner, and unmanaged instances of cloud apps. It also needs to be able to apply granular policies to block sensitive data going to unmanaged instances, while allowing the data to go to the managed versions. This is critical for safely enabling collaboration without disrupting the employee’s ability to collaborate.

2. Stop data leaking in web forums, blog comments, and social media with inline inspection

The web is more dynamic than ever with more and more data being uploaded and posted versus just accessed as static pages for viewing. Whether it is health records, financial data, intellectual property, or trade secrets, today’s modern web makes it easy to post and share data for public consumption.

A Next Gen SWG needs to be able to perform inline inspection and blocking of not only files being uploaded, but also content that is being posted in forums, blog comments, and social media.

3. Improve DLP inline inspection efficacy with deep context

Simply inspecting all web traffic and looking for DLP violations can result in an overwhelmingly high amount of false positives. High false positives are the leading cause of alert fatigue and ultimately, a failure of the DLP initiative.  

A Next Gen SWG should incorporate smart inspection with the ability to bring in the surrounding context about the target user, device, location, web category, cloud app, cloud app risk score, cloud app instance, activity, and data. The result is improved efficacy with fewer false positives.

4. Further improve DLP inline inspection efficacy with fingerprinting and Exact Match 

Content formats like medical records, coupon codes, and forms that contain sensitive data are difficult to inspect and can result in both false negatives and false positives when using basic DLP systems.  

A Next Gen SWG should support advanced DLP capabilities like Exact Match, where you can compare the inspection target with a provided reference, as well as fingerprinting with similarity matching, where you can fingerprint content such as blank form data and generate a match when data from the form is filled in and posted to the cloud and web.

5. Perform one-pass inline DLP inspection across cloud and web

A number of SWG vendors have evolved their DLP capabilities by acquiring and bolting on different technologies to cover both cloud and web. The result is multiple DLP engines and multiple consoles resulting in a lot of complexity and inefficiencies.

A Next Gen SWG should be built from the start with the ability to perform one-pass DLP inspection across cloud and web. One DLP engine, one console, and the same compliance templates applied across cloud and web.

Data protection requirements have evolved far beyond what legacy SWG and legacy cloud-delivered SWG products can provide. You can learn more about this Next Gen SWG use case and watch a demo here. Don’t forget to also consider the other use cases and associated requirements covered in this blog series. Stay tuned for my final blog post in this series, which is covering users going direct-to-net.