Smart Cloud Security: Find and Protect Sensitive Data Embedded in Images

One of the biggest concerns around cloud and web usage with our customers is sensitive data loss. And data loss can happen in myriad ways. A major concern from customers is data loss and exfiltration from files that are image-based. This can be as simple as a screenshot of a Word document containing sensitive company information to patient data embedded in an x-ray image being uploaded to a personal cloud service.

With sensitive data hiding as images, it’s harder for DLP solutions to catch. Optical character recognition (OCR) in traditional DLP solutions is a more intensive operation and therefore used mostly for in endpoint or off-network DLP products. But with a CASB, as a cloud-based solution, OCR and its impact on users isn’t as much of a concern and can be much more scalable, even for large organizations.

Netskope customers have deployed our unified, cloud-native platform to enforce policies across SaaS, IaaS, and the web to secure sensitive data with OCR as well as other critical use cases. We have noted 20 of these use cases in our e-book, 20 Examples of Smart Cloud Security, and we’re highlighting each one in this blog.

Here’s one use case: Find and protect sensitive data embedded in images.

The main point for this use case is to prevent data from leaking out just because it’s in image format. This may be data hidden in images like engineering drawings all the way to PHI inadvertently left in an x-ray. You’ll need OCR capabilities in your security solution to catch this, with policies to cover all cloud services, sanctioned and unsanctioned, and web.

How can a CASB enable this use case? A CASB sits in between the user and the cloud service provider and monitors usage, secures data, and guards against threats. In the case of securing sensitive data in images, a CASB needs to be deployed in all modes to fully address this use case. Not only will an API-based deployment into sanctioned cloud services be needed to scan files resident in the cloud service, but reverse and forward proxy modes should be enabled as well to catch the data in real time and remediate. The forward proxy mode will be especially important as that will address unsanctioned cloud services as well.

Besides deployment choices, here are some functional requirements needed to achieve this use case:

• Cloud DLP with OCR (optical character recognition) capability
• Ability to scan IT-led cloud services with OCR-supported cloud DLP
• Ability to apply OCR to cloud traffic to and from business-led cloud services