Field of the Invention
The present disclosure relates to data leakage protection, and more specifically, to a system for data leakage protection in cloud applications.
Description of the Related Art
With the popularization of electronic processing of information, the storage and transmission of data are becoming very convenient and speedy, but at the same time, this increases risks in data security. Particularly for most enterprises, the internet is making the boundary of an enterprise network and an external network fuzzier, and email and instant messengers closely connect the enterprise network to the external network. To protect the confidential and sensitive data of enterprises, many enterprises have employed data leakage protection techniques to ensure data security.
DLP (Data Leakage Protection) is a computer security term referring to systems that identify, monitor, and protect various data through deep content inspection and contextual security analysis on transaction data with a centralized management framework. Data to be protected may include data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage). DLP systems are generally designed to detect and prevent the unauthorized use and transmission of confidential information, especially focusing on the unintentional leakage of data.
Traditional DLP solutions can be mainly categorized into Desktop DLP solutions and Network DLP solutions. Desktop DLP solutions run on end-user workstations or servers in the organization and provide interceptors that mainly monitor physical devices and I/O operations at the OS level, for example, writes to USB devices or CD/DVD, and operations like cut, copy or print. Network DLP solutions are dedicated hardware/software platforms, typically installed on a company's Internet gateway, which analyze network traffic according to the protocols employed in the data transmission. However, in a widespread cloud scenario, traditional DLP solutions have many disadvantages.
In a cloud application scenario, the network providing computing resources is referred to as a “cloud.” Generally speaking, the “cloud” is a set of virtual computing resources with the capacity for self-maintenance and self-management, and is usually a large-scale server cluster, including computing servers, storage servers, broadband resources, and the like. Cloud computing centralizes all computing resources and manages them automatically by software, without the need for manual operation. From the perspective of users, the “cloud” contains unlimited resources, is accessible anytime, is usable when needed, and is extendable anytime. As a result of the above-mentioned advantages associated with cloud computing, more and more enterprises and individuals are employing various cloud applications.
In a cloud application scenario, traditional DLP solutions have difficulties meeting the requirements of protecting data security. In particular, Desktop DLP solutions work on the underlying instructions of the operating system by monitoring events at the operating system level. Not only do Desktop DLP solutions fail to deal with events at the application level, they also cannot capture and understand operations in cloud applications. Network DLP solutions focus on data transmission at the network transport protocol level, and cannot acquire the contents that have already been stored in the “cloud.” Furthermore, traditional Network DLP solutions do not provide intuitive interactions with users, which is a very important aspect of DLP.
To provide data leakage protection in cloud applications, an alternative solution may be proposed, which is to provide a unique DLP framework. In this solution, the cloud application providers would have to revise their own cloud applications and build the data protection function into them. However, such a solution is highly dependent on the attention and expertise of cloud application providers regarding data security and, thus, cannot guarantee reliability. In addition, as enterprises have different data security strategies, constructing a unique DLP framework that is compatible with the various DLP strategies on the market will be difficult. Therefore, such an alternative DLP solution would have difficulties in both practice and promotion.