Field
Embodiments presented herein generally relate to data loss prevention (DLP) in a computer system, and more specifically, to techniques for providing DLP in cloud synchronization applications.
Description of the Related Art
Data loss prevention (DLP) refers to a variety of techniques for protecting sensitive data. In endpoint DLP, a DLP agent can monitor and control activity occurring within a client computing system according to a policy, usually specified by an administrator (e.g., of an enterprise network). The DLP agent can block attempted transmissions of sensitive data and generate incident reports describing such attempts.
One issue that DLP addresses is preventing sensitive data from being leaked by a client computing system to a cloud storage service. Many enterprise networks rely on cloud storage services (e.g., Box, Dropbox, Google Drive, etc.) to store data. Cloud storage services also facilitate online collaboration on documents. For example, an enterprise network may maintain a list of customer information on a cloud storage service. Users may collaborate to edit the list in real time. Each user may download the list on a client computer, e.g., through a storage interface on the web, a cloud synchronization (“sync”) application, or a cloud storage-integrated productivity application. When a given user modifies the list, the modifications can be saved to cloud storage via an enterprise account associated with the user on the service, e.g., through a cloud sync application on the client computer, a web interface on a browser, or a productivity application that is integrated with the cloud storage service.
However, using cloud services also risks leaking sensitive data to a user's personal account. Continuing the previous example, it is undesirable if a user saves the listing of customer information to a personal account (instead of the enterprise account) on the cloud storage service.