Amit Goyal

DLP Solutions to Protect the Data on Your AWS Infrastructure

The recent COVID-19 pandemic accelerated the adoption of remote work. Companies are increasingly moving away from earlier remote work solutions, such as VPN tunnels that let remote workers connect securely to the company's on-premises systems, in favor of cloud solutions like AWS Workspaces.

AWS Workspaces offers virtual desktops as a service, an easy, familiar way for employees to work from home. Employees connect to AWS Workspaces from their own devices and log in with their company Active Directory user account. Your on-premises group policies are applied automatically to the Workspace, so your users have the same access and privileges through AWS Workspaces as they would have if they were logged into a company device in the office.

Amazon Workspaces is a virtual workspace that employees can access over the internet using their own or company-provided devices. If the company uses Amazon Virtual Private Cloud (VPC) infrastructure, it can connect its VPC(s) directly to the Workspace network. If the company has on-premises infrastructure in its offices, it can establish a VPN to connect the on-premises network to the Workspace network.

The connection from a user's endpoint - usually a laptop or desktop, whether owned by the user or by the company - uses the PC over IP protocol (PCoIP). The virtual workstation sends an image of the desktop to the user's endpoint and receives mouse and keyboard events from the user's device. The user can view and modify data, but the data itself is never downloaded to the user's device. This reduces the company's exposure to vulnerabilities or malware that may be present on a user's device.

Together with more mature infrastructure-as-a-service offerings like Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3 buckets), Workspaces is accelerating the movement to the cloud.

Shared Responsibility

Regardless of how you use the cloud, whether VPC or Workspaces, you must remember that security in the cloud is a shared responsibility. Generally speaking, Amazon is responsible for the security of the cloud infrastructure - the hardware, software, networking, and facilities that run AWS cloud services - and the customer is responsible for security in the cloud. If your company uses cloud storage, compute or workspace solutions, you are responsible for making sure that the data hosted on that cloud infrastructure is not lost, misused or accessed by unauthorized users. Cloud-based DLP services, like Symantec DLP, discover sensitive data stored on your cloud infrastructure, monitor traffic to, from and between your cloud endpoints, and take action to prevent the loss, misuse or exposure of that data based on policies your company defines.

This paper explains how DLP solutions prevent data loss and how Aurora can work with you to secure sensitive data within AWS EC2, S3, or Workspaces resources using Symantec DLP. We chose Symantec DLP because it is the market-leading solution. Symantec DLP protects data in use on endpoints, like virtual desktops and printers; data in motion over the network, including web traffic and email; data at rest in storage repositories; and content that may be extracted from cloud apps such as Office 365 or G-Suite. It monitors the broadest range of applications and data formats, and it detects and responds to incidents more quickly than its competitors.

Extending Symantec DLP to AWS Workspaces and VPC

Products: Symantec DLP Enforce, DAR, DIM, Network Discover, Web Prevent, Network Prevent, ICA, Endpoint Prevent

Leveraging our Symantec DLP expertise and understanding of AWS, Aurora can extend your Symantec DLP capabilities to protect cloud-based solutions like AWS Workspaces and cloud infrastructure solutions like VPC, EC2 and S3. This keeps the deployment flexible enough to scale desktops on demand while still protecting sensitive data.

To extend your DLP policies into an AWS VPC, a dedicated detection server is deployed and integrated with AWS Transit Gateway so that it can protect every server and remote virtual desktop attached to that network. A fully deployed detection server can be set up to scan resources such as data repositories (data at rest) and SQL databases, and even to monitor Linux file shares, to detect sensitive data.

Detection servers within the Amazon VPC can also be used to protect sensitive data from being leaked to the web. A proxy component can be set up on endpoints as needed to route their traffic through it, allowing Network Prevent to inspect all of the network traffic to and from end users.

Additionally, Web Prevent and Endpoint protection can discover sensitive data, and monitor user activity to prevent accidental or deliberate unauthorized sharing of sensitive data.

To protect data within Amazon S3 buckets and EC2 resources, the Symantec CloudSOC service can be leveraged to gain access to the data stored there. In these scenarios a detection server is not required, but CloudSOC integrates fully with the Symantec Enforce server, so existing DLP policies extend to it seamlessly.

We can also integrate Symantec Information Centric Analytics (ICA) with the Symantec Enforce Server to analyze the data. This combination of Symantec DLP and ICA provides strong protection against cyber-attacks for every component of a complex cloud environment.

Aurora is an established premier partner of Broadcom/Symantec with deep knowledge and experience within their security portfolio. Our goal is to tailor Symantec’s broad security solution sets to align with our clients’ own needs and maximize their return on investment. We can help you protect data in Amazon cloud environments in new and innovative ways. Contact us if you are considering implementing Symantec solutions into your AWS environment.

Symantec DLP Overview

Aurora uses Symantec Data Loss Prevention (DLP) to help clients prevent data breaches by discovering sensitive data wherever it is moving or stored, monitoring how it is being used, and providing real-time protection to prevent exposure or theft of the data.

Protecting Data in Use on Endpoints

Symantec's Endpoint DLP is a single lightweight agent installed on endpoints that scans local data and monitors user activity. The agent has two modules: Endpoint Discover and Endpoint Prevent. Endpoint Discover scans local hard drives to find sensitive data stored on laptops or desktops. It can take a wide range of actions to protect that data, including quarantining local and remote files and applying policy-based encryption and digital rights management. Endpoint Prevent monitors and controls users' activities. It can alert users to security concerns and take actions, including enforcing encryption and digital rights management of data transferred to USB devices, to prevent accidental data exposure.

Protecting Data in Motion over the Network

Symantec DLP for Network monitors data in motion over networks and prevents it from being leaked. DLP Network Monitor looks for sensitive content and metadata in outbound traffic on your network. Network Prevent for Email analyzes corporate email traffic and can be configured to modify, redirect or block messages containing sensitive content. Network Prevent for Web performs a similar service by monitoring corporate web traffic; it can be configured to remove sensitive HTML content and block requests.

Protecting Data at Rest

Symantec DLP for Storage discovers and secures sensitive data stored on file servers, endpoints, cloud storage, network file shares, databases and other repositories. Symantec DLP Network Discover is capable of high-speed scanning over large, distributed environments and can recognize and scan over 330 different file types, including custom file types. Symantec DLP Network Protect can automatically clean up and secure exposed files detected by Network Discover. It can take a range of remediation actions, including quarantining or moving files and enforcing encryption and digital rights management policies.
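The data-at-rest scanning described here (and the detection-server scans of repositories and file shares discussed earlier under "Extending Symantec DLP to AWS Workspaces and VPC") all reduce to the same loop: walk a repository, test each file against content rules, and map each confirmed match to a policy response such as quarantine. The following is an added illustration of that loop, written for this article; it is not Symantec code and does not model Symantec's detection engine. The rule set, the severity-to-action mapping and the sample "file share" are all constructed for the example; a real deployment would carry far more rules and would open real files rather than an in-memory dictionary.

```python
"""Minimal DLP-style discover/protect pass (illustrative; not Symantec code).

Walks a repository, applies content rules to each document, validates
matches (Luhn check for card numbers), and decides a response action
from the rule's severity, the way a discover scan feeds a protect step.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number` (separators ignored).
    Rejects 13-16 digit strings that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    severity: str                                      # "high" or "medium"
    validate: Optional[Callable[[str], bool]] = None   # extra check per match


# Constructed rule set for the example (a real policy would be far larger).
RULES: List[Rule] = [
    Rule("credit_card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "high", luhn_ok),
    Rule("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    Rule("confidential_marker", re.compile(r"\bCONFIDENTIAL\b"), "medium"),
]

# Response policy: what the protect step does with a confirmed match.
ACTION_FOR_SEVERITY = {"high": "quarantine", "medium": "report"}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    matches: int
    action: str


def scan_text(path: str, text: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Apply every rule to one document; one Finding per rule that fired."""
    findings: List[Finding] = []
    for rule in rules:
        hits = [m.group(0) for m in rule.pattern.finditer(text)]
        if rule.validate is not None:
            hits = [h for h in hits if rule.validate(h)]   # drop false positives
        if hits:
            findings.append(Finding(path, rule.name, len(hits),
                                    ACTION_FOR_SEVERITY[rule.severity]))
    return findings


def scan_repository(repo: Dict[str, str]) -> List[Finding]:
    """Walk a repository (path -> text) as a discover scan walks a share."""
    results: List[Finding] = []
    for path, text in sorted(repo.items()):
        results.extend(scan_text(path, text))
    return results


def quarantine_list(findings: List[Finding]) -> List[str]:
    """Paths the protect step would move to quarantine."""
    return sorted({f.path for f in findings if f.action == "quarantine"})


# Constructed sample "file share" with made-up values (test card numbers,
# a fake SSN, and a 16-digit build id that fails the Luhn check).
SAMPLE_REPO: Dict[str, str] = {
    "hr/payroll.csv": "name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n",
    "eng/build-notes.txt": "Build id 1234 5678 9012 3456 is green. CONFIDENTIAL until release.\n",
    "sales/forecast.txt": "Q3 pipeline looks healthy; no personal data here.\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.path}: {f.rule} x{f.matches} -> {f.action}")
    print("quarantine:", quarantine_list(scan_repository(SAMPLE_REPO)))
```

The validation hook is the part worth copying: a bare 16-digit regex would flag the build id in `eng/build-notes.txt`, so the card rule only counts a match after it passes the Luhn checksum, which keeps incident volume (and the quarantine queue) down to real exposures.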

Protecting Data in the Cloud

The Symantec DLP Cloud Detection Service protects data in motion and data at rest across more than 100 sanctioned and unsanctioned cloud apps, including Office 365, G-Suite, Box, Dropbox, and Salesforce. It extends existing policies and detection capabilities to cloud applications, and can take actions to prevent exposure of sensitive files, including un-sharing them, quarantining them, and blocking them from leaving. It can also enforce encryption and digital rights management policies. Symantec DLP Cloud Service for Email performs the same function for corporate email traffic.
