Uncovering Hidden Risks 3.22.23
Ep 7 | 3.22.23

Cloud Native Data Loss Prevention: The Future of Data Security


Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now, let's get into this week's episode.

Erica Toelle: Welcome to another episode of the "Uncovering Hidden Risks" podcast. In today's episode, we will discuss data loss prevention, which is a layer of an organization's data security strategy. Data loss prevention, or DLP, helps protect sensitive data by preventing users from inappropriately sharing it with people who shouldn't have it. In today's episode, we will review some recent DLP research and what's coming up in this space. Let's start by introducing today's guest host, who will join us for the discussion. Shilpa is a senior product marketing manager for the Microsoft Purview Data Loss Prevention team. Shilpa, would you like to share a little bit more about your background for our listeners? 

Shilpa Bothra: Thanks, Erica. I'm really excited to be here and discuss DLP. It is a topic that I think about all day, every day, but really grateful to have an opportunity to work in the data security space and help customers protect their data and adopt a comprehensive data protection strategy. 

Erica Toelle: Perfect. Thanks, Shilpa. Also joining us today is our guest, Maithili Dandige, partner group product manager for several Microsoft Purview products. Maithili's team is behind Microsoft Purview products, such as information protection, data loss prevention, data lifecycle management, records management, e-discovery and audit. Welcome Maithili. 

Maithili Dandige: Hi, Erica and Shilpa. I'm really excited to join the podcast today. I've been at Microsoft for 19 years, working across cloud services, collaboration and security, and I truly believe my team is doing some highly innovative and mission-critical work to help organizations classify their data, protect and govern it. So not only are we helping admins uncover the hidden risks around sensitive data, but also enabling them to remain compliant and productive. Glad to be here today. 

Erica Toelle: Perfect. So Maithili, to set the context for our listeners, can you share your views about the journey of DLP solutions and where the market is today? 

Maithili Dandige: It's a great question. One of the biggest trends happening is data is the new endpoint. It is the crown jewel for many organizations. What we're trying to protect has changed. Also, the way we work has drastically changed in the last years. Moving to a hybrid workplace is now a reality. There is just a huge lot of data that's proliferated, and it's flowing through devices accessed by users through various endpoints and locations. The other part that is happening is organizations are really starting to evolve their data security practices. What I mean by that is we see tremendous growth in how quickly organizations are moving their data to the cloud so that they can scale and consolidate their point solutions. Also, it is more critical that they take along both the security and the data admin as well as the information worker along their journey. 

Maithili Dandige: And last but not the least, the solutions that we have around data security, such as information protection, DLP, have also needed to evolve. It's only natural, and I would say that it is our responsibility that we evolve these DLP solutions, too, to meet the evolving landscape. And most customers really are looking for that cloud-first move. Data security solutions need to work at scale, be integrated for securing their data throughout its life cycle. What I mean by that is where the data is born, how it's getting used and how it's getting egressed out of their different and various endpoints. 

Shilpa Bothra: Maithili, I love that you're talking about this as a responsibility. Can you share a little bit more about what you're hearing from customers regarding this evolution? What are they really expecting from DLP solution providers? 

Maithili Dandige: Thanks, Shilpa. A few questions that I hear in all my conversations - the first is that traditional DLP offerings have been really hard to set up and get started with. Getting these agents to run on devices, endpoints, on-premise environment really comes at the cost of performance and productivity, both for the admin who is wanting to maintain and deploy this, but also for the end user. The second sort of big thing that I hear is the organizations really want a way to create a really good data protection strategy to cover all of their business data types as well as their intellectual property. And today, they can have various point solutions they need to stitch to get their data classified, but also protected. They may have something running on email, the other on a cloud or third-party apps. 

Maithili Dandige: The other challenge that organizations face today is really bringing that entire context around that data so that they know sort of where is the data located, who is handling the data, what device is it stored on, who the identity of the user is. So this zero-trust approach is something that they really seek for because that's going to give them that confidence as they deploy. And that's a real challenge today as they bring that. And then continuing on the theme of scaling, they really want to get started, but also maintain something that they can sustain and take forward, striking that balance across security and productivity. All in all, they want to do more with less - less cost, more automation, less manual interventions. 

Erica Toelle: Perfect. Thanks, Maithili. It sounds like there's a lot of really interesting challenges in this space. Shilpa, I think I saw you recently published some research in this area. What are some of your interesting findings from that research? 

Shilpa Bothra: Yeah. First of all, I'll acknowledge that this is the first "Uncovering Hidden Risks" podcast with all female guests and hosts - so, yay, even more excited to be here. But, Erica, to your question, I think we found a lot of interesting things. A couple things that I would love to share is we found that organizations that use cloud DLP solutions are twice as likely to say that the cloud DLP solution, A, is easier to scale and, B, also helps balance protection and productivity. Whereas, on the other side, 73% of organizations that actually use an on-premise DLP solution said that they struggle with data transformation challenges. And almost half of them said that they were struggling to maintain productivity. We also saw a lot of focus on educating employees to better handle sensitive data. So really honing in on this idea or thought that DLP is a combination of people, process and technology, right? Like, you could have the best technology exists, but unless you think about the people aspects of it and the process aspects of it, you probably will not get the most value out of your investment in the technology. 

Shilpa Bothra: But what I really found the most interesting in that research, Erica, was this idea of perception. So on the surface, a lot of organizations and respondents told us that they were very confident and satisfied with their DLP program. But when we probed them for specifics around what the program is, how they are implementing it, they couldn't really very clearly articulate it. So there was this sense of uncertainty of the unknowns and uncertainty of the risks. So even though, at the surface level, they were - we heard that, we are very confident and satisfied. But underlying that was this idea that, I really need to move to a solution that can give me more scale, that can give me more flexibility, that can give me more opportunities to educate my users and strike that balance between protection and productivity. So I personally found that tension between, I have something good, but at the same time, I want something that is better, really fascinating. And to that point, Maithili, you've been in this space for quite a few years now, right? What are your thoughts on why does this tension exist? 

Maithili Dandige: It's fascinating, isn't it? I think the tension exists because, you know, first and foremost, we are all humans, and we are naturally really comfortable with what we know. There is this big fear of the unknown. Stepping out of our comfort zone, even when we know it's going to benefit us, is at the core of how we, you know, approach things as humans. But it is no different for something like this move with DLP and the trends that we are seeing. There is this thought of, what if I change something and it doesn't work? Or what if my policies don't work in the same way that I used to work in an older system? What if I make a mistake? There's a real cost associated with change management, and we got to acknowledge that. And then in today's climate, we are also seeing all of us, including our security teams, wear multiple hats and prioritize. And what this means is that it's really important and critical - as you set up the program, it can be quite daunting to bring the different stakeholders and really get them together to take that first few steps. 

Maithili Dandige: And one of the other things that we see with this is that, as the security teams are approaching this move to DLP, they're really thinking holistically about the entire platform. Like, DLP is not in isolation. It needs to be taught in conjunction with how you're going to mitigate and remediate threats, post and pre-breach. So it has to work holistically with your security platform and be compatible with the rest of the solutions and the platform that you're taking a bet on. So moving to a new DLP solution can be challenging because there are a lot of nuances about not knowing where to start. The second big piece is - I would say, recreating the policies is a big hurdle. In fact, half of our survey said that this was one of the biggest hurdles in migration. And then the third is the cost - the cost it takes for the time and effort to re-engineer. And, let's face it, most security teams have a very short staff to get this sort of change management going. So I would say, like, those are some of the tensions that we see. 

Erica Toelle: Maithili, I love how you acknowledged both the technical and the people side of that tension. What would you recommend for people who are looking to solve these challenges? How should they get started, and what advice do you have for them? 

Maithili Dandige: I love this question. And I would say, to start with, really, one has to acknowledge, as humans, this tension and lean in with that growth mindset into approaching this problem. A lot of our DLP solutions in market today have started with an on-premise solution, and they've had to adapt to meet their customers, as they saw their customers move their data to the cloud. A cloud-native solution is built with that cloud-first mentality, and I think leaning into that approach is really a good place to start. The next is to build a practical, strategic and holistic approach to data security. You want to be intentional about where you're starting. What workloads are you onboarding - clouds, third-party apps, your on-premises where you're bringing your data? Taking that holistic look at all of the workloads, what are the different data types? What kinds of data do you really care about? And then what is the content within that data, as well as the context? 

Maithili Dandige: So really starting to assess that risk around the data holistically so that you can start onboarding some of the policies that you have. Now, by adopting a cloud-native solution, a lot of aspects simplify. The first thing that we see is a lot of these cloud solutions are really powering intelligence from the cloud. We can use a lot of intelligence with built-in in classifiers understanding the business parameters for an organization and really start to help admins understand where their data is located. What are the biggest risk vectors so that they can build a practical plan and also have a confident start? 

Maithili Dandige: We also see more and more emergence of assistive and intelligence technologies that help admins really deploy these policies more confidently. But really, the end game is to really enforce these granular controls. We know that several organizations struggle with either overindexing on security - and then that comes at the cost of productivity - or else you're keeping your risk open by not moving all of your policies from audit to enforce mode. So this - really, that piece that you need to understand and an approach from the get-go that can help is to be proactive, really taking that proactive approach and leveraging the intelligence from the cloud. And by correlating all the signals around the user data and device, you can take a more flexible and adaptive approach where you can keep the end user at the center, helping them, educating them as you're restricting policies and enforcing them but then also looking at behaviors that are less benign and allowing them to remain productive and keep going with their work. So this really proactive and adaptive approach to DLP is really at the heart of the cloud solutions. And I think it's really smart for organizations to embrace this from the get-go. 

Shilpa Bothra: Maithili, that's a really interesting idea. And I love the way that you put it. Solutions that started as an on-premise solutions trying to adapt to where our customers' reality is today versus solutions that were built with this cloud-first mentality that can provide all of these benefits that you talked about. Could you elaborate a little bit more on specifically, like, the benefits of these cloud-native solutions? 

Maithili Dandige: Thanks, Shilpa. So, well, to begin with, one of the biggest savings that you're going to see is the cost it takes in deploying these solutions because there's - in the traditional solutions, there was a lot of cost associated with running multiple agents, getting them to talk to each other and then really kind of bringing the stitching together - multiple-point solutions to get your DLP working. But in a cloud-native solution, you can get onboarded from the get-go. There is no cost in getting agents set up. On day zero, you can get your insights and start to really go and start to deploy and test your policies. So that's kind of the first benefit. 

Maithili Dandige: The second benefit is that it really gets you closer to where the risk is, which is when I was talking about data is the new endpoint, cloud-native solutions focus on really the data security aspects well because you can start by deploying the right kind of controls right where the data is created, as it's egressed. And what this does is that as new data is born or new regulations come up, you can really be adaptive and comply with your regulatory requirements quicker than you could do before because you have the insights going. You can start to modify your policies or create new policies and deploy them easily and across a whole set of workloads which are integrated with the solution. 

Maithili Dandige: And then the third part is really the benefit to the end user, because at the end of the day, DLP - as Shilpa said, it's a marriage between process, people and technology. And you really want to bring the users along the journey and make sure that they are being productive. And one of the benefits that we see with most cloud-native solutions is that the productivity and the controls are built into the apps - so what we call as built in. And this way, where the user is, they can continue doing their jobs with the right experiences, whether it's in-built policy tips, experiences surface to keep them compliant yet productive. So here are some of the benefits. 

Erica Toelle: I love that idea of empowering the users to make the right decisions. I mean, at the end of the day, most people want to do the right thing. And it seems like a really great way to scale. Shilpa, do you have any ideas about how customers could get started with that approach? 

Shilpa Bothra: Yeah, I think the key is to start simple and then build from there, identifying the most important data in the organization. So what is, like, really critical to you that you want to protect? Leveraging the pre-built templates to then create policies that can protect that data. And as you create policies, you can add in tips for your users. So, for example, if I'm sharing something super confidential to Erica, which might be really important to Microsoft, I could get notified to say, hey, this is really important. Make sure you're taking the right steps, right actions. That's really how you can start to train your users to better handle sensitive data. And research shows that such endpoint training actually means that you retain that information a lot longer, and it almost becomes like a second nature. And over time, I would know, and I would be informed of my organizational policy of what I can and cannot share with Erica in this example. 

Shilpa Bothra: And then the third thing is really test your policies before you enforce them. So make sure it's doing the right thing. Make sure it's giving users the right kind of notifications before you actually roll it out for your entire organization. And once you've done this for the most important data in your organizations, you can then start to think about, OK, what are other granular restrictions can I apply to the policy? So that would be the next stage, where you can start thinking about, OK, maybe it makes sense for Shilpa to send Erica certain documents 'cause they are collaborating on this project together, but maybe not others where they might not be working together. So those are, like, next-step granular information and granular conditions that you can start to apply to your policies. But, really, start simple and then build from there. And if customers are using Symantec DLP today, Microsoft has built tools that can help them migrate their policies over. As Maithili has - had mentioned earlier, that a really big hurdle is to re-engineer your policies whenever you adopt a new DLP solution. So with this tool, those policies can move over automatically and help remove that hurdle. 

Shilpa Bothra: So, Maithili, I would love to ask you a question. What do you see as the future of the DLP space? What areas are we investing in? What keeps you excited? 

Maithili Dandige: Such a great question, and I touched a little bit earlier on this, but let me elaborate. There's so much potential, and this is, like, really one of the things that really excites me about the job that we're doing here at Microsoft with building this kind of modern DLP cloud-first approach. And drawing back to what I mentioned earlier, the mission is to really make it simple for customers to onboard to this new DLP approach. And I think at the heart of it is what we call as dynamic and protective prevention - really focusing on that prevention in data loss prevention stands out for me so that what we do to help customers identify the most important risks and take actions proactively and automatically. 

Maithili Dandige: And this is really at the core of our cloud solution because we can correlate and bring intelligence to really bring this adaptive approach. We recently announced adaptive protection. The idea there is to allow customers to automatically add users with risky activities to stricter DLP policies and adjust the restrictions as the risks changes. So organizations no longer have to be on this spectrum of either too restrictive or too open. They can really take the advantage of this dynamic approach so that you are helping save time, but also maintain productivity and really manage that risk. And so this is what the dynamic and proactive prevention approach is. 

Maithili Dandige: And then the second theme - all of this is powered through leveraging machine learning and AI because there is just tons of data and signals. And what our models can do is reason over this data, bring in that context of the user in context of the data that they are handling and really help predict better risks, pinpoint where that risk is, how is it happening so that we can really put that admin at the center and help him set up those right controls, as well. Those are really sort of what keeps me excited is our proactive approach for data loss prevention. 

Erica Toelle: Well, Maithili and Shilpa, I'm sad to say I think that might be about all the time we have for today. This has been a great conversation. I certainly learned a lot. And then before we go, we always have a tradition of asking a question of all of our guests and co-hosts. So I would love to know from each of you, what is your personal motto or words that you live by? 

Maithili Dandige: Thank you for that question. One of my personal mottos - and this is something that has really shaped up - is focusing on really moving from that stuck phase to the unstuck phase. And I call it work-life unstuck. And I actually do have a newsletter on Substack - worklifeunstuck.substack.com - where I share a little bit of my thoughts there. But the idea is to accept that we are humans, first and foremost, and we are going to find ourselves stuck. No harm there. But being very curious about the emotions that keep us stuck - whether it's self-doubt, fear, shame - bringing awareness to them, and then really kind of practicing moving to that unstuck phase. So really this approach of tackling situations across work and life with a positive and growth mindset is something that I try to practice. 

Shilpa Bothra: That's a great one. I love that - stuck to unstuck. I would say my personal motto is to continue to lead with kindness. I think, building on what Maithili said, we are humans and we all have moments where we are feeling low or frustrated with things. But if we continue to lead with kindness, we can bring out the good in others and work better together as a team to solve challenging problems. So that's something that I try to embrace in both work and personal life. 

Erica Toelle: Wow, those were really good. I'm personally very moved. Thank you both for sharing that. So, again, yeah, so grateful you could join us on the podcast today. Thanks for sharing your insights with us, Maithili and Shilpa. 

Maithili Dandige: Thank you for the opportunity, Erica. It was lovely talking to all of you. 

Shilpa Bothra: Yeah, likewise. Thank you for having us. Goodbye. 

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode, and don't forget to tweet us @msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform, and you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs and it's up to you where to focus.