SOLUTIONS FOR AWS

Data Loss Prevention (DLP) for AWS Storage

Identify and Protect PII at Scale

Automate sensitive data discovery, classification, and protection. Reduce development time and maintenance. Easily scale to meet usage requirements regardless of the number of AWS accounts or buckets you have.

Man working on computer

Challenges We Help Solve

investigate

Visibility at Scale

You're unsure what sensitive data exists and where it exists. We provide insight into what restricted, sensitive and public data you have and where it resides.

Identify and protect hundreds of sensitive data types across over 25 regional localizations in all AWS accounts and regions with automated DLP at petabyte scale.

control-scale

Control at Scale

Ensure proper management of sensitive data access. We assist in placing restricted, sensitive, and public data in appropriate locations with the correct permissions.

Our automated processes identify permissions policies and assess bucket attributes like accessibility and encryption status.

operational

Operational Efficiency

As data volumes grow, supporting compliance and security mandates can become pricey, complicated and unwieldy.

Improve operational efficiencies by reducing costs by upwards of 40% for DLP services*.

Pictures of DLP solution summary stacked over each other.

DLP Made Easy

DLP in the cloud can be complicated, but our solution is packed with user-friendly features that save you time, money, and potential headaches.

Use Cases

01

Proactively Manage Data Security & Privacy Practices

We provide you with the intel needed to:
orange-check

Monitor where sensitive data resides

orange-check

Shape and ensure appropriate security controls including access and encryption

orange-check

Respond quickly via alerts when sensitive data is found or at risk

02

Establish & Maintain Regulatory Compliance

We provide you with the intel needed to:
orange-check

Know if you have data governed by HIPAA, PCI-DSS, GDPR and more

orange-check

Determine what data is business critical vs what data can be archived or eliminated

orange-check

Respond to customer deletion requests

orange-check

Ace audits via discovery logs and proof of data residency

03

Filter Data During Migrations & When It's Ingested

We provide you with the intel needed to:
orange-check

Determine what sensitive data is on hand and if it is needed

orange-check

Decide where data should ultimately be stored

orange-check

Set security controls

orange-check

Scale DLP and reduce risks

Know Your Data Inside & Out

Streamline discovery, enhance security, and ensure compliance with automated precision.

Computer showing DLP schedule

Quick & Easy Setup

Get started in under 15 minutes

A straightforward subscription process in AWS Marketplace, streamlined deployment via an AWS CloudFormation template, and an AWS Fargate Container means you are up and running in about 15 minutes. From there all it takes is a few clicks to initiate a scan that will autodetect all Amazon S3 buckets across all accounts and regions to classify and protect data.

Computer showing classification schedule

Straightforward Classification and Protection

Customize scan type, location and frequency with ease

Process new or existing files on demand or on a schedule - we provide you with the flexibility to determine how to scan your data to allow you to meet compliance or infrastructure efficiencies and cost optimization goals. When you create your classification schedule, you choose which buckets to scan and which matching rule sets to apply.

Device - Macbook Pro (2)

Answer Security Questions with Confidence

Robust reporting comes standard

Once a scan is complete, a report of the files containing sensitive data is generated allowing you to see the type of data each file contains as well as the bucket and account in which it resides. Whether the file has been cleaned and moved or deleted, our reporting tells you if the file still exists and needs to be dealt with. A per-bucket configuration overview is available via a bucket settings report.

DC_SingleRegion_Architecture

Architecture

The solution is container-based and utilizes an AWS Fargate task to host the console and execute scans. Findings are written to Amazon DynamoDB and Amazon CloudWatch.

Architecture Overview

Frequently Asked Questions

clouds

Is this a SaaS Solution?down-arrow

No. DLP for Amazon S3 & EC2 is a cloud-based in-tenant solution. This means that it's installed directly into your AWS account and data never leaves that account, further supporting security and performance.

What comprises your classification engine?down-arrow

DLP for Amazon S3 & EC2 is powered by the Sophos Antivirus Dynamic Interface engine, which identifies hundreds of sensitive data types across more than 25 regional localizations.

How do I access the product?down-arrow

DLP for Amazon S3 & EC2 is is procured in AWS Marketplace, which means it has been rigorously vetted as secure and reliable.

 

Plus, AWS Marketplace provides centralized controls that allow you to manage your subscription, renewals, and consumption in one place.

What AWS services do you integrate with?down-arrow

Amazon Simple Notification Service (Amazon SNS) is used for alerts and integrates with your existing notification systems (eg., Slack and email). Learn more about our Proactive Notifications.


Findings can be published to AWS Security Hub. Learn more about sending classification result findings to AWS Security Hub.

 

Amazon CloudWatch is leveraged for audit logging in order to track who did what in the console.

Website_Freetrial_CTA_Graphic (2)

Get Started with a Free Trial Today

Classify unlimited data for 90 days

 

*For illustrative purposes. Based on an AWS account with 15 Amazon S3 buckets and 100 GB of standard storage data that was scanned for sensitive data. Does not account for Amazon S3 or infrastructure costs.