Data Loss Prevention (DLP) for AWS Storage
Identify and Protect PII at Scale
Automate sensitive data discovery, classification, and protection. Reduce development time and maintenance. Easily scale to meet usage requirements regardless of the number of AWS accounts or buckets you have.
Challenges We Help Solve
Visibility at Scale
You're unsure what sensitive data exists and where it exists. We provide insight into what restricted, sensitive and public data you have and where it resides.
Identify and protect hundreds of sensitive data types across over 25 regional localizations in all AWS accounts and regions with automated DLP at petabyte scale.
Control at Scale
Ensure proper management of sensitive data access. We assist in placing restricted, sensitive, and public data in appropriate locations with the correct permissions.
Our automated processes identify permissions policies and assess bucket attributes like accessibility and encryption status.
Operational Efficiency
As data volumes grow, supporting compliance and security mandates can become pricey, complicated and unwieldy.
Improve operational efficiencies by reducing costs by upwards of 40% for DLP services*.
DLP Made Easy
DLP in the cloud can be complicated, but our solution is packed with user-friendly features that save you time, money, and potential headaches.
Use Cases
01
Proactively Manage Data Security & Privacy Practices
We provide you with the intel needed to:
Monitor where sensitive data resides
Shape and ensure appropriate security controls including access and encryption
Respond quickly via alerts when sensitive data is found or at risk
02
Establish & Maintain Regulatory Compliance
We provide you with the intel needed to:
Know if you have data governed by HIPAA, PCI-DSS, GDPR and more
Determine what data is business critical vs what data can be archived or eliminated
Respond to customer deletion requests
Ace audits via discovery logs and proof of data residency
03
Filter Data During Migrations & When It's Ingested
We provide you with the intel needed to:
Determine what sensitive data is on hand and if it is needed
Decide where data should ultimately be stored
Set security controls
Scale DLP and reduce risks
Know Your Data Inside & Out
Streamline discovery, enhance security, and ensure compliance with automated precision.
Quick & Easy Setup
Get started in under 15 minutes
A straightforward subscription process in AWS Marketplace, streamlined deployment via an AWS CloudFormation template, and an AWS Fargate container mean you are up and running in about 15 minutes. From there, all it takes is a few clicks to initiate a scan that will autodetect all Amazon S3 buckets across all accounts and regions to classify and protect data.
Straightforward Classification and Protection
Customize scan type, location and frequency with ease
Process new or existing files on demand or on a schedule. You decide how to scan your data so that you can meet compliance, infrastructure efficiency, and cost optimization goals. When you create your classification schedule, you choose which buckets to scan and which matching rule sets to apply.
Answer Security Questions with Confidence
Robust reporting comes standard
Once a scan is complete, a report of the files containing sensitive data is generated, allowing you to see the type of data each file contains as well as the bucket and account in which it resides. Whether the file has been cleaned and moved or deleted, our reporting tells you if the file still exists and needs to be dealt with. A per-bucket configuration overview is available via a bucket settings report.
Architecture
The solution is container-based and utilizes an AWS Fargate task to host the console and execute scans. Findings are written to Amazon DynamoDB and Amazon CloudWatch.
Architecture Overview
Frequently Asked Questions
Is this a SaaS Solution?
No. DLP for Amazon S3 & EC2 is a cloud-based in-tenant solution. This means that it's installed directly into your AWS account and data never leaves that account, further supporting security and performance.
What comprises your classification engine?
DLP for Amazon S3 & EC2 is powered by the Sophos Antivirus Dynamic Interface engine, which identifies hundreds of sensitive data types across more than 25 regional localizations.
How do I access the product?
DLP for Amazon S3 & EC2 is procured in AWS Marketplace, which means it has been rigorously vetted as secure and reliable.
Plus, AWS Marketplace provides centralized controls that allow you to manage your subscription, renewals, and consumption in one place.
What AWS services do you integrate with?
Amazon Simple Notification Service (Amazon SNS) is used for alerts and integrates with your existing notification systems (e.g., Slack and email). Learn more about our Proactive Notifications.
Findings can be published to AWS Security Hub. Learn more about sending classification result findings to AWS Security Hub.
Amazon CloudWatch is leveraged for audit logging in order to track who did what in the console.