How Data Detection and Response (DDR) Fits into a Cloud Data Security Platform?  

Josh Breaker-Rolfe 

The cloud is one of the great business enablers of our era. It facilitates scale-up projects, allows for greater flexibility, and cuts costs. Recent estimates suggest that around 60% of data is stored in the cloud, a figure that is only likely to rise.  

However, using the cloud without an effective cloud data security platform is a disaster waiting to happen. Cybercriminals launch countless attacks on cloud infrastructure daily – cloud data breaches are a matter of when not if. But what makes for an effective cloud data security platform? What should buyers look for when purchasing a solution? And what are the red flags to look out for?   

Core Components of a Cloud Data Security solution

Before we discuss what makes a superior cloud security tool, it’s worth establishing the absolute non-negotiables. If you encounter a solution that lacks any of the capabilities below, don’t even consider buying it.   

• Shared link protection – Prevents users from creating shared links with excessively broad permissions.  
• Collaboration control – Allows security teams to manage data access by setting permissions for external, internal, or any other group.  
• Inline data protection – Continuously scans data as it transfers to and from cloud applications, ensuring immediate threat detection and response.   
• Out-of-the-box policy templates – Provides ready-made policies for everyday use cases and industry-specific requirements.   
• Standard and custom content identifiers – Includes content identifiers for common PII, PCI, and PHI patterns, standard keyword lists, or create your identifier with custom RegEx.  
• User directory integration – Supports granular user group and department-based policies by integrating with on-premises and cloud-based directory services.   
• Role-based access control – Provides out-of-the-box roles or allows you to create your own custom roles.  
• Reporting analytics – Provides pre-prepared dashboards and a fully customizable reporting engine.   
• SIEM integration and APIs – Easily integrates with SIEM tools and exposes security incidents through an API.  

Look for solutions that go above and beyond  

In today’s threat landscape, purchasing a bog-standard cloud security solution is insufficient. It’s important to understand that not all threats are external or intentional – insider threats and accidental exposure pose as much risk to an organization as cybercriminals.  

This is where Data Detection and Response (DDR) comes in. DDR solutions combine elements of multiple data security solutions to provide comprehensive cloud data security. They perform the following functions:   

• Data discovery – DDR solutions log and classify organizational data and user behavior to build a complete picture of the cloud environment and establish a baseline of normal user behavior.  
• Anomaly detection – With data logged and normal behavior established, the solution detects anomalous behaviors that could indicate a security incident.   
• Response and remediation – When the DDR solution detects a potential security incident, it will alert the organization’s security team. The best DDR solutions will automatically respond to the incident.   
• Investigation – In the wake of a security incident, DDR solutions will provide security teams with a workflow that maps out the relevant piece of data’s history, from creation to exfiltration, so they can establish user intent, take necessary disciplinary action, and prevent the incident from happening again.   

But it’s crucial to remember that not all DDR solutions are equal. Make sure to look for DDR solutions that:   

• Classify data by content and lineage – Solutions that scan data by content alone cannot tell whether data is sensitive, which can result in false positives. Look for a tool that classifies both.  
• Focus on data in motion—Data at rest poses little security risk and is expensive to scan; look for solutions that focus on data in motion.   
• Follow data across all assets – Just because data has left the cloud doesn’t mean it’s no longer a security risk. Look for solutions that follow data everywhere.   
• Take real-time action – This is only applicable if the solution classifies data by content and lineage, but look for DDR tools that automatically respond to security threats.   

Avoid network-based cloud security products  

Outdated, network-based cloud data security tools like Cloud Access Security Brokers (CASB) and Security Service Edge (SSE) products cannot protect modern cloud environments. This is because they:   

• Don’t work with modern forms of encryption – Modern cloud platforms typically employ end-to-end encryption and certificate pinning, meaning that network-based tools cannot see the data that goes to them.   
• Can’t protect data outside the cloud – Although cloud security tools do safeguard data on the cloud, it’s equally essential that they protect data that leaves it. Network-based solutions lose sight of data once it leaves the cloud to a device, meaning they can’t prevent users from exfiltrating it.   
• Don’t use the same policies as other data security tools – Seamless integration with other tools is essential to an effective cloud data security solution. Network-based solutions were designed to solve cloud use cases, so they rarely integrate well with data loss prevention products.   

Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He’s written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.