Data Loss Prevention for Development Workspaces

Data Loss Prevention is a Mission-Critical Function For Global Companies

Source code and data are the main IP assets consumed and generated throughout development processes today. From a security standpoint, a Data Loss Prevention (DLP) mechanism is one of the key features of a Virtual Workspace Infrastructure (VWI). It allows companies to give access to source code and data without the risk of exfiltration. Using DLP, companies might not be required to anonymize their data anymore before sharing it.

Recall that, because workspaces are based on Cloud-based Integrated Development Environments (IDE), no data ever "lands" on the physical device used by the developer, i.e. contrary to the use of a machine with a locally-installed IDE, there is no copy of the data or source code on the local device storage. While being a good thing for security, this does not prevent exfiltration of the data through other means, e.g. clipboard or network operations. To prevent this, the DLP function allows the protection of data against exfiltration while in use in a workspace, as shown in the diagram below.

Diagram: Using a Virutal Workspace Infrastructure, all data stays in the cloud and inherits the physical location of the server. The DLP function protects against exfiltration from the developer's terminal running the workspace's user interface.

How Data Loss Prevention Fosters Collaboration

The DLP function is an important enabler when collaboration involves the need to share sensitive data. For example, when internal or remote developers need to access sensitive data to perform their job, whether it's coding or data science exploration. The DLP function does not only protect the data but also the source code that is created with the workspaces. Hence, companies can increase the size of their workforce easily by getting help from temporary, probably remote development teams and avoid sharing their intellectual property assets, i.e. source code and data. In addition, companies might not be required to anonymize data before making it available in for their code development or Data Science process. prize.

A cool application is the participation in Crowd-based innovation tournaments. Innovation tournaments are routinely run today on several platforms such as Kaggle, AICrowd and others. These platforms allow companies to publish competitions and invite any individual (i.e. the Crowd) to participate in the challenge. Companies can then get an external perspective on an internal research problem. The output often takes the form of a trained model for Artificial Intelligence (AI) applications that can be put into production to support the function of a product or service. In return, the company pays the winning team a monetary

Scope of the Data Loss Prevention Mechanism

As explained above, workspaces have access to a set of whitelisted project resources, with some that might be of confidential nature. These resources are copied on a storage attached to the workspace (see previous diagram) and the aim of the DLP mechanism is to ensure that the copied data cannot leave the volume unintentionally or maliciously.

The platform's DLP mechanism is securing several functions of the developers workbench such as the network, the IDE's clipboard and others. This process is illustrated in the diagram below.

The DLP function is an important enabler when collaboration involves the need to share sensitive data. For example, when internal or remote developers need to access sensitive data to perform their job, whether it's coding or data science exploration. The DLP function does not only protect the data but also the source code that is created with the workspaces. Hence, companies can increase the size of their workforce easily by getting help from temporary, probably remote development teams and avoid sharing their intellectual property assets, i.e. source code and data. In addition, companies might not be required to anonymize data before making it available in for their code development or Data Science process. prize.

Diagram: The scope of the Data Loss Prevention mechanism is the protection of all the workspace's functions that can serve to the exfiltration of data, for example the IDE's clipboard and the network connection.

The VWI platform allows companies to have a complete control of the network operations performed from workspaces and can enforce granular security policies using the Zero-Trust Architecture implemented by the platform. The clipboard in workspaces is equally well monitored such that exfiltration through it is not possible.

In addition, as explained on the VWI page, the platform uses an Attributes-Based Access Control (ABAC) model as part of the Zero Trust Architecture. Dyamically-assessed policies using attributes to manage the DLP function are based on requirements from the ISO 27001 information security standard.

The platforms Audit Dashboard provides live logs of the workspace's operations such that data exfiltration can be easily detected and the creation of security reviews automated. This capability provides companies with an easy way to improve their DevSecOps maturity. For companies that need to show compliance with security standards, e.g. ISO 27001, generating a compliance report that covers the scope of applicability is trivial with the VWI platform.