The Aptible platform does not provide a DLP service, and Apps running on Aptible do not have the elevated host- or network-level permissions required for you to run your own DLP solution. Aptible does not plan to implement DLP for the Aptible ecosystem. For the reasons explored below, we consider DLP to be out-of-scope for our service. We believe the threats addressed by DLP are sufficiently mitigated by existing controls and policies in Aptible.
It is useful here to consider threats grouped by whether the actor is malicious or non-malicious, and whether their access to a PHI-containing Aptible Stack is authorized or unauthorized. We’ll exclude non-malicious unauthorized users, as they pose no threat. For those groups:
Unauthorized malicious: outside attackers.
DLP systems do not offer significant protections against a malicious actor who manages to gain access to a PHI-containing system. Even low-skilled attackers can bypass DLP protections easily by encrypting data before exfiltration, rendering it opaque to a DLP system. Aptible addresses this risk in other ways, including a managed Host-based Intrusion Detection System (HIDS) which ensures all connections to production systems are recorded and accounted for. Aptible staff rapidly respond to potential unauthorized access, which is flagged automatically for review.
One threat category, ex-employees (or compromised credentials of an ex-employee), is worth considering in this section. The protections listed above don’t apply to connections with valid credentials. For this reason, Aptible recommends customers ensure their offboarding procedures include access revocation, and practice regular access control review to ensure stale credentials aren’t left active.
Authorized malicious: insider risk.
As in the last category, DLP systems provide little protection against knowledgeable malicious actors. Aptible limits the potential damage a malicious insider can do by restricting access and exposing activity logs for authorized access. Ephemeral SSH Sessions provide authorized access to the production environment without allowing access to actual production containers - this prevents malicious developers from altering files on prod-facing servers without making the code change through your development lifecycle.SSH Session Logs enable you to configure your monitoring and alerting to flag unusual activity in authorized sessions. Ultimately, mitigating insider risk requires strong access control policies and vetting of employees with trusted access.
Authorized non-malicious: accidental PHI exposure.
This category is what DLP systems address best. Examples include accidentally attaching PHI-containing files to an email, or copying files to a USB drive. For hosted application environments like Aptible the exposure to this type of risk is very low, because very few people are manually interacting with the production environment and they are knowledgeable and well-trained. Aptible also limits your exposure to accidental PHI disclosure by restricting customer access, and providing secure Database Tunnels for transport of PHI data.
If you are looking to leverage DLP as an additional safeguard for your data, the best place to implement DLP is on systems where end-users regularly interact with PHI. Office workstations, laptops, phones, and other high-interaction devices generate the highest likelihood of unintentional mishandling of data. Thus they benefit the most from the protections of DLP.