Chapter 7 — Data Protection and Compliance: CASB, DLP, and Cloud App Control

Learning Objectives

1. CASB and Shadow IT

Pre-Quiz — Test Your Prior Knowledge

1. In Cisco Secure Access, which component supplies CASB's underlying app discovery, risk scoring, and SaaS API integrations?

Cisco Duo Cisco Umbrella Cisco Meraki Cisco ISE

2. What is "Shadow IT" as CASB addresses it?

Unsanctioned or unknown cloud apps users access outside the approved catalog On-premises servers running without patches Traffic that has been TLS-decrypted by the proxy A backup copy of policy logs kept for auditors

3. How does CASB let you drive policy against risky apps at scale rather than one app at a time?

By assigning each app a risk profile and grouping apps into categories By blocking every unrecognized domain by default By requiring users to email IT for each app By installing an agent on every SaaS server

4. A CASB "OAuth app control" for a Microsoft 365 tenant primarily lets you do what to a risky third-party add-on?

Rewrite the add-on's source code Discover it and revoke its OAuth token to cut off access Encrypt all mail the add-on has touched Move the add-on to a quarantine VLAN

5. What is the key trade-off of inline (proxy-based) CASB versus API-based CASB?

Inline sees data at rest; API sees only data in motion Inline blocks synchronously but needs traffic steering; API is out-of-band and asynchronous but sees all access paths Inline requires SaaS onboarding; API requires no permissions at all There is no functional difference; the names are interchangeable

Most of a user's day happens in the cloud — Microsoft 365, Salesforce, Slack, ServiceNow, generative-AI assistants, and a long tail of tools nobody in IT formally approved. Where the secure web gateway, ZTNA, and firewall-as-a-service decide whether a user or device may reach a resource, CASB and DLP govern what happens to the data once traffic is flowing. Cisco Secure Access is a cloud-delivered Security Service Edge (SSE) platform, and within it CASB is the policy enforcement point between users and cloud services — SaaS, web apps, and generative AI. The CASB component is powered by Cisco Umbrella, which supplies application discovery, risk scoring, and SaaS API integrations.

Think of CASB as a customs checkpoint at a busy international airport. Travelers (users) constantly cross a border into foreign territory (cloud apps). Without a checkpoint, anyone could carry anything across in either direction and no record would exist. CASB installs the checkpoint: it logs who crosses, into which country, and — with DLP — inspects what is in their bags.

Key Points

  • CASB is powered by Cisco Umbrella and turns the traffic Secure Access already carries into visibility, judgment, and control.
  • App Discovery classifies every DNS/HTTP(S) request into a specific app (Dropbox, Slack, ChatGPT) and attributes it to identities and departments via your IdP.
  • Risk scoring assigns each discovered app a profile from business risk, reputation, and usage type — letting you flag high-risk Shadow IT instead of eyeballing app names.
  • Control layers include app-access policies, risk-based policies, granular per-transaction controls (allow login but block upload), and OAuth token revocation inside SaaS tenants.
  • Two architectural modes: inline (real-time proxy, data in motion) and API-based (out-of-band, data at rest) — the strongest posture combines both.

Cloud app discovery and risk scoring

Every DNS query and HTTP/HTTPS request through Umbrella is logged and classified into a specific application, surfaced under views such as Reporting > App Discovery. Because Secure Access correlates that usage with identities and groups from your IdP, activity ties not just to an app but to specific users or departments. CASB addresses Shadow IT three ways: App Discovery dashboards reveal discovered and flagged apps by risk and category; risk-based classification assigns each app a profile from business risk, reputation, and usage type; and app groups and categories ("File storage," "Generative AI," "Social media") let policy apply per category or risk level.

Worked example. An analyst opens App Discovery and sees a spike to an unrecognized file-sharing domain: 34 Sales users, ~2 GB uploaded over the weekend, and a high risk score from poor reputation and a "consumer file storage" usage type. Rather than an all-hands email, the analyst adds the app to a high-risk group and attaches a policy — discovery, attribution, scoring, and decision all inside one console.

Animation 1 — Shadow-IT discovery: unknown apps surface, get risk-scored, then allowed or blocked
Umbrella / CASB classify · attribute · risk-score ? unknown file-share ? new AI writing tool ? approved M365 HIGH risk MED risk LOW risk BLOCK ALLOW + MONITOR ALLOW
CSS-only fallback: all stages are drawn statically if JavaScript is blocked.

Tenant controls and app blocking

Once apps are discovered and scored, CASB acts as an intermediary enforcing usage policy through three broad types: app access policies (detect, report on, and block selected apps including generative AI); risk-based policies (attach risk profiles so you can express "block all apps with risk score ≥ X"); and OAuth app controls (discover, block, and revoke risky third-party plug-ins inside Microsoft 365 and Google Workspace by revoking their OAuth tokens). Enforcement happens at several layers — DNS/SWG inline blocking, per-transaction controls (allow login but block file upload; allow view but block download/share), and token revocation reaching directly into the SaaS tenant.

Inline vs. API CASB

CASB is delivered in two architectural modes, and this split is the single most important concept in the chapter because DLP inherits it. Inline (proxy-based) CASB reroutes traffic through a proxy between users and cloud apps, inspecting data in motion and enforcing policy synchronously — so a prohibited action can be stopped before it completes. The trade-off: traffic steering is mandatory, and anything that bypasses the proxy (a native mobile app, a thick client, an unmanaged home device) is invisible to it. API-based (out-of-band) CASB integrates directly with sanctioned SaaS tenants via their APIs, reading events, files, and configuration inside the tenant without being on the network path. It sees all access paths plus historic data at rest, but enforcement is asynchronous — arriving seconds after an action. Cisco packages the combined dual approach as "multimode DLP."

Figure 7.1: Shadow-IT discovery-to-control workflow

flowchart TD A["User traffic through Umbrella
(DNS + HTTP/HTTPS)"] --> B["Classify into a specific app
(App Discovery)"] B --> C["Attribute to identity / department
(via IdP)"] C --> D["Assign risk score
(business risk · reputation · usage type)"] D --> E["Group into app category
(File storage · Generative AI · Social)"] E --> F{"Decision"} F -->|"Low risk"| G["Allow"] F -->|"Medium risk"| H["Allow but monitor / restrict"] F -->|"High risk"| I["Block or revoke access"]

Figure 7.2: Inline (proxy) vs. API-based CASB/DLP interception paths

flowchart LR U["User
(browser, proxied)"] -->|"HTTP(S)"| P["Inline CASB / DLP
proxy · data in motion
synchronous block"] P -->|"allowed traffic"| S["Sanctioned SaaS
(M365 · Slack · ServiceNow)"] M["Mobile app / sync client
(bypasses proxy)"] --> S S -.->|"events · files · sharing state"| API["API CASB / DLP
out-of-band · data at rest
async remediate"] subgraph SSE["Cisco Secure Access (SSE cloud)"] P API end
Animation 2 — Inline proxy DLP (synchronous, data in motion) vs. out-of-band API DLP (async, data at rest)
Cisco Secure Access (SSE cloud) INLINE CASB / DLP proxy · data in motion synchronous block API CASB / DLP out-of-band · at rest async remediate User (browser) proxied Mobile / sync bypasses proxy Sanctioned SaaS tenant DATA events · files · sharing state ⏺ real-time ⏳ seconds later
Inline stops actions synchronously in-path; API sees every path (mobile, sync) but remediates out-of-band, a short delay after the action.

Key Takeaway

  • CASB, powered by Cisco Umbrella, turns carried traffic into visibility (App Discovery), judgment (risk scoring), and control (app blocking, per-transaction controls, OAuth token revocation) — operating in inline and API-based modes whose combination gives the strongest posture.
Post-Quiz — Check What You Learned

1. In Cisco Secure Access, which component supplies CASB's underlying app discovery, risk scoring, and SaaS API integrations?

Cisco Duo Cisco Umbrella Cisco Meraki Cisco ISE

2. What is "Shadow IT" as CASB addresses it?

Unsanctioned or unknown cloud apps users access outside the approved catalog On-premises servers running without patches Traffic that has been TLS-decrypted by the proxy A backup copy of policy logs kept for auditors

3. How does CASB let you drive policy against risky apps at scale rather than one app at a time?

By assigning each app a risk profile and grouping apps into categories By blocking every unrecognized domain by default By requiring users to email IT for each app By installing an agent on every SaaS server

4. A CASB "OAuth app control" for a Microsoft 365 tenant primarily lets you do what to a risky third-party add-on?

Rewrite the add-on's source code Discover it and revoke its OAuth token to cut off access Encrypt all mail the add-on has touched Move the add-on to a quarantine VLAN

5. What is the key trade-off of inline (proxy-based) CASB versus API-based CASB?

Inline sees data at rest; API sees only data in motion Inline blocks synchronously but needs traffic steering; API is out-of-band and asynchronous but sees all access paths Inline requires SaaS onboarding; API requires no permissions at all There is no functional difference; the names are interchangeable

2. Data Loss Prevention

Pre-Quiz — Test Your Prior Knowledge

1. If CASB decides which apps users may touch, what does DLP decide?

Which data may move Which VPN tunnel to use Which DNS resolver answers a query Which user gets MFA prompts

2. What is an "exact data match / fingerprint" data identifier best used for?

Detecting any 16-digit number regardless of context Protecting a specific proprietary dataset (e.g., your customer list) with precision Encrypting files at rest inside a SaaS tenant Blocking apps by category rather than by content

3. Which technique confirms a 16-digit string is a mathematically valid payment card number rather than a random number?

The Luhn algorithm (checksum validation) TLS handshake verification OAuth token revocation DNS reputation scoring

4. Inline DLP protects data in motion by performing what kind of inspection at upload time?

Metadata-only inspection of file names Full file content inspection, synchronously, so it can block before the transfer completes A delayed scan hours after the upload finishes No inspection; it only logs the destination domain

5. What is the recommended way to begin a DLP rollout?

Block and quarantine everything immediately on day one Start in monitor-only mode, tune thresholds, then promote to block Disable all predefined identifiers and write only custom regex Apply policies only to data at rest, never in motion

If CASB decides which apps users may touch, DLP decides which data may move. Cisco integrates DLP with CASB and SWG to inspect content and files for sensitive data both in motion (inline) and at rest via SaaS APIs. In the airport analogy: CASB is the passport-control officer deciding who may cross; DLP is the baggage scanner looking inside every bag — recognizing contraband using templates and fingerprints called data identifiers.

Key Points

  • Data identifiers come in three kinds: predefined templates (credit cards, SSNs, national IDs), pattern-based regex + context rules, and exact-match fingerprints of your own datasets.
  • Detection toolkit: regex/pattern matching, Luhn checksum validation for card numbers, contextual keyword rules ("CVV," "diagnosis"), and dictionaries of medical/other terminology.
  • Every DLP policy follows the same three steps: identify → classify & score (who, where, which app) → enforce (block, restrict sharing, quarantine, alert).
  • Inline DLP does full file content inspection synchronously and blocks exfiltration before it completes; API-based DLP scans data at rest and remediates out-of-band (monitor, quarantine, revoke access).
  • Start in monitor-only mode. Pattern detection produces false positives/negatives; tune before flipping to block.

Predefined data identifiers

A DLP engine cannot block "sensitive data" in the abstract; it needs a precise definition. Predefined identifiers and templates cover common regulatory/PII patterns and industry-specific templates. Pattern-based identifiers use regex plus context (a 16-digit number preceded by "Visa" and followed by an expiry date). Exact data match / fingerprinting generates a fingerprint of a specific dataset and uses it as an identifier — how you protect a customer list or pricing table with precision. Under the hood: regex, Luhn checksum validation, contextual keyword rules, and dictionaries.

Worked example. Your team exports the customer database; DLP fingerprints it. Later an employee tries to upload a matching CSV to personal cloud storage or paste it into a generative-AI tool. DLP flags the fingerprint match and CASB blocks the upload — the fingerprint matches your data specifically, where a generic PII pattern might miss a de-identified export or over-match an unrelated spreadsheet.

Figure 7.3: DLP inspection and enforcement decision flow

flowchart TD A["Content in motion or at rest"] --> B{"Match a data identifier?
(template · regex+context · fingerprint)"} B -->|"No match"| C["Allow · no action"] B -->|"Match"| D{"True violation?
(classify + score: who · where · which app)"} D -->|"Below threshold"| E["Log only
(monitor mode)"] D -->|"Above threshold"| F{"Enforcement action"} F --> G["Block upload"] F --> H["Restrict sharing"] F --> I["Quarantine file"] F --> J["Alert / trigger workflow"]
Animation 3 — A sensitive record hits a DLP identifier and is blocked / quarantined
upload.csv PAN 4111 1111 ... CVV · expiry DLP scanner regex + context Luhn checksum fingerprint match PAN ⚠ IDENTIFIER MATCH unsanctioned cloud storage BLOCKED + QUARANTINED
The Luhn-valid PAN plus context fires the identifier; the transfer to the cloud is blocked and the file quarantined — the data never leaves.

Inline DLP policy enforcement

Inline DLP works with the SWG/CASB proxy to protect data in motion. When users upload files or submit forms, traffic is inspected for PII, PCI, or confidential documents via full file content inspection at upload time. A violating transaction can be blocked, allowed-but-logged, or made to require justification — all synchronously. Because inline DLP applies to essentially any web app where a user can input, download, share, or move data, it is the primary tool for controlling unsanctioned Shadow IT.

Worked example. A user tries to upload a spreadsheet with 50 credit-card numbers to an unsanctioned file-sharing app. Inline DLP inspects the upload, detects Luhn-valid PANs plus context, and blocks the transfer — the data never left the organization. Meanwhile API-based DLP handles data already at rest: after being granted API permissions to a tenant, it scans files and finds violations such as an HR-records folder shared publicly on OneDrive, then changes sharing to internal-only or quarantines the files (monitor, quarantine, or revoke access).

Inline vs. API-based DLP — side by side

Dimension Inline (real-time proxy) DLP API-based (out-of-band) DLP
Deployment pointIn the network path as a proxy / SWG / ZTNAInside SaaS tenant via APIs, out of the traffic path
Data type focusData in motion (requests/responses)Data at rest + activity/events in SaaS
Enforcement timingSynchronous, real-time at user actionAsynchronous, short delay after action
App coverageAny web app proxied (sanctioned or unsanctioned)Sanctioned SaaS with supported APIs
Client coveragePrimarily browser and proxied trafficBrowser, mobile, sync clients, integrations
DLP strengthsPrevent exfiltration before it happensContinuous scanning & remediation of stored data
VisibilityLive traffic; limited historic viewFull tenant data, sharing state, configuration
Operational dependencyTraffic steering, TLS decryption, proxy policiesSaaS app onboarding, API permissions, rate limits
Cisco namingInline DLP / proxy-based DLPAPI-based / out-of-band DLP

Favor inline DLP when you must prevent exfiltration at the moment of action or need broad coverage across many web apps without onboarding each API. Favor API-based DLP for compliance-grade governance of a sanctioned tenant's entire content store, including access paths (mobile, sync clients) that never touch the proxy.

Handling regulated data (PII, PCI, PHI)

The three categories map to three detection strategies. PII (GDPR "personal data") — pattern-based identifiers for emails, phones, and national IDs, reinforced by context ("customer ID," "passport"). PCI cardholder data — regex for 13–19 digit numbers, Luhn validation, card-brand prefixes, plus context ("PAN," "CVV") and composite rules requiring N valid PANs. PHI/ePHI — hardest, lives in free text; relies on medical-terminology dictionaries, HIPAA's 18 identifiers, and heuristics ("diagnosis," "discharge summary"). Across all three: start in monitor-only mode and tune before promoting to block.

Key Takeaway

  • DLP recognizes data through identifiers — templates, contextual regex, and exact-match fingerprints — then enforces in whichever mode fits: inline blocks data in motion synchronously across any proxied app, while API-based scans and remediates data at rest inside sanctioned SaaS. PII, PCI, and PHI each need a matched detection strategy, and every rollout begins in monitor-only mode.
Post-Quiz — Check What You Learned

1. If CASB decides which apps users may touch, what does DLP decide?

Which data may move Which VPN tunnel to use Which DNS resolver answers a query Which user gets MFA prompts

2. What is an "exact data match / fingerprint" data identifier best used for?

Detecting any 16-digit number regardless of context Protecting a specific proprietary dataset (e.g., your customer list) with precision Encrypting files at rest inside a SaaS tenant Blocking apps by category rather than by content

3. Which technique confirms a 16-digit string is a mathematically valid payment card number rather than a random number?

The Luhn algorithm (checksum validation) TLS handshake verification OAuth token revocation DNS reputation scoring

4. Inline DLP protects data in motion by performing what kind of inspection at upload time?

Metadata-only inspection of file names Full file content inspection, synchronously, so it can block before the transfer completes A delayed scan hours after the upload finishes No inspection; it only logs the destination domain

5. What is the recommended way to begin a DLP rollout?

Block and quarantine everything immediately on day one Start in monitor-only mode, tune thresholds, then promote to block Disable all predefined identifiers and write only custom regex Apply policies only to data at rest, never in motion

3. Compliance Alignment

Pre-Quiz — Test Your Prior Knowledge

1. Which three compliance frameworks does this chapter map Secure Access controls onto?

SOX, FedRAMP, ISO 9001 PCI-DSS, HIPAA, GDPR COBIT, NIST 800-53, CMMC FISMA, GLBA, CCPA

2. Which Secure Access capability most directly satisfies PCI-DSS Requirement 8 (identify and authenticate access)?

DLP fingerprinting of pricing tables Integration with Duo MFA and identity providers App Discovery risk scoring OAuth token revocation

3. Under HIPAA's Security Rule, which technical safeguard does detailed logging of app usage and DLP events most directly support?

Audit controls (§164.312(b)) Physical facility access controls Contingency planning Business Associate Agreements

4. GDPR Article 25 ("data protection by design and by default") is supported by which Secure Access contribution?

A policy-driven SSE architecture where personal-data flows are controlled by default and DLP prevents oversharing Physically shredding backup tapes Requiring users to accept cookies Disabling all logging to minimize data collection

5. What is the chapter's most important compliance caveat?

A product alone certifies an organization as fully compliant Tools enable compliance but do not guarantee it; BAAs, training, process, and residency remain the organization's job DLP replaces the need for encryption and access control GDPR does not apply to cloud SaaS data

The technical controls of the previous sections exist because regulators demand them. Cisco Secure Access supports PCI-DSS, HIPAA, and GDPR by combining zero-trust access, CASB, and DLP/data classification to discover and control regulated data (PII, PCI, PHI) and to enforce the access, monitoring, and protection controls those regulations require. Across all three, a small set of obligations recurs: identify and classify sensitive data, limit access via least privilege and strong authentication, protect data in transit and at rest, monitor and log access, and detect and prevent exfiltration.

Key Points

  • Recurring obligations across frameworks: classify data, least-privilege access + strong auth, protect data in transit/at rest, monitor/log, and prevent exfiltration.
  • PCI-DSS maps to Reqs. 3/4 (protect data), 7 (restrict access), 8 (MFA via Duo), 10 (logging), 11 (threat inspection), 12 (policy engine).
  • HIPAA Security Rule technical safeguards (§164.312) map to access control, transmission security, audit controls, and integrity/authentication.
  • GDPR maps to Art. 25 (by design/default), Art. 32 (security of processing), records of processing, and Arts. 33–34 (breach detection/reporting).
  • Evidence is the common thread — centralized logs turn everyday enforcement into audit-ready reports. But tools enable compliance; they do not guarantee it.

PCI-DSS mapping

PCI-DSS organizes into 12 requirement areas emphasizing access control, encryption, logging, and data protection for cardholder data.

PCI-DSS Focus AreaRelevant Capability in Cisco Secure AccessHow It Helps Compliance
Protect stored / transmitted cardholder data (Req. 3 & 4)Secure web gateway/TLS inspection + DLP identifiers for PAN/cardholder dataDetects and blocks cardholder data being exfiltrated to unauthorized SaaS targets or websites
Restrict access to cardholder data (Req. 7)Zero-trust access policies / CASB app access controlLimits who can access payment applications and card-processing SaaS, enforcing least privilege
Identify and authenticate access (Req. 8)Integration with Duo MFA and identity providersPCI-DSS 4.0 requires MFA for access to the CDE; Duo supports PCI-DSS MFA requirements
Track and monitor all access (Req. 10)Centralized logging and reporting from CASB, SWG, and access brokersGenerates logs of who accessed which app, what data type was involved, and what policy action occurred
Regularly test and secure systems (Req. 11)Threat inspection/IPS via secure web gateway / TLS proxyInspects traffic for attacks and malware against card-related apps and APIs
Maintain information security policy (Req. 12)Central policy engine for access and DLPLets you codify rules like "no cardholder data to unsanctioned cloud apps" as enforceable policy

A critical nuance: PCI-DSS does not certify a product alone as "PCI compliant" for a merchant. Secure Access provides controls and evidence that form part of a broader posture.

HIPAA mapping

The Security Rule defines administrative, physical, and technical safeguards for ePHI; several technical safeguards map directly to SSE/CASB/DLP controls.

HIPAA Safeguard AreaCisco Secure Access ContributionHow It Helps
Access control (§164.312(a))Zero-trust policies controlling which users/devices reach cloud apps holding ePHILimits ePHI access to authorized workforce members and contexts
Transmission security (§164.312(e))Encrypted channels (HTTPS), TLS inspection, and DLP to prevent unapproved transmissionsHelps ensure ePHI is protected in transmission and not sent to non-compliant destinations
Audit controls (§164.312(b))Detailed logging of app usage and DLP eventsProvides logs of who accessed which SaaS app, when, from where, and whether PHI was involved
Integrity & person/entity authentication (§164.312(c),(d))Strong identity integration and MFA (via Duo) plus inspection for tamperingConfirms user identity and protects against unauthorized alteration or handling of ePHI
Risk analysis & management (Administrative safeguards)CASB visibility into where PHI is used across SaaSSupports identifying where PHI is stored, received, maintained, or transmitted

GDPR mapping

GDPR emphasizes data protection by design and by default, data minimization, secure processing, and accountability.

GDPR ThemeCisco Secure Access ContributionRegulatory Link
Data protection by design & by default (Art. 25)Policy-driven SSE architecture where personal-data flows are controlled by default; DLP prevents oversharing to unmanaged appsEmbeds data protection into processing by design and minimizes exposure by default
Security of processing (Art. 32)Encrypted connections, strong access control, monitoring for exfiltration of personal dataAligns with GDPR security measures such as encryption and ensuring confidentiality and integrity
Records of processing / data inventoryCASB discovery of which SaaS apps process personal data + DLP identification of personal-data typesSupports GDPR's need for data inventories and records of processing activities
Breach detection & reporting (Arts. 33–34)DLP alerts when personal data is sent to unauthorized destinations; logging for investigationsHelps detect potential incidents and provide evidence for breach assessment and reporting

Audit, reporting, residency, and the caveat

The common thread is evidence. Auditors do not accept "we have DLP" — they want to see the control operated. Secure Access centralizes CASB and DLP logs so you can build framework-aligned reports ("all blocked transfers of cardholder data to non-PCI apps," "all PHI transfer attempts to non-BAA cloud services"). A repeatable deployment pattern: (1) define regulatory scope and data types; (2) discover cloud usage and tag in-scope apps; (3) enable and tune DLP identifiers; (4) create compliance-driven policies; (5) integrate identity and MFA via Duo; (6) centralize logging and build auditor-facing reports; (7) iterate.

Two edge considerations: data residency (the SSE deployment itself must meet residency/cross-border obligations, including where inspection logs live) and scope beyond web/SaaS (databases and on-prem EHR need complementary controls like segmentation and encryption). This leads to the most important caveat in the chapter: tools enable compliance; they do not guarantee it. BAAs, staff training, process controls, and residency handling remain the organization's responsibility — Secure Access is a major part of the architecture, not the whole of it.

Key Takeaway

  • Secure Access maps concretely onto PCI-DSS (Req. 3/4/7/8/10/11/12), HIPAA Security Rule technical safeguards (§164.312), and GDPR (Arts. 25, 32, 33–34), and its centralized logs turn enforcement into audit evidence — but it enables compliance rather than guaranteeing it: BAAs, training, process, residency, and complementary on-prem controls remain the organization's job.
Post-Quiz — Check What You Learned

1. Which three compliance frameworks does this chapter map Secure Access controls onto?

SOX, FedRAMP, ISO 9001 PCI-DSS, HIPAA, GDPR COBIT, NIST 800-53, CMMC FISMA, GLBA, CCPA

2. Which Secure Access capability most directly satisfies PCI-DSS Requirement 8 (identify and authenticate access)?

DLP fingerprinting of pricing tables Integration with Duo MFA and identity providers App Discovery risk scoring OAuth token revocation

3. Under HIPAA's Security Rule, which technical safeguard does detailed logging of app usage and DLP events most directly support?

Audit controls (§164.312(b)) Physical facility access controls Contingency planning Business Associate Agreements

4. GDPR Article 25 ("data protection by design and by default") is supported by which Secure Access contribution?

A policy-driven SSE architecture where personal-data flows are controlled by default and DLP prevents oversharing Physically shredding backup tapes Requiring users to accept cookies Disabling all logging to minimize data collection

5. What is the chapter's most important compliance caveat?

A product alone certifies an organization as fully compliant Tools enable compliance but do not guarantee it; BAAs, training, process, and residency remain the organization's job DLP replaces the need for encryption and access control GDPR does not apply to cloud SaaS data

Your Progress

Answer Explanations