
Many organizations have moved to a hybrid workplace and found there are new ways for employees and contractors to compromise their secure information.  How, you ask?

Computer screens.

The screen is drawing attention again as a new blind spot as many people work from home, use virtualized desktops and access a lot of applications in a browser.

There are two ways to protect sensitive data viewed on screens.

  1. Add a dynamic visible watermark that discourages taking screenshots with a phone or computer and sharing them with unauthorized people.
  2. Block computer screen capture tools from taking a screenshot.

 

Dynamic Watermarks

Adding a watermark to your sensitive data is a simple way to protect it.  It can show company and user information that deters leaking or misusing the data since it’s easily traced back to the data owner or company.  You can show your company logo, the user’s name, and email, a timestamp, and other information that meets company security requirements.

If you collaborate with partners and customers, it helps maintain the security of your intellectual property and other sensitive data.  It is critical to keep that data secure when accessing it in different applications or browsers.

While adding a watermark to increase security, you don’t want to prevent someone from reading the information.  If the watermark is too intrusive and hides the critical details in a document or on the screen, it’s not usable.

Of course, the perfect security is to make it unreadable, but that will stop your business in its tracks.

 

Block Screen Capture Attempts

If someone works with sensitive data in an application, what’s to stop them from using a screen capture tool on the computer to grab an image of the data and send it anywhere?

Not much.

Sometimes a watermark may not be enough to protect your sensitive data.  You may want to block the Print Screen key, snipping tools, remote control, or any other screen capture applications that let users take an image of your data and share it.  This gives you more control to prevent a user from maliciously or accidentally sharing this data with the wrong person.

 

Screen Security in Action

The finance department in a large company has a lot of employees working from home.  Each person uses a number of applications to manage customer and vendor orders, payments, and contracts.

Mary needs to update some payment terms and banking information for one of her vendors.  She opens a browser and logs into the vendor finance portal.  Stan in vendor management sent her a document with the details to update.  She copies the details from the document and updates the information in the portal.  While updating, she is reminded to change some contact information, so she clicks into the CRM application to complete that.

While Mary is working on these applications, a faint watermark appears in the background with her name, the time, and a company logo.  It doesn’t prevent her from working and after a while she barely notices it.

When Mary goes downstairs to grab a bite for lunch, her son comes into her office to use his computer.  He sees some vendor information on Mary’s screen and is curious, so he picks up his phone and takes a picture of the screen.  Opening the image, he notices there is some writing on it and sees his mom’s name and the time.  He doesn’t want to get his mom in trouble by keeping the picture, so he deletes it from his phone.

Mary comes into her office after lunch and goes back to work.  She opens a customer portal that shows orders for their largest customer.  She runs a report showing orders for the last year because she needs to let the sales reps know the most popular items.  They want to give major customers year-end incentives to boost revenue.

It’s late in the day and she decides to send a screenshot of the report to the account executive so he can see it on his phone.  Mary uses an image capture tool to take a picture of the screen but sees a mask over the image.  She remembers she can’t do that since this is very sensitive data and the company prevents users from taking screenshots of these pages.  She decides to send the rep the link to the report, so he can access it in the portal.

 

How Does It Help?

The dynamic watermark on the screen is a deterrent to data leaks using a phone or camera.  When Mary’s son took a picture of the screen with his phone, he noticed his mom’s name and other identifying information in the image.  If he sent that anywhere, he not only could compromise company security but cause his mom a lot of problems.

When Mary tried to share a screenshot of customer data with her sales reps, she couldn’t because any attempts at screen capture are blocked.  This not only reminds Mary of the sensitivity of the data but also protects it in case she forgets or if she or someone else decides to be malicious and share it with unauthorized people.

As a result, your sensitive data is secure throughout its lifecycle, and there is no compromise on its usability.  The dynamic watermarks do not disrupt business processes and you prevent people from taking screenshots and sharing them with unauthorized people.

 

Learn more about Fasoo’s Screen Security solution

 

Download this Forrester report to see how Fasoo meets your data protection needs for zero trust

Confused about Zero Trust?  Who isn’t.

Forrester Research, the creator of the Zero Trust Model more than a decade ago, looks to clear up the matter. Marketing hype has co-opted the term, creating confusion and misunderstanding about the actual definition of Zero Trust, and driving skepticism about its practical, real-world implementation.

In its report The Definition of Modern Zero Trust, Forrester recounts the evolution of Zero Trust from 2009’s focus on network segmentation to today’s view that “data protection is the heart of Zero Trust”. The report provides a clear, concise definition of Zero Trust so security teams can cut through the noise to define what Zero Trust is, what it’s not, and what you can do to implement Zero Trust in your organization.

So, what can security teams take away from the report to guide their 2023 Zero Trust journey? Here are a few highlights.

 

From Network to Data

Make data protection a 2023 Zero Trust priority.

It’s no longer about the network, but more about data. Forrester goes so far as to state “data protection is the heart of Zero Trust.”

Data is often the real value of businesses today. By focusing on data and its movement across the digital ecosystem, Forrester creates an extended Zero Trust framework.

Data intersects with all other pillars of the Zero Trust Model – network, workloads, applications, and people. Building a framework to implement Zero Trust around data covers a broad range of use cases and makes sense in today’s hybrid workplace.

Network security is typically in the background and invisible to users. As the focus moves from networks to data, it’s important to present as little friction as possible, so that security is an easy choice for users.

Fasoo’s methods for safeguarding sensitive files enforce encryption, control over data-in-use, and access management, all implemented at the file. It doesn’t rely on security being in place at every cloud location, endpoint, or third party to implement Zero Trust principles, a key to Zero Trust data protection in today’s hybrid workplace.

Learn more about protecting sensitive files with Fasoo.

 

Align to Business Drivers

Focus on tactical challenges

Past Zero Trust programs often lacked clear business benefits and were too often developed around Zero Trust concepts rather than present-day challenges.

The hybrid workforce and moving to the cloud are key candidates for introducing Zero Trust into sensitive file protection. Forrester notes compliance as a “secret weapon” to get organizations moving. Insider and supply chain risk, cloud misconfiguration, and external threats are all in play for this dataset that’s growing exponentially.

Look to incrementally implement Zero Trust principles in tactical initiatives of immediate relevance to the business. Buy-in with well-understood drivers and outcomes will get your organization on the right path to Zero Trust.

Learn more about securing the hybrid workforce and cloud security with Fasoo.

 

Refresh of Key Principles

Implement these updated principles in your data protection initiatives

As attacks have evolved, so have Forrester’s published principles for Zero Trust initiatives.

Principle 1. All entities are untrusted by default and access for every session is continuously reviewed and informed by context. Often this context can be the posture of a device, type of workload, attributes around identity, and more.

Principle 2. Least privilege access is enforced. Users, applications, and other computing infrastructure must utilize the bare minimum access needed to perform their function.

Principle 3. Comprehensive security monitoring is implemented. Understand how users operate and assets communicate. Pair this visibility with the tools, processes, and controls required to stop, remediate, and surgically remove or isolate detected threats.

Learn more about Fasoo’s approach to these key Zero Trust principles.

 

Scope your Zero Trust Data Initiative

Narrow focus for early Zero Trust Wins

Data protection encompasses a broad array of use cases and disparate technologies. Teams should narrow initiatives and look for high pay-off returns that bring Zero Trust principles to enhance current solutions.

Structured databases got early attention as network micro-segmentation tightened access to stop the lateral movement of threat actors. Look for tokenization and format-preserving encryption projects as next-step Zero Trust initiatives in this segment.

Attention is now turning from structured to unstructured data risk as sensitive files are created, accessed, shared, and stored across the hybrid workplace, often with little visibility and control. Traditional solutions failed to scale, and data is mostly monitored rather than protected.

Learn how Fasoo’s file encryption and data-in-use access controls minimize your risk and drive you toward real protection.

 

Avoid Rip and Replace Initiatives

Enhance data protection by building on existing solutions

Security teams today are adjusting their thinking about Zero Trust as new reference architectures, like NIST and CISA, present Zero Trust as a journey. The transition to Zero Trust is a strategic, multi-year process and is unique to each organization based on its enterprise architecture and risk evaluations.

It’s important that Zero Trust initiatives meet your organization where you are today. Most organizations have in place some form of data loss protection solutions and are already following a subset of Zero Trust principles.

High pay-off Zero Trust enhancements include control over data in use and self-governing files that carry protection and compliance wherever they travel. Capabilities that deliver deep visibility and universal logging of data usage are even more critical today to provide the rich context necessary to inform explicit access decisions.

Read the Forrester report to gain a more in-depth perspective and keep these highlighted guardrails in mind while advancing your 2023 initiatives and Zero Trust Architecture.

Learn how one CISO used a quick-take playbook to get going with Zero Trust Data Security.

 

Six steps to meet your Zero Trust standards

Organizations working to upgrade their traditional data protection solutions to Zero Trust standards are struggling.  Zero Trust sets a higher bar and technologies underlying today’s solutions don’t scale to meet the challenges of the hybrid workplace nor do they protect data with strong enough methods.

Today’s DLP, CASB, and EPP solutions sit at data ingress/egress points applying rules and analytics as sensitive data moves about. But sensitive files find their way to third parties, unmanaged BYODs, and unsanctioned cloud services where data is accessed, used, and stored outside the corporate lens.

They also focus more on controlling, rather than protecting data. DLP and behavior analytics query and assess files to see if they follow rules and check for anomalous events. But the data itself is left unprotected and when breached too often goes undetected for weeks if not months.

Lost visibility and “observe rather than protect” methods fall short of Zero Trust standards. Zero Trust relies on continuous monitoring to gather context about users, applications, data usage, and devices to detect anomalous events. And data needs to be secure in all states, particularly for data in use, to stop exfiltration by insider and external actors.

How does Fasoo overcome these challenges to make Zero Trust for data security a reality?

Fasoo takes a different approach than today’s solutions. We push controls and advanced protection methods to what needs defense – the file – rather than chasing locations data may wander. Visibility is always maintained delivering rich context for Zero Trust explicit access decisions while data is encrypted at rest, in transit, and controlled while in use.

Here’s how our file-centric approach and these six key control and protection methods enhance your data security stack and put you on the path to Zero Trust.

1. Encrypt Sensitive Files Without Exception.

This seems an obvious need for an explicit-based model dealing with sensitive data. Don’t ask the new hire to decide. Use centralized policies and automated processes to transparently discover, classify, and encrypt sensitive files when users create or modify them. Hold the keys centrally so users don’t control your data, you do.

2. User Access, Least Privilege Access.

Letting an insider wander through a document repository or folders to access files is too implicit. Automatically assign and control user access to the file when and wherever it’s created. Use policies and automatically federate file access to the employee’s managers or department. Enhance least privilege access with data in use controls.

3. Control Data in Use.

What happens today with traditional solutions after an insider gains access to a file? It’s a free pass to copy, cut, paste, share, and store sensitive corporate data as they wish. If I simply need to view a document, why let me extract or share the data? Gain control with granular rights that limit how an insider uses your sensitive data.

4. Visibility.

Zero Trust relies on data visibility for continuous monitoring across the hybrid workplace. Today’s solutions lose visibility as data moves about siloed applications and unmanaged assets. Attach controls to the file itself to ensure visibility is never lost and logs capture all interactions throughout the document lifecycle.

5. Continuous Monitoring.

Siloed solutions don’t track data the same way or share log information. It’s impossible to monitor thousands if not hundreds of thousands of document interactions to surface anomalous events. Instead, enable each file to self-report context about users, devices, and data interactions to a universal log to make monitoring straightforward.

6. Adaptive Access.

Can you invoke a policy change across your entire hybrid workplace, dynamically, with tools in each solution to make stepped, adaptive changes to access? That’s what Zero Trust requires. A centralized policy engine can reach sensitive files anywhere across the hybrid workplace. Data in use tools can revoke or expand what users can or can’t do with the document.
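As an added illustration (not Fasoo’s code or a description of its product internals), a small Python policy engine that models the six methods above: every file is denied by default, rights are granted explicitly per user, data-in-use rights are decided separately from viewing, every decision goes to one universal log, and a single central change revokes access wherever the file is. All class names, fields and the sample scenario are constructed for this example.

```python
"""Illustrative file-centric policy engine (constructed example, not a product)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data-in-use rights the engine understands; anything else is unknown and denied.
RIGHTS = ("view", "print", "extract", "share")


@dataclass
class FilePolicy:
    """Policy bound to one encrypted file (step 1); grants are explicit (step 2)."""
    file_id: str
    owner_dept: str
    grants: dict = field(default_factory=dict)   # user -> set of rights
    revoked: bool = False


@dataclass
class Context:
    """Session context consulted on every request (continuous review)."""
    user: str
    dept: str
    device_managed: bool
    mfa: bool


class PolicyEngine:
    """Central policy engine: default deny, least privilege, one universal log."""

    def __init__(self):
        self.policies = {}
        self.log = []      # step 4/5: every file reports into the same log

    def register(self, policy):
        """Step 1: the file is encrypted at creation and its policy bound to it."""
        self.policies[policy.file_id] = policy

    def federate(self, file_id, user, rights):
        """Step 2: grant a named user an explicit subset of rights on a file."""
        unknown = set(rights) - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.policies[file_id].grants.setdefault(user, set()).update(rights)

    def decide(self, file_id, ctx, right):
        """Steps 1-5: evaluate one request, log the outcome, return True/False."""
        policy = self.policies.get(file_id)
        if policy is None:
            allowed, reason = False, "unknown file: default deny"
        elif policy.revoked:
            allowed, reason = False, "file policy revoked centrally"
        elif right not in RIGHTS:
            allowed, reason = False, "unknown right"
        elif not ctx.mfa:
            allowed, reason = False, "session not verified (no MFA)"
        elif right != "view" and not ctx.device_managed:
            # Step 3: extracting or sharing needs a stronger posture than viewing.
            allowed, reason = False, "data-in-use right requires managed device"
        elif right in policy.grants.get(ctx.user, set()):
            allowed, reason = True, "explicit grant"
        else:
            allowed, reason = False, "no explicit grant (least privilege)"
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "file": file_id, "user": ctx.user, "dept": ctx.dept,
            "device_managed": ctx.device_managed, "right": right,
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def revoke(self, file_id):
        """Step 6: one central change reaches the file wherever it now lives."""
        self.policies[file_id].revoked = True


def anomalies(log, threshold=3):
    """Step 5: flag users with repeated denials in the universal log."""
    denied = {}
    for entry in log:
        if not entry["allowed"]:
            denied[entry["user"]] = denied.get(entry["user"], 0) + 1
    return sorted(u for u, n in denied.items() if n >= threshold)


def run_demo():
    """Constructed scenario; returns (decisions, users flagged before revocation)."""
    engine = PolicyEngine()
    engine.register(FilePolicy("vendor-terms.docx", "finance"))
    engine.federate("vendor-terms.docx", "mary", {"view", "print"})
    mary_laptop = Context("mary", "finance", device_managed=True, mfa=True)
    mary_byod = Context("mary", "finance", device_managed=False, mfa=True)
    stan = Context("stan", "vendor-mgmt", device_managed=True, mfa=True)
    decisions = [
        engine.decide("vendor-terms.docx", mary_laptop, "view"),     # granted
        engine.decide("vendor-terms.docx", mary_laptop, "extract"),  # not granted
        engine.decide("vendor-terms.docx", mary_byod, "print"),      # unmanaged device
        engine.decide("vendor-terms.docx", stan, "view"),            # no grant at all
        engine.decide("vendor-terms.docx", stan, "share"),
        engine.decide("vendor-terms.docx", stan, "extract"),
    ]
    flagged = anomalies(engine.log)                   # stan: three denials
    engine.revoke("vendor-terms.docx")                # step 6: revoke everywhere
    decisions.append(engine.decide("vendor-terms.docx", mary_laptop, "view"))
    return decisions, flagged


if __name__ == "__main__":
    print(run_demo())
```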

 

Take the Right Path to Zero Trust Data Security

Zero Trust is not a product. It’s a model. Vendor approaches to implementing Zero Trust for data security differ and most fall short of the higher standards Zero Trust demands. Make sure your security teams distinguish between the underlying technologies used to operationalize Zero Trust.

As users and data continue to move around, Fasoo’s file-centric approach and these six key control and protection methods are your best path to Zero Trust. Fortify data security with these explicit safeguards that are the cornerstones for Zero Trust Data Security.

Learn more about how Fasoo converges these explicit controls and protection with its Data Security Platform that makes Zero Trust implementation easy.

And how one of our customer’s CISOs executed a quick-take playbook to prioritize and accelerate the organization’s 2023 Zero Trust initiatives.

See how a CISO fast-tracked a Zero Trust Data Security initiative

As 2023 planning kicks off, how many Zero Trust initiatives has your security team surfaced?  Which are real Zero Trust or ones just seeking a budget home?  There’s plenty of confusion and misunderstanding.

Analysts observe that most organizations are in the early strategy stages for Zero Trust, especially for data security.  Your multi-year plan is probably starting to take shape but it’s not the playbook you need to make today’s priority calls.  Teams struggle to move an emerging Zero Trust strategy to practical implementation.

So, what approaches can help with practical implementation and accelerate Zero Trust data initiatives?

Here’s a quick-take playbook from one of our customer’s CISOs.  She gave her team guidance on challenges, 2023 candidate initiatives, and key Zero Trust principles to implement.  The straightforward guidance worked and here’s how one project rose to the top.

 

Challenge

Find a situation that needs an immediate fix.  Data is under attack from any number of vectors, whether moving to the cloud, dealing with insider threats, or the explosion of endpoints.

Protecting and controlling sensitive unstructured data is an ongoing effort critical to corporate competitiveness and compliance with global regulations.

As employees moved to remote work, it accelerated the company’s hybrid workplace with cloud migration, mobility, BYOD, and collaboration platforms.  Sensitive files made their way to unmanaged devices, cloud services, and third parties, where you lose visibility, and controls and protection are inconsistently enforced.  Preventing the exfiltration of sensitive data became more difficult to control.

This left the CISO’s security team scrambling to deploy new point solutions, adding to their existing endpoint, network, CASB, and other data protection tools.  These disparate, siloed point solutions still leave security gaps, are complex to operate, and overwhelm administrators.

 

Scope

Bring Zero Trust principles to core data protection capabilities first.  These capabilities should enable a foundation on which you can build future Zero Trust data initiatives.

The team identified data discovery, classification, and enhanced data loss prevention as core processes needed to address sensitive data challenges in their hybrid workplace.  They scoped the project to address two key issues.

  1. Siloed point solutions present a fundamental problem for Zero Trust.  Zero Trust requires deep visibility to continuously monitor interactions between users, applications, data, and devices everywhere.  It won’t work when context isn’t readily available and dynamically shared across the entire infrastructure.

     The team decided it was crucial to consolidate core data-centric processes in conjunction with the Zero Trust project.

  2. Traditional data-centric tools fell short of applying Zero Trust principles in their hybrid workplace.  They needed new methods for stronger protection, control, and visibility of data wherever it travels and however users access it.

     The team used a Zero Trust network best practice – segment the network into micro-perimeters and place controls closest to what you look to protect.  The team took aim at the file as the most discrete micro-perimeter and sought solutions that apply persistent controls and protection to the file itself.

 

Zero Trust

Implement key Zero Trust principles

The Zero Trust model uses three key principles:

  1. Do not trust all entities by default
  2. Enforce least privilege access
  3. Implement comprehensive monitoring

 

The CISO expected candidate projects to implement these principles.

Working through the challenge and scope, the team identified Fasoo’s Zero Trust Data Security Platform as a leading candidate.  The Platform integrates a continuum of core data-centric security processes in a common framework.  It eliminates silos so data is visible and you can share contextual events across the infrastructure.

Data-Centric Processes

Fasoo zero trust data security platform

Fasoo’s methods for safeguarding sensitive files differed from other candidates.  Fasoo enforces encryption, control over data-in-use, and access management, all implemented at the file.  It doesn’t rely on security being in place at every cloud location, endpoint, or third party to implement Zero Trust principles.

Higher standard for data security

Outcome

Approved 2023 Zero Trust Project

Fasoo comprehensively met the CISO and security team’s requirements for a 2023 Zero Trust initiative.  The platform’s flexibility and modular features allowed the use and integration of their existing security stack so the timeline for implementation would provide an early 2023 Zero Trust win.

———————————————————————————————

See if the CISO’s quick-take playbook using these three straightforward guidelines – Challenge, Scope, and Zero Trust – works for you and your team.

And if the hybrid workplace and control and protection of sensitive data are on your 2023 candidate list, Fasoo is ready to help.  For over 20 years Fasoo has developed and consolidated data-centric capabilities as we continually work to meet our customers’ growing demands for lifecycle management of sensitive data.  Now, Fasoo leads the industry to converge Zero Trust and its Data Security Platform to make security stronger and easier.

 

Enhance your data security with the Fasoo Zero Trust Data Security platform

Are you struggling to implement Zero Trust across siloed data-centric tool sets?  You’re not alone.  Analysts say this is one of the major roadblocks to Zero Trust uptake.

The hybrid workplace left security teams scrambling to deploy new point solutions, adding to an existing array of data protection tools. These disparate solutions sit at ingress/egress points (DLP/CASB/EPP) applying rules and analytics where sensitive data intersects with users, applications, and devices.

It’s where data intersects and crosses these siloed solutions that real problems for Zero Trust arise. This interrupts the continuity of data flow, visibility is lost, and policy misconfigurations occur.

 

Zero Trust relies on context about users, applications, data, and devices everywhere, always available

Vital to Zero Trust is continuous monitoring of context to detect anomalous events. It’s the basis for adaptive risk assessments that decide if, and how much access a user merits. It won’t work if you lose sight of sensitive files and their use.

But that’s the world of the hybrid workplace. Users extract data from corporate databases, insert it into ad-hoc documents on endpoints anywhere, move it to the cloud, and share it with external partners. Sensitive files easily find their way to unmanaged devices and unsanctioned cloud services, out of the purview of corporate control.

It’s clear security and operations teams need new approaches and methods to move forward with Zero Trust initiatives.

 

Consolidate siloed data-centric processes in conjunction with implementing Zero Trust principles

Consolidation of data-centric processes into Data Security Platforms (DSP) is underway and teams can leverage this trend to accelerate Zero Trust initiatives. Gartner projects that by 2024, 30% of enterprises will adopt Data Security Platforms, up from less than 5% in 2019.

A platform better implements control and security policies using a centralized policy engine that spans all data-centric processes. The integration and continuity of processes remove silos to enhance data visibility and make tracking more consistent. This allows you to leverage automation across the platform to make security transparent to users and operations less complex.

Forrester Research recommends a platform first establish a data control foundation with core processes. One that includes unifying data discovery, classification, control, and some form of data loss prevention and obfuscation, like encryption, as a start. The deployment of this initial core provides your team key insights into where sensitive data originates, travels, and is accessed.

A DSP delivers an infrastructure that makes it easier for security teams to implement Zero Trust across your organization’s hybrid workplace.

 

Recognize Zero Trust principles set higher standards for sensitive data control and protection

Many modern DSPs emerged during the move to a hybrid workplace, formed by traditional vendors adding adjacent technologies. Examples include DLP vendors integrating classification and alternatively classification vendors adding protection. While all are steps forward, today’s DSP capabilities vary widely and can leave Zero Trust initiatives at risk.

Zero Trust principles set a higher bar for sensitive data. It requires enhanced control, visibility, and monitoring of data that today’s traditional solutions struggle to deliver.

It’s no longer enough to keep layering MFA techniques onto user access. It’s just as critical to control how the data is used once users gain authorized access. With today’s solutions, the user has a free pass to copy, cut, paste, share, and store sensitive files as they wish.

Explicit trust requires data never be unprotected. DLP and behavior analytics query and assess files to make sure you follow rules or check for anomalous events, but don’t usually protect the data itself. Exposed data is exfiltrated and goes undetected for weeks if not months.

Security teams need to pull back the covers on DSP and understand the underlying technology. While all deliver platform advantages from tool consolidation, capabilities to achieve Zero Trust standards can be limited.

 

A true Zero Trust Data Security Platform to make security stronger and easier

For over 20 years, Fasoo developed and consolidated data-centric capabilities as we continually work to meet our customer demands for lifecycle management of sensitive data. Fasoo now leads the industry to converge Zero Trust with an advanced Data Security Platform.

Fasoo consolidates core data-centric processes to deliver the benefits of a DSP. Centralized policies, deeper data visibility, and automation all contribute to more effective and less complex operations. And within this infrastructure, Fasoo has built the most advanced control and security methods to comprehensively implement Zero Trust standards.

Our advanced methods differ from traditional solutions. We push controls and security closest to what you need to protect, the file itself, so safeguards travel with the sensitive data. Binding controls and protection to the file provide deep visibility, data is never out of sight, and policies are consistent across the hybrid workplace.

The file is the new micro perimeter where we not only control access but control how you use the data. If I simply need to view a document, why let me extract or share the data? Granular rights enforce document controls that explicitly protect data and enable least privilege Zero Trust principles.

Protection of the data itself needs to be present always. Encryption is an obvious need for an explicit-based model. It automatically encrypts a sensitive file when a user creates or modifies it – that’s true adherence to never trust, always verify principles. Don’t ask the new hire to decide.

Fasoo’s Platform delivers this and a complete suite of advanced methods that implement Zero Trust standards. Fasoo’s approach is superior and it’s why security teams select our Platform as their path to Zero Trust.

 

Learn more about Fasoo’s Zero Trust Data Security Platform

Learn more about the full suite of advanced data-centric methods Fasoo employs to truly achieve Zero Trust for data security.

Understand the core data-centric processes Fasoo’s Platform consolidates and the benefits of a Data Security Platform.

Read how one CISO used a quick-take playbook to prioritize and down-select 2023 Zero Trust Initiatives and accelerate the security team’s journey to Zero Trust.

Data security platforms are the way forward

Gartner projects that by 2024, 30% of enterprises will have adopted Data Security Platforms, up from less than 5% in 2019.

The move to a hybrid workplace left security teams scrambling to deploy new point solutions, adding to an existing array of data protection tools.

Today, the number of separate tools in your arsenal may span data discovery, classification, DLP, EDRM, EPP, and CASB.

This patchwork approach and silo-specific security controls add operational complexity that you need to get under control.  What’s the best way to address this challenge?

Map out a strategy that consolidates data-centric tools into a Data Security Platform (DSP). Here’s Fasoo’s take on why this should be one of your top priorities in 2023 and how to move forward.

Data Security Isn’t Getting Easier

The variety and volume of sensitive data in your organization are growing and the need to process and share information is accelerating. The pace is disrupting traditional business and security processes leaving digital assets exposed to new threats more than ever.

With this unrelenting pace and complexity, there’s never enough time for you to evaluate new tools. Analysts report that implementing a new data security product takes one year or longer and eventually delivers only part of what you envisioned.

Inevitably, gaps and overlapping capabilities are fielded that complicate daily operations like:

  • Managing rule sets in disparate tools independently fosters inconsistent policies leaving gaps that expose data to breaches.
  • Multiple consoles and alert tools create operational complexity and often overwhelm the team’s ability to administer and respond in a timely fashion.
  • Implementing vendor upgrades to multiple point solutions disrupts operations and increases the overall total cost of ownership.

 

Data Security Platforms

Your peers are looking to DSPs to overcome these challenges. Within the next 18 months, Gartner predicts over 30% of enterprises are expected to adopt DSPs.

Gartner defines DSPs “as products and services characterized by data security offerings that target the integration of the unique protection requirements of data across data types, storage silos, and ecosystems.” In addition to making data security easier, they point to better utilization and increased data value.

Gartner recommends you start by building a multi-year migration plan from siloed data security offerings to DSPs enabling simpler, consistent end-to-end data security. In doing so:

  • Start consolidation where it makes sense in an area that’s already in need of an upgrade to address security gaps. Make consolidation part of that upgrade.
  • Take steps to consolidate. Select a subset of already adjacent technologies to form purpose-built DSPs that solve today’s immediate issues.

 

Consolidate Data-Centric Tools Now

You’ve likely deployed data loss prevention tools and are experiencing the challenges mentioned previously. And now the hybrid workplace creates new challenges to secure sensitive content including insider threats, third-party collaboration, multi-cloud environments, and BYOD endpoints.

This all makes data-centric tools a prime candidate for DSP consolidation.

  • Modern DSPs have evolved to address the challenges of today’s hybrid workplace, overcoming traditional solution shortfalls.
  • A confluence of adjacent technologies, like data classification and insider risk management, may either be in place or on your list for evaluation.


Don’t be left behind. Start your migration planning to DSPs now and move forward in 2023.  Consider these five key DSP data-centric capabilities as a start.  And learn more about Fasoo’s purpose-built, Zero Trust Data Security Platform that delivers these capabilities and much more.

What is a data security platform?

RELATED READING

Learn more about Data Security Platforms.

Learn more about Fasoo’s Zero Trust Data Security Platform.


Quick takeaways on how Fasoo enables zero trust data security

Enterprise Digital Rights Management (EDRM) encrypts files, enforces user access, and controls data in use – no implicit assumptions. It sets a least privilege baseline for sensitive data on which you can dynamically grant increasing levels of explicit access. It’s what Zero Trust is all about.

Inside the perimeter, implicit trust was turned on its head by digital transformation and the hybrid workplace. Zero Trust’s explicit, least privilege, continuous monitoring, and adaptive risk assessment are the new standards for data security in today’s world.

You likely have some set of DLP or Insider Risk Management tools, but these fall well short of the new standards. So how do you move to Zero Trust Data Security?

Learn more about how to bring DLP up to Zero Trust standards.

Consider integrating EDRM. It fortifies your existing tools with strong protection methods and explicit controls. And with Fasoo’s approach to EDRM, gain the high-resolution data visibility Zero Trust continuous monitoring and adaptive access standards demand.

7 Quick Takeaways

Here are 7 quick takeaways on how EDRM and Fasoo can set you on the path to Zero Trust Data Security.

1. File-Centric, Location Agnostic

Go to the source itself. The file. Quit chasing and trying to enforce data security and control at every new place the file may travel or reside, or wherever a user accesses it. Traffic cops at every ingress and egress point are old school, perimeter thinking. Bind all security and privacy controls to the file itself so you can persistently enforce enterprise safeguards in the cloud, WFH, on BYOD, and at supply chain partners.

2. File Encryption

It seems obvious for an explicit-based model. But today’s DLP tactics are mostly a monitor-alert approach while you expose the data to risk. Instead, automatically encrypt sensitive files when users create or modify them. Use centralized policies and hold the keys so users don’t control your data. Use this no-nonsense, least privilege baseline to build explicit access to sensitive data.

3. User Access

You don’t want an insider wandering through an entire repository or even folders – it’s too implicit. Most insider breaches are mistakes in handling sensitive data, like storing it in the wrong location. It’s better to enforce explicit access decisions, for each file, every time a user opens it. That’s Zero Trust Data Security.

4. Control Data in Use

But what happens after an insider gains access to a file? It’s a free pass to copy, cut, paste, share, and store sensitive corporate data as they wish. That’s not Zero Trust. If I simply need to read the document, why let me extract or share the data? A supply chain partner needs to edit a file. But why let them copy, print, or store the document locally? Use explicit granular document rights to enforce Zero Trust least privileges and control your data in use.

5. Visibility

Visibility is knowing how your data is used, how it moves about, and what users do with it. Zero Trust relies on data visibility for continuous monitoring. Not easy in today’s hybrid workplace with existing tools. At best, it relies on reconciling disparate security, network, application, repository, and endpoint logs. Better to use file-centric controls to make the file self-reporting, recording all lifetime interactions to a Central File Log no matter where it travels or who accesses it.

6. Continuous Monitoring

Just because you had access before doesn’t matter. That would be implicit trust. Zero Trust wants an explicit, context-aware decision each time. To do so, you need to monitor user identity, prior file interactions, devices, times, and places for each of the thousands if not millions of documents in your inventory. In real time. Impossible? The Central File Log makes it easy, staging up-to-date, file-specific log data for Zero Trust monitoring.

7. Adaptive Access

Access is no longer an “all or none” decision. More “if so, how much.” It must adapt based on current circumstances, informed by the findings of continuous monitoring, and enabled by deep file visibility. Once you assess the risk, employ a wide range of granular document controls that can enforce the appropriate Zero Trust privileges.

Start on Zero Trust Data Security Now

Adopting least-privilege, explicit access to your sensitive data is key to protecting your intellectual property and complying with privacy regulations. Integrating EDRM fortifies your existing tools with strong protection methods and explicit controls that are the cornerstones of Zero Trust Data Security.

As users and data continue to move around, protecting the data itself with these strong controls is your best bet to protect your business and your customers.


RELATED READING
Learn more about Enterprise Digital Rights Management
Learn more about how Fasoo implements Zero Trust Data Security

DLP needs EDRM to control data-in-use and protect documents everywhere

Data loss prevention (DLP) solutions focus on the movement of sensitive data. They analyze document content and user behavior patterns and can restrict the movement of information based on preset criteria. With the move to remote work, traditional DLP solutions can’t safeguard sensitive data since it’s difficult to monitor all the locations users can send and store documents.

While DLP is good at finding sensitive data in files, it can’t control access to the data inside. Once a user has access, they can copy and paste the data anywhere. If someone shares a sensitive document with a business partner or customer, DLP has no visibility to that document and can’t control access to it.

Enterprise Digital Rights Management (EDRM) focuses on protecting sensitive data in documents. It automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. It provides visibility and control regardless of where the document travels.

Four ways EDRM enhances DLP


1. Protects Sensitive Data Wherever It Travels

DLP is a perimeter-based solution that stops the movement of data. By blocking ingress and egress points, you can stop users from copying sensitive documents to a USB drive, a collaboration solution, or the cloud. This presents challenges as security teams try to block all the locations a document can go. With many people working from home and using personal devices (BYOD), this is becoming almost unmanageable.

EDRM takes a file-centric approach to security. It applies encryption, access control, and document usage rights that travel with the file everywhere. Controls are always enforced regardless of location or device. You know your sensitive data is safe even if users access files on new devices or share data with customers, partners, and other third parties.


2. Enforces Consistent Controls Across Cloud Environments

You probably have numerous perimeter security solutions across your internal networks, cloud services, and endpoints. This creates inconsistent policies that leave security and privacy gaps. Gartner projects that “through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.”

With EDRM you set safeguards centrally and retain ultimate control over who can access the data and how. Cloud administrators and end-users can’t remove the protections which remain with the file no matter where the data resides or who accesses it. This simplifies your security controls and eliminates a major reason for a data breach in today’s multi-cloud environment.

Learn more about how to implement consistent data protection controls in the cloud.


3. Controls Data-In-Use to Minimize Risk from Insider Threats

Once a verified user gains access to a file, that sensitive corporate data can go anywhere. Users can copy, cut, and paste sensitive data into new file formats, share it in collaboration applications, and store and print sensitive files on personal devices. Someone may not be malicious but may accidentally share sensitive data. How many times have you accidentally emailed a file to the wrong person?

EDRM can apply a broad range of file permissions to control data-in-use. If a user only needs to read a document, you can prevent them from sharing or printing it. If that user needs to edit the file, you can change permissions and allow them to edit, but restrict copying the data to an email or other insecure location. Controlling what a user can do when a file is open stops data breaches by insiders in today’s world of leavers and joiners.

Learn more about how to minimize insider threats.


4. File Visibility Ensures Security

Visibility is lost in today’s hybrid workplace because users can store and access data on just about any device and in any location, many not in your control. Traditional DLP and network tools create a patchwork approach to data visibility with some organizations employing over 40 IT and security tools to trace sensitive data.

Advanced EDRM solutions use a file-centric approach to embed a unique ID in each file. It makes the file self-reporting, logging all access and actions taken on the file. This also applies to copies and derivatives, like PDFs. The file is “never lost” and is constantly monitored providing essential feedback for adaptive control and access decisions.


EDRM Makes DLP Stronger

By adding EDRM, you can protect your sensitive data regardless of its location and control that all important data in use. This is critical to stop both malicious and accidental insider threats. It lets you sleep at night knowing that your sensitive data is protected, controlled, and monitored at all times.


RELATED READING
Learn more about EDRM.
Learn more about how to improve traditional DLP systems.

EDRM deployments on the rise

A resurgence of interest in Enterprise Digital Rights Management (EDRM) is trending as cloud, mobile, work-from-home (WFH), personal devices (BYOD) and collaboration platforms create new coverage gaps in traditional data protection approaches.

Gartner reports that EDRM technology, a core solution of Fasoo’s Zero Trust Data Security Platform, entered the “Plateau of Productivity” stage across three of its Hype Cycle Reports. In this Hype Cycle stage:

“the innovation has demonstrated real-world productivity and benefits, and
more organizations feel comfortable with the greatly reduced level of risk.”

Quick Glance Back

Many security veterans recall that EDRM was one of the first data-centric tools to run the gauntlet of operational deployments. IT professionals familiar with network tools were unprepared for the more involved engagement required with business units and end users to protect sensitive data.

EDRM was too often deployed in a decentralized manner, forcing users to decide how to implement the wide-ranging capabilities. Improper policy decisions set restrictive enforcement measures that overwhelmed business processes and had a negative impact on worker productivity.

Today, most organizations have a better understanding of the unique challenges to secure and control sensitive data and overcome these earlier missteps. EDRM uses centralized policies, implements capabilities without user interaction, enforces adaptive security, and does not interrupt workflows.

Moving Forward

The ease of EDRM deployments isn’t the only reason for its resurgence. Industry experts also note:

1. EDRM closes DLP coverage gaps triggered by the hybrid workplace

2. EDRM capabilities are essential to Zero Trust Data Security


EDRM and DLP

The Gartner Hype Cycle for Cloud Security findings are a good example of where DLP falls short in today’s hybrid and multi-cloud environments. DLP can’t enforce rules at all locations where data may travel, often outside of enterprise controls like WFH or files shared with supply chain partners. And here’s another wake-up call from the Gartner report:

“Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.”

With EDRM, you are in control of your data no matter where it travels or who accesses it. That’s because EDRM safeguards – encryption, user access, and data-in-use controls – travel with the file itself. Safeguards are persistently enforced no matter the location. This eliminates misconfiguration and end-user mistakes.

Learn more about “Why DLP Needs EDRM”


EDRM and Zero Trust

Zero Trust is all about explicit risk assessments. It’s an approach that requires thorough verification of all users, data, and devices, and allows only minimal privileges.

Analysts and many organizations recognize that EDRM is now foundational to Zero Trust Data Security. Its core functionality enables the assignment of minimal privileges to sensitive data and the ability to dynamically grant increasing levels of explicit access. It encrypts, restricts user access, controls the use of data, monitors data, and employs adaptive measures based on context-aware user and device behavior.

Learn more about “How EDRM and Fasoo Enable Zero Trust Data Security”


A New Perspective on EDRM

EDRM has come a long way since those first projects, and you can feel comfortable deploying this robust technology to protect and control your sensitive data. EDRM also sets you on a path to fortify your existing DLP infrastructure and move to a true Zero Trust Data Security capability.

Fasoo, an EDRM pioneer for the past 20 years with over 2,000 customers and millions of users, has been at the forefront of simplifying EDRM deployments and operational demands. Today, these EDRM capabilities are one of many data-centric tools consolidated into Fasoo’s industry-leading Zero Trust Data Security Platform. This purpose-built, highly automated, centrally managed, data-centric platform lets organizations secure their data better and more easily.

Learn more about “Fasoo’s Data Security Platform”


Three ways to update your DLP to Zero Trust standards with Fasoo

Organizations are working to bring existing security capabilities up to date with Zero Trust standards. An organization’s path to Zero Trust Data Security often starts with an existing DLP solution set.

Zero Trust is all about explicit risk assessments, monitoring, and control.  One that extends beyond just managing access to data but to control how you use the data.  An approach that uses continuous monitoring to make dynamic, explicit decisions each time a user accesses sensitive files.

Traditional DLP falls short of these standards.

Here are three essential capabilities to bring your existing data security up to Zero Trust standards.

1. Centrally Apply File Encryption

DLP solutions monitor data – Allow/Block – but the sensitive data itself is left unprotected.

Zero Trust principles dictate stronger measures like file encryption. This eliminates implicit access to files and sets a clear reference point to make Zero Trust explicit access decisions.

Zero Trust Data Security also cares about “who” encrypts the file. Many solutions rely on the user to encrypt sensitive files and in some cases, a user sets a password. This can lead to errors in protecting data and requires the encryptor – your employees – to grant access to your own critical data.

A centralized policy platform is foundational to Zero Trust Data Security. With centrally enforced policies, a file with sensitive data can be automatically encrypted when created or modified, all transparent to the user. It lifts the burden from the user, eliminates errors, and keeps workflows moving.

This also gives you control over the encryption keys – not the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more proscriptive regarding data residency and access rights.

Consistent, proactive, centrally applied file encryption is a big step toward achieving Zero Trust Data Security.


2. Control Data-In-Use

Insider threats expose a major gap in DLP solutions. It’s the poster child example for implicit trust that Zero Trust looks to eliminate.

With DLP, once a verified user gains access to the file, it’s a free pass to use corporate sensitive data. Users can copy, cut, and paste sensitive data into new file formats; share the data across multiple collaboration applications; and store and print sensitive files on personal (BYOD) devices.

DLP binary actions, full or no access, are no longer enough. Zero Trust principles are based on a continuous, explicit risk assessment that takes a least-privilege approach to access and use. It considers the sensitivity of the data and the context in which it’s being used.

Zero Trust Data Security requires the availability of a broader range of file permissions to control data-in-use. For example, a user that only needs to read a document should be restricted from extracting or sharing the data. Allowing a user to edit a file, but restricting copy or print, are other examples of granular document controls. Disabling screen sharing when displaying sensitive data, and print watermarking are other necessary capabilities in a Zero Trust world.

Upgrading DLP with granular document rights controls provides the data-in-use options that enable Zero Trust Data Security.


3. Monitoring Depends on Visibility

The ability to continuously monitor data activities so you can make explicit decisions each time someone tries to access sensitive files is central to a Zero Trust approach. How you use data, how it moves about, and what users do with it is an essential input to an explicit model.

However, traditional DLP and network tools create a patchwork approach to data visibility with some organizations employing over 40 IT and security tools to trace data. Visibility is also thwarted in today’s hybrid workplace by cloud and work-from-home environments where data can be stored in unauthorized locations and devices.

To move toward Zero Trust Data Security, you should upgrade your DLP solutions with a file-centric approach, making the file itself the source of reporting. A unique ID embedded in each file logs every access (network/application/individual), what was done with the file, and other context-aware information like device and geographical location.

Implement a file-centric approach to achieve the visibility necessary to enable Zero Trust Data Security.


Update DLP to Zero Trust Data Security

Implementing a Zero Trust approach to an existing security model is gradual.  The Fasoo Data Security Platform helps you achieve success without ripping out your current DLP infrastructure.  This protects your existing investment but gives you true Zero Trust Data Security to meet your governance and regulatory requirements.

Fasoo zero-trust data security platform showcased at Gartner summit

A major focus at this year’s Gartner Security & Risk Management Summit in National Harbor, MD was on reframing and simplifying security to drive your business, not inhibit it. There was a lot of talk about Zero Trust architectures and how they are critical to real security as more of us work from home and the threats to our sensitive data grow exponentially.

One area of concern is how to find and protect sensitive data without impacting how employees, business partners, and customers work.  With a hybrid workplace becoming the norm for many, this has taken on a new urgency.

At the Fasoo booth, a lot of people talked about the challenges of combining different technologies to address data security in the cloud, in the office, working at home, and sharing with partners and customers.  Companies are looking to consolidate capabilities to fewer tools and focus on more of a platform approach to address their needs.  A constant problem is setting different policies in many tools that still focus more on protecting the location of data rather than the data itself. 

One executive from a manufacturing company talked about how difficult it is to manage all the systems to protect identity and data in so many places.  She has one set of rules for her DLP system that alerts when sensitive documents are shared outside the company.  She has another set of policies to govern CASB to manage cloud access.  And a third set of policies for partner access to data repositories.  But none of them really protect the data since once a user has access, they can do whatever they want with it.

Fasoo Presentation on True Zero Trust

On Wednesday, June 8, 2022, Anthony Juliano, CTO & General Partner of Landmark Ventures; John Herring, President & CEO of Fasoo, Inc.; and Ron Arden, Executive Vice President, CTO, and COO of Fasoo, Inc., presented “Fasoo: Build a True Zero-Trust Data Security Platform“.  John talked about the challenges we’ve had in the last few years as people moved to hybrid work and the threats to sensitive data keep growing.  Documents have a habit of multiplying and getting into all sorts of places without security that protects the data itself. 

Anthony focused on data security platforms (DSP) and Gartner’s research on the need to eliminate the patchwork of silo-specific controls that actually increase risk rather than minimize it.  Simpler policy enforcement and unified approaches will prevail as companies choose a DSP with high levels of flexibility that work throughout the entire data lifecycle.  This includes eliminating redundant, obsolete, and trivial (ROT) data to minimize the threat surface and simplify protection.

Fasoo zero-trust data security platform showcased at Gartner summit

Ron talked about the capabilities of a true zero-trust platform that enables universal control of data at rest, in transit, and especially in use, while continuously validating that a user should have access to that data every time they use it.  Rather than focusing on pieces of a solution, the Fasoo Data Security Platform helps organizations discover, classify, manage, protect, share, audit, monitor, and analyze sensitive data.  Since the fundamental principle is to protect first by encrypting and controlling the use of the data, it removes many of the concerns of protecting every location the data travels.

Gartner Presentations Reinforce Fasoo Approach

There were a lot of Gartner Analyst presentations that focused on zero-trust, data security, and data security platforms. One session highlighted that “60% of organizations will embrace Zero Trust as a starting point for security by 2025.” Many of the sessions directly reinforced Fasoo’s approach to zero-trust and below are some of the highlights:


Andrew Bales: Outlook for Data Security

  • Andrew addressed Gartner’s prediction that “By 2025, 30% of organizations will adopt a Data Security Platform (DSP), due to the pent-up demand for higher levels of data security and the rapid increase in product capabilities.” The presentation reviewed the evolution of data security capabilities and their convergence into a centralized platform.  Fasoo leads the industry in unstructured data product consolidation with its Zero Trust DSP.

Michael Hoeck: How to Secure Your Data Using Data Security Platforms

  • Michael identified a category of DSPs that are more narrowly focused on use-case driven needs, in particular for unstructured data, that do a better job than more broad-spectrum platforms.  Fasoo’s DSP specifically addresses unstructured data security and privacy use cases.

Neil McDonald: A Pragmatic Approach to Implementing a Zero Trust Security Architecture

  • Neil highlighted the importance of data encryption at rest and in transit in a zero-trust architecture. Fasoo extends this to control over data in use and is a critical element of evolving security service edge (SSE) architectures, which focus more on security capabilities and less on network connectivity and infrastructure.

Anthony Carpino: Technical Insights: Dark Data, Data Security’s Biggest Miss

  • Anthony reported that “Dark data could be between 52 to 90% of the data our business stores and know very little about its content including the risk that could be lurking within it.” He identified discovery, classification, auditing, and data protection as key features to shed light on dark data, all of which are core processes in Fasoo’s DSP.

Fasoo booth at GSRM 2022 showing data protection

During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand how Fasoo’s Zero Trust Data Security can meet security and privacy regulations and protect sensitive data from both internal and external threats.

One IT manager wanted an easy way to protect IP from going out the door when employees left the company and also needed to share sensitive information securely with customers.  He liked how the Fasoo Data Security Platform could help with both in one solution.

A number of visitors commented that Fasoo technology is very robust, balances security with usability, and integrates with an organization’s existing infrastructure.  A common strategy is to make the technology almost invisible to users unless they try to violate a security policy.  I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.” 

Extend your DLP with zero trust data protection

The term data loss prevention or DLP is used throughout the information security industry to mean any technology that can stop users from sending sensitive information outside the corporate network. It can take many forms and can include locking down USB ports on PCs, stopping emails from leaving the company, and preventing documents from moving outside of your firewall. DLP can mean many things to different people.

While DLP can enhance your information security by changing employee behavior, it does so by limiting activities and is dependent on creating adequate policies.  It acts to restrict data use, not enable it.  Business users need to legitimately share and use information and preventing that can cause problems.

DLP has two main functions: monitoring and blocking. Many organizations only monitor activity to understand usage patterns. Once they start blocking the movement of information, there are typically a lot of exceptions because people need to get their jobs done. If you are only monitoring data access and movement, you are not protecting the data. You are only aware of a problem after the data has left your organization and already gotten into the wrong hands. If you throttle back blocking to the point where it is primarily monitoring, you have the same situation.

What are some of DLP’s challenges?

DLP’s ability to scan, detect data patterns, and enforce appropriate actions using contextual awareness reduces the risk of losing sensitive data.  It depends on policies to govern the movement of information, and those policies can become complex to manage.  A lot of companies will monitor and potentially block personally identifiable information (PII), personal health information (PHI), social security numbers, PCI data, and any data that is governed by regulations.  You can easily write policies to block this information, but what about all the trade secrets and intellectual property (IP) that really drive your business?

The problem is that most businesses need to share sensitive data with outside people.  DLP does not provide any protection in case users have to send confidential information legitimately to a business partner or customer.  It cannot protect information once it is outside the organization’s perimeter.  This has become more of an issue with remote work becoming the norm for many businesses.

Considering most data leaks originate from trusted insiders who have or had access to sensitive documents, organizations must complement and empower the existing security infrastructure with a zero trust data security solution that protects data in use persistently.

Add zero trust data security

By adding context-aware data protection to DLP, you ensure that only authorized people can access sensitive information no matter where it is.  The three key areas to consider are:

    • Encryption – by encrypting the data with centralized security policies, you can extend the monitoring capabilities of DLP.  If the information does leave your network, it is always protected and under your control.  If an unauthorized person tries to access that information, the protected data will appear as useless bits.  This policy can even apply to authorized people who are on the wrong device, or in the wrong place.
    • Control use of the data – apply a persistent security policy that travels with the data and controls what a user can do with it when they open a file.  By limiting editing, copy & paste, or printing, you eliminate sharing data with the wrong people.  This can extend to immediately revoking access to files once shared, regardless of location or device.
    • Monitor and validate use – continuously validating user access to sensitive data is critical since people’s roles change and the data may not be relevant if the person changes jobs or leaves your organization.  This ensures you only grant access to sensitive data if and when a user needs it.
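The three key areas just listed, the three capabilities under “Three ways to update your DLP to Zero Trust standards with Fasoo”, and takeaways 2 through 7 of “Quick takeaways on how Fasoo enables zero trust data security” all describe the same file-centric model: a central policy service encrypts the file and keeps the key, every open is an explicit decision made against the file’s embedded ID, the granted rights are granular and can shrink with context, and each decision is written to a central file log. The small model below is added here to make that control flow concrete. It is example code written for this page, not Fasoo’s software or any part of its product; the class names, the device and location rules, the “five opens” adaptive threshold, and the HMAC-SHA256 counter-mode keystream used in place of a real AEAD cipher are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass

RIGHTS = ("read", "edit", "copy", "print")   # granular document rights in this model


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; an illustrative stand-in for an AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class ProtectedFile:
    file_id: str        # unique ID embedded in the file; it travels with every copy
    nonce: bytes
    ciphertext: bytes
    tag: bytes          # MAC over file_id || nonce || ciphertext (encrypt-then-MAC)


@dataclass
class AccessRequest:
    user: str
    file_id: str
    device: str
    location: str
    action: str         # one of RIGHTS


class PolicyServer:
    """Central authority (assumed name): holds keys and policies, keeps the central file log."""

    def __init__(self, managed_devices):
        self._keys = {}                  # file_id -> key; never handed to a user
        self._policies = {}              # file_id -> {user: set of rights}
        self.managed_devices = set(managed_devices)
        self.log = []                    # central file log, every entry keyed by file_id

    def protect(self, plaintext: bytes, policy: dict) -> ProtectedFile:
        """Encrypt on creation under a central policy; the user never sees the key."""
        file_id, key, nonce = str(uuid.uuid4()), secrets.token_bytes(32), secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, file_id.encode() + nonce + ct, hashlib.sha256).digest()
        self._keys[file_id] = key
        self._policies[file_id] = {user: set(rights) for user, rights in policy.items()}
        self.log.append({"file_id": file_id, "event": "protect"})
        return ProtectedFile(file_id, nonce, ct, tag)

    def revoke(self, file_id: str, user: str) -> None:
        """Revocation is immediate: the next open is decided against the new policy."""
        self._policies.get(file_id, {}).pop(user, None)
        self.log.append({"file_id": file_id, "event": "revoke", "user": user})

    def decide(self, req: AccessRequest):
        """Explicit per-open decision; context can only reduce the rights a policy grants."""
        effective = set(self._policies.get(req.file_id, {}).get(req.user, set()))
        reasons = []
        if req.device not in self.managed_devices:        # BYOD: no copy or print
            effective -= {"copy", "print"}
            reasons.append("unmanaged device: copy/print withheld")
        if req.location != "office":                      # off-site: no print
            effective.discard("print")
            reasons.append("outside office: print withheld")
        # Adaptive step driven by the log itself: a burst of opens downgrades to read-only.
        prior_opens = sum(1 for e in self.log if e["event"] == "open" and e.get("user") == req.user)
        if prior_opens >= 5:
            effective &= {"read"}
            reasons.append("unusual volume of opens: read-only")
        allowed = req.action in effective
        self.log.append({"file_id": req.file_id, "event": "open" if allowed else "deny",
                         "user": req.user, "action": req.action, "device": req.device,
                         "location": req.location, "reasons": reasons})
        return allowed, effective

    def open(self, pf: ProtectedFile, req: AccessRequest):
        """Release plaintext only when the explicit decision allows the requested action."""
        allowed, _ = self.decide(req)
        if not allowed:
            return None
        key = self._keys[pf.file_id]
        expected = hmac.new(key, pf.file_id.encode() + pf.nonce + pf.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pf.tag):     # tampered or mismatched file ID
            raise ValueError("file integrity check failed")
        return bytes(c ^ k for c, k in zip(pf.ciphertext, _keystream(key, pf.nonce, len(pf.ciphertext))))


def demo():
    """Constructed walkthrough: one sensitive file, an employee, a partner, several contexts."""
    server = PolicyServer(managed_devices={"laptop-01"})
    pf = server.protect(b"Q3 pricing: CONFIDENTIAL", {"alice": RIGHTS, "partner-bob": ("read",)})
    r = {}
    r["alice_read"] = server.open(pf, AccessRequest("alice", pf.file_id, "laptop-01", "office", "read"))
    r["alice_print_home"] = server.open(pf, AccessRequest("alice", pf.file_id, "laptop-01", "home", "print"))
    r["bob_copy"] = server.open(pf, AccessRequest("partner-bob", pf.file_id, "byod-phone", "home", "copy"))
    r["bob_read"] = server.open(pf, AccessRequest("partner-bob", pf.file_id, "byod-phone", "home", "read"))
    server.revoke(pf.file_id, "partner-bob")
    r["bob_after_revoke"] = server.open(pf, AccessRequest("partner-bob", pf.file_id, "byod-phone", "home", "read"))
    return pf, server, r
```

Two design points carry the argument of the surrounding text. First, the key never leaves `PolicyServer`, so a copy of the file on a phone, in a cloud share or at a partner is just ciphertext until the server says otherwise, and revoking a user changes nothing on the endpoint yet takes effect on the next open. Second, `decide` is called on every open and reads the log it writes to, which is what lets the same mechanism serve continuous monitoring and adaptive access. A production system would replace the keystream with an AEAD cipher and back the key map with a managed key service.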


Today data is everywhere and continues to grow.  I could access a file on my mobile device, move it to the cloud, copy it onto my PC, and then move it into a document repository.  Keeping up by managing and monitoring every location and every device is almost impossible.  It’s like playing whack-a-mole.  You plug one hole and another appears.

You need to expand your thinking on how you protect your data, by locking it at the moment you create it and continuously validating user access.  This gives you visibility and control through its entire lifecycle.
