Collaboration has always been a key to a successful business. Whether working on a project or sharing documents as part of standard business operations, numerous people need to see and act on information quickly.
While ad-hoc communication uses tools like Teams, Zoom, and Slack, most people collaborate through documents.
As organizations settle into new business norms, working remotely has become common for a lot of people. An analysis by the research firm Gartner predicts that by the end of 2023, 48% of knowledge workers will work either hybrid or fully remote.
Hybrid workplaces require new methods of collaboration since employees and contractors may work a few days in the office and a few days remotely. They need to collaborate securely with colleagues, partners, and customers regardless of location to stay productive and meet deadlines and goals. While video chat and instant messaging let you communicate, most of us work together to complete a project or develop ideas using documents. You need to easily share documents, make sure everyone is working on the most recent version, and guarantee that only authorized users can see the information inside.
Deploying a new collaboration platform is not something you can do overnight; it costs both time and money. The fastest way to hit the ground running and share files without losing valuable time is to use a cloud-based system with a web interface, which keeps projects on track with minimal disruption.
A key ingredient of secure collaboration is not burdening your employees or third parties with security decisions. Wrapsody eCo is a secure and reliable collaboration platform that encrypts all shared files and makes it easy to collaborate securely. By configuring workgroups with built-in policies and permission management, your employees keep working without having to make decisions that might not follow policy. You can set an expiration date for a project or revoke access to documents immediately, which simplifies security for users: they have a job to do and should not have to set security policies themselves.
Users can easily create a workgroup for a project and define security parameters, like permissions on downloaded files or view access to a document in a browser. Project managers can invite employees, partners, and customers to the workgroup with a few clicks. As project members upload documents, they are automatically shared with the workgroup. Authorized users get real-time and email notifications of document changes so interested parties are informed immediately of updates. Each workgroup has a centralized policy making it easier to enforce security on all documents.
Sometimes members of a project team need to interactively review a document. Creating a quick video chat with all authorized users of the document is usually faster than typing into a chat or instant messaging window. Wrapsody eCo lets you connect your Zoom account so you can quickly schedule a meeting from within the portal and get your business done.
As people work from home, they may fall into bad habits like downloading documents from protected cloud applications to work on them locally, especially out of frustration when the internet is slow or the VPN is misbehaving. That can lead to emailing files around, which only makes unsafe data handling worse. In the Wrapsody eCo environment, downloading documents locally is a non-issue: a downloaded file can only be opened by users who hold access permissions on it. If someone accidentally sends the file to an unauthorized user, that user cannot view the contents. If the recipient should have access, they can simply request it.
Remote workers could be anywhere, not only working from home. With our current hybrid and mobile working environments, people time shift schedules and work almost anywhere and anytime. When collaborating it’s critical that project members work on the latest document. Finding and using the latest documents is always a problem since most of us use numerous devices and can’t always be sure what’s current.
If you update a financial spreadsheet, for example, you can’t work on an old version. With Wrapsody eCo, you always work on the current version. As soon as you update the file and close it, it automatically syncs to a central location. This works whether you are accessing the document on your work laptop, a home PC, or opening it from a cloud location. The next time you open it, you get the latest version, secure in the knowledge that your data is protected and only available to authorized users.
This even works on your mobile device. If you are running to a meeting or trying to catch up in an Uber, you can review the latest document on your phone or tablet. If you want to see a previous version, that’s as easy as a few taps.
Another problem with collaborating is making sure you get input from everyone. Rather than sending emails to everyone bugging them about reading the document and providing questions or updates, you can comment on the document and have it appear in real-time on people’s devices. You can also send a view alert to quickly bring it to everyone’s attention.
You can also review logs of user activity on the document. It tells you who viewed and edited the document and when. If someone edits a document locally or in a browser, the document updates to a new version upon saving it. If you need to retrieve an earlier version, it’s a click or tap away.
Working remotely has become standard for a lot of people. Collaborating securely and effectively can ease the burden and ensure your data security controls protect your most sensitive information. And that should give you peace of mind.
Learn more about how Wrapsody eCo makes it easy for your remote workforce to securely collaborate.
One of the problems of collaborating on documents is figuring out who has the latest version. How many times are you working with a group and you spend as much time asking who has the latest copy as working on the document?
Our current hybrid and mobile working environments make it even harder, since people time shift schedules and work almost anywhere and anytime. Finding and using the latest documents is always a problem since most of us use numerous devices and can’t always be sure what’s current.
It’s not just wasting time. It’s also wasting money.
You might lose a deal if you need to create a sales proposal and can’t get it to your customer on time. If you manufacture products and have outdated specs, you have to spend money on rework.
This only gets worse if you have a lot of people who provide input to your document.
Traditional document and content management platforms provide some of the answers to these problems. But they only work inside their system. If someone opens a document, edits it, and checks it in, your system should update the document version. You might get a notification that a user updated the document so you know it changed.
But if you download a document, edit it locally, and share it with a colleague, you just broke the system. The next person looking for the document will have the wrong information. And worse, they don’t even know it.
A better approach is to use content virtualization which doesn’t rely on the location of your document to manage it. It always provides up-to-date content regardless of document location. If you have the document on your desktop, in email, or stored in the cloud, when you next open it, you will have the latest version.
Get Rid of ROT (Redundant, Obsolete, and Trivial Content)
Along with not finding the latest version of a document, another problem collaborators face is multiple versions all over the place. You might have a document on your laptop, your tablet, and even another desktop somewhere. Some people want to store documents on cloud services or local file shares, and after a while, you have outdated and redundant documents everywhere. Trying to sort all this out becomes a nightmare.
By tracking all copies of a file, you can easily find redundant ones, and your copies are never outdated: the moment you open one, the latest version appears. Each document carries a tracking and synchronization identifier, so every copy can report which version it is and be brought up to date no matter where it lives.
Another issue is limiting who can view or edit a file as people collaborate. Just because you are on the same project team doesn’t mean you necessarily need the same access to all files. Sometimes certain people only need to view a document, while others may not need any access. If you rely on a location-based solution to assign permissions, this all falls apart when you move the file to another location.
Document owners should be able to assign permissions to a document and change it whenever the need arises. The next time someone opens the file, the new permissions are available immediately. If the document owner needs to remove access entirely, they can do it and it applies the next time someone opens the file.
Wrapsody in Action
So how does this work in practice? Let’s take a look at how Wrapsody can make collaborating easier.
Evie works in the strategic planning group of an electronics manufacturer. She participates in a project to streamline how the company brings products to market with the goal of reducing cost and time to market. Her manager launched a task force for the project to include herself and employees from sales, finance, marketing, manufacturing, and business strategy. Evie started developing a business plan for the project.
The members of the task force shared the initial versions of documents on market analysis, financial impact, and business strategy and updated documents were sent out as new versions became available. For an interim briefing to the leader of the task force, Evie had to aggregate the latest versions of the documents on her PC into the business plan.
Before updating the material, Evie had to verify she had the latest versions by checking emails and talking with the authors over the phone. About 30% of her time was spent consolidating the latest documents before the briefing, holding the briefing, and sharing feedback after the briefing. If the business plan changed before the final report, Evie needed to repeat all these steps.
Evie had a lot of challenges to overcome. First, she needed to minimize the time wasted sharing documents, managing versions, and preparing a report. Dozens of documents were shared among the members of the task force, so this was difficult. As different members shared different versions multiple times, the same documents were stored repeatedly on different PCs, and the file name itself did not indicate whether a document was the latest version. Whenever progress had to be reviewed or a briefing held, it took a long time to aggregate the latest documents.
Evie needs to create an environment to efficiently manage documents for collaboration.
With Wrapsody, all members of the task force store the initial version of the business plan on their PCs. They update the plan locally, and when a new version is available, the leader opens it on her PC, reads the document, and adds comments if needed. The members read the comments and make the appropriate updates to their documents. No additional document sharing, aggregation process, or briefing is necessary.
Wrapsody automatically synchronizes the latest version of the business plan to everyone’s device. Evie could edit the document on her laptop and later read it on her iPad. She can always be sure everyone has the latest version. This makes collaboration easy since the document is now the system of record.
Evie and the task force successfully reduced the cost of bringing products to market and cut cycle time by 40%. Using Wrapsody streamlined their process by making it easy to update their documents and ensuring each member of the task force had the latest version.
Learn more about how Wrapsody can break the cycle of confusion when collaborating with documents.
In 2022, the average cost of a data breach in the financial services sector was $5.97 million. Financial institutions are heavily targeted and heavily regulated because of the amount of Personally Identifiable Information (PII) and payment card data (governed by PCI DSS) they hold.
External threats and hacking tend to make the news, but managing threats from current employees and partners with privileged access to sensitive data is just as critical. Without that first line of defense, your data is exposed to risk.
Here are five use cases for protecting your sensitive data.
Stop Unauthorized Use of Confidential Data
Allow employees and contractors to work with confidential customer data while minimizing the risk of a data breach caused by sharing it with unauthorized users.
Your employees access sensitive and confidential customer information so they can do their jobs. Once the data leaves the protected confines of an information repository, file share, or cloud-based service, those authorized users can share it with anyone and do anything with it, compromising your customers’ confidential information. You may be subject to regulatory fines, not to mention losing customers who can no longer trust you to maintain their confidentiality. You need to protect confidential data persistently, so that customer information stays protected regardless of where it goes and who has it.
As an example, a former employee of a large financial company pleaded guilty to stealing confidential data from about 730,000 customer accounts. He copied names, addresses, account numbers, investment information, and other data to his home computer so he could work on it. While improperly accessing the information, he was interviewing for a new job with two competitors.
Fasoo Enterprise DRM protects customer information by encrypting files and applying persistent security policies that travel with them regardless of location or format. Once protected, sensitive files can be shared safely through email, USB drive, an external portal, or any cloud-based file-sharing site. The files are not accessible on unmanaged devices, including personal PCs, unless you choose to allow that. File access is tracked in real time for precise auditing, and access can be revoked instantly. Fasoo not only helps you meet privacy regulations and safeguard customer confidentiality but controls sensitive information while at rest, in motion, and in use.
Safeguard M&A Deals by Limiting File Access
Protect M&A transactions so that only deal participants can securely share confidential documents.
Mergers and acquisitions (M&A) often involve intensive collaboration between investment bankers, lawyers, accountants, auditors, and other deal participants from different companies. They share countless confidential M&A documents, and it is crucial to safeguard them during and after the process. Deal participants may download sensitive documents from a virtual deal room and share them with non-participants or other unauthorized users, deliberately or by mistake. This could put your deal at risk. All sensitive documents on local servers, in cloud storage locations, and on personal devices should be discarded once the M&A project is complete.
Fasoo Enterprise DRM provides data-centric security to secure virtual deal rooms. All M&A-related documents in the virtual deal rooms are automatically encrypted at download, and only specific groups can access the protected documents. After closing an M&A deal, the deal room or other repository stores the final copies. All transaction documents on desktops, on mobile devices, in email, on file servers, and other storage locations are revoked by the security administrator, disabling user access to all other copies.
Allow Users to View Sensitive Data Without Compromising Privacy or Security
Defend against unauthorized screen captures and sharing of sensitive information.
Most customer service and contact centers use terminal sessions or remote desktops to control access to highly confidential information in databases and websites. Financial institutions protect information while it is within a database but struggle to protect data when it is viewed within the terminal session or remote desktop. Protecting data from users who press the Print Screen key, run screen capture tools, or take pictures of the screen with a phone is one of the many challenges companies face in preventing data breaches.
Fasoo Smart Screen allows specific groups to access terminal or server-based computing (SBC) consoles while preventing the user from capturing sensitive data. When an authorized user accesses sensitive data, the user cannot take a screenshot, and a visible watermark displays on the screen showing the user’s name, company information, IP address, time, and date. This deters the user from taking a picture of the sensitive data with their phone and prevents computer image capture tools from taking a screenshot and sharing it with unauthorized people.
Protect PII Documents Handled by Authorized Users
Keep PII documents secure and only accessible to authorized users.
Financial organizations deploy firewalls, DLP, full disk encryption, and network transport encryption (TLS/SSL) to prevent data loss to unauthorized users. Threats from authorized users, whether accidental or deliberate, are increasing. Data breaches often result in serious litigation and severe contingent liability. Users send PII to the wrong person through email, deliberately or by mistake, and unprotected sensitive documents residing on an employee’s PC or in another storage location increase the risk of a data breach.
Fasoo Data Radar allows financial institutions to discover sensitive data based on content patterns and enforce policy (encryption/re-classification) on the data without user intervention. It automatically detects and encrypts or reclassifies documents containing PII while the documents are in use. A central security policy continuously discovers and encrypts unprotected documents as they appear on PCs, file servers, and other locations. Dynamic access controls limit what a user can do once they open the document to protect your PII from misuse and potential litigation from a data breach.
Secure Data Downloaded from Databases and Information Systems
Automatically protect financial and customer reports downloaded from database-driven systems.
Financial organizations maintain relatively strong protection policies for structured data in databases using various security tools or techniques. When authorized users access this structured data for legitimate purposes like data mining or other analysis, they can extract or export the data into XLSX, CSV, or PDF files. This new unstructured data is vulnerable to misuse and often overlooked as a source of a data breach. Allowing authorized users to download structured data into files while maintaining persistent protection of sensitive data is critical to protecting your customers and your business.
Fasoo Enterprise DRM automatically encrypts and applies protection policies to reports when saved (localized) to desktops. For example, when an authorized user extracts structured data and saves it in XLSX/CSV format, the files are automatically encrypted and only accessible by authorized users. When a user copies the file to an external storage device or a cloud location or shares it through email, unauthorized users are not able to access the file. This ensures your sensitive data remains in the hands of authorized users.
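The content-pattern discovery described in the Data Radar passage and the automatic protection of database exports described just above both come down to the same mechanism: scan the file, decide a policy from what is found, and apply it without asking the user. The following is an added illustration of that mechanism in Python; it is not Fasoo's code. The detection patterns, the policy labels, the permission sets and the sample CSV export are constructed assumptions, and where a real agent would encrypt the bytes and bind the policy to the file, this example only returns the decision and the record an audit trail would keep.

```python
"""Pattern-based PII discovery on an exported report, then an automatic policy decision.

Added example, not Fasoo Data Radar or Enterprise DRM code. The patterns, labels,
permission sets and the sample CSV are assumptions made for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Content patterns (illustrative rule set). The PAN pattern only finds candidates;
# luhn_ok() below weeds out account numbers and timestamps that merely look like cards.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13 to 19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check over the digits of a card-number candidate."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count PII hits by type; card candidates count only if they pass Luhn."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "pan": sum(1 for m in PAN_RE.findall(text) if luhn_ok(m)),
        "email": len(EMAIL_RE.findall(text)),
    }


@dataclass(frozen=True)
class Policy:
    label: str
    encrypt: bool
    permissions: tuple      # what an authorized user may do once the file is open


def decide_policy(hits: dict) -> Policy:
    """Map discovered content to a protection policy; the user is never asked to choose."""
    if hits["ssn"] or hits["pan"]:
        return Policy("Restricted-PII", True, ("view", "edit"))          # no print, no export
    if hits["email"]:
        return Policy("Internal", True, ("view", "edit", "print"))
    return Policy("Public", False, ("view", "edit", "print", "export"))


def protect_export(filename: str, content: str) -> dict:
    """Hook for the moment a report is saved from a database system to a desktop.

    Returns the record an audit trail would keep; a real agent would also encrypt the
    bytes and bind the policy to the file at this point.
    """
    policy = decide_policy(scan_text(content))
    return {
        "file": filename,
        "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
        "label": policy.label,
        "encrypt": policy.encrypt,
        "permissions": policy.permissions,
    }


# Constructed sample: a customer report exported from a database as CSV (test card numbers).
SAMPLE_EXPORT = """account_id,name,ssn,card,email
1001,Ana Ruiz,123-45-6789,4111 1111 1111 1111,ana@example.com
1002,Bo Chen,321-65-4321,5500 0000 0000 0004,bo@example.com
1003,Cy Diaz,,1234 5678 9012 3456,cy@example.com
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE_EXPORT))
    print(protect_export("customers.csv", SAMPLE_EXPORT))
```

The third row's card number is rejected by the Luhn check, so it does not count as a PAN, but the first two rows are enough to classify the whole export as Restricted-PII and strip print and export rights. The point to carry over from the passage is that the classification happens at save time from the content itself, not from a label the user remembered to pick.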
Learn more about how Fasoo protects sensitive data and prevents data breaches in Financial Services.
The first, Fasoo Enterprise DRM, is an enterprise digital rights management platform built to protect documents at scale in large organizations and along their supply chains. Thousands of customers worldwide use it across a wide variety of industries and use cases.
The second, Microsoft Purview Information Protection, was developed primarily to protect the document ecosystem of Microsoft Office plus a few third-party file formats.
Over the years, Microsoft enhanced its security offerings and changed names so many times that many people are very confused. What started as Windows Rights Management Services (RMS) morphed into Active Directory RMS, then Azure Rights Management, then Azure Information Protection (AIP), then Microsoft Information Protection (MIP), and now Microsoft Purview Information Protection. If I missed a few, I apologize.
In talking to many of our customers who use Microsoft products, we hear that they want to protect sensitive data in many locations but struggle to understand what to buy, how to deploy it, and how it works. It is very confusing, and a lot of the Microsoft solutions don’t work as advertised.
Microsoft Purview vs. Fasoo comparison
Many years ago, companies used enterprise DRM in limited use cases and it was complex to implement. It didn’t scale well and required a lot of administration. As a result, many IT and security groups today still lack hands-on experience with modern DRM-based information protection capabilities at scale.
Fast-forward to 2023: Enterprise DRM solutions have matured significantly over the past decade. This has caused a considerable change in perceptions and is credited with the recent resurgence of enterprise DRM. Gartner states “Enterprise digital rights management offers persistent data-centric defense, solving security and compliance challenges with clear goals and governance.”
Combined with the shift towards a data-centric information security approach, this development now has more information security leaders asking about the specific strengths of enterprise DRM.
Fasoo uses a centralized approach to managing security policy, while Microsoft by default relies on users to make security decisions. Fasoo’s policy model is flexible enough to let a document owner control protection and assign rights, but that should not be the only option. In the centralized model, administrators define an overall policy and then delegate subsets of it to users. Since it is your company’s data, you decide whether the data owner or the company has ultimate control. This flexible but secure approach lets organizations implement a policy management model with checks and balances that accommodates many different use cases.
Microsoft relies primarily on the individual to assign rights, with less capability for centralized control. In contrast with Microsoft’s “assign and forget” model, Fasoo enables dynamic policy enforcement, which uses the rich contextual information available about the user, device, time of use, nature of access (e.g., authorized or unauthorized), and even the content itself to adjust policies intelligently.
Below are some highlights of the differences between the two approaches.
1. Supported File Formats
How many file formats does Fasoo support compared to Microsoft Purview?
Microsoft file protection natively supports about 20 file types, chiefly Microsoft Office and PDF; everything else receives generic protection as a .pfile wrapper. For non-Office types it also modifies file extensions (txt to ptxt, jpeg to pjpeg, bmp to pbmp). This can cause issues with security applications and firewalls, and it confuses users who are looking for a specific file extension.
Fasoo supports more than 230 file formats, including a broad range of PDF, CAD, image, multimedia, and Office files as well as many less common formats handled by niche applications a customer might use. Users open all files in their native application. Fasoo does not modify file extensions, so applications that rely on native file extensions for scanning or other purposes keep working.
2. Data Encryption
How strong is Fasoo’s encryption compared to Microsoft Purview?
Microsoft is limited to AES 128-bit encryption for Office files because Office 2010 cannot support AES 256-bit encryption; other file types use AES 256-bit. Microsoft does not support Office 2007 at all and recommends upgrading to Office 2016 or later for ease of deployment and management.
Fasoo uses multi-layered encryption for all file types, including AES 256-bit encryption for all file payloads. This is the same encryption the NSA, banks, and other organizations use for highly sensitive data. This is important for compliance with specific regulations. Fasoo supports Microsoft Office 2007, 2010, 2013, 2016, 2019, 2021, and 365.
3. Audit Trail
How do the document tracking and monitoring capabilities of Fasoo compare with those of Purview?
Microsoft has no single report portal for usage, adoption, and document activities; label and protection events are spread across views such as Activity explorer in the Purview compliance portal. It also doesn’t provide a method for tracking user licenses. Microsoft recommends editing the registry to remove access to functions from specific users designated as “consumers only” of protected files.
Fasoo provides centralized reporting on all document and user activities in a web-based console. Thresholds can alert administrators to anomalous and potentially suspicious activity. Fasoo EDRM also tracks all licensed users in a web-based, centralized console. Customers can export audit logs to SIEM tools or other business intelligence applications for further analysis and alerting.
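The threshold alerting and SIEM export described above, as an added example in Python that is not Fasoo's reporting console or its log format: the JSON event shape, the field names, the thresholds, the sample events and the CEF vendor and product strings are all assumptions made for illustration. It counts per-user events in a sliding window, raises one alert per user and action when a threshold is reached, and renders each alert as a Common Event Format line of the kind a SIEM ingests.

```python
"""Threshold alerting over document-activity audit events, with CEF output for a SIEM.

Added example, not Fasoo's reporting console or its log format. The JSON event shape,
the thresholds, the sample events and the CEF vendor/product strings are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLDS = {"download": 5, "denied": 3}   # events per user inside WINDOW that trigger an alert
SEVERITY = {"download": 6, "denied": 8}     # CEF severity on a 0-10 scale


def parse_events(lines):
    """Parse JSON-lines audit records and return them ordered by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Sliding-window count per (user, action); alert once when a threshold is reached.

    Firing once per key keeps a bulk download from producing one alert per file.
    """
    windows = defaultdict(deque)
    fired = set()
    alerts = []
    for event in events:
        limit = THRESHOLDS.get(event["action"])
        if limit is None:
            continue                        # view/edit are normal activity, not thresholded
        key = (event["user"], event["action"])
        recent = windows[key]
        recent.append(event["ts"])
        while event["ts"] - recent[0] > WINDOW:   # drop timestamps that fell out of the window
            recent.popleft()
        if len(recent) >= limit and key not in fired:
            fired.add(key)
            alerts.append({
                "user": event["user"],
                "action": event["action"],
                "count": len(recent),
                "at": event["ts"],
                "last_doc": event["doc"],
            })
    return alerts


def _cef_escape(value, header=False):
    """CEF escaping: backslash and pipe in header fields, backslash and '=' in extensions."""
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(alert):
    """Render an alert as a CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext."""
    header = "|".join(_cef_escape(v, header=True) for v in (
        "CEF:0", "ExampleVendor", "DocumentAudit", "1.0",
        f"{alert['action']}-threshold",
        f"{alert['action']} threshold reached",
        SEVERITY[alert["action"]],
    ))
    extension = " ".join(f"{k}={_cef_escape(v)}" for k, v in (
        ("suser", alert["user"]),
        ("act", alert["action"]),
        ("cnt", alert["count"]),
        ("fname", alert["last_doc"]),
        ("rt", alert["at"].isoformat()),
    ))
    return f"{header}|{extension}"


# Constructed sample audit log: one user bulk-downloading, one user repeatedly denied
# on a revoked deal-room file, and ordinary activity that should stay quiet.
SAMPLE_LOG = """
{"ts": "2023-06-01T09:00:00", "user": "ana", "action": "view", "doc": "budget.xlsx"}
{"ts": "2023-06-01T09:01:00", "user": "dana", "action": "download", "doc": "plan-v3.docx"}
{"ts": "2023-06-01T09:01:30", "user": "dana", "action": "download", "doc": "finance.xlsx"}
{"ts": "2023-06-01T09:02:00", "user": "dana", "action": "download", "doc": "market.pptx"}
{"ts": "2023-06-01T09:02:10", "user": "dana", "action": "download", "doc": "strategy.docx"}
{"ts": "2023-06-01T09:03:00", "user": "dana", "action": "download", "doc": "roadmap.pdf"}
{"ts": "2023-06-01T09:15:00", "user": "dana", "action": "download", "doc": "notes.docx"}
{"ts": "2023-06-01T10:00:00", "user": "mallory", "action": "denied", "doc": "deal-room/term-sheet.pdf"}
{"ts": "2023-06-01T10:00:20", "user": "mallory", "action": "denied", "doc": "deal-room/term-sheet.pdf"}
{"ts": "2023-06-01T10:00:40", "user": "mallory", "action": "denied", "doc": "deal-room/term-sheet.pdf"}
{"ts": "2023-06-01T11:00:00", "user": "bob", "action": "denied", "doc": "hr/salaries.xlsx"}
"""


def run(log_text=SAMPLE_LOG):
    """Parse, detect and format; returns the CEF lines a SIEM forwarder would ship."""
    return [to_cef(alert) for alert in detect(parse_events(log_text.splitlines()))]


if __name__ == "__main__":
    for line in run():
        print(line)
```

The window logic matters more than the numbers: a single user opening five files in a morning is normal, five downloads in two minutes is worth a look, and three denied opens on one revoked file in under a minute is exactly the signal a revocation audit trail exists to surface. Picking thresholds is the administrator's job; the example just shows where they plug in.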
4. Policy and Exception Management
How are Fasoo’s policy and exception management different from Microsoft’s?
By default, Microsoft relies on individual users to make security policy decisions about how to protect documents. Users must decide the level of sensitivity and manually apply a sensitivity label before protection is applied (Purview can also apply labels automatically through auto-labeling policies, but those must be configured separately and everything still keys off labels). This approach requires IT and data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles. If someone picks the wrong label, data protection suffers. It also adds to the administrative burden, since admins need to create and manage the labels and may need to assist in reclassifying documents.
Fasoo can automatically assign file protection without user intervention. Security can be based on the user, content, or other context, and not burden the user. It provides centralized policy management and exception-handling capabilities that can predefine security as users create documents. This “file-centric, people-centric” approach allows the organization to determine who can access a protected document, rather than relying on the document creator to make that decision. In cases where a user should make a decision, the user can manually encrypt a file and assign predefined permissions. Users with appropriate rights can extend access rights and permissions to other users as needed, and a very simple workflow allows users to request access or additional permissions to a document.
If users download files from document repositories, Fasoo automatically encrypts them and automatically extends the security policies defined in the repository to the downloaded document. This real-time policy creation and federation reduces user and administrative overhead and simplifies use.
5. Fasoo vs Microsoft Deployment
Can I deploy in the cloud, on-premise, or both?
Microsoft provides one option: Purview is a cloud-based service. Users need an Azure AD (now Microsoft Entra ID) account to open protected documents, whether they are internal users or external partners or customers. For many customers this is not viable, since Microsoft requires users to be in Azure and tracks all user and file activity. Other customers do not want to deploy services in the cloud for regulatory or security reasons.
Fasoo can run in an on-premise data center, private cloud, hybrid cloud, or completely managed as SaaS. Services can run on Windows or Linux systems and can deploy into AWS, Azure, Google, or other cloud providers. You can use your existing identity & access management system to authenticate and authorize users to access protected files. No need to store users in a specific system or give Fasoo any access.
6. External Sharing
Is it easy to share sensitive documents with external users?
Microsoft requires all external users to have accounts and credentials in Azure and gathers data on document exchange between parties. Predefined sensitivity label-based policies are hard to adopt for ad-hoc collaboration, which makes them less flexible, admin dependent, and a source of delays. Every time a new partner or customer is onboarded and needs to access Microsoft-protected documents, they first need to be added to the sensitivity label policies. This imposes unnecessary requirements on customers, partners, and administrators, and gives Microsoft potential access to too much of your data. Many organizations do not want to create another login and worry that their sensitive information is in the hands of a vendor.
Fasoo policies are built at runtime to accommodate real-world ad-hoc collaboration needs. Users with sharing rights can extend permissions to collaborators and share documents through email, cloud applications, or any sharing service. Fasoo can use existing credentials from your identity and access management system or let external users simply authenticate with an email address. All transaction data is stored within your system and is not available to Fasoo. The system is yours and self-contained: you decide how your users share, authenticate, and access sensitive files.
7. Cloud Security
Is my sensitive data protected even if I use cloud applications?
With Microsoft, documents uploaded to cloud apps are not protected on their own, and there are easy ways to bypass the security, which gives a false sense of security. You need to integrate Purview Information Protection with Defender for Cloud Apps to accomplish this, but it only supports specific cloud environments. As with all Purview operations, everything is based on labels, and there is a limit to the number of labels you can apply in a day. Microsoft says the limit exists to prevent mistakenly labeling a large number of files, but that decision should be the customer’s, not Microsoft’s, and the limit introduces a major risk if you need to protect large numbers of files.
Fasoo provides robust and persistent data protection with adaptive security controls at the endpoint, network, cloud, and beyond. Once protected, the protection persists with the file regardless of location. Dynamic policies allow you to change permissions, expire files and even grant additional access with a few clicks. You decide on what is protected, how, and by whom. There are no arbitrary limitations on protection and access.
8. Protect CAD files
How does Fasoo Enterprise DRM protect CAD files in comparison to Microsoft?
Microsoft does not support the protection of CAD files while in use. It relies on third-party applications to protect CAD. Fasoo protects CAD files while at rest, in transit, and in use natively. By integrating directly with over forty different CAD applications, Fasoo EDRM allows users to interact with CAD files as they normally do while maintaining strong protection of the data.
Will it fit and grow with your mission?
Most inquiries we get about Microsoft Purview vs. Fasoo boil down to a single general question: How does a dedicated solution for securing documents in large organizations stack up against an assemblage of document protection components designed with a focus on Microsoft Office applications and file formats?
It’s like comparing a Ford F-450 Super Duty truck with a Chrysler Pacifica minivan. Both have four wheels and move you, but if you plan to haul a trailer with horses, the minivan is not the best choice. If you plan to protect and share sensitive files that can go anywhere and need to control all aspects of the process, Fasoo is a better choice.
Deciding between a work truck and a family van becomes much easier when we ask this question:
IT, security, compliance, and risk management leaders need a reference of terms, acronyms, and key people in the enterprise digital rights management (EDRM) domain. Some terms may be confusing since different companies use different terms for the same thing.
This Enterprise DRM Glossary will be updated regularly and provides clarity for leaders and practitioners. The EDRM glossary draws on various sources, including books, periodicals, websites, subject matter experts, and Enterprise DRM users.
We welcome your feedback and suggestions of terms to include. Contact us at firstname.lastname@example.org.
CAD security, also referred to as CAD file security or CAD protection, describes the methods, means, and measures available to protect specifically Computer-Aided Design (CAD) / Computer-Aided Manufacturing (CAM) / Computer-Aided Engineering (CAE) tools and documents against unauthorized access and use.
CAD files, such as 3D CAD drawings, are unstructured data. Manufacturing companies and design engineering firms looking to protect CAD files face particular challenges, chiefly the lack of end-to-end encryption and the loss of oversight and control when CAD files are shared by email or in the cloud.
Examples are the automotive industry and the mobility sector in general, where CAD files often contain a company’s most valuable know-how. CAD file protection gaps at the endpoint and remote work risks were exacerbated during the coronavirus pandemic. They contributed to an increase in IP theft by insiders and data exfiltration by external threat actors.
In response, manufacturers are adopting Enterprise Digital Rights Management – Enterprise DRM – to ensure end-to-end CAD file protection and centralized policy management and control beyond the company’s IT perimeter. This approach is based on a data-centric security model. Solutions such as Fasoo Enterprise DRM ensure CAD file security at rest, in transit, and in use. Derivatives, for example, 3D models excerpted as PDF files, automatically inherit the file security of the enterprise DRM-protected CAD file, which can include secure print protection.
A centralized security policy simplifies managing permissions on documents and ensures a consistent policy across an organization. The policy is persistent yet flexible and allows the organization to manage security rather than relying on individuals to make security decisions. Compare this to the built-in PDF password protection feature provided by Adobe.
From the organizational perspective, the latter means putting the document’s fate into the hands of its creator. The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely. It also forces users to become security experts.
In comparison, the advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go. This includes changing policies for a user or group at any time, regardless of where the document resides.
Users can be granted the right to maintain complete control over their documents, in those situations where it’s warranted. This provides a layered approach giving users and groups autonomy for certain documents while maintaining centralized control of the organization.
For example, a Finance user creates a document and it is encrypted upon saving it. All users in the Finance group automatically have access to the document. The user decides she needs Legal to review the document, so she can manually grant them access. If the user leaves the company or moves to another department, the document is still accessible by Finance and Legal. The organization maintains control.
For solutions where security decisions rest mainly with the individual user, like Microsoft AIP, it is difficult to implement and change security policies across many users and constantly changing roles. The considerable burden of keeping documents up to date and in sync with the needs of departments or business units often falls on the individual creator of the document.
The data-centric security model aims to enhance information protection regardless of where the data resides or with whom it is shared. It is considered a core part of a Zero Trust approach to information security. Data-centric security is independent of networks, servers, locations, and devices and marks a departure from the traditional “device-centric” or location-centric security model.
Enterprise DRM applies the data-centric security model by taking a file-centric approach to securing unstructured data, such as MS Office documents, CAD/CAE files, PDFs, plain text, and other digital media file types. In contrast to other methods, persistent encryption and the access policy are tied to the file and travel with it, and each access decision is resolved against the organization's Identity and Access Management (IAM) system at the moment the file is opened.
Data-centric security management requires organizations to know what data they have and its security and privacy requirements. To make data-centric protection of unstructured data feasible at scale, they have to rely on standardized mechanisms to catalog and categorize data. Fasoo Enterprise DRM, for example, applies file-centric protection based on data classification tags to
Encrypt the file contents: if exfiltrated, the data stays encrypted and is of no value to threat actors who do not hold the key;
Limit file access to authorized users only: Users can be individuals, departments, business units, or defined by role or title.
Historically, organizations adopted file-centric solutions for specific use cases. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policy management ensures IT and data owners can grant access and apply protection consistently across all networks, devices, endpoints, and cloud services.
Data Loss Prevention (DLP) describes tools and methods to prevent sensitive data, such as Personally Identifiable Information (PII) or business-critical intellectual property, from leaving an organization without proper authorization.
To that effect, DLP software categorizes documents and emails and analyzes user behavior to restrict the transfer of data. The underlying rules and filters have to be maintained and adjusted by IT in coordination with other stakeholders to minimize workflow interruptions.
Organizations can apply DLP only to their internal data flow. Unlike Enterprise DRM, it does not protect confidential information once data has been intentionally or unintentionally exfiltrated. A typical example is an email mistakenly sent to the wrong address. Like antivirus software or web filters, DLP components have become a staple of information security in the enterprise. As part of the point-solution mix, they often complement particular applications or tools, such as cloud security services or Microsoft AIP.
Larger organizations frequently leverage DLP to ensure compliance with data protection regulations such as GDPR, CCPA, or HIPAA. Critics blame DLP for creating a false sense of security and point to its blind spots (USB drives, SaaS file-sharing applications, enterprise messaging apps) and its focus on internal file downloads and sharing.
Digital Rights Management (DRM) describes the tools, systems, and data-centric processes used to automatically encrypt unstructured data and to dynamically control access privileges to it at rest, in use, and in motion. In the consumer space, DRM aims to control the use, modification, and distribution of copyrighted material, such as computer software and multimedia files.
In business, Enterprise DRM ensures data-centric document protection inside and outside the IT perimeter and along an organization’s supply chain to protect sensitive information against theft or misuse by insiders and unauthorized access from the outside.
The term encryption describes the cryptographic transformation of data into a form that conceals its original content so that it cannot be read or used. Recovering the plaintext from the ciphertext requires the correct key.
Enterprise DRM provides an additional layer of security through its data-centric combination of encryption and access control. Fasoo Enterprise DRM, for example, encrypts files containing sensitive unstructured data and limits access to the encrypted file to authorized users only within their given permissions. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).
Fasoo EDRM encrypts files using a Packager. DRM-enabled documents cannot be opened without a DRM Client, which requests a “license” from the DRM Server. The DRM Server issues that license according to the security policy for the user and the document, which can be applied and flexibly adjusted using centralized policy management and exception handling. The DRM Client then decrypts the DRM-enabled document and sends the data to a rendering application, such as Microsoft Word, a PDF reader, or a CAD engineering tool.
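The Packager / DRM Client / DRM Server flow just described, together with the Finance-and-Legal scenario from the centralized policy management entry above, as an added example in Go. This is not Fasoo's code and not code from this page; it models the flow with the Go standard library's AES-256-GCM. The names (Server, Package, RequestLicense, Open), the in-memory groups map that stands in for an IAM directory lookup, and the nonce||ciphertext layout of the packaged file are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Perm is a bit set of the actions a license allows.
type Perm uint8

const (
	PermView Perm = 1 << iota
	PermEdit
	PermPrint
)

// Policy is the centrally managed rule for one document: permissions per group and
// an optional expiry for the whole document (zero time means it never expires).
type Policy struct {
	Groups map[string]Perm
	Expiry time.Time
}

// Server stands in for the DRM Server, the only holder of document keys. Its groups
// map stands in for an IAM directory lookup (an assumption of this example).
type Server struct {
	keys     map[string][]byte  // docID -> 32-byte AES-256 key
	policies map[string]*Policy // docID -> current policy
	groups   map[string][]string
}

func NewServer() *Server {
	return &Server{map[string][]byte{}, map[string]*Policy{}, map[string][]string{}}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcmFor builds AES-GCM for key; a 32-byte key selects AES-256.
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Administrator levers: each changes what happens the next time any copy of the
// document is opened, wherever that copy now lives.
func (s *Server) SetUserGroups(user string, groups ...string) { s.groups[user] = groups }
func (s *Server) SetPolicy(docID string, p *Policy)           { s.policies[docID] = p }

// Package is the Packager step: encrypt under a fresh per-document key, register the
// initial policy, and return nonce||ciphertext, the DRM-enabled file, which carries no
// key. docID is bound as associated data so a blob cannot be relabelled as another
// document to borrow that document's policy.
func (s *Server) Package(docID string, plaintext []byte, p *Policy) []byte {
	key, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(key))
	must(rand.Read(nonce))
	s.keys[docID], s.policies[docID] = key, p
	return gcmFor(key).Seal(nonce, nonce, plaintext, []byte(docID))
}

// RequestLicense is the client-to-server call. Permissions are resolved from the
// current policy through the user's current groups; with none, no key is released.
func (s *Server) RequestLicense(docID, user string, now time.Time) ([]byte, Perm, error) {
	p, ok := s.policies[docID]
	if !ok {
		return nil, 0, errors.New("unknown document")
	}
	if !p.Expiry.IsZero() && now.After(p.Expiry) {
		return nil, 0, errors.New("document expired")
	}
	var perm Perm
	for _, g := range s.groups[user] {
		perm |= p.Groups[g]
	}
	if perm == 0 {
		return nil, 0, errors.New("access denied")
	}
	return s.keys[docID], perm, nil
}

// Open is the DRM Client: obtain a license, decrypt, and hand the plaintext to the
// rendering application together with the permissions that application must enforce.
func Open(s *Server, docID string, file []byte, user string, now time.Time) ([]byte, Perm, error) {
	key, perm, err := s.RequestLicense(docID, user, now)
	if err == nil && len(file) < 12 {
		err = errors.New("malformed file")
	}
	if err != nil {
		return nil, 0, err
	}
	pt, err := gcmFor(key).Open(nil, file[:12], file[12:], []byte(docID))
	return pt, perm, err
}
```

The point of the split is that the file itself is inert: the same bytes open for Finance, open read-only for Legal once the owner adds that group, and stop opening for the creator when she moves to Marketing, all without touching the copies in circulation, because the key is released per request and only after a policy decision. The two halves have different strength, and a practitioner should keep that in mind: withholding the key is enforced by the server, while View versus Edit or Print is enforced by the client after it holds the key, so the client's integrity is part of the trust base.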
Document encryption with Fasoo is based on FIPS 140-2 validated cryptographic modules that meet the requirements of the Cryptographic Module Validation Program (CMVP) run by the United States National Institute of Standards and Technology (NIST). Fasoo uses AES-256, a symmetric-key block cipher with a 256-bit key, the same algorithm the National Security Agency (NSA) approves for classified data and that banks use to protect sensitive data. FIPS validation attests that the module's implementation of the algorithm has been independently tested, which is a requirement for many organizations that are part of or do business with the U.S. federal government.
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Enterprise Digital Rights Management (EDRM) enables organizations to persistently protect, control, and track sensitive documents at rest, in transit, and in use. Also referred to as Information Rights Management (IRM), this data-centric protection applies on any device throughout the entire document lifecycle.
By encrypting files and leveraging granular controls through centralized policy management, Enterprise DRM allows organizations to limit viewing, editing, printing, and sharing of sensitive content with unauthorized users within and outside the organization’s IT perimeter.
Historically, the challenges associated with persistent policy enforcement account for the reputation of many enterprise DRM solutions being complex to deploy. This perception has changed, and industry observers agree.
According to Gartner analysts, enterprise DRM now “is one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”
Industry observers credit Fasoo Enterprise DRM with driving much of this development. Its flagship installation spans over 170,000 internal users and over 700,000 total users of affiliates and partners worldwide.
An insider threat is defined as the potential for a person with authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the organization’s integrity, confidentiality, and availability, its data, personnel, or facilities.
Insider threats, such as IP theft by employees or contractors, are among the main risks to be considered when securing sensitive information in the form of unstructured data, such as office documents, PDFs, or CAD files. According to a 2020 survey conducted by the Ponemon Institute and sponsored by ObserveIT and Proofpoint, 60% of polled organizations worldwide encountered more than 30 insider-related incidents per year involving digital assets.
The term Intellectual Property Theft (IP Theft) describes the act of stealing ideas, creative expressions, inventions, or trade secrets – collectively known as Intellectual Property (IP) – from the person or company who owns them. IP theft is against the law. Patent, copyright, and trademark laws, among others, aim to protect intellectual property owners.
In the digital sphere, most intellectual property exists in the form of unstructured data. Movies, music, and computer software all can be targets of IP theft, as can confidential office documents (example: pricing discounts), PDF files (example: employee W-2 forms), images (example: product concept studies), or CAD templates (example: digital blueprints of manufacturing designs).
Who is committing IP theft? According to experts, insiders – i.e. (former) employees, contractors, or supply chain partners – are behind most IP theft cases. Many perpetrators knowingly or unknowingly play into the hands of people outside their organization, such as agents for a foreign power or corporate spies hired by a competitor.
Western counterintelligence professionals attribute the rise of IP theft in the U.S. and the European Union mainly to China. Its Thousand Talents Plan, conceived by the Chinese Communist Party, drives the recruitment of engineers and scientists in the US and the EU as part of a state-sponsored IP theft campaign on a global scale.
In more than 50% of documented IP theft cases, the perpetrators were employees who quit and took proprietary information with them because nothing stopped them. This risk has significantly increased with the shift to remote work caused by the COVID-19 pandemic.
How can companies prevent IP theft? Increasingly, larger organizations deploy Enterprise Digital Rights Management (EDRM) to secure documents and eliminate opportunities for IP theft across the enterprise and along its supply chain. Information security experts see EDRM as uniquely positioned to prevent IP theft, or to limit further damage in cases where protected files have already been exfiltrated.
Information security professionals give three main reasons for Enterprise DRM's effectiveness in protecting large organizations against IP theft:
EDRM combines access control with data-centric security that protects files at rest, in use, and in transit. This device-agnostic protection applies inside and outside the organization’s IT perimeter from the point of creation throughout the document lifecycle.
Centralized policy management and flexible exception handling enable IT and document owners to eliminate IP theft blindspots. It also lets them quickly adapt document use policies to meet the demands of dynamically changing environments, such as remote work scenarios (see also: Secure Print). Fasoo Enterprise DRM is an example. It empowers organizations to maintain granular control over sensitive data even if that information is shared – intentionally or mistakenly – outside the organization.
EDRM delivers comprehensive document security at scale, encompassing the broad spectrum of document formats and applications common in globally operating organizations. Fasoo Enterprise DRM, for example, supports more than 230 file formats, including a wide range of PDF and CAD types.
In the fight against IP theft, the capabilities listed above put designated EDRM solutions like Fasoo Enterprise DRM at a distinct advantage. Point solutions developed to protect primarily one document software ecosystem and a limited number of 3rd-party file formats (example: Microsoft AIP) cannot provide the same coverage.
Azure Information Protection (currently known as Purview Information Protection) is a data protection solution developed by Microsoft. It lets organizations discover, classify, and protect documents and emails. AIP was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.
Purview Information Protection (formerly known as Azure Information Protection and Microsoft Information Protection) is a data protection solution developed by Microsoft. It is part of the larger Microsoft Purview suite of tools that lets organizations discover, classify, and protect documents and emails. It was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.
Many cybersecurity professionals consider PDF security an oxymoron because of the weaknesses of the password protection and encryption built into Adobe's platform-independent file format: the permission restrictions set with an "owner password" are enforced only by the viewing application and can be stripped by many tools, and the protection a "user password" provides is only as strong as the password chosen and the encryption revision of the file (older revisions use 40-bit RC4).
Depending on the use case, adequate PDF document protection can require a combination of various 3rd-party tools and methods. Examples are PDF password protection, encryption, on-screen protection, secure print, PDF sanitization, PDF usage monitoring.
In large organizations, the number of PDF files and versions to be secured adds to the challenge. IT can overcome this challenge with Enterprise DRM, which provides an additional layer of PDF protection.
One example is Fasoo Enterprise DRM, which integrates the most powerful PDF protection mechanisms. It supports more than 230 file formats and ensures that sensitive PDF files are protected at rest, in use, and in transit.
Permissions are required to perform a particular action, such as View, Edit, or Print, on a document secured with Enterprise DRM. A user can only perform an action on a secured document when granted the proper permission, either set through centralized policy management, granted specifically by a data owner, or obtained by requesting provisional permission.
Personally Identifiable Information (PII) is defined as any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.
PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.
PII is often maintained in the form of unstructured data, i.e., in Microsoft Office documents, PDF files (example: W-2 records), or computer printouts. Files containing PII are best protected by encrypting them at the point of creation. Adequate protection covers the document lifecycle in its entirety and includes provisions for data transfers to other media, e.g., screen photos or print.
When a user does not have permission for a specific action in a document secured with Enterprise DRM, the user can request temporary permission or exemption to the current security policy. If approved by the administrator or document owner, the user can perform that action with the given provisional permission for a time period defined by the policy.
Secure file sharing (also referred to as secure file exchange) describes the process of making unstructured data available to other authorized users while preventing access by others who lack proper authorization. In business environments, secure file sharing with Enterprise DRM enables individual users to transfer Microsoft Office documents, audio or video files, images, PDFs, or CAD drawings, for example, within or outside their organization, without exposing sensitive information to data theft or manipulation by unauthorized parties.
Modern digital rights management solutions enable secure file exchange based on a data-centric security model. This approach overcomes the weaknesses and limitations of traditional device-based security or file password protection (see also: PDF Security and CAD Security). It also surpasses the protection provided by file-sharing tools such as Box, Dropbox, or OneDrive, which offer encryption in the cloud and in transit, but fall short once a document reaches the recipient. Fasoo Enterprise DRM, for example, automatically encrypts each file at the point of creation and applies access policies that are centrally managed.
Files secured with Enterprise DRM remain protected no matter where they go. This way, the data owner remains in control of if and how a shared file can be accessed, regardless of its location. The protection is device-agnostic and travels with the file. Users can securely share files without risking protection gaps on portable storage media, cloud storage services, home office printers, or when documents are sent as email attachments, for example.
Secure print describes capabilities that enable the prevention and detection of document leaks or exfiltration via print output. In Enterprise DRM, policy-based print protection lets data owners centrally set and manage print rules for printing on-premises or remotely, and apply watermarks to printouts so that leaked pages can be traced.
Fasoo Enterprise DRM, for example, takes a printer-agnostic approach to secure printing. This approach eliminates problems with using different printers or print drivers. Here’s how it works:
The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels for plain and EDRM-secured documents alike.
85% of today’s digitally stored information consists of unstructured data, which means it lacks a pre-defined data model or internal data organization. Examples include office documents, CAD/CAE files, PDFs, emails, videos, blogs, customer support chat logs, and social media.
Structured data, by comparison, is defined as data that is easily grouped, processed, and analyzed by rows and columns in relational databases. It only accounts for 15% of today’s information.
Unstructured data poses numerous security and regulatory compliance challenges. They are not addressed by the traditional network, device, and application cybersecurity and risk management approaches. This coverage gap is the reason why storing and sharing sensitive information in free-form documents creates numerous opportunities for leakage or exfiltration of proprietary or otherwise sensitive data.
Confidential files containing intellectual property, PII, or printouts of HIPAA-protected personal health information (PHI) are three examples of unstructured data potentially at risk of unauthorized access due to negligent or malicious insider behavior or cyber-attacks.
Sensitive unstructured data falls into two broad categories: regulated or unregulated. The adequate protection of regulated unstructured data is required by law (examples: GDPR, CCPA). Unregulated data includes both business-sensitive and publicly known information. Determining what content requires protection is left to the discretion of the business that owns, stores, or processes it.
Zero Trust document protection describes minimizing uncertainties in enforcing accurate access decisions regarding unstructured data. It delineates the shift from a device and location-centric security model to a predominantly data-centric approach.
The goal is to prevent unauthorized access to files containing confidential data by making access control enforcement as granular as possible. The Zero Trust approach requires fine-grained security controls between users, systems, data, and assets. Enterprise DRM is considered a cornerstone of any viable Zero Trust document protection strategy, according to document security experts. They point to its data-centric security model, strong encryption, and tight integration with all leading identity and access management systems.
The Zero Trust approach achieved official cybersecurity policy status with the 2021 Executive Order on Improving the Nation's Cybersecurity (Executive Order 14028) issued by the Biden administration. While the directive primarily aimed to move federal agencies to secure cloud services and a zero-trust architecture, it has since sent ripple effects through the private sector.
January 28 marks Data Protection Day (or Data Privacy Day), an international effort to create awareness about the importance of respecting privacy, safeguarding data, and enabling trust. For companies entrusted with personal data, this day is the opportunity to take stock and ensure everyone’s data remains safe and does not get into the hands of unauthorized people.
The privacy world has seen wholesale changes to privacy legislation across the world, and a huge shift in public awareness. One of the earliest data laws in the US was the Privacy Act of 1974. This law codified how federal agencies can collect, manage, and use personal information. With the introduction of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada in 2000, countries codified efforts to seriously tackle the privacy of information in our digital world. The EU adopted the General Data Protection Regulation (GDPR) in 2016, enforceable from May 2018, which introduced substantial administrative fines for violations. In the US, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) moved the conversation further into addressing potential data breaches of Personally Identifiable Information (PII).
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.
PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.
What is PII compliance?
As more of our world goes online, more of our data is subject to privacy legislation and compliance. PII compliance involves the standards organizations must maintain to fulfill PII regulations.
While a lot of data is in databases, the major risks are data in reports and documents, that is, unstructured data. These files tend to move around from PCs to the cloud to mobile devices and are difficult to track. Becoming compliant means discovering, classifying, and protecting these files while limiting access to authorized people only.
1. Discover all PII
The first step to safeguarding PII is to find it. You can’t protect what you can’t find. By locating and identifying PII, you can determine what to do with it. Once you accurately identify the PII that needs protection, the next step is establishing its storage location. In most cases, you shouldn’t store PII on mobile devices, user PCs, and general cloud storage. It’s better to find a secure repository, but in many cases, that’s not convenient or practical.
You also have a problem with file derivatives and copies. Every time someone saves a file as a PDF or runs a report and downloads data to a spreadsheet, you have another copy of sensitive data. This leads to the question of whether you should be keeping PII in the first place. Is it necessary for your business? Every copy you keep is one more copy that can be breached.
2. Classify PII
After discovering PII, you need to classify or label it. This organizes the data into relevant data types which helps determine who should access it and how to protect it.
The easiest way to classify data is public versus non-public. This may seem oversimplified, but either the data should be available to anyone or it shouldn’t. If that is not granular enough, you can classify data by how much it will cost you if it is compromised or illegally exposed.
Below are standard classifications you can use:
Public: This is the broadest category because it consists of data already in the public domain and is not sensitive.
Confidential or Private: This is more sensitive, and organizations should allow only their employees to view and process it.
Restricted: This is very sensitive data and could result in fines or litigation if it is leaked or gets into the wrong hands.
3. Protect PII
Once you organize your PII, you can protect it and ensure that only authorized people can access the data. This is critical for proper governance and risk mitigation strategies. The most effective protection is to encrypt the files and apply security policies that control who can access the data and what they can do with it.
A common protection approach is trying to track data flow through the organization. While that has value, monitoring where files go is time-consuming and, on its own, does not protect the data. The reason many do this is to limit access to file locations, whether in the cloud or in on-premises storage. Unfortunately, this is like playing whack-a-mole: once you secure one location, another appears.
A better approach is to protect the files themselves and control them regardless of location. This allows the data to travel naturally from person to person in the course of business. Your data is always protected regardless of where it is and who is trying to access it.
To ensure PII isn’t exposed to unauthorized access, companies need clearly defined roles implemented throughout the organization. Once identified, you can apply security policies to sensitive files that limit a user’s action once opened. For example, someone in HR may have a legitimate reason to View and Edit a document with an employee’s PII, but that person’s manager should only be allowed to View it, or maybe not have access at all.
Access control and permissions should be dynamic to address changing roles in the organization. If the HR person changes departments and no longer needs access to PII, her access should change. A file she once opened should be inaccessible, regardless of where it is or even if she saved it to another format. This ensures no unauthorized people can access this sensitive data.
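The three steps above, discover, classify, and protect, carried through as an added example in Go. This is not Fasoo's code and not code from this page: a small scanner finds PII in plain-text documents, classifies each document into the Public/Confidential/Restricted scheme listed above, and maps the class to the role-based permissions the file should be encrypted with. The regular expressions, the SSN validity rule (it rejects area 000, 666 and 900 to 999, group 00, and serial 0000, which the Social Security Administration does not issue), the sample documents in the test, and the permission rows for Confidential and Public are this example's assumptions; the Restricted row follows the HR example in the text.

```go
package main

import "regexp"

// Class is the three-level scheme from the article, ordered by sensitivity.
type Class int

const (
	Public Class = iota
	Confidential
	Restricted
)

func (c Class) String() string { return [...]string{"Public", "Confidential", "Restricted"}[c] }

// Detector pairs a PII type with its pattern, the class it implies, and an optional
// validity check (run on the submatches) that cuts false positives.
type Detector struct {
	Name  string
	Re    *regexp.Regexp
	Class Class
	Valid func([]string) bool
}

// validSSN rejects formats the SSA never issues: area 000, 666 or 900-999,
// group 00, serial 0000 (an assumption of this example, not from the article).
func validSSN(m []string) bool {
	area, group, serial := m[1], m[2], m[3]
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

var detectors = []Detector{
	{"ssn", regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`), Restricted, validSSN},
	{"email", regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`), Confidential, nil},
	{"phone", regexp.MustCompile(`\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b`), Confidential, nil},
}

// Finding is one PII hit: its type and the matched text.
type Finding struct {
	Type  string
	Value string
}

// Discover is step 1: find every PII value in a document's text.
func Discover(text string) []Finding {
	var out []Finding
	for _, d := range detectors {
		for _, m := range d.Re.FindAllStringSubmatch(text, -1) {
			if d.Valid == nil || d.Valid(m) {
				out = append(out, Finding{d.Name, m[0]})
			}
		}
	}
	return out
}

// Classify is step 2: a document takes the highest class any of its findings implies.
func Classify(findings []Finding) Class {
	c := Public
	for _, f := range findings {
		for _, d := range detectors {
			if d.Name == f.Type && d.Class > c {
				c = d.Class
			}
		}
	}
	return c
}

// PolicyFor is step 3: the role-based permissions a file of the given class should be
// encrypted with. The Restricted row follows the article's HR example; the other rows
// are assumptions of this example.
func PolicyFor(c Class) map[string][]string {
	switch c {
	case Restricted:
		return map[string][]string{"hr": {"view", "edit"}, "manager": {"view"}}
	case Confidential:
		return map[string][]string{"employees": {"view", "edit"}}
	}
	return map[string][]string{"anyone": {"view"}}
}

// Triage runs the three steps over a set of documents and returns each one's class.
func Triage(docs map[string]string) map[string]Class {
	out := map[string]Class{}
	for name, text := range docs {
		out[name] = Classify(Discover(text))
	}
	return out
}
```

Because classification is computed from the text rather than from where the file sits, a PDF export or a spreadsheet download of the same record lands in the same class once its text is extracted, which is how the derivative-copy problem from step 1 gets handled. The validity check matters in practice: a placeholder such as 000-00-0000 in a template would otherwise push a public document into Restricted and bury real findings in noise.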
Protection rather than Litigation
Many privacy regulations and data breach notification laws treat the loss of data that is encrypted, and whose key was not also compromised, as not a reportable breach. If neither a computer nor a person can read the sensitive data, the exposure generally does not trigger notification obligations. The exact safe-harbor wording varies by law, so confirm it against the regulations that apply to you.
Rather than focusing on location-based protections and monitoring where data travels, encrypt it and assign a dynamic security policy that protects PII regardless of where it is. This ensures if (or when) your data gets out, it won’t cause any harm to your organization.
As more operations move to the cloud, employees, contractors, and partners access sensitive data through a browser or remote desktop. Frequently users run reports to localize the data for further analysis.
Protecting this sensitive data when viewed on your computer or mobile screen is critical to protect the data from unauthorized use and ensure you aren’t subject to litigation and fines for violating privacy legislation.
Here are four use cases for using Screen Security to protect your sensitive data.
Protect PII and PHI on the screen
Allow employees and contractors to work with sensitive data while minimizing the risk of a data breach by sharing pictures of sensitive data with unauthorized users.
ERP, CRM, EMR, financial, and other business systems provide users with easy access to detailed personal and company information. This information is not adequately protected against malicious or inadvertent screen capturing, especially with so many remote workers and people working from home.
Users can access sensitive data on web-based applications and share it with anyone. They can capture the screen content with an image capture tool or by taking a picture with a phone. This can lead to a data breach that violates privacy legislation and can lead to litigation, fines, and reputational damage.
Fasoo Smart Screen can block screen capture attempts from specific applications and websites, replacing the captured content with a placeholder image that warns users they are trying to copy sensitive data. By allowing specific users to access applications while preventing them from capturing sensitive data, you minimize potential data breaches. You can even forcibly minimize target applications when known capture tools are launched to deter further sharing of sensitive data.
Prevent pre-release of information in files and on internal websites
Stop data leaks by blocking screen capture attempts of product designs, media, and other sensitive information in files and on internal websites.
Internal websites showcase new products and other strategic information that employees and contractors need for planning marketing and sales activities. Sometimes, these users take pictures of this information and use it for personal gain, send them to competitors, or share them on social media.
These actions may cause competitive pressures that can lead to loss of sales or market share if your competitors get ahold of them. Since anyone with a phone can take a picture and share it, you need to deter this from creating a loss of competitive advantage.
Fasoo Smart Screen can block screen capture attempts of sensitive data on websites and apply visible watermarks to trace potential data leaks to the source. Dynamic watermarks appear in certain applications and specific URLs showing the user’s name, IP address, and timestamp to deter screen capture. By blocking screen capture tools on specific URLs, administrators can control sharing of sensitive data and even see image logs of attempted screen captures.
Protect sensitive data in call and contact centers
Minimize the risk of data leaks by applying a visible watermark to trace sensitive data back to call or contact center employees.
Customer service and contact centers use virtualized or remote desktops to control access to highly confidential information. Workers could take a screen capture of PII or take a picture with their phone and share that information with unauthorized people outside the company. This is especially risky with outsourced vendors who may have a high turnover of employees and contractors, and who allow many people to work from home.
Anyone with sensitive data on the screen can easily use a screen capture tool or take a picture of the screen with a phone and share it with colleagues and friends. If this information becomes public, your company may be subject to fines and litigation.
Fasoo Smart Screen discourages screen capture attempts by applying visible watermarks with user and company information to trace potential data leaks to the source. A customizable, visible screen watermark appears on websites, specific applications, and sensitive documents showing the user’s name, company name or logo, IP address, and timestamp. Administrators can see image logs of attempted screen captures. The visible watermarks deter leaking sensitive data since the user’s name is on the captured image.
Safeguard sensitive financial information in documents
Reduce the possibility of customer and supply chain loss by blocking screen capture attempts of sensitive financial information in files.
Employees and contractors share documents containing sensitive financial information as they work with customers and suppliers. Someone may create a document and share it or run a report from a financial system. The users could take a screenshot of the content and share it with anyone, either inside or outside the organization.
If a public company shares this data prematurely, it may disrupt markets and run afoul of SEC rules. If competitors have this data, they may undermine your supply chain or make a run at your customers with discounts and other strategies to steal them. Since anyone with a phone can take a picture and share it, you need to stop this from causing problems.
Fasoo Smart Screen can block screen capture attempts of sensitive data in documents and apply visible watermarks to trace potential data leaks to the source. Dynamic watermarks appear in sensitive documents and deter users from sharing images of them since the user’s name, timestamp and other identifying information are visible. If a user tries to take a screenshot of the document, an image appears over the content preventing the attempt. Administrators can see image logs of attempted screen captures to help address potential leaks with users.
Learn more about how Fasoo Smart Screen can help you protect sensitive data shared on screens.
Think about your worst nightmare. Someone steals confidential information about your customers or company and posts it on the Internet. You lose all credibility and your business suffers.
You pay stiff financial penalties and you face lawsuits from regulators and your customers. If you are a public company, you face shareholder lawsuits.
This situation is more commonplace as hackers exploit weak human and technology systems to gain access to your most important business information. With new technologies like ChatGPT allowing AI-driven malware, more phishing scams, and ever more sophisticated attacks, it’s not a matter of if you will be compromised, but when.
In the last year, there have been a number of large data breaches that caused big problems for the victims. In 2022, U.S. organizations issued 1,802 data breach notifications, reporting the exposure of records or personal information affecting more than 400 million individuals.
Nissan recently had customer information compromised by a partner in their supply chain. Avamere Health Services lost files with patient personally identifiable information (PII) and personal health information (PHI). Other major brands like Toyota, Twitter, and Cash App had critical information downloaded from databases or files stolen from misconfigured systems. A common approach is to target smaller companies within a supply chain whose security may not be as sophisticated as larger companies.
While a lot of the headlines talk about compromised databases, a lot of confidential and sensitive information is in documents. All organizations need to determine what is sensitive and where it exists. Then determine who has access to that information. The last step is to encrypt these documents with a persistent security policy that controls who can access the content and what they can do with it.
At a minimum, you should encrypt documents with personal information, such as customer and employee name, password, email, street address, phone number, social security or insurance number, birth date, and financial information. Next is anything critical to your business, such as budgets, strategic plans, product designs, software code, proprietary processes, and algorithms. Think about the secret formula for Coke or the search algorithms for Google. If it’s unique to your business and important, protect it.
Here are a few tips to prevent a data breach.
Identify sensitive data – before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process. Hackers and malicious insiders target non-public personal information (NPI), personally identifiable information (PII), and intellectual property, like designs, patent documents, or trade secrets. You need to identify it before you can protect it.
Encrypt sensitive data – encryption with a centralized access policy helps protect the security and privacy of files as they are transmitted, while on your computer, in the cloud, and in use. Encrypt all sensitive information with a data-centric security policy using Advanced Encryption Standard (AES) 256-bit cryptography. Only give access to those who need it to do their jobs.
Protect sensitive data when printed – with so many remote workers, you need to protect documents and other sensitive data sources with a visible watermark when users choose to print them. This becomes more of an issue as people continue to work from home and use local printers to print and review information. While many of us view information on screens, there are still many times when it’s easier to print something for review, and you should be able to trace the printout to its source in the event of a data breach.
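The first tip, identifying sensitive data, is usually automated with a discovery pass that scans document text for PII and financial patterns and assigns a handling label that drives the encryption decision. The following is an added example written for this page, not Fasoo's code: the detector patterns, the "CONFIDENTIAL" marker, the classification labels and the sample documents are all constructed for illustration. A Luhn checksum is applied to card-number candidates so that arbitrary digit runs (order numbers, timestamps) are not flagged.

```javascript
// Added example (not Fasoo's code): a minimal discovery and classification pass
// over document text. Patterns, labels and sample documents are constructed.

// Luhn checksum filters out random digit runs that merely look like card numbers.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, '');
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Each detector has a pattern, a category, and an optional validator that
// discards matches that only look right on the surface.
const DETECTORS = {
  ssn:   { re: /\b\d{3}-\d{2}-\d{4}\b/g, category: 'PII' },
  email: { re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, category: 'PII' },
  phone: { re: /\b\d{3}[-. ]\d{3}[-. ]\d{4}\b/g, category: 'PII' },
  card:  { re: /\b(?:\d[ -]?){13,16}\b/g, category: 'financial', validate: luhnValid },
  // Constructed marker an organization might stamp into trade-secret documents.
  ip:    { re: /\b(?:CONFIDENTIAL|TRADE SECRET|PATENT PENDING)\b/g, category: 'IP' },
};

// Returns counts of validated matches per detector, e.g. { ssn: 1, email: 1 }.
function scanDocument(text) {
  const findings = {};
  for (const [name, det] of Object.entries(DETECTORS)) {
    const matches = text.match(det.re) || [];
    const valid = det.validate ? matches.filter(det.validate) : matches;
    if (valid.length) findings[name] = valid.length;
  }
  return findings;
}

// Maps findings to a handling label. 'restricted' is the set that must be
// encrypted with a persistent policy before it leaves the endpoint.
function classify(findings) {
  const hits = Object.keys(findings);
  if (hits.length === 0) return 'public';
  const cats = new Set(hits.map(h => DETECTORS[h].category));
  if (cats.has('financial') || cats.has('IP') || findings.ssn) return 'restricted';
  return 'internal';
}

// Constructed sample documents; the card number is a well-known test value.
const SAMPLE_DOCS = {
  customerRecord: 'Customer: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, email jane.doe@example.com',
  directory: 'Office directory: call Bob at 555-123-4567 or mail bob@example.com',
  lunchMenu: 'Lunch menu: soup, salad, sandwich. Posted 2023.',
  orderRef: 'Order ref 1234 5678 9012 3456 shipped',
  designNotes: 'Project Falcon design notes. CONFIDENTIAL. Do not distribute.',
};

// Produces the inventory the tip asks for: what is sensitive and how to handle it.
function inventory(docs = SAMPLE_DOCS) {
  const result = {};
  for (const [name, text] of Object.entries(docs)) {
    const findings = scanDocument(text);
    result[name] = { findings, label: classify(findings) };
  }
  return result;
}
```

In practice the inventory would be fed into the encryption step so that every document labelled `restricted` is wrapped automatically, rather than leaving the decision to the person who created it.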
Preventing data breaches is not complicated when you think about protecting the data. Protecting servers, networks, and storage locations is important, but focusing on the data is the most important thing. The best way to protect information that is critical to your business is to encrypt documents with a persistent security policy. If an unauthorized person gets your document, it’s useless to them, since they can’t read the information inside without your express permission.
Give yourself some peace of mind by finding and protecting the information that is most critical to your business. You will prevent a data breach, protect your company and sleep better at night.
Many organizations have moved to a hybrid workplace and found there are new ways for employees and contractors to compromise their secure information. How, you ask?
The screen is drawing attention again as a new blind spot as many people work from home, use virtualized desktops and access a lot of applications in a browser.
There are two ways to protect sensitive data viewed on screens.
Add a dynamic visible watermark that discourages taking screenshots with a phone or computer and sharing them with unauthorized people.
Block computer screen capture tools from taking a screenshot.
Adding a watermark to your sensitive data is a simple way to protect it. It can show company and user information that deters leaking or misusing the data since it’s easily traced back to the data owner or company. You can show your company logo, the user’s name, and email, a timestamp, and other information that meets company security requirements.
If you collaborate with partners and customers, it helps maintain the security of your intellectual property and other sensitive data. It is critical to keep that data secure when accessing it in different applications or browsers.
While a watermark increases security, you don’t want it to prevent someone from reading the information. If the watermark is too intrusive and hides the critical details in a document or on the screen, it’s not usable.
Of course, the perfect security is to make it unreadable, but that will stop your business in its tracks.
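To make the first method concrete, the following is an added example of a dynamic visible watermark for a browser-based application; it is not Fasoo Smart Screen code. The viewer's name, email, IP address and timestamp are stamped on tiles repeated across the viewport, so a phone photo of any region carries the identity, and the opacity is clamped to the faint range the paragraph above argues for. The viewer fields, tile spacing and opacity limits are constructed sample values.

```javascript
// Added example (not Fasoo Smart Screen code): a dynamic visible watermark tiled
// across a web page. Viewer identity, spacing and opacity bounds are constructed.

// Builds the text stamped on every tile: who is viewing, from where, and when.
function watermarkText(viewer, when) {
  const stamp = when.toISOString().replace('T', ' ').slice(0, 19) + 'Z';
  return `${viewer.name} | ${viewer.email} | ${viewer.ip} | ${stamp}`;
}

// Computes tile anchor points so the mark repeats over the whole surface.
// Any photographed region larger than one step contains at least one tile.
function layoutTiles(width, height, stepX, stepY) {
  const tiles = [];
  for (let y = 0; y < height; y += stepY) {
    for (let x = 0; x < width; x += stepX) tiles.push({ x, y });
  }
  return tiles;
}

// Keeps the mark legible but faint: too opaque and the page becomes unusable,
// too faint and the deterrent value is gone. Bounds are a constructed choice.
function clampOpacity(opacity) {
  return Math.min(0.35, Math.max(0.08, opacity));
}

// Browser-only: paints a fixed, click-through overlay so the watermark never
// interferes with the underlying application. Returns null outside a browser.
function renderWatermark(viewer, options = {}) {
  if (typeof document === 'undefined') return null;
  const { stepX = 260, stepY = 160, opacity = 0.15, angle = -25 } = options;
  const text = watermarkText(viewer, new Date());
  const overlay = document.createElement('div');
  Object.assign(overlay.style, {
    position: 'fixed', inset: '0', pointerEvents: 'none',
    zIndex: '2147483647', overflow: 'hidden', userSelect: 'none',
  });
  for (const { x, y } of layoutTiles(window.innerWidth, window.innerHeight, stepX, stepY)) {
    const tile = document.createElement('span');
    tile.textContent = text;
    Object.assign(tile.style, {
      position: 'absolute', left: `${x}px`, top: `${y}px`,
      transform: `rotate(${angle}deg)`, whiteSpace: 'nowrap',
      font: '14px sans-serif', color: `rgba(80,80,80,${clampOpacity(opacity)})`,
    });
    overlay.appendChild(tile);
  }
  document.body.appendChild(overlay);
  return overlay;
}

// Constructed viewer context; in a deployment this would come from the session.
const SAMPLE_VIEWER = { name: 'Mary Example', email: 'mary@example.com', ip: '203.0.113.7' };

// Usage in a page: renderWatermark(SAMPLE_VIEWER, { opacity: 0.12 });
```

The overlay is `pointer-events: none` and sits above the application, so the user keeps working normally while every screen photo carries a traceable identity; refreshing the timestamp periodically keeps the stamp current for long sessions.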
Block Screen Capture Attempts
If someone works with sensitive data in an application, what’s to stop them from using a screen capture tool on the computer to grab an image of the data and send it anywhere?
Sometimes a watermark may not be enough to protect your sensitive data. You may want to block the Print Screen key, snipping tools, remote control, or any other screen capture applications that let users take an image of your data and share it. This gives you more control to prevent a user from maliciously or accidentally sharing this data with the wrong person.
Screen Security in Action
The finance department in a large company has a lot of employees working from home. Each person uses a number of applications to manage customer and vendor orders, payments, and contracts.
Mary needs to update some payment terms and banking information for one of her vendors. She opens a browser and logs into the vendor finance portal. Stan in vendor management sent her a document with the details to update. She copies the details from the document and updates the information in the portal. While updating, she is reminded to change some contact information, so she clicks into the CRM application to complete that.
While Mary is working on these applications, a faint watermark appears in the background with her name, the time, and a company logo. It doesn’t prevent her from working and after a while she barely notices it.
When Mary goes downstairs to grab a bite for lunch, her son comes into her office to use his computer. He sees some vendor information on Mary’s screen and is curious, so he picks up his phone and takes a picture of the screen. Opening the image, he notices there is some writing on it and sees his mom’s name and the time. He doesn’t want to get his mom in trouble by keeping the picture, so he deletes it from his phone.
Mary comes into her office after lunch and goes back to work. She opens a customer portal that shows orders for their largest customer. She runs a report showing orders for the last year because she needs to let the sales reps know the most popular items. They want to give major customers year-end incentives to boost revenue.
It’s late in the day and she decides to send a screenshot of the report to the account executive so he can see it on his phone. Mary uses an image capture tool to take a picture of the screen but sees a mask over the image. She remembers she can’t do that since this is very sensitive data and the company prevents users from taking screenshots of these pages. She decides to send the rep the link to the report, so he can access it in the portal.
How Does It Help?
The dynamic watermark on the screen is a deterrent to data leaks using a phone or camera. When Mary’s son took a picture of the screen with his phone, he noticed his mom’s name and other identifying information in the image. If he sent that anywhere, he not only could compromise company security but cause his mom a lot of problems.
When Mary tried to share a screenshot of customer data with her sales reps, she couldn’t because any attempts at screen capture are blocked. This not only reminds Mary of the sensitivity of the data but also protects it in case she forgets or if she or someone else decides to be malicious and share it with unauthorized people.
As a result, your sensitive data is secure throughout its lifecycle, and there is no compromise on its usability. The dynamic watermarks do not disrupt business processes and you prevent people from taking screenshots and sharing them with unauthorized people.
Forrester Research, the creator of the Zero Trust Model more than a decade ago, looks to clear up the matter. Marketing hype has co-opted the term, creating confusion and misunderstanding about the actual definition of Zero Trust, and driving skepticism about its practical, real-world implementation.
In its report The Definition of Modern Zero Trust, Forrester recounts the evolution of Zero Trust from 2009’s focus on network segmentation to today’s view that “data protection is the heart of Zero Trust”. The report provides a clear, concise definition of Zero Trust so security teams can cut through the noise to define what Zero Trust is, what it’s not, and what you can do to implement Zero Trust in your organization.
So, what can security teams take away from the report to guide their 2023 Zero Trust journey? Here are a few highlights.
From Network to Data
Make data protection a 2023 Zero Trust priority.
It’s no longer about the network, but more about data. Forrester goes so far as to state “data protection is the heart of Zero Trust.”
Data is often the real value of businesses today. By focusing on data and its movement across the digital ecosystem, Forrester creates an extended Zero Trust framework.
Data intersects with all other pillars of the Zero Trust Model – network, workloads, applications, and people. Building a framework to implement Zero Trust around data covers a broad range of use cases and makes sense in today’s hybrid workplace.
Network security is typically in the background and invisible to users. As the focus moves from networks to data, it’s important to present as little friction as possible, so that security is an easy choice for users.
Fasoo’s methods for safeguarding sensitive files enforce encryption, control over data-in-use, and access management, all implemented at the file. It doesn’t rely on security being in place at every cloud location, endpoint, or third party to implement Zero Trust principles, a key to Zero Trust data protection in today’s hybrid workplace.
Past Zero Trust programs often lacked clear business benefits and were too often developed around Zero Trust concepts rather than present-day challenges.
The hybrid workforce and moving to the cloud are key candidates for introducing Zero Trust into sensitive file protection. Forrester notes compliance as a “secret weapon” to get organizations moving. Insider and supply chain risk, cloud misconfiguration, and external threats are all in play for this dataset that’s growing exponentially.
Look to incrementally implement Zero Trust principles in tactical initiatives of immediate relevance to the business. Buy-in with well-understood drivers and outcomes will get your organization on the right path to Zero Trust.
Implement these updated principles in your data protection initiatives
As attacks have evolved, so have Forrester’s published principles for Zero Trust initiatives.
Principle 1. All entities are untrusted by default and access for every session is continuously reviewed and informed by context. Often this context can be the posture of a device, type of workload, attributes around identity, and more.
Principle 2. Least privilege access is enforced. Users, applications, and other computing infrastructure must utilize the bare minimum access needed to perform their function.
Principle 3. Comprehensive security monitoring is implemented. Understand how users operate and assets communicate. Pair this visibility with the tools, processes, and controls required to stop, remediate, and surgically remove or isolate detected threats.
Data protection encompasses a broad array of use cases and disparate technologies. Teams should narrow initiatives and look for high pay-off returns that bring Zero Trust principles to enhance current solutions.
Structured databases got early attention as network micro-segmentation tightened access to stop the lateral movement of threat actors. Look for tokenization and format-preserving encryption projects as next-step Zero Trust initiatives in this segment.
Attention is now turning from structured to unstructured data risk as sensitive files are created, accessed, shared, and stored across the hybrid workplace, often with little visibility and control. Traditional solutions failed to scale, and data is mostly monitored rather than protected.
Enhance data protection by building on existing solutions
Security teams today are adjusting their thinking about Zero Trust as new reference architectures from NIST and CISA present Zero Trust as a journey. The transition to Zero Trust is a strategic, multi-year process and is unique to each organization based on its enterprise architecture and risk evaluations.
It’s important that Zero Trust initiatives meet your organization where you are today. Most organizations have in place some form of data loss protection solutions and are already following a subset of Zero Trust principles.
High pay-off Zero Trust enhancements include control over data in use and self-governing files that carry protection and compliance wherever they travel. Capabilities that deliver deep visibility and universal logging of data usage are even more critical today to provide the rich context necessary to inform explicit access decisions.
Read the Forrester report to gain a more in-depth perspective and keep these highlighted guardrails in mind while advancing your 2023 initiatives and Zero Trust Architecture.
Organizations working to upgrade their traditional data protection solutions to Zero Trust standards are struggling. Zero Trust sets a higher bar and technologies underlying today’s solutions don’t scale to meet the challenges of the hybrid workplace nor do they protect data with strong enough methods.
Today’s DLP, CASB, and EPP solutions sit at data ingress/egress points applying rules and analytics as sensitive data moves about. But sensitive files find their way to third parties, unmanaged BYODs, and unsanctioned cloud services where data is accessed, used, and stored outside the corporate lens.
They also focus more on controlling, rather than protecting data. DLP and behavior analytics query and assess files to see if they follow rules and check for anomalous events. But the data itself is left unprotected and when breached too often goes undetected for weeks if not months.
Lost visibility and “observe rather than protect” methods fall short of Zero Trust standards. Zero Trust relies on continuous monitoring to gather context about users, applications, data usage, and devices to detect anomalous events. And data needs to be secure in all states, particularly for data in use, to stop exfiltration by insider and external actors.
How does Fasoo overcome these challenges to make Zero Trust for data security a reality?
Fasoo takes a different approach than today’s solutions. We push controls and advanced protection methods to what needs defense – the file – rather than chasing locations data may wander. Visibility is always maintained delivering rich context for Zero Trust explicit access decisions while data is encrypted at rest, in transit, and controlled while in use.
Here’s how our file-centric approach and these six key control and protection methods enhance your data security stack and put you on the path to Zero Trust.
1. Encrypt Sensitive Files Without Exception.
This seems an obvious need for an explicit-based model dealing with sensitive data. Don’t ask the new hire to decide. Use centralized policies and automated processes to transparently discover, classify, and encrypt sensitive files when users create or modify them. Hold the keys centrally so users don’t control your data, you do.
2. User Access, Least Privilege Access.
Letting an insider wander through a document repository or folders to access files is too implicit. Automatically assign and control user access to the file when and wherever it’s created. Use policies and automatically federate file access to the employee’s managers or department. Enhance least privilege access with data in use controls.
3. Control Data in Use.
What happens today with traditional solutions after an insider gains access to a file? It’s a free pass to copy, cut, paste, share, and store sensitive corporate data as they wish. If I simply need to view a document, why let me extract or share the data? Gain control with granular rights that limit how an insider uses your sensitive data.
4. Maintain Visibility.
Zero Trust relies on data visibility for continuous monitoring across the hybrid workplace. Today’s solutions lose visibility as data moves about siloed applications and unmanaged assets. Attach controls to the file itself to ensure visibility is never lost and logs capture all interactions throughout the document lifecycle.
5. Continuous Monitoring.
Siloed solutions don’t track data the same way or share log information. It’s impossible to monitor thousands if not hundreds of thousands of document interactions to surface anomalous events. Instead, enable each file to self-report context about users, devices, and data interactions to a universal log to make monitoring straightforward.
6. Adaptive Access.
Can you invoke a policy change across your entire hybrid workplace, dynamically, with tools in each solution to make stepped, adaptive changes to access? That’s what Zero Trust requires. A centralized policy engine can reach sensitive files anywhere across the hybrid workplace. Data in use tools can revoke or expand what users can or can’t do with the document.
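The six methods above, and the three Forrester principles listed earlier (untrusted by default with context-informed decisions, least privilege, comprehensive monitoring), can be shown working together in a small policy engine. The following is an added example written for this page, not Fasoo's platform code. It models method 1 as already done (the file bytes are assumed wrapped and the engine only decides whether access is released) and implements methods 2 through 6 on constructed data: a central policy store keyed by file ID, per-user rights, a device-posture check before any extraction right, a universal log of every decision, a monitoring query over that log, and adaptive changes (expanding rights, revoking the file) that take effect on the next request. User names, file IDs, device records and the denial threshold are all constructed.

```javascript
// Added example (not Fasoo's code): a toy file-centric Zero Trust policy engine.
// Encryption is assumed to be handled elsewhere; this decides whether access is
// released. All identifiers and sample values are constructed.

const RIGHTS = ['view', 'copy', 'print', 'share'];

// Method 2: rights live in a central store, not in the file or the folder, so
// one change reaches every copy of the file wherever it travels.
function createPolicyStore() {
  return { policies: new Map(), log: [] };
}

function definePolicy(store, fileId, { owner, grants, expires }) {
  store.policies.set(fileId, { owner, grants: { ...grants }, expires, revoked: false });
}

// Principle 1: default deny, evaluated with context on every request.
// Principle 2: only rights explicitly granted to this user are honoured.
// Principle 3: every decision, allowed or denied, lands in the universal log (methods 4 and 5).
function requestAccess(store, { fileId, user, action, device, at }) {
  const decision = evaluate(store, fileId, user, action, device, at);
  store.log.push({ fileId, user, action, device: device.id, at: at.toISOString(), ...decision });
  return decision;
}

function evaluate(store, fileId, user, action, device, at) {
  const policy = store.policies.get(fileId);
  if (!policy) return { allowed: false, reason: 'no policy: default deny' };
  if (policy.revoked) return { allowed: false, reason: 'access revoked' };
  if (policy.expires && at > policy.expires) return { allowed: false, reason: 'policy expired' };
  const rights = policy.grants[user] || [];
  if (!rights.includes(action)) return { allowed: false, reason: `right '${action}' not granted` };
  // Method 3, context-informed: extraction rights require a managed, compliant device.
  if (action !== 'view' && !(device.managed && device.compliant)) {
    return { allowed: false, reason: `device posture insufficient for ${action}` };
  }
  return { allowed: true, reason: 'granted' };
}

// Method 6 (adaptive access): widen or narrow a user's rights, or pull the file back entirely.
function adjustRights(store, fileId, user, rights) {
  const policy = store.policies.get(fileId);
  if (policy) policy.grants[user] = rights.filter(r => RIGHTS.includes(r));
}

function revoke(store, fileId) {
  const policy = store.policies.get(fileId);
  if (policy) policy.revoked = true;
}

// Method 5 (continuous monitoring): users whose denied attempts reach a threshold.
function deniedAttemptsByUser(store, threshold) {
  const counts = {};
  for (const entry of store.log) {
    if (!entry.allowed) counts[entry.user] = (counts[entry.user] || 0) + 1;
  }
  return Object.entries(counts).filter(([, n]) => n >= threshold).map(([user]) => user);
}

// Constructed scenario: mary may view and copy, a contractor may only view.
function runScenario() {
  const store = createPolicyStore();
  const managed = { id: 'laptop-01', managed: true, compliant: true };
  const byod = { id: 'phone-02', managed: false, compliant: false };
  const t0 = new Date('2023-03-01T09:00:00Z');
  const fileId = 'fin-report-q4';
  definePolicy(store, fileId, {
    owner: 'stan', expires: new Date('2023-12-31T00:00:00Z'),
    grants: { mary: ['view', 'copy'], contractor: ['view'] },
  });
  const ask = (user, action, device) => requestAccess(store, { fileId, user, action, device, at: t0 }).allowed;
  const results = [
    ask('mary', 'copy', managed),        // granted right on a compliant device
    ask('mary', 'copy', byod),           // same right, insufficient device posture
    ask('contractor', 'share', managed), // never granted
    ask('contractor', 'print', managed), // never granted
    ask('contractor', 'copy', managed),  // never granted
  ];
  adjustRights(store, fileId, 'contractor', ['view', 'print']); // expand
  results.push(ask('contractor', 'print', managed));
  revoke(store, fileId);                                          // pull the file back
  results.push(ask('mary', 'view', managed));
  return { results, flagged: deniedAttemptsByUser(store, 3), logEntries: store.log.length };
}
```

Because the log is written on every request rather than only at network egress, the monitoring query sees the contractor's repeated denied extraction attempts even though none of them moved any data, which is the visibility that perimeter tools lose once a file is on an unmanaged device.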
Take the Right Path to Zero Trust Data Security
Zero Trust is not a product. It’s a model. Vendor approaches to implementing Zero Trust for data security differ and most fall short of the higher standards Zero Trust demands. Make sure your security teams distinguish between the underlying technologies used to operationalize Zero Trust.
As users and data continue to move around, Fasoo’s file-centric approach and these six key control and protection methods are your best path to Zero Trust. Fortify data security with these explicit safeguards that are the cornerstones for Zero Trust Data Security.
Learn more about how Fasoo converges these explicit controls and protection with its Data Security Platform that makes Zero Trust implementation easy.
And how one of our customer’s CISOs executed a quick-take playbook to prioritize and accelerate the organization’s 2023 Zero Trust initiatives.
As 2023 planning kicks off, how many Zero Trust initiatives has your security team surfaced? Which are real Zero Trust or ones just seeking a budget home? There’s plenty of confusion and misunderstanding.
Analysts observe that most organizations are in the early strategy stages for Zero Trust, especially for data security. Your multi-year plan is probably starting to take shape but it’s not the playbook you need to make today’s priority calls. Teams struggle to move an emerging Zero Trust strategy to practical implementation.
So, what approaches can help with practical implementation and accelerate Zero Trust data initiatives?
Here’s a quick-take playbook from one of our customer’s CISOs. She gave her team guidance on challenges, 2023 candidate initiatives, and key Zero Trust principles to implement. The straightforward guidance worked and here’s how one project rose to the top.
Find a situation that needs an immediate fix. Data is under attack from any number of vectors, whether moving to the cloud, dealing with insider threats, or the explosion of endpoints.
Protecting and controlling sensitive unstructured data is an ongoing effort critical to corporate competitiveness and compliance with global regulations.
As employees moved to remote work, it accelerated the company’s hybrid workplace with cloud migration, mobility, BYOD, and collaboration platforms. Sensitive files made their way to unmanaged devices, cloud services, and third parties, where you lose visibility, and controls and protection are inconsistently enforced. Preventing the exfiltration of sensitive data became more difficult.
This left the CISO’s security team scrambling to deploy new point solutions, adding to their existing endpoint, network, CASB, and other data protection tools. These disparate, siloed point solutions still leave security gaps, are complex to operate, and overwhelm administrators.
Bring Zero Trust principles to core data protection capabilities first. These capabilities should enable a foundation on which you can build future Zero Trust data initiatives.
The team identified data discovery, classification, and enhanced data loss prevention as core processes needed to address sensitive data challenges in their hybrid workplace. They scoped the project to address two key issues.
Siloed point solutions present a fundamental problem for Zero Trust. Zero Trust requires deep visibility to continuously monitor interactions between users, applications, data, and devices everywhere. It won’t work when context isn’t readily available and dynamically shared across the entire infrastructure.
The team decided it was crucial to consolidate core data-centric processes in conjunction with the Zero Trust project.
Traditional data-centric tools fell short of applying Zero Trust principles in their hybrid workplace. They needed new methods for stronger protection, control, and visibility of data wherever it travels and however users access it.
The team used a Zero Trust network best practice – segment the network into micro-perimeters and place controls closest to what you look to protect. The team took aim at the file as the most discrete micro-perimeter and sought solutions that apply persistent controls and protection to the file itself.
Implement key Zero Trust principles
The Zero Trust model uses three key principles:
Do not trust all entities by default
Enforce least privilege access
Implement comprehensive monitoring
The CISO expected candidate projects to implement these principles.
Working through the challenge and scope, the team identified Fasoo’s Zero Trust Data Security Platform as a leading candidate. The Platform integrates a continuum of core data-centric security processes in a common framework. It eliminates siloes so data is visible and you can share contextual events across the infrastructure.
Fasoo’s methods for safeguarding sensitive files differed from other candidates. Fasoo enforces encryption, control over data-in-use, and access management, all implemented at the file. It doesn’t rely on security being in place at every cloud location, endpoint, or third party to implement Zero Trust principles.
Approved 2023 Zero Trust Project
Fasoo comprehensively met the CISO and security team’s requirements for a 2023 Zero Trust initiative. The platform’s flexibility and modular features allowed the use and integration of their existing security stack so the timeline for implementation would provide an early 2023 Zero Trust win.
See if the CISO’s quick-take playbook using these three straightforward guidelines – Challenge, Scope, and Zero Trust – works for you and your team.
And if the hybrid workplace and control and protection of sensitive data are on your 2023 candidate list, Fasoo is ready to help. For over 20 years Fasoo has developed and consolidated data-centric capabilities as we continually work to meet our customers’ growing demands for lifecycle management of sensitive data. Now, Fasoo leads the industry to converge Zero Trust and its Data Security Platform to make security stronger and easier.