Encrypt, Control and Manage Unstructured Data

Fasoo discusses how to encrypt and manage sensitive unstructured dataIn S5E20 of the Brilliance Security Magazine (BSM) Podcast, Ron Arden, the Executive Vice President, CTO, and COO of Fasoo, joins host Steven Bowcut to shed light on the often-overlooked realm of unstructured data security.

In Part 2 of this conversation, Ron and Steven focused on security challenges and some use cases of how businesses protect and manage their unstructured data.


Steven Bowcut
Let’s pivot just a little bit and maybe address the why question. So why being, why the security? So what are some of the security challenges associated with unstructured data? What threats are there?

Ron Arden

If you think about what people are trying to do, in the security world, there are really only two things.  Somebody’s either trying to disrupt your business or they’re trying to steal your data.  So we’re focused on the steal your data part and there are only two reasons for data security.  One is you want to protect your intellectual property or you have to comply with privacy and security regulations like GDPR or similar regulations. That’s it.

We have somewhat of a simplistic way of looking at the world of data, and this is an oversimplification, but it’s a good way to start. Think about bifurcating your data, and say it’s either public or it’s not.  If it’s not, I need to protect it.  So the challenge is, how do you do that?  I need to look at the visibility or data lineage of all of my data. Data lineage is something that people talk about when they’re talking about privacy more than I think, intellectual property. But like I said, with all these derivatives and everything, I need to determine what I have and where it is.  So that’s a key security challenge. What do you have that’s sensitive? And what do you do to ensure that only authorized users are accessing it?

The other issue that people have is trusted insiders, or what people call insider threats. An insider threat is two issues. It’s deliberate, or it’s what I call oops. How many times have you fat-fingered an email address and you send it to the wrong person? Or you copy something to the wrong location.  That’s not malicious.  It’s people trying to do their jobs and something gets out and now an unauthorized person has it.

You also have a malicious insider who wants to make a buck or wants to hurt their employer. So that’s what I talked about earlier with what we call data in-use protection. If I use, let’s say, full disk encryption on my endpoint, then the document is encrypted. But as soon as I open it, I can do anything I want with it. I can copy and paste, I can do anything with it. So to be able to protect against that and things like screen captures and printing, we apply security through both authorization and access controls. I want to make sure that only an authorized user can access the file. I think those are some of the biggest data challenges people will have.

Steven Bowcut
Interesting. And as you were saying that, it just occurred to me that, and anybody in security understands this, but a lot of times it’s the oops and the malicious intent. Working together is what causes the real threat. So the Oops is I forgot to protect this storage. Like you said, it’s so easy to spin up a new storage container somewhere and I forgot to protect it. I just didn’t click the right things. And now I’ve got this data out there that’s not protected. Well, that’s what a lot of the threat actors are looking for, right, is an Oops. They’re looking for something that somebody did, they didn’t configure correctly. And so there’s their opening. So those two work hand in hand all the time.

Ron Arden
Yeah. Most IT organizations are overburdened and trying to keep up with patch management. Just all the basic hygiene. Yeah, it’s really hard. And so it’s not malicious. It’s just oops.

Steven Bowcut
Yeah. And mistakes will be made. That’s what humans do. Right? And you also mentioned GDPR. I’d like to expand on that a little bit. GDPR, CCPA, and compliance in general.  I assume that that’s part of your security rules. You take whatever compliance issues the client has and build rules around that or don’t. Let me talk about your product, you tell us how you do it.

Ron Arden
There are two approaches we have. One is that we can help you find data that is subject to regulation. So PII, PHI, anything like that. We have tools that will go out and do crawling of content and help determine what is sensitive and what is not and then can take appropriate action.  Can tag it, put encryption on it, and things like that. A number of the regulations talk about encryption, like GDPR, which I think was the first one that talked about encryption. They’re a little bit vague as to what encryption means because as I mentioned earlier, you’ve got encryption at rest, encryption in transit, and then data in use encryption. Most of them are just saying encryption. So the assumption is if a document is encrypted and I move it somewhere else, I exfiltrate it, then I don’t have an event. There are no privacy issues. But since we’re controlling what a user can do with the file when it’s open, and we require authentication and authorization each time, we can guarantee that only an authorized person can access it.

To be able to prove to a regulator that I know where my sensitive data is, here’s how I’m managing it, and here’s how I’m controlling its access, that’s how you’re meeting the variety of these regulations. The other thing I mention is most of the regulations, I think this started with HIPAA years ago, they said that if a piece of data is encrypted and it gets out and it’s not in human-readable form, that’s not considered a breach event. So you don’t even have to go through breach notification. I’m not an attorney, and I’m never going to tell a company what not to do. You have to check with your attorneys as to what a breach is. But that’s something I’ve heard from attorneys. So if you think about just the point of view of preventing fines or preventing a regulator from dinging you, going through this process and saying, okay, everything’s encrypted, everything’s controlled, I don’t have to worry about it because I’ve met all your compliance requirements.

Steven Bowcut
Yeah, I appreciate that clarification because I know that sometimes I think about the news media, and as a journalist, I feel entitled to talk about the news media this way. But we don’t really do a service to the public because we don’t clarify that sometimes there’s a breach. Some data was exfiltrated. All right, well, was it really sensitive data and was it encrypted data? And those kinds of details don’t always make the headline or even the body of the story. And so people are left with an impression that may or may not be accurate. So I appreciate that.

So let’s pivot again here. And so if I’m an organization and I’m interested in your solution, talk to me about how arduous it’s going to be to integrate your solution into my existing infrastructure.

Ron Arden
A lot of companies are looking at cloud solutions. With all of our server-based components, the services can run in a cloud.  It could be SaaS, it could be managed, it could be their cloud, it could be our cloud. If it’s on-prem, we can run on pretty much any major operating system, any Unix, Linux, or Windows variant.  So we’ll just fit into whatever their stack is.

We also will use an existing identity and access management system. So when people log into their computers, we’re just picking up whatever credentials they have. It could be Microsoft Active Directory, or it could be a SAML-based product. Whatever it is, we’re just leveraging that authentication. We’re not doing the authentication, we’re just saying whatever authentication system you have, you are being authenticated, and then you are telling our system, okay, this is Ron, or this is Steven.  And then beyond that, all the communication between the client and server is HTTPS. It’s just standard web-based traffic. So we’re not going to violate firewall rules. Most people are passing that kind of stuff anyway.

Our systems can all run in any kind of virtualized type of environment, including AWS, Google, and Azure. What we’re trying to do is fit into an existing infrastructure as best we can. One of the advantages I think we have is that 80% of our systems are all UI-based, but like most good configurable systems, a lot under the covers is XML.  I can change configurations in an XML file to fit with any type of infrastructure. We’ve had some of the most complex infrastructures you could imagine with security. And given the flexibility of our platform, it’s just very easy for us to get in there. On the endpoints, there is an endpoint agent that’s going to manage all of this. Any distribution process that any company has to deploy software, we can just fit right in.

Steven Bowcut
Okay, excellent. All right, so everyone loves good use cases or success stories. So do you have any of those you can share with us?  Some examples and you could protect your client’s names if you feel like you need to.

Ron Arden
Yeah, most of our customers don’t like us mentioning their names.

Steven Bowcut
That’s the thing about security, right?

Ron Arden
Absolutely.  And if you go to our website, there are several success stories and use cases. But I’ll give you a couple of examples, some fairly broad, some fairly specific. We have a couple of very large global manufacturing companies. There’s one that’s in the automotive parts industry. Their VP of Engineering came to us and said at one point he felt like he was Automotive U, because they would train engineers, and then the engineers would walk out the door with all their CAD drawings and go to a competitor. So that was a key thing. They wanted to guarantee that all of their intellectual property, it was primarily CAD drawings and process type of information, was secured and protected. Then we extended it beyond that to all kinds of standard office documents.  We have another manufacturing company that’s also extending that security out to their supply chain. They have a lot of subs who make components and they have to guarantee that when they share it with a sub, that sub cannot compromise it, share it with their sub, or potentially their competitor.

I have a small company that’s one of our customers in Texas, and they make the razor blades for the oil and gas industry.  A lot of consumables that are part of that industry. And what they used to do is very interesting because they have a lot of customers that are competitors in the oil and gas industry. They’d be making components and they color-coded things on the manufacturing floor. If company A executives were walking through, they would put a tarp over the competitor stuff to make sure that they didn’t see brand names on it.  With our technology, they can protect all their IP.  They use that as a marketing tool because they could say to their customer, ABC Oil company, I can guarantee you that any specs you send us for us to make parts on your behalf aren’t going to get to your competitor, and here’s why. So those are a couple of interesting ones in the manufacturing field.

We also have a couple of other examples. One of our banking customers had a regulatory issue.  They have branches, as many banks do in New York, and a couple of years ago, New York came out with what they called NYDFS.  This was a data security and privacy rule, something similar to a CCPA, but very focused on the financial industry. They had to guarantee that they could find, tag, manage, and control all of their PII. So we helped them with some of our tools to do that.

And then another very specific example, we have a retail customer, and I’m not going to mention a name, but many of us have been in their stores.  If you go to purchase one of their products or services, it’s very common that you’re going to have to hand over a driver’s license or maybe a pay stub if you’re going to get some kind of a discount.  They need to scan that PII and it goes through a processing chain into an order processing system.  As soon as that information is scanned, it’s turned into a PDF, and then it’s encrypted with our technology.  So it’s kind of an inline workflow, and then by the time it gets to the processing people, they open it and they’re very limited in what they can do. It’s primarily just reading that information. So those are just a handful of use cases and examples.

Steven Bowcut
I really like your example when you’re talking about the supply chain because, in today’s world, we’re so dependent on the supply chain. We’re sharing data with our supply chain partners all of the time. And as you pointed out, oftentimes our supply chain partners are also partners with our competitors. And you need to have some way to be able to protect that data, not only from threat actors but from someone purposely sharing it with one of your competitors. So that’s an interesting use case. I appreciate that.



Part 3 of this conversation is coming soon.  Read part 1 of this conversation or click to hear the podcast in its entirety.



The transcript of this conversation has been shortened and edited for clarity and the blog format.

Book a meeting