Last month, Ron Arden sat down with ISMG’s Chris Riotta to discuss how the traditional location-centric approach to data security has proven inadequate as technology changes and employees increasingly work remotely with sensitive files on laptops, external drives, and cloud platforms.
The widespread adoption of hybrid work has exposed critical gaps in how organizations track and secure sensitive data, particularly unstructured files that employees access across multiple devices and locations. This shift requires a fundamental change in how organizations approach data protection, moving from securing locations to securing the data itself.
Chris Riotta
Hello and welcome to ISMG Studios. My name is Chris Riotta for ISMG, and today we are at our New York Financial Services Summit. I am so delighted to be joined by Ron Arden, Executive Vice President for Fasoo. Ron, thanks so much for joining us today.
Ron Arden
Thanks, Chris. Great to be here.
Question 1
Chris Riotta
I’d love if we could just start by discussing some of the main challenges that you’re seeing around data security in hybrid and remote work environments, and how does Fasoo address these with really proactive solutions?
Ron Arden
I think the biggest problem that people have today is that they don’t know what they have and they don’t know where it is. We, at Fasoo, focus on unstructured data or data that’s in documents and files. We are not worried about databases, but the documents people use every day; Word, PowerPoint, Excel, that kind of stuff. And in a remote and hybrid world, people started taking things home with them to be more productive. So, I’ve got financial data, things that are very sensitive on my laptop, or on a thumb drive, or on an external hard drive, whatever it is. And even though people are trying to make better use of SharePoint and cloud-based systems, people just don’t know what they have and they don’t know where it is. I think those are the biggest challenges.
And in a regulated environment like financial services, you have to know what you have. You have to know levels of sensitivity of that data. And it’s not that everything is sensitive, you know, it might be the 80:20 rule. 20% of what you have is very critical data. The rest of it, it doesn’t matter. But if you don’t know what it is, you don’t know where it is, you can’t manage it. You can’t control it. You can’t gain any visibility. I think that’s the biggest problem we see today.
Question 2
Chris Riotta
Sure. And speaking of sensitive data, can you sort of describe Fasoo’s approach to securing sensitive data throughout the lifecycle, particularly around encryption?
Ron Arden
Yeah. The approach we take, we refer to it as a data-centric approach as opposed to a location-centered approach. There are lots of tools out there that will help you contain data that’s in a location. The problem is as soon as you move it out of the location, you have no more controls.
So, we encrypt a file and then we apply what we call advanced security or granular controls to that file. And what that does is it says every time a user goes to open the file, they have to be authorized and validated by some identity and access management system; whatever the customer has. Then I need to have a policy in place that says, can they open the file? Beyond opening the file, what I want them to do with the file. Do I want to just allow them to view, or view and edit, or print, or take a screen capture? So, we have a lot of controls like that.
If you start thinking about a lot of solutions, even with encryption solutions, once you’ve opened the document, you can do anything you want. You could copy and paste it into ChatGPT or a Slack channel and now you’ve got a problem because this regulated or sensitive data is no longer controlled. If I can control the fact that I’m not going to allow you to copy and paste to an email or Slack, I now actually have real control over the data. So that’s our focus. Data-centric and encryption in a way that users don’t have to do anything. There are policies. All this stuff is just done by the system and users don’t have to become experts at anything. They just do their jobs.
Question 3
Chris Riotta
So how do you think organizations should be thinking about, you know, the need to enhance accessibility to data, especially in remote and hybrid environments, while also balancing the need for security?
Ron Arden
One of the key things that we always try to do is balance productivity and security. The perfect system is something you can’t use, a locked-down computer in a room. It’s pointless. Right? So, our system is as unobtrusive or unintrusive as we can make it. It’s as simple as if I have a policy that says I’m allowed to edit a file.
Let’s say it’s a Word file. I double-click it. I open it. It’s just Word to me. I can edit it; I can do everything I need to. So, I have all the accessibility. But maybe I’m not allowed to print it. So, I can’t print it. The print menu is actually grayed out. Or if I try to use something like Snagit, let’s say, to take a screenshot of it, there’s going to be a blue mask. So, for the most part, people can just do what they do and the productivity is fine. I’m not impacting my productivity.
If you get into a situation where the customer or the end user needs to be able to do something that they weren’t authorized to do, we have a very simple exception management system where a user could right-click on a file and just say, I need to request a change in the policy for a period of time. I need to be able to edit this document because of whatever business reason. So that’s a very good way to balance, I think, the productivity and the security. And it’s our goal to make sure that customers really don’t know there’s security there. It’s just a document, and they work with the document as they always do.
Question 4
Chris Riotta
So obviously we’ve seen kind of an avalanche of data privacy regulations in recent years. Lots of compliance requirements. How do you find organizations are meeting those sort of requirements? And what role do you think Fasoo and other similar organizations can play in supporting those sort of journeys?
Ron Arden
So typically, with privacy, there’s really two components to it. One is I need to have an audit trail, possibly to prove to a regulator that these are the people that touch the document and I can prove that the controls I put into place are in fact effective.
Chris Riotta
Right.
Ron Arden
The other issue is I want to make sure that anything subject to a privacy regulation is only accessible by people who need to access it and that that data can’t get out of the organization. If so, I would have some kind of a data breach, which means there are fines and things like that. So, with this method I’ve been talking about, again, a document will be encrypted. And there’s a couple of ways to do it. One is I could set a policy that just says when a user saves a document, it automatically gets encrypted. If you’re in a department, let’s say you’re in a bank and you’re in the wealth management group, everything you touch is going to be sensitive. So just automatically do it. Users don’t even have to think about it. So that does the things I’ve been talking about. I have auditability, which I could prove to a regulator. If a document gets exfiltrated, people on the outside have just gibberish because it’s an encrypted file and I can control who in the organization has legitimate access to it. So that kind of meets all the requirements of my privacy.
Question 5
Chris Riotta
And so, then what do you feel are sort of the key advancements in data security technology that organizations should be watching closely over the next year? Obviously, something we’ve talked a lot about today is automation, AI, emerging tech throughout the summit.
Ron Arden
Yeah, I think that getting people, meaning users, out of the business of having to worry about security is something that is getting better and better. Users are not security experts. They are financial analysts or HR people or whatever they are. They’ve got a job to do. You know, it’s kind of like antivirus. It just sort of works in the background.
I think AI has helped in a number of areas. In our area, we have things where we’re using some LLM engines that we’ve built to help with the discovery of sensitive data. So, it’s better at recognizing context, let’s say. Because I could have a number that looks like a social, but it isn’t. It’s something else. But if I have context around that, I can tell it’s sensitive. So, we have AI that can help with that in our product set. In a lot of other companies, I think using AI is just a better way to surface something sensitive. I think that is very helpful. And I think another area where AI is very helpful is to make sense of all of the audit data that you have. You know, so whether it’s in our product or, as I mentioned in my talk, people have SIEMs that pull in everything, but it’s just an avalanche of data. You can’t make any sense of it. So, I think AI is helping to sift through that and just make it easier for security professionals to do their job and worry about the stuff that’s important.
One area that we have focused on even before AI was a lot of the tools that people use are focusing on, you know, I’ll call it the goes-intas and the goes-outas. Stuff that’s moving around. And if you are encrypting your documents and everything is at that layer, you don’t care as much about the movement because it’s always controlled. So, the fact that it hit a thumb drive or it got exfiltrated is sort of an irrelevancy. I think if people think a little bit more like that and then use something like AI to help them whittle down the information that they really need to pay attention to, I think those are some of the areas that could be very helpful.
Question 6
Chris Riotta
And in your opinion, have the net benefits of implementing AI tools and new technologies and automation outweighed the risks and sort of the inherent vulnerabilities that come along with those new technologies?
Ron Arden
I think for the most part, yes. I mean, AI to me is still in its infancy. AI per se is not. AI has been around for a long time. I think it’s the ChatGPT side of the world, and I think we’re all trying to get our hands around it. I was at an event with a bunch of CISOs a few months ago, and a lot of them were saying, it’s just another tool. Granted, there’s all the gloom and doom around, you know, whatever, but it’s just another tool that we have to deal with. I think the difference, especially with people who are using public LLMs, is that an organization needs to put a little bit more control around what they’re putting up there, because we’ve heard things like, oh, I could use it to code. Well, that’s great, except if I’m putting a bunch of proprietary code into an LLM, not a good deal. So, I think we’re kind of in this odd stage where I don’t think AI to me is the boogeyman. And I think people are getting benefits that I think are outweighing the risks. But you have to be kind of judicious, I think, in the way you use it.
Chris Riotta
Yeah, yeah. It’ll be fascinating to see how it all develops.
Ron Arden
Yeah. I mean, even in the last year, I think it’s changed quite dramatically. We went from gloom and doom to, you know, this is a pretty good tool. I mean, on my phone, I was texting just in my SMS app, and an AI thing popped up. It’s like, I didn’t even know that was there, but I took advantage of it.
Chris Riotta
Yeah. So, it’ll be crazy to see how it all advances in a year from now.
Ron Arden
Yeah, exactly. It’ll be really fascinating.
Chris Riotta
Well, Ron, thank you so much for your time. We really appreciate it.
Ron Arden
My pleasure. Thank you, Chris.
Chris Riotta
Absolutely. Thanks so much for tuning in for ISMG. I’m Chris Riotta.