
Navigating the Uncharted Waters of Unstructured Data Security

Ron Arden from Fasoo talks to Steven Bowcut about protecting and managing sensitive unstructured data

In S5E20 of the Brilliance Security Magazine (BSM) Podcast, Ron Arden, the Executive Vice President, CTO, and COO of Fasoo, joins host Steven Bowcut to shed light on the often-overlooked realm of unstructured data security.

In Part 1 of this conversation, Ron and Steven focused on some of the challenges and approaches to protecting and managing unstructured data.

 

Steven Bowcut
Welcome to the Brilliance Security Magazine podcast and thank you for joining us today. We appreciate your listening. We’ve got an interesting guest with us today. Today, our guest is Ron Arden. Ron is the Executive Vice President, CTO, and COO of Fasoo. Fasoo provides unstructured data security, privacy, and enterprise content platforms that protect, control, trace, analyze, and share critical business information securely while enhancing productivity.

Our topic for today is protecting and managing unstructured data. So before I bring Ron in, let me give you a little bit more information about him. Ron is responsible for operations, technology, and successful deployment of products and services to Fasoo’s customers. He has over 30 years of strategic planning, marketing, sales, business development, consulting, and technical experience in the information technology and cybersecurity industries.

Ron has held executive, management, and technical positions at numerous organizations, including Digital Equipment Corporation, Wang Laboratories, and IKON Office Solutions. With that, welcome, Ron. Thank you for joining me today.

Ron Arden
Thank you, Steven. Nice to be here.

Steven Bowcut
All right. Well, we really appreciate this. This is going to be a fascinating conversation. I’ve been looking forward to it. Let’s start with giving our audience a little bit more information about Fasoo, what you do, how you fit in the industry, and those kinds of things.

Ron Arden
Sure. You mentioned unstructured data. So let me define that first for those who don’t understand it. If you think about data, most people break it into two or three categories. Structured data are things in databases; columns and rows. Unstructured data typically is everything else. It’s usually just the files and documents we work with on a daily basis, whether it’s Word, images, CAD files, or whatever. That’s typically what people refer to as unstructured data. Sometimes people think of something that they call semi-structured data, which might be that I store a document in a repository like a SharePoint Online. But I think for our purposes, that’s defined as unstructured data. It’s files and documents. So, what we do is help customers protect, control, and trace sensitive unstructured data. As I said, it’s the documents we work with all day long, and we bill ourselves in a couple of ways. We have what we call the Fasoo data security platform, which is a set of technologies that allows you to discover, classify, protect, trace, and manage all of these different types of files, regardless of where they are. The way we do protection is we encrypt files, and then we provide a dynamic security policy or access control policies for those files.

And we also fit into a category of technology called data security posture management, which most people tend to equate with the cloud. But I think it’s really for all data, regardless of where it is. The point of DSPM is really to say that in my organization, I want to identify risks and vulnerabilities to my data. I want to implement proper security controls on that data, and I want to maintain visibility of that data regardless of where it is. That’s what Fasoo does in a nutshell.

Steven Bowcut
Okay. And you mentioned the cloud, and so there’s probably part of that that you could help clear up in my mind. So is your solution, your platform, a cloud-based solution where I’m going to offload all of my unstructured data to you, and that’s where you’re going to protect and help me manage it? Or is it more of an application that I’m going to run in my infrastructure internally where your solution will help me manage, or is it both?

Ron Arden
Well, it could be both. We do not typically store the data. We are just managing security policies around the data.

Steven Bowcut
Got it.

Ron Arden
And the services, the Fasoo services, we could provide that as a cloud service. It could be SaaS or a managed service or a company could run it on-prem. We’ve got a couple of customers who have air-gapped networks where they can’t go out to the cloud, and so obviously they have to run it inside their organization. And there are other people who, just for security or other purposes, want to run everything internally. But, yeah, we’re not storing the data. We’re not like a Box or something like that. We’re just managing the security around the data.

Steven Bowcut
Perfect. Okay. Thank you for that clarification. So, let’s talk about the evolution of unstructured data. I know that it’s changed greatly over the last couple of decades, so talk to us about that. Help us understand how things, that landscape has changed.

Ron Arden
The biggest issue around unstructured data is it’s everywhere, and it’s growing like crazy. One of the issues is that most companies don’t know what they have and they don’t know where it is. One thing that the cloud has helped, or made worse depending on your point of view, is I can go up to Amazon and spin up or provision new storage in a couple of clicks. And it’s so cheap that people essentially don’t care to manage it. And you just have data growing like crazy. So that’s the biggest issue. There’s so much data out there, you just think about this, every time you create anything on your endpoint or in the cloud you’ve got another piece of unstructured data. It’s growing exponentially. It’s in the cloud, it’s in on-prem systems, it’s in applications like Salesforce, it’s on your endpoint, it’s on your phone, it’s on your tablet, so it’s everywhere. That’s one issue. The second issue as to why it’s growing is you’ve got duplicates and derivatives everywhere. Let’s say I create a document and I email it to you and five other people. Now there are seven versions of this and then you make a copy and on and on and on. And so now you’ve got this insane amount of data that you can’t manage. And trying to determine where it is and what it is and if there’s any sensitivity around it is a huge challenge.

Steven Bowcut
Yeah, I can imagine that’s true. So obviously Fasoo is not the first one to think about how are we going to manage and protect unstructured data. So, what do you do differently? Or is there something that Fasoo does differently that sets you apart?

Ron Arden
There are a couple of different approaches that vendors take to managing data. One is they will use what we call a location-based or perimeter-based type of solution. I’m going to put a moat around my data and it’s usually location-based. So, let’s say I’m inside an organization, I have access control lists that will govern the ability to access a file on a server, or I have a CASB product that would allow me to control things that are in the cloud. The other approach is we bring the security down to the file. The issue with doing it in a location is what happens when I move it from the location. Well, all my security now evaporates, so it’s not an effective approach. And what I always say is people will play a game of whack-a-mole. I want to prevent you from moving it to the cloud, to a USB, or to something. And you can’t win that game because somebody’s going to figure out a way to get around it.

So we focus on the file, and as I said, we encrypt files. We assign dynamic security controls to those files to limit what users can do with the file. We also take it a little step further. There are a lot of other ways that you can exfiltrate data. Two of them are print and screen. A lot of people don’t think about this, but if I just print something to a PDF, I can now take it and I have no control over it. If I have sensitive data up on a screen and it could be I’m in a call center and I’ve got PII or something sensitive. Or maybe I’m in an environment where I’ve got CAD applications and I’m doing some kind of a VDI. There’s just a lot of stuff on the screen. Well, anybody could take out their phone and take a picture of it. And now you’ve compromised your data. So, we protect the screen, print, and all of these other areas. What we’re doing at the file level is, I said we’re doing encryption, but we’re providing a dynamic security policy. So, if you think about the world of security and data, you have data controls, data at rest, data in transit, and you have data in use.

So data at rest. Everybody’s got encryption on their hard drive. But if you take it off the hard drive, it’s no longer protected. In transit, I’ve got SSL communication everywhere, so that’s cool. But when I open up a document, I need to have some protections, because if I allow you to copy and paste something into a Slack channel or into an instant messaging app, you no longer have any control over that. So, we’re providing that level of control to all of these types of documents. The other thing that I think makes us somewhat unique, is we have a very large set of file formats and applications that we support, including CAD applications. That’s very important, obviously, in manufacturing. We support the ability to protect your source code as well as your standard office documents and multimedia and things like that. The other two areas that I think are very important for us are there are a lot of companies who believe that the user of the data or the data owner should ultimately be in control of the security of that data. And at times that makes sense. But for some organizations, it makes no sense and it makes more sense to do things centrally.

You create security policies and users just work with their documents. And as they create and modify them, they get encrypted and protected and policies get applied. Centralized management prevents users from having to become security experts. And again, sometimes that makes sense, but sometimes it doesn’t make sense. You just need people to do their jobs. And the last thing I think that is also very important, which I think talks to the maturity of our platform, is what we broadly call exception management. I don’t care how diligent you are with your security controls, there’s always got to be a change. Business changes and people move to different departments. So, making it easy to apply exceptions to security policy is very important. In our case, a user can right-click and request a change, whether it’s granting them additional permissions or exempting them from something like a watermark on a screen. Again, you need to be flexible and make it easy for the end users to be able to work.

Steven Bowcut
Interesting. Well, I certainly like that approach where you protect the data regardless of where it’s at. And a couple of times you kind of alluded to this. There’s a phenomenon that I’ve noted that happens in security. It happens a lot. We find ways to secure things, but in doing so, we’ve hampered how people work and we underestimate how creative they will get just to do their jobs. They’re not doing anything nefarious, but they need to do their jobs and they will come to all kinds of creative solutions to figure out how to continue to do their jobs. And so if we force them, they will in so doing bypass our security.

Ron Arden
Yeah, I mean, we always said that the perfect security is unusable. We’re always trying to balance productivity and security because like you said, people are going to find a way around it and then what’s the point in having it?

 

Part 2 of this conversation is coming soon.

The transcript of this conversation has been shortened and edited for clarity and the blog format.
