
Remote work is putting sensitive data at risk. That we can all agree on. Traditional endpoint protection frequently fails. So what about stronger surveillance of remote employees at home?

*

Let’s monitor the heck out of them, shall we?

That seems to be the approach of some financial services firms whose remote workers handle sensitive financial data and Personally Identifiable Information (PII). Is remote work surveillance a good idea? 

Perhaps, if your organization is craving attention – from the Washington Post, for example – for all the wrong reasons: privacy concerns, lawsuits, alienated employees and contractors. 

“Excessive surveillance,” writes ZD Net’s Owen Hughes, “is having profoundly negative effects on the workforce.”

But does it work?

 

Why monitor employees at home?

You see, that’s the other catch: it may not be worth the effort and expenses. Digital surveillance, warns Tech Target’s ComputerWeekly (UK), may “increase enterprise risk” by “forcing remote workers towards shadow IT.”

In short, excessive work-from-home surveillance doesn’t only erode trust and productivity. It also results in weaker data protection and employees leaving for the competition. 

What’s not to love? Perhaps you agree: pretty much everything, if you value your employees and work culture.

The tips below favor a non-creepy approach that is more sustainable: 

 

5 data protection tips for maintaining trust in the Zero Trust era  

Fasoo’s data-centric security model maximizes document protection – not the surveillance of the people handling them from home. Fasoo enables IT to secure and keep tabs on sensitive unstructured data throughout the document lifecycle, instead of putting employees and contractors under home office surveillance.

  • Stay vigilant; keep watching. 

Fasoo Enterprise DRM lets your organization automatically assign file protection without user intervention at the point of creation. Encryption and policies keep the document secured even when it is shared outside the organization by mistake.

Efficient document protection with Fasoo enables your organization to continuously monitor, log, and flexibly change who’s accessing confidential files and how. 

 

  • Turn your employees’ bedroom nooks into secure print stations.

What would it take, aside from nationwide lease, maintenance, and insurance contracts? The kids giving up their bedroom? A two-camera surveillance system? 

Or, less creepy: You deploy Fasoo Smart Print as your organization’s remote network of monitored print stations. Regardless of which physical or virtual printer is used – including the old inkjet in the bedroom nook – IT remains fully in control.

A granular audit trail includes the text or image of the actual printed content. It ensures visibility into all print activities that involve EDRM-secured documents.

 

  • Intervene when they take a snapshot.

How do you keep remote employees, in the privacy of their home, from using the Print Screen key, screenshots, or a smartphone to take pictures of confidential information?

Install more spyware and observation cameras? Think about the possible impact on your workforce retention rate in the “great resignation” era.

Here’s a less heavy-handed approach that’s more efficient than excessive remote work surveillance. Deploy Smart Screen, Fasoo’s on-screen document protection. It enables IT to block and monitor screen capture attempts. Administrators can monitor all screen capture attempts and even view an image of the targeted areas.

It may be impossible to keep a determined person from taking photos with a smartphone or camera outside a high-security office area or designated data room. That’s why effective deterrence is essential. Fasoo Smart Screen enables admins to imprint sensitive documents with a visible “smart” watermark that contains tell-tale user-specific information.

 

  • Keep tabs on them outside work and after hours.

On your files, that is. Shareholders, customers, and regulators expect you to protect confidential financial information and PII throughout the document lifecycle. Password-based document protection or Data Loss Prevention (DLP) solutions, for example, cannot provide this level of security.

DLP aims to prevent data exfiltration, but files can still make it beyond your organization’s IT perimeter: on a USB stick, for instance, or via a personal cloud storage account.

With Fasoo Enterprise DRM, encryption and policy settings apply regardless of where the document lands and prevent unauthorized access. A confidential file remains protected even in the wrong hands.

  

  • Always and immediately involve higher-ups, IT, and HR… 

…when (former) employees attempt to access specific documents. Sounds ridiculous, right?

Well, that’s because it is. Yet, some Information Rights Management (IRM) solutions expect data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Workflows become work trickles. People find shortcuts. Overall data security suffers.

Fasoo’s centralized policy management capabilities allow for flexible, people-centric exception handling. It integrates with all leading federated authentication systems, minimizing risk when employees change departments or leave the company.

This approach ensures that everyone who needs to be is in the loop about a file’s security – the document creator, supervisors, IT, and HR. No home office surveillance required. 

*

 

Zero Trust makes sense. Until it doesn’t.

Would you make Zero Trust your People & Culture or HR slogan? Let’s face it: You need a Zero Trust strategy to secure your data. As a tagline for your work culture, on the other hand, it would be a less than ideal pick.

With Fasoo Enterprise DRM, you don’t have to sacrifice trust and productivity by setting up remote work surveillance bridgeheads in your employees’ homes.

As a cornerstone of your Zero Trust strategy, Fasoo empowers your organization to maintain its work culture and trust within the team while still ensuring maximum data protection.

 

Contact the Fasoo team to find out more.

Merger and acquisition (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?

*

Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That’s on the buyer’s side as well as on the seller’s teams and includes investment banks or Private Equity (PE) firms. 

This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.

Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.

 

M&A activities at an all-time high – and deal leaks, too

The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example. 

A global automotive component manufacturer is planning with its investment bank the acquisition of a publicly traded semiconductor design and manufacturing company.

Table Overview: Deal Leaks by Sector

Source: SS&C Intralinks 2020 M&A Leaks Report [PDF]

 

It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge. 

 

The challenge: Remote work amplifies M&A security risks

We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them. 

Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.

These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.

 

The solution: data-centric M&A security

Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.

Bar chart: M&A cost distribution, by phase (IBM)

Source: IBM Benchmark Insights: Assessing Cyber Risk in M&A

 

In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly. 

Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage EDRM to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.

 

M&A and beyond: document lifecycle protection

Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.

 

  • Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.

    This phase usually involves a large number of files in various Microsoft Office document formats and Adobe PDF files. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.

 

  • Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs. Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.

 

  • Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate. In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, even sensitive records exported from databases are automatically detected, classified, prioritized and encrypted when they enter the buyer company’s environment from the acquired company.

During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop. 

After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.

 

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 

*

The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders – often working remotely – now account for more than 50 % of data breaches in the financial sector, according to security research. Several terabytes of sensitive data have been ransacked or leaked from more banks and financial services or law firms since that 2015 data breach. Think Pandora Papers, the confidential documents including supposedly secure PDF files, images, emails, and spreadsheets from 14 financial service companies offshore. 

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

18 months later, research shows: that warning about remote work security still stands. Industry experts point to misconfigured VPNs, insufficiently secured home WiFi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote Work Security - infographic excerpt

Source: Tessian (Infographic)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention tools (DLP), firewalls, endpoint protection – cannot ensure adequate protection. Recent threat reports confirm: attackers are busy exploiting the remote work blindspots and endpoint vulnerabilities to the fullest.

 

Document theft-as-a-service: Search. Scoop up. Siphon off.

As a result, credit unions, investment banks, and mortgage lenders, and their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm Trend Micro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There’s a direct and significant connection. New ransomware variants don’t merely encrypt the victim’s business-critical data and demand a ransom for unlocking it. The latest exploit kits are also optimized for data exfiltration.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI sent out this Private Industry Notification [PDF]. It describes how perpetrators specifically target confidential documents about planned mergers and acquisitions, to release them on the internet if the victim doesn’t pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control  – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Bank CISOs recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP), firewalls, endpoint protection – cannot ensure adequate protection anymore.

Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee the access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.

The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which is limited to tagging such information for protection within the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.

 

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

 

    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.

 

Boost for remote work security and productivity in banking

This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, enable organizations to apply print protection and watermarks for plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to applications and URLs to block screen capture attempts of sensitive data and monitors all screen capture attempts.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

IT, compliance, and risk management leaders need a reference of terms, acronyms, and key people in the enterprise digital rights management (EDRM) domain. This Enterprise DRM Glossary will be updated regularly. The EDRM glossary draws on various sources, including books, periodicals, websites, subject matter experts, and Enterprise DRM users. We welcome your feedback and suggestions of terms to include. Contact us at info@fasoo.com.

CAD Security
Centralized Policy Management
Data-centric Security
Data Loss Prevention (DLP)
Digital Rights Management (DRM)
Encryption
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Information Rights Management (IRM)
Insider Threat
Intellectual Property Theft (IP Theft)
Microsoft Azure Information Protection (AIP)
PDF Security
Permission
Personally Identifiable Information (PII)
Print Protection
Provisional Permission
Secure File Sharing
Secure Print
Unstructured Data
Zero Trust Document Protection

*

 

 

CAD Security

CAD security, also referred to as CAD file security or CAD protection, describes the methods, means, and measures available to protect specifically Computer-Aided Design (CAD) / Computer-Aided Manufacturing (CAM) / Computer-Aided Engineering (CAE) tools and documents against unauthorized access and use.

CAD files, such as 3D CAD drawings, are unstructured data. Manufacturing companies and design engineering firms looking to protect CAD files face particular challenges. Primary reasons are:

  • the wide range of niche applications and file formats not covered by information rights management solutions for common office document formats (example: Microsoft AIP),
  • the weakness of traditional CAD file password protection,
  • the lack of end-to-end encryption and loss of oversight and control in many organizations when sharing CAD files by email or in the cloud.  

Examples are the automotive industry and the mobility sector in general, where CAD files often contain a company’s most valuable know-how. CAD file protection gaps at the endpoint and remote work risks were exacerbated during the coronavirus pandemic. They contributed to an increase in IP theft by insiders and data exfiltration by external threat actors.

In response, manufacturers are adopting Enterprise Digital Rights Management – Enterprise DRM – to ensure end-to-end CAD file protection and centralized policy management and control beyond the company’s IT perimeter. This approach is based on a data-centric security model. Solutions such as Fasoo Enterprise DRM ensure CAD file security at rest, in transit, and in use. Derivatives, for example 3D models excerpted as PDF files, automatically inherit the file security of the enterprise DRM-protected CAD file, which can include secure print protection.

Source: Enterprise DRM Glossary. Reference: How to Protect CAD Files and Workflows Against IP Theft (Fasoo Blog)

*

 

 

Centralized Policy Management

A centralized security policy simplifies managing permissions on documents and ensures a consistent policy across an organization. The policy is persistent yet flexible and allows the organization to manage security rather than relying on individuals to make security decisions.  Compare this to the built-in PDF password protection feature provided by Adobe.

From the organizational perspective, the latter means putting the document’s fate into the hands of its creator.  The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely.  It also forces users to become security experts.

In comparison, the advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go.  This includes changing policies for a user or group at any time, regardless of where the document resides.

Users can be granted the right to maintain complete control over their documents, for those situations where it’s warranted.  This provides a layered approach giving users and groups autonomy for certain documents while maintaining centralized control for the organization.

For example, a Finance user creates a document and it is encrypted upon saving it.  All users in the Finance group automatically have access to the document.  The user decides she needs Legal to review the document, so she can manually grant them access.  If the user leaves the company or moves to another department, the document is still accessible by Finance and Legal.  The organization maintains control.

For solutions without centralized control options, like Microsoft AIP,  it is difficult to implement and change security policies with many users and constantly changing roles. The considerable burden of keeping up-to-date and in sync with the needs of departments or business units often falls on the individual creator of the document.

*

 

 

Data-centric Security

The data-centric security model aims to enhance information protection regardless of where the data resides or with whom it is shared. It is considered a core part of a Zero Trust approach to information security. Data-centric security is independent of networks, servers, locations, and devices and marks a departure from the traditional “device-centric” or location-centric security model.

Enterprise DRM applies the data-centric security model by taking a file-centric approach to secure unstructured data, such as MS Office documents, CAD/CAE files, PDF, plain text, and other digital media file types. This approach means that, in contrast to other methods, persistent encryption and Identity and Access Management (IAM) are tied to and travel with the file.

Data-centric security management requires organizations to know what data they have and its security and privacy requirements. To make data-centric protection of unstructured data feasible at scale, they have to rely on standardized mechanisms to catalog and categorize data. Fasoo Enterprise DRM, for example, applies file-centric protection based on data classification tags to

  • Encrypt the file contents: If exfiltrated, the sensitive data is obfuscated and is of no value to threat actors;
  • Limit file access to authorized users only: Users can be individuals, departments, business units, or defined by role or title.

Historically, organizations adopted file-centric solutions for specific use cases. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policy management ensures IT and data owners can grant access and apply protection consistently across all networks, devices, endpoints, and cloud services.

Source: Enterprise DRM Glossary. Reference: Data-centric security is key to resiliency, cyber risk report says (VentureBeat),  Protect-first Approach to Data-centric Security (Fasoo Brief), Data-centric Security (Fasoo Archive)

*

 

 

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) describes tools and methods to prevent sensitive data, such as Personally Identifiable Information (PII) or business-critical intellectual property, from leaving an organization without proper authorization. 

To that effect, DLP software categorizes documents and emails and analyzes user behavior to restrict the transfer of data. The underlying rules and filters have to be maintained and adjusted by IT in coordination with other stakeholders to minimize workflow interruptions. 

Organizations can apply DLP only to their internal data flow. Unlike Enterprise DRM, it does not protect confidential information once data has been intentionally or unintentionally exfiltrated. A typical example is an email mistakenly sent to the wrong address. Like antivirus software or web filters, DLP components have become a staple of information security in the enterprise. As part of the point solutions mix, they often complement particular applications or tools, such as cloud security services or Microsoft AIP.

Larger organizations frequently leverage DLP to ensure compliance with data protection regulations such as GDPR, CCPA, or HIPAA. Critics blame DLP for creating a false sense of security and point to its blindspots (USB drives, SaaS file sharing applications, enterprise messaging apps) and its focus on internal file downloads and sharing. 

Source: Enterprise DRM Glossary. Reference: DRM and DLP: Comparison Made Simple (Fasoo Blog), Data Loss Prevention (NIST Computer Security Resource Center Glossary)

*

 

 

Digital Rights Management (DRM)

Digital Rights Management (DRM) describes the tools, systems, and data-centric process used to automatically encrypt files and dynamically control access privileges for unstructured data at rest, in use, and in motion. In the consumer space, DRM aims to control the use, modification, and distribution of copyrighted material, such as computer software and multimedia files.

In business, Enterprise DRM ensures data-centric document protection inside and outside the IT perimeter and along an organization’s supply chain to protect sensitive information against theft or misuse by insiders and unauthorized access from the outside.

Source: Enterprise DRM Glossary. Reference: What is Digital Rights Management? (Fortinet Cyber Glossary)

*

 

 

Encryption

The term encryption describes the cryptographic transformation of data into a form that conceals its original content to prevent it from being known or used. Decoding the encoded information requires the correct key. 

Enterprise DRM provides an additional layer of security through its data-centric combination of encryption and access control. Fasoo Enterprise DRM, for example, encrypts files containing sensitive unstructured data and limits access to the encrypted file to authorized users only within their given permissions. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

Fasoo EDRM encrypts files using a Packager. DRM-enabled documents cannot be opened without a DRM Client, which requests a “license” from the DRM Server. The DRM Server issues that license according to the security policy for the user and the document, which can be applied and flexibly adjusted using centralized policy management and exception handling. The DRM Client then decrypts the DRM-enabled document and sends the data to a rendering application, such as Microsoft Word, a PDF reader, or a CAD engineering tool.

Document encryption with Fasoo is based on FIPS 140-2 validated cryptographic modules that meet the requirements of the Cryptographic Module Validation Program (CMVP) run by the United States National Institute of Standards and Technology (NIST). That means it delivers the encryption strength required for organizations that are part of or do business with the U.S. federal government. 

Source: Enterprise DRM Glossary. Reference: To Encrypt or Not to Encrypt (Fasoo Blog), Encryption (Fasoo Archive)
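
The license flow described in the Encryption entry (Packager, DRM Client, DRM Server) and the Finance/Legal scenario from the Centralized Policy Management entry can be modeled in a few lines. This is an added example, not Fasoo code or its API: every class, function, user, and document name is hypothetical, the sample document is constructed, and the cipher is a standard-library stand-in for a validated cryptographic module.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _subkey(key, label):
    # Separate keys for encryption and integrity, both derived from the content key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """Stand-in cipher for illustration: XOR with an HMAC-SHA256 counter keystream.
    A real product would use a validated module (the page cites FIPS 140-2)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


@dataclass(frozen=True)
class PackagedDoc:
    # What travels with the file: ciphertext and integrity tag, never the key.
    doc_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class AccessDenied(Exception):
    pass


class DRMServer:
    """Hypothetical central policy point: content keys, group membership, per-document ACLs."""

    def __init__(self):
        self.groups, self.keys, self.acl, self.audit = {}, {}, {}, []

    def set_groups(self, user, groups):
        self.groups[user] = set(groups)

    def remove_user(self, user):
        # Offboarding: the user loses every group, and with it every license.
        self.groups.pop(user, None)

    def package(self, creator, doc_id, plaintext, rights=("view", "edit", "print")):
        # Packager step: encrypt at creation; the creator's groups get access automatically.
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
        tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        self.keys[doc_id] = key
        self.acl[doc_id] = {g: frozenset(rights) for g in self.groups.get(creator, ())}
        return PackagedDoc(doc_id, nonce, ct, tag)

    def grant(self, doc_id, group, rights):
        self.acl[doc_id][group] = frozenset(rights)

    def issue_license(self, user, doc_id):
        # Policy is evaluated at open time, so changes apply to copies already shared.
        rights = frozenset()
        for group in self.groups.get(user, ()):
            rights |= self.acl.get(doc_id, {}).get(group, frozenset())
        self.audit.append((user, doc_id, "licensed" if rights else "denied"))
        if not rights:
            raise AccessDenied(f"{user} has no rights on {doc_id}")
        return self.keys[doc_id], rights


def client_open(server, user, doc):
    # DRM Client step: request a license, verify the package, then decrypt.
    key, rights = server.issue_license(user, doc.doc_id)
    want = hmac.new(_subkey(key, b"mac"), doc.nonce + doc.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(want, doc.tag):
        raise ValueError("package failed integrity check")
    return _xor_stream(_subkey(key, b"enc"), doc.nonce, doc.ciphertext), rights


SAMPLE = b"constructed sample: FY forecast draft"


def _try_open(server, user, doc):
    try:
        return client_open(server, user, doc)
    except AccessDenied:
        return "denied"


def finance_legal_scenario():
    server = DRMServer()
    server.set_groups("alice", ["finance"])   # document creator
    server.set_groups("bob", ["finance"])
    server.set_groups("carol", ["legal"])
    doc = server.package("alice", "doc-001", SAMPLE)
    r = {"bob": _try_open(server, "bob", doc), "carol_before": _try_open(server, "carol", doc)}
    server.grant("doc-001", "legal", ["view"])      # creator asks Legal to review
    r["carol_after"] = _try_open(server, "carol", doc)
    server.remove_user("alice")                     # creator leaves the company
    r["alice_left"] = _try_open(server, "alice", doc)
    r["bob_after"] = _try_open(server, "bob", doc)
    r["audit"] = list(server.audit)
    return r


if __name__ == "__main__":
    for name, outcome in finance_legal_scenario().items():
        print(name, "->", outcome)
```

The model makes the trust boundary visible: a policy change takes effect at the next license request, and the rights carried in a license are enforced only as far as the client holding the key honors them.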

*

 

Enterprise Digital Rights Management (Enterprise DRM, EDRM)

Enterprise Digital Rights Management (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Also referred to as Information Rights Management (IRM), this data-centric protection applies on any device throughout the entire document lifecycle.

By encrypting files and leveraging granular controls through centralized policy management, Enterprise DRM allows organizations to limit viewing, editing, printing, and sharing sensitive content with unauthorized users within and outside the organization’s IT perimeter.

Historically, the challenges associated with persistent policy enforcement account for the reputation of many enterprise DRM solutions being complex to deploy. This perception has changed, industry observers agree.

According to Gartner analysts, enterprise DRM now “is one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

Industry observers credit Fasoo Enterprise DRM with driving much of this development. Its flagship installation spans over 170,000 internal users and over 700,000 total users of affiliates and partners worldwide.

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM Whitepaper 

*

 

 

Information Rights Management (IRM)

See Enterprise DRM

*

 

 

Insider Threat

An insider threat is defined as the potential for a person with authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the organization’s integrity, confidentiality, and availability, its data, personnel, or facilities.

Insider threats, such as IP theft by employees or contractors, are among the main risks to be considered when securing sensitive information in the form of unstructured data, such as office documents, PDFs, or CAD files. According to a 2020 survey conducted by the Ponemon Institute (PDF) and sponsored by ObserveIT and Proofpoint, 60% of polled organizations worldwide encountered more than 30 insider-related incidents per year involving digital assets.

The National Insider Threat Awareness Month library at the Center for the Development of Security Excellence offers guides, real-world case studies, videos, and web-based games to help organizations detect, deter, and mitigate insider threats.

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog), Insider Threat Report (Fasoo Resources)

*

 

 

Intellectual Property Theft (IP Theft)

The term Intellectual Property Theft (IP Theft) describes the act of stealing ideas, creative expressions, inventions, or trade secrets – collectively known as Intellectual Property (IP) – from the person or company who owns them. IP theft is against the law. Patent, copyright, and trademark laws, among others, aim to protect intellectual property owners.

In the digital sphere, most intellectual property exists in the form of unstructured data. Movies, music, and computer software all can be targets of IP theft, as can confidential office documents (example: pricing discounts), PDF files (example: employee W-2 forms), images (example: product concept studies), or CAD templates (example: digital blueprints of manufacturing designs).

Who is committing IP theft? According to experts, insiders – i.e. (former) employees, contractors, or supply chain partners – are behind most IP theft cases. Many perpetrators knowingly or unknowingly play into the hands of people outside their organization, such as agents for a foreign power or corporate spies hired by a competitor.

Western counterintelligence professionals attribute the rise of IP theft in the U.S. and the European Union mainly to China. Its Thousand Talents Plan, conceived by the Chinese Communist Party, drives the recruitment of engineers and scientists in the US and the EU as part of a state-sponsored IP theft campaign on a global scale.

In more than 50% of documented IP theft cases, the perpetrators were employees who quit and took proprietary information with them because nothing stopped them. This risk has significantly increased with the shift to remote work caused by the COVID-19 pandemic.

How can companies prevent IP theft? Increasingly, larger organizations deploy Enterprise Digital Rights Management (EDRM) to secure documents and eliminate opportunities for IP theft across the enterprise and along its supply chain. Information security experts see EDRM as uniquely positioned for preventing IP theft or, in cases where protected files may have been exfiltrated, further damage.

Information security professionals describe mainly three reasons for Enterprise DRM’s effectiveness in protecting large organizations against IP theft:

  • EDRM combines access control with data-centric security that protects files at rest, in use, and in transit. This device-agnostic protection applies inside and outside the organization’s IT perimeter from the point of creation throughout the document lifecycle.
  • Centralized policy management and flexible exception handling enable IT and document owners to eliminate IP theft blindspots. It also lets them quickly adapt document use policies to meet the demands of dynamically changing environments, such as remote work scenarios (see also: Secure Print). Fasoo Enterprise DRM is an example. It empowers organizations to maintain granular control over sensitive data even if that information is shared – intentionally or mistakenly – outside the organization.
  • EDRM delivers comprehensive document security at scale, encompassing the broad spectrum of document formats and applications common in globally operating organizations. Fasoo Enterprise DRM, for example, supports more than 230 file formats, including a wide range of PDF and CAD types.

In the fight against IP theft, the capabilities listed above put designated EDRM solutions like Fasoo Enterprise DRM at a distinct advantage. Point solutions developed to protect primarily one document software ecosystem and a limited number of 3rd-party file formats (example: Microsoft AIP) cannot provide the same coverage. 

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog); What’s the Biggest Challenge Manufacturing Companies Face in Their Fight Against IP Theft? (Fasoo Blog)

*

 

 

Microsoft Azure Information Protection (AIP)

Azure Information Protection is a data protection solution developed by Microsoft. It lets organizations discover, classify, and protect documents and emails. AIP was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.

Source: Enterprise DRM Glossary. Reference:  FAQ: Five Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP, What is Azure Information Protection? (Microsoft)

*

 

 

PDF Security 

Many cybersecurity professionals consider PDF security an oxymoron because of the weaknesses of the password protection and encryption of Adobe’s platform-independent file format.

Depending on the use case, adequate PDF document protection can require a combination of various 3rd-party tools and methods. Examples are PDF password protection, encryption, on-screen protection, secure print, PDF sanitization, PDF usage monitoring.

In large organizations, the number of PDF files and versions to be secured adds to the challenge. IT can overcome this challenge with Enterprise DRM, which provides an additional layer of PDF protection.

One example is Fasoo Enterprise DRM, which integrates the most powerful PDF protection mechanisms. It supports more than 230 file formats and ensures that sensitive PDF files are protected at rest, in use, and in transit.

Source: Enterprise DRM Glossary. Reference: Document Protection: How to Secure a PDF? (Fasoo Blog)

*

 

 

Permission

A permission is required to perform a particular action, such as View, Edit, and Print, on a document secured with Enterprise DRM. A user can only perform an action on a secured document when granted the proper permission, either as set via centralized policy management, a data owner granting specific permission, or upon requesting a provisional permission.

Source: Enterprise DRM Glossary. Reference: World’s Steel Manufacturing Leader Adopts Fasoo Enterprise DRM (Fasoo Success Stories)

* 

 

 

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is defined as any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.

PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.

PII is often maintained in the form of unstructured data, i.e., in Microsoft Office documents, PDF files (example: W-2 records), or computer printouts. Files containing PII are best protected by encrypting them at the point of creation. Adequate protection covers the document lifecycle in its entirety and includes provisions for data transfers to other media, i.e., screen photos or print.

Source: Enterprise DRM Glossary. Reference: What is Personally Identifiable Information? (Department of Homeland Security), What Unstructured Data is Sensitive? (Fasoo Brief),  PII Data Breach Archives (Fasoo Blog)

*

 

 

Print Protection

See Secure Print

*

 

 

Provisional Permission

When a user does not have permission for a specific action in a document secured with Enterprise DRM, the user can request a temporary permission or exemption to the current security policy. If approved by the administrator or document owner, the user can perform that action with the given provisional permission for a time period defined by policy.
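The Permission and Provisional Permission entries, together with the license flow from the Encryption entry, can be modelled as a single policy decision made each time a file is opened. The sketch below is an added example, not Fasoo's implementation or API: `PolicyServer`, `request_license`, `client_allows`, and the sample users and document ID are hypothetical, and the content encryption itself is left out (the server simply releases or withholds the key).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class PolicyServer:
    """Hypothetical stand-in for a DRM server: central policy plus content keys."""
    group_policy: dict = field(default_factory=dict)   # (group, classification) -> actions
    user_groups: dict = field(default_factory=dict)    # user -> set of groups
    doc_class: dict = field(default_factory=dict)      # doc_id -> classification
    owner_grants: dict = field(default_factory=dict)   # (user, doc_id) -> actions
    provisional: list = field(default_factory=list)    # (user, doc_id, action, expires_at)
    keys: dict = field(default_factory=dict)           # doc_id -> content key
    audit: list = field(default_factory=list)          # every decision is logged

    def register_document(self, doc_id, classification):
        # Done once, when the file is encrypted at the point of creation.
        self.doc_class[doc_id] = classification
        self.keys[doc_id] = secrets.token_bytes(32)

    def approve_provisional(self, user, doc_id, action, now, duration):
        # An administrator or document owner approved a temporary exception.
        self.provisional.append((user, doc_id, action, now + duration))

    def effective_permissions(self, user, doc_id, now):
        if doc_id not in self.doc_class:
            return set()                                # unknown document: fail closed
        perms = set()
        for group in self.user_groups.get(user, set()):
            perms |= self.group_policy.get((group, self.doc_class[doc_id]), set())
        perms |= self.owner_grants.get((user, doc_id), set())
        for p_user, p_doc, action, expires_at in self.provisional:
            if (p_user, p_doc) == (user, doc_id) and now < expires_at:
                perms.add(action)
        return perms

    def request_license(self, user, doc_id, now):
        """Release the content key only if current policy lets this user view the file."""
        perms = self.effective_permissions(user, doc_id, now)
        granted = "view" in perms
        self.audit.append((now.isoformat(), user, doc_id, "granted" if granted else "denied"))
        if not granted:
            return None
        return {"doc_id": doc_id, "user": user,
                "permissions": frozenset(perms), "key": self.keys[doc_id]}


def client_allows(license_, action):
    """Client-side check before content is handed to the rendering application."""
    return license_ is not None and action in license_["permissions"]


def demo():
    now = datetime(2021, 9, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    server = PolicyServer(
        group_policy={("finance", "confidential"): {"view", "edit"}},
        user_groups={"alice": {"finance"}, "bob": {"sales"}},
    )
    server.register_document("doc-001", "confidential")      # constructed identifier
    results = {}

    lic = server.request_license("alice", "doc-001", now)
    results["alice_view"] = client_allows(lic, "view")
    results["alice_print"] = client_allows(lic, "print")
    results["bob_license"] = server.request_license("bob", "doc-001", now)
    results["unknown_doc"] = server.request_license("alice", "doc-999", now)

    # Provisional print permission, approved for one hour.
    server.approve_provisional("alice", "doc-001", "print", now, timedelta(hours=1))
    lic = server.request_license("alice", "doc-001", now + timedelta(minutes=30))
    results["alice_print_provisional"] = client_allows(lic, "print")
    lic = server.request_license("alice", "doc-001", now + timedelta(hours=2))
    results["alice_print_expired"] = client_allows(lic, "print")

    # Alice leaves the team: copies of the file she still holds no longer open.
    server.user_groups["alice"] = set()
    results["alice_after_revocation"] = server.request_license(
        "alice", "doc-001", now + timedelta(hours=3))
    results["audit_entries"] = len(server.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model assumes the client requests a fresh license on every open; that is what lets a policy change or an expired provisional permission take effect on files that have already left the network.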

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM White Paper (Fasoo)

*

 

Secure File Sharing

Secure file sharing (also referred to as secure file exchange) describes the process of making unstructured data available to other authorized users, while preventing access by others who lack proper authorization. In business environments, secure file sharing with Enterprise DRM enables individual users to transfer Microsoft Office documents, audio or video files, images, PDFs, or CAD drawings, for example, within or outside their organization, without exposing sensitive information to data theft or manipulation by unauthorized parties.

Modern digital rights management solutions enable secure file exchange based on a data-centric security model. This approach overcomes the weaknesses and limitations of traditional device-based security or file password protection (see also: PDF Security and CAD Security). It also surpasses the protection provided by file-sharing tools such as Box, Dropbox, or OneDrive, which offer encryption in the cloud and in transit, but fall short once a document reaches the recipient. Fasoo Enterprise DRM, for example, automatically encrypts each file at the point of creation and applies access policies that are centrally managed. 

Files secured with Enterprise DRM remain protected no matter where they go. This way, the data owner remains in control if and how a shared file can be accessed, regardless of its location. The protection is device-agnostic and travels with the file. Users can securely share files without risking protection gaps on portable storage media, cloud storage services, home office printers, or when documents are sent as email attachments, for example.

Source: Enterprise DRM Glossary. Reference: Data-centric Security (Fasoo Blog Archive)

*

 

 

Secure Print (Secure Printing)

Secure print describes capabilities that enable the prevention and detection of document leaks or exfiltration via print output. In Enterprise DRM, policy-based print protection lets data owners centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts.

Fasoo Enterprise DRM, for example, takes a printer-agnostic approach to secure printing. This approach eliminates problems with using different printers or print drivers. Here’s how it works:

The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels for plain and EDRM-secured documents alike.

Source: Enterprise DRM Glossary. Reference: Document Security: What Is Secure Print? (Fasoo Blog)

*

 

 

Unstructured Data

85% of today’s digitally stored information consists of unstructured data, which means it lacks a pre-defined data model or internal data organization. Examples include office documents, CAD/CAE files, PDFs, email, video, blogs, customer support chat logs, and social media.

Structured data, by comparison, is defined as data that is easily grouped, processed, and analyzed by rows and columns in relational databases. It only accounts for 15% of today’s information.

Unstructured data poses numerous security and regulatory compliance challenges. They are not addressed by the traditional network, device, and application cybersecurity and risk management approaches. This coverage gap is the reason why storing and sharing sensitive information in free-form documents creates numerous opportunities for leakage or exfiltration of proprietary or otherwise sensitive data.

Confidential files containing intellectual property, PII, or printouts of HIPAA-protected personal health information (PHI) are three examples of unstructured data potentially at risk of unauthorized access due to negligent or malicious insider behavior or cyber-attacks.

Sensitive unstructured data falls into two broad categories: regulated or unregulated. The adequate protection of regulated unstructured data is required by law (examples: GDPR, CCPA). Unregulated data includes both business-sensitive and publicly known information. Determining what content requires protection is left to the discretion of the business that owns, stores, or processes it.

Source: Enterprise DRM Glossary. Reference: What Is Unstructured Data And Why Is It So Important to Businesses? An Easy Explanation for Anyone (Forbes Enterprise Tech); Structured vs. Unstructured Data (Datamation); What Unstructured Data is Sensitive? (Fasoo)

*

 

 

Zero Trust Document Protection

Zero Trust document protection describes minimizing uncertainties in enforcing accurate access decisions regarding unstructured data. It delineates the shift from a device and location-centric security model to a predominantly data-centric approach.

The goal is to prevent unauthorized access to files containing confidential data by making access control enforcement as granular as possible. The Zero Trust approach requires fine-grained security controls between users, systems, data and assets. Enterprise DRM is considered a cornerstone of any viable Zero Trust document protection strategy, according to document security experts. They point to its data-centric security model, strong encryption, and tight integration with all leading identity and access management systems.

The Zero Trust approach achieved official cybersecurity policy status with the 2021 Executive Order on Improving the Nation’s Cybersecurity issued by the Biden administration. While the directive primarily aimed to move federal agencies to secure cloud services and a zero-trust architecture, it since has sent ripple effects through the private sector. 

 

Source: Enterprise DRM Glossary. Reference: “5 data protection tips for maintaining trust in the Zero Trust era,” in Financial Services: How to Boost Your Remote Work Surveillance; 3 Top Document Protection Takeaways from the May 2021 Executive Order on Cybersecurity (Fasoo Blog)

*

Top 10 Tips to Stop a Data Breach

Data breaches continue to torment organizations.  There are numerous examples of malicious or inadvertent data breaches throughout businesses and organizations of all types and sizes.  Hackers get all the press, but insiders pose as great a risk as any external party when it comes to vulnerabilities.

Regardless of who you are, your information is under attack.

With the start of fall and most employers still focused on remote workers, now is a good time for a few tips on preventing a data breach.

  1. Identify sensitive data – before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process.  Hackers and malicious insiders target non-public personal information (NPI), personally identifiable information (PII), and intellectual property, like designs, patent documents, or trade secrets.
  2. Encrypt sensitive data – encryption with a centralized access policy helps protect the security and privacy of files as they are transmitted, while on your computer, in the cloud, and in use. Encrypt all sensitive information with a data-centric security policy using Advanced Encryption Standard (AES) 256-bit cryptography.  Only give access to those who need it to do their jobs.
  3. Secure sensitive customer, employee, or patient files – store paper files containing sensitive information in a locked drawer, cabinet, safe, or another secure container when not in use.  This becomes more of an issue as people continue to work from home and use local printers to print and review information.
  4. Properly dispose of sensitive data – shred physical documents containing sensitive data prior to recycling.  Remove all data from computers and electronic storage devices before disposing of them.  If the documents are encrypted, there is less potential for a data breach even if accidentally left on a device.
  5. Use password protection – password protect your computers, including laptops and smartphones, and access to your network and servers. Since so many applications are in the cloud, consider a single sign-on (SSO) and multi-factor authentication (MFA) solution to strengthen your access policies.
  6. Protect against viruses and malware –  install and use antivirus and antimalware software on all of your computers. Don’t open email attachments or other downloads unless you’re sure they’re from a trusted source.  Phishing attacks are still one of the main culprits of data breaches.
  7. Keep your software and operating systems up to date – install updates to security, web browser, operating system, and antivirus software as soon as they are available.  Hopefully, these processes are automated, but it’s good to check and automate them if possible.
  8. Secure access to your network – ensure your network firewall, proxy server, and other network appliances are up to date with patches.  Enable your operating system’s firewall.  Ensure your Wi-Fi network is password-protected, secure, encrypted, and hidden so that its network name or SSID can’t be picked up by the public.  This is very important for work at home scenarios, even if you are using a VPN to access corporate resources.
  9. Verify the security controls of third parties – before working with third parties that have access to your data or computer systems or manage your security functions, be sure their data protection practices meet your minimum requirements and that you have the right to audit them.  It’s best to have a vendor risk management policy in place to address these needs.
  10. Train your employees – people are the weakest link in security, so make sure your employees understand your data protection practices and their importance. Document your policies and practices, and distribute them to everyone. Review them regularly and update them as required. Be sure to retrain your staff as updates are made.

 

Image: Woman at home office printer

Did you know that paper-based incidents still account for a whopping 30 % of data breaches? It’s helpful to keep this statistic in mind and plan for secure print in your organization’s document protection program.

*

How well is your print infrastructure protected against security breaches? When market research firm Quocirca posed this question to more than 500 IT leaders worldwide at the end of last year, their response wasn’t exactly reassuring.

Only 33 % of respondents in the U.S. said they were completely confident, a drop from 50 % before the COVID-19 pandemic. What happened?

Survey chart image: Print-related data loss before / after COVID

Source: Quocirca Infographic

Work-from-home (WFH) arrangements are to blame, says Quocirca. And you thought unmanaged home office computers already created enough of a headache for IT? Well, think again. 

The Quocirca report shines a harsh light on a piece of office equipment that’s omnipresent but often overlooked as a risk factor: the printer. 

 

Increased risk through WFH printers  

Printers remain underestimated as a threat to document security, and not for lack of evidence: 30 % of data breaches last year involved paper documents, according to the 2021 Privacy Incident Benchmark Report published by incident response specialist RadarFirst.

That’s 13 % down from the year before. But don’t pop open the champagne just yet. This number doesn’t account for sensitive data, such as Personally Identifiable Information (PII) of customers, that was mishandled or intentionally exfiltrated via unmanaged and unmonitored WFH printers. After all, who’d be able to tell?

Charts Infographic: Print-related incidents

Source: RadarFirst Infographic

Let’s put the risk in perspective. It’s helpful to remember that modern printers and print/scan/photocopy/fax multifunction devices are special-purpose computers. As such, they are susceptible to software exploits, online attacks, as well as data theft and leakage by insiders. But unintentional or deliberate misuse of printers and printouts aren’t the only risks to consider.

Auditability and chain-of-custody requirements are of equal concern. For example, in financial services, healthcare, and pharmaceutical companies, regulatory compliance demands the traceability of the PII paper trail. In the criminal justice system, another example, the law requires tracking the movement of evidence through its collection, safeguarding, and analysis lifecycle. This includes documenting when files are printed, by whom, and for what purpose.

I’ve written about printers and their role in data theft and leaks on this blog before here, here, and here. If mortgage applications or medical record printouts, for example, are left unattended in the paper output tray and end up in the wrong hands, the result may be costly. Think brand damages, litigation, or steep penalties and other enforcement action by state and federal regulators.

 

Do we need monitored print stations for remote workers?

Many organizations mitigate such risks to a certain degree by setting up dedicated print stations with closely monitored secure printers. Print activities of remote workers and how they handle the printouts, on the other hand, remain out of sight and beyond the control of staff. So what are IT’s options then?  

Too often, these options are limited by a lack of resources – or outright impractical. Support employee-owned printers? Talk about a rabbit hole. Provision company-owned printers to remote workers and block unmanaged devices? Prevent employees from printing at home altogether? 

Wanted: a sensible yet effective method to prevent confidential data from seeping out of some inkjet printer in a home office nook, without invading the privacy of remote employees. Enter secure print.  

 

What is “secure print”?

The term “secure print” (or “secure printing”) describes functionalities that enable the prevention and detection of document leaks or exfiltration via print output. In digital rights management at the enterprise level (Enterprise DRM or EDRM), policy-based print protection enables data owners to centrally set and manage print-at-home rules, as well as mark unauthorized printouts.

Fasoo Enterprise DRM takes a printer-agnostic approach to secure printing. This eliminates problems with using different printers or print drivers. Here’s how it works:

The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels, for plain and EDRM-secured documents alike.

 

Fasoo print protection enables organizations to 

  • prevent printing of files that contain PII or other sensitive information, based on predefined patterns in the document, or mask sensitive data; users can request an exception to print an unmasked version;
  • require authentication before retrieving a printout, and also require users to enter a PIN or use a smart card before releasing a print job for added security;
  • apply visible watermarks that show a user name, date, time, IP address, and other company information to printouts without user intervention, to deter insider theft and as future forensic evidence; users can request an exception to print without a watermark. 

 

Smart Print’s file-centric print protection means that IT maintains control and oversight regardless of which physical or virtual printer is used. A granular audit trail, including the text or image of the actual printed content, ensures maximum visibility into all print activities by employees and vendors. 

For maximum print security in a WFH world, deploy Fasoo Smart Print as your organization’s remote network of monitored print stations – without the creepiness factor.

Find out more about secure printing with Smart Print and Fasoo Enterprise DRM here.

###

 

DLP (the traffic cop) vs. DRM (the armored truck)

Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?

For starters, it risks missing one crucial difference between these two approaches to document protection. Unlike DRM, DLP isn’t designed to protect information once it makes it outside an organization’s IT perimeter.

By definition, that’s precisely the scenario DLP purports to prevent in the first place. So this wouldn’t be a problem if DLP worked reliably 100 % of the time. But it doesn’t. Why? 

One answer is that DLP still requires a high degree of human intervention or supervision. This fact doesn’t take away from the advantages of document security automation. I’ll get into the details below. But first, let’s back up a moment and look at the definition of DRM vs. DLP.  

 

What’s the main difference between DRM and DLP?

DRM (a.k.a. IRM, for Information Rights Management) automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. 

DLP analyzes document content and user behavior patterns and can restrict movement of information based on preset criteria.

I’ve written about DRM vs. DLP on this blog before, in 2014. While little has changed about the definitions, cloud services and remote work have become ubiquitous since – and IT perimeters more blurred.

Add to that the dramatic rise of (AWS) data leaks, insider threats (such as IP theft), and double-extortion ransomware attacks. Taken together, these trends explain why the main difference between DRM and DLP has become more pronounced recently.

In a nutshell, it’s the difference between a traffic cop and an armored truck. As for the cop part, I’m not the first to draw this analogy; DLP has been compared to an officer posted at an exit ramp before.

In this analogy, only traffic identified as legitimate is waved through and allowed to leave the main drag (i.e., your network) and race off into uncontrolled territory. A police officer may check a car’s license plates, ask for ID, and scan the vehicle’s interior before giving someone permission to pass through.

Image for DRM / DLP comparison: DLP works like a police checkpoint

Traditional DLP works in a similar way. It scans files, detects data patterns, and automatically enforces appropriate actions using contextual awareness to avoid data loss. However, the similarities don’t end here.

 

DLP’s biggest weakness

DLP also faces three significant challenges similar to those of a roadblock cop:

 

  • How can you accurately establish which traffic to allow through and handle the task effectively and expediently, before the exit point becomes a bottleneck?
  • What about all the exits not covered? With DLP, those would be USB drives, SaaS file sharing applications, such as Google Drive or Dropbox, or enterprise messaging apps, such as Slack or Microsoft Teams.  Think of them as equivalents of the service road turnoff some locals (i.e., insiders) know and use to avoid a roadblock.
  • And, last but not least, what happens with the traffic that should never have made it past the checkpoint, but somehow did so anyway? Most companies need to share sensitive data with external contacts, like vendors or customers. A common occurrence is that a confidential document is mistakenly sent to the “wrong” person in a company whose email domain is safelisted as a recipient.

“Not my problem anymore,” says the (DLP) cop. What’s gone is gone, even if it ends up in the wrong hands.  With the first two issues on this shortlist, data loss prevention products have been struggling from the beginning. As for the third item, it exposes DLP’s biggest weakness.

Here’s what I mean: By promoting a solipsistic focus on internal file downloads and sharing, DLP creates a false sense of security. In reality, once sensitive information moves beyond the point of egress, an organization loses all visibility and control over what happens with its sensitive data.

Has DLP been a failure? 

I wouldn’t go that far. If that were the case, why did Gartner analysts expect about 90 % of organizations to have “at least one form of integrated DLP” in place by this year? That’s an increase from 50% in 2017. 

While DLP wasn’t the panacea that marketers made it out to be, it still has its place. In the enterprise, DLP has helped establish a baseline for document protection. One example is tagging documents that contain personally identifiable information (PII) to ensure compliance with GDPR [PDF], the General Data Protection Regulation of the European Union.

DLP deployments require IT and other stakeholders (compliance teams, data owners) to take stock of sensitive information across the board and categorize it. The downside is that it also demands constant tweaking and fine-tuning of filters and policies. 

If your business deploys DLP, you learned the hard way that most of this burden falls on IT. DLP filters are notorious for generating “false positives”. They are known to cause workflow breakdowns because of mistakenly flagged files. The DLP filter may, for example, identify a 16-digit internal reference number in a document as a credit card number and prevent the file from getting shared. 
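The 16-digit false positive described above, and one common way such a filter is tuned against it, shown as an added example (not code from any DLP product). The naive rule flags every 16-digit run; the tuned rule adds the Luhn checksum that payment card numbers satisfy and a keyword-proximity check. The keyword list, the 40-character window, the verdict names, and the sample sentences are assumptions constructed for illustration.

```python
import re

# 16 digits, optionally grouped with spaces or hyphens, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
# Words that make a nearby number more likely to be a payment card (assumed list).
CARD_CONTEXT = re.compile(r"\b(card|visa|mastercard|credit|cvv|expir\w*)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters inspected on each side of a candidate (assumed value)


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_filter(text):
    """The rule behind the false positive: any 16-digit run counts as a card number."""
    return [re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text)]


def classify(text):
    """Return (digits, verdict) for each candidate: 'allow', 'review' or 'block'."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            verdict = "allow"       # cannot be a valid card number
        else:
            start = max(0, m.start() - CONTEXT_WINDOW)
            window = text[start:m.end() + CONTEXT_WINDOW]
            # Checksum passes: block only with supporting context, else queue for review.
            verdict = "block" if CARD_CONTEXT.search(window) else "review"
        findings.append((digits, verdict))
    return findings


# Constructed sample documents. 4111 1111 1111 1111 is a widely published test number.
SAMPLES = {
    "reference": "Shipment reference 2021093000041872 was delivered on time.",
    "card": "Please charge Visa card 4111 1111 1111 1111, expiry 09/24.",
    "luhn_collision": "Invoice ref 2021093000041877 is overdue.",
}


def run_samples():
    return {name: classify(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "naive:", naive_filter(text), "tuned:", classify(text))
```

Luhn alone still passes one in ten arbitrary 16-digit strings, which is why the third sample lands in a review tier instead of being silently allowed or blocked.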

In 2021, DLP describes more a mindset than a unified approach or one specific method to stop data leakage or exfiltration. But DLP modules and add-ons have become part of the point solutions mix. They complement particular applications or tools, such as cloud security services or Microsoft AIP.

And as with many point solutions, blindspots and coverage gaps remain that you can drive a truck through. Which brings us back to the armored truck. 

     

Armored truck for confidential data

If we understand DLP as the cop who creates a bottleneck sorting out which traffic can pass, we can think of enterprise DRM as the equivalent of an armored truck.  Tethered to a C3 (command, control, and communication) center, it can only be unlocked by dispatchers at a remote location.

In other words, whatever neighborhood the vehicle ends up in once it’s past the exit point, the load remains secure. The owner maintains control over the cargo and who can access it. 

With Fasoo Enterprise DRM, the C3 center would be the Fasoo server. The cargo is your sensitive data locked down with Fasoo encryption. And the dispatcher would be Enterprise DRM’s centrally managed policy settings.

So what happens to DLP in this picture? My main point here is that you don’t have to bother with interrogating file content once it is encrypted by Enterprise DRM. That doesn’t mean your existing DLP deployment becomes irrelevant. 

DRM + DLP for the win

Case in point: sensitive emails. DRM doesn’t automatically encrypt any outgoing email, for example. DLP, on the other hand, can flag content inside of emails for extra protection, or to prevent a message from leaving the organization altogether. 

Another advantage of DLP is that it helps IT teams gain and maintain a baseline understanding of how sensitive data moves through their network. With adequate calibration, it serves as a low-investment, yet efficient tool for data risk discovery.

From a pure document security perspective, DRM fills in the remaining blanks. It gives us peace of mind that confidentiality and compliance remain ensured for any file that finds its way past the egress point. Or, to put it differently – if you ran a bank, would you feel comfortable having a bicycle courier handle the money transports?

Nope, you’d leave it to the pros with proper equipment.

So, the armored van it is. In summary, deploying an enterprise-scale DRM solution enables your organization to protect its existing DLP investments. It helps you tie up loose ends in a global, multi-cloud, work-from-anywhere IT environment.  

By combining both methods, you can play to DLP’s actual strengths. Examples include spotting suspicious activities and patterns that indicate possible insider threats, or flagging files – including emails – for DRM protection before they can leave the organization. 

    That way, you don’t have to rely exclusively on the overwhelmed cop at the exit ramp anymore. 

    Would you like to learn more about how Fasoo Enterprise DRM and DLP work together for maximum protection of unstructured data? Connect with our experts!  

    ###

    *For a comprehensive overview, I recommend the post Insider Threat Management: Part 1 – 7 Reasons Not to Settle for DLP on the blog of cybersecurity company Proofpoint.

     

Image shows business team watching comparison chart presentation

How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?

The first solution is a digital rights management platform to protect documents at scale in large organizations and along their supply chain.

The latter was developed primarily to protect the document ecosystem of MS Office plus a few third-party file formats.

 

Can you compare them at all?  It’s a common question we get, so let’s try.

*

“We’re looking at our options for securing documents across the whole organization, including our worldwide subsidiaries and supply chain. What advantages would we have from choosing Fasoo Enterprise DRM over Azure Information Protection (AIP) by Microsoft?”

I have to admit, each time we receive an email like that, we cringe a little.  It’s a bit like asking us to compare a Ford F-series pickup truck (America’s most popular car in 2020) and a Chrysler minivan (the best-selling minivan during the same year), on the grounds that they both have four wheels and can take a load.

We welcome such questions, though, because they give us an excellent opportunity to clear up some confusion. Read on for a few of our answers.

 

MS AIP vs. Fasoo comparison: Frequently Asked Questions (FAQ)  

Image shows a Minivan vs. Ford Super Duty Pickup Truck Tableau

 

Minivans keep us moving, but heavy-duty tasks require different means.
Photo sources: Dreamstime / Ford   

The confusion is understandable. The early and often niche-focused enterprise-level DRM solutions of the past were considered expensive, complex to deploy, and difficult to scale. As a result, many IT teams today still lack hands-on experience with modern DRM-based information protection capabilities at scale.

Fast-forward to 2021: Enterprise DRM solutions have matured significantly over the past decade. This has caused a considerable change in perceptions and is credited with the recent resurgence of enterprise DRM. 

Combined with the shift towards a data-centric information security approach, this development now has more information security leaders asking about the specific strengths of enterprise DRM. Here are five frequently asked questions involving Fasoo EDRM and AIP:

 

1. How many file formats does Fasoo support compared to AIP?

Microsoft file protection supports approximately 20 file types. AIP modifies file extensions for non-Office file types (txt to ptxt, jpeg to pjpeg, bmp to pbmp). This can cause issues with third-party applications and firewalls.

Fasoo supports more than 230 file formats, including a broad range of PDF files, plus any less common file format based on a niche application that a customer might use. All formats Fasoo supports can be opened in their native application. It does not modify file extensions, which means applications that rely on native file extensions for scanning or other purposes keep working. 

 

2. How does Fasoo EDRM protect CAD files in comparison to AIP?

AIP does not support protection of CAD files while in use. Fasoo protects CAD files while at rest, in transit, and in use.  By integrating directly with over forty different CAD applications, Fasoo EDRM allows users to interact with CAD files as they normally do while maintaining strong protection of the data.

 

3. How strong is Fasoo’s encryption compared to MS AIP?

AIP is limited to AES 128-bit encryption for Office files because Office 2010 cannot support AES 256-bit encryption. Other file types use 256-bit. Microsoft does not support encryption for Office 2007. It recommends upgrading to Office 2016 for ease of deployment and management.

Fasoo uses multi-layered encryption for all file types, including AES 256-bit encryption for all file payloads. This is important for compliance with certain regulations. Fasoo supports Microsoft Office 2007, 2010, 2013, 2016, 2019, and 365.

 

4. How do the document tracking and monitoring capabilities of Fasoo compare with those of MS AIP?

AIP currently has no centralized report portal for usage, adoption, or document activities. It also doesn’t provide a method for tracking AIP user licenses. Microsoft recommends editing the registry to remove access to functions from specific users designated as “consumers only” of AIP-protected files.

Fasoo provides centralized reporting on all document and user activities in a web-based console. Thresholds can alert administrators to anomalous and potentially suspicious activity. Fasoo EDRM also tracks all licensed users in a web-based, centralized console. 

 

5. How are Fasoo’s policy and exception management different from AIP’s?

This question comes up frequently because Microsoft AIP relies on individual users to make security policy decisions on how to protect documents. This approach requires IT and data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Fasoo can automatically assign file protection without user intervention. It provides centralized policy management and exception handling capabilities. This “file-centric, people-centric” approach allows the organization to determine who can access a protected document, rather than relying on the document creator to make that decision. Users with permissions are empowered to extend access rights and permissions to other users as needed.

*

Will it fit and grow with your mission?

In summary, most inquiries we get about Microsoft AIP vs. Fasoo boil down to a single general question: How does a dedicated solution for securing documents in large organizations stack up against an assemblage of document protection components designed with a focus on MS Office applications and file formats?

My answer, in a nutshell: It’s difficult to compare a Ford F-450 Super Duty truck and a Chrysler Pacifica minivan. To stay with the analogy for a moment, deciding between work truck and family van becomes much easier when we ask this question:

Will it fit the mission? 

###

Do you have questions about any of the items above or related topics?
Contact the Fasoo team here.

Movie Sign: Policy Exception Handling

Wouldn’t it be a shame if it slowed down your business and turned out to be useless for protecting your data? Here’s what I’m getting at:

74 percent of U.S. companies say they will keep some remote work arrangements in place post-pandemic. In other news, roughly 359,000 cybersecurity positions in the U.S. went unfilled at last count.

Taken together, these data points spell trouble. This is where the policy part comes in. Data breaches involving sensitive information have been skyrocketing recently. What about the document access and use policies at the affected organizations? Why didn’t they matter?

You likely know the answer. Remote work, a flood of unmanaged devices, VPN node expansions, and cloud service adoption run wild have created more weak spots than point solutions and understaffed IT teams can handle. 

Patch schedules need to be adhered to. Access controls and policies have to be applied and managed. Not to forget the exception requests. Someone has to follow up. But who? And how? “This support ticket will be automatically closed after 5 days.” Will it get resolved before the workflow turns into a work trickle?

It doesn’t help that many point solutions that promise to keep your data secure foster inconsistent policies that leave security and privacy gaps. Your organization could pay a high price if your document protection strategy doesn’t connect the dots and eliminate the gaps and blindspots. Think stolen intellectual property (IP), legal fees, or brand damages.

BYOD report: “Enterprises are running blind”

The point isn’t lost on Anurag Kahol, the Chief Technology Officer (CTO) of cloud security firm Bitglass. Introducing the company’s 2021 BYOD Security Report, he warned in June: “There has never been a more important time for enterprises to seriously rethink their approach and secure all forms of communication amongst users, devices, apps, or web destinations.”


Source: 2021 BYOD Security Report (Bitglass/Cybersecurity Insiders)

The survey (conducted in collaboration with Cybersecurity Insiders) shows the rapid adoption of unmanaged personal devices connecting to work-related resources (a.k.a. BYOD):
 

  • 47 percent of organizations reported an increase in personal devices being used for work.
  • 82 percent said they now actively enable BYOD to some extent.
  • The most critical concerns of respondents were data leakage or loss (62 percent), users downloading unsafe apps or content (54 percent), lost or stolen devices (53 percent), and unauthorized access to company data and systems (51 percent).

The survey results also show how ill-equipped companies still are to deal with malware and data theft – more than 18 months into the pandemic. The authors conclude: “Enterprises are running blind.”

Their point is validated by the recent escalation of data leaks following extortion attempts. Yet, while IT teams struggle to stem the tide of malware attacks and data theft, some large organizations seem better prepared than others to prevent confidential information from leaking or getting stolen. So what’s their secret?

Keep tabs on your data and worry less where it goes

Spoiler alert: There isn’t just one answer, and it doesn’t start with an “A”,  as in AI or Automation.  Presumed panaceas can do more harm than good if they introduce more complexity instead of minimizing it. 

One hint comes from Capgemini and Forrester, who published a joint study on cyber resilience in March. It showed that 71 percent of companies planning to increase their cybersecurity budgets said they now prioritized data-centric security.

Growing investments in enterprise-level digital rights management (DRM) are part of this trend. One example is Fasoo Enterprise DRM. Globally operating businesses and U.S. government agencies rely on Enterprise DRM to secure their unstructured data, such as Microsoft Office documents, PDFs, or CAD designs, at the file level. 

Centralized policy management: fewer gaps, faster workflows 

Enterprise DRM enables them to automatically encrypt documents at the point of creation. It applies a persistent yet flexible file policy and puts sensitive files under lock and key. 

This policy is centrally managed by the organization. What’s the advantage of this approach over, say, the built-in PDF password protection feature already provided by Adobe?

I’ve addressed a few known security deficiencies of the latter method in this post. From the organizational perspective, it means putting the document’s fate into the hands of its creator. The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely. 

In comparison, the main advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go.  This includes changing policies for a user or group at any time, regardless of where the document resides.

So what about centralized solutions designed to protect a broader range of files across the enterprise? Basic PDF password protection marks one end of the spectrum. On the other end, let’s look at Azure Information Protection (AIP) by Microsoft, for example.

AIP was designed with a focus on protecting documents in the MS Office ecosystem. While AIP lets organizations include a limited range of third-party file formats under its protection umbrella, it also still relies on individual users to make security policy decisions on securing documents. Specific training may be required.

In addition, AIP’s lack of centralized control options makes it difficult to implement and change security policies in organizations with many users and constantly changing roles. The considerable burden of keeping AIP protection up-to-date and in sync with the needs of their department or business unit often falls on the individual creator of the document.

Support requests down, document security up with Enterprise DRM

Team members in a Fasoo Enterprise DRM-protected environment, on the other hand, don’t have to worry that a document may lose its protection or become inaccessible when sent as an email attachment or uploaded to the cloud, for instance. 

Each attempt to access a file requires a usage license issued by a DRM server. This license is based on parameters such as user, document, device, time, and location. The policy determines who can open a particular file and for what purpose (examples: “view on the screen only”, “view, edit and save”, “print only with watermark”).

The policy applies regardless of which endpoints, storage devices, or cloud services the files traverse. They are protected, and access details are monitored by Fasoo Enterprise DRM, no matter where they wander inside or outside the organization and its supply chain.  

What does this mean in case of a data breach? Files secured with Fasoo DRM – example: W-2 PDF forms – are useless in the wrong hands, should they be exfiltrated for wholesale on the dark web.

The same applies to documents with sensitive intellectual property, such as CAD files from the engineering department. If a rogue engineer downloads them to a flash drive to take them to a competitor, like in this case, nothing is lost or compromised. 

Image shows hand with USB
When internal documents leave your organization, are you still in control? Photo: Anete Lusina on Pexels

Safe policy exceptions at startup speed

Why do our customers select Fasoo Enterprise DRM?  One main advantage, they say, is its centralized policy management, which puts admins and data owners in control. Policies are implemented consistently, in a platform-agnostic way, across the entire data inventory.

Equally important, they stress, is that these policies can be flexibly adjusted at a moment’s notice to support the workflow of global companies running at startup speed.

Customers praise its capability to quickly accommodate changes in security policy to meet changing business needs.  Suppose a document owner leaves the organization or changes jobs. In that case, a department manager, IT, or security can easily grant or remove access to the document with the click of a button, regardless of the document’s location.

Another example is the way the exception management approval system handles temporary document permissions. Fasoo Enterprise DRM facilitates a pre-approval, post-approval, or self-approval workflow. Exception approval can be delegated to department heads, managers, or coworkers so that the organization doesn’t have to rely on IT.
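The per-access license check described earlier (user, document, device, time, location) and the time-limited exception described above, modeled as an added example. This is a conceptual sketch, not Fasoo's API or implementation; every class, field and value name is hypothetical, and the users, document ID and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessRequest:
    user: str
    document_id: str
    action: str            # "view", "edit" or "print"
    device_managed: bool
    country: str
    at: datetime


@dataclass
class Rule:
    group: str
    actions: frozenset
    countries: frozenset
    managed_device_only: bool = True


@dataclass
class TemporaryException:
    user: str
    document_id: str
    actions: frozenset
    expires: datetime
    approved_by: str


class PolicyServer:
    """Hypothetical central policy server: default deny, every decision logged."""

    def __init__(self):
        self.groups = {}       # user -> set of group names
        self.rules = {}        # document_id -> list of Rule
        self.exceptions = []
        self.audit_log = []

    def request_license(self, req: AccessRequest) -> dict:
        allow, reason = self._evaluate(req)
        self.audit_log.append(
            (req.at.isoformat(), req.user, req.document_id, req.action, allow, reason)
        )
        # Printing is only ever licensed with a watermark in this model.
        return {"allow": allow, "reason": reason,
                "watermark": allow and req.action == "print"}

    def _evaluate(self, req: AccessRequest):
        member_of = self.groups.get(req.user, set())
        for rule in self.rules.get(req.document_id, []):
            if rule.group in member_of and req.action in rule.actions:
                if rule.managed_device_only and not req.device_managed:
                    return False, "unmanaged device"
                if req.country not in rule.countries:
                    return False, "location not permitted"
                return True, "group policy"
        for ex in self.exceptions:
            if (ex.user == req.user and ex.document_id == req.document_id
                    and req.action in ex.actions and req.at < ex.expires):
                return True, "exception approved by " + ex.approved_by
        return False, "no matching policy"


def demo():
    now = datetime(2021, 9, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    server = PolicyServer()
    server.groups = {"alice": {"engineering"}}
    server.rules = {"cad-001": [Rule("engineering",
                                     frozenset({"view", "edit", "print"}),
                                     frozenset({"DE", "US"}))]}

    def ask(user, action, at, managed=True, country="DE"):
        return server.request_license(
            AccessRequest(user, "cad-001", action, managed, country, at))

    results = {
        "alice_office": ask("alice", "edit", now),
        "alice_print": ask("alice", "print", now),
        "alice_home_pc": ask("alice", "edit", now, managed=False),
    }
    # Alice leaves the company: only the server-side record changes, the copy
    # of the file on her laptop is untouched, yet the next license is refused.
    server.groups["alice"] = set()
    results["alice_after_leaving"] = ask("alice", "view", now + timedelta(days=1))

    # A supplier gets a 24-hour, view-only exception approved by a manager.
    results["supplier_before"] = ask("bob", "view", now)
    server.exceptions.append(TemporaryException(
        "bob", "cad-001", frozenset({"view"}), now + timedelta(hours=24), "dept-manager"))
    results["supplier_during"] = ask("bob", "view", now + timedelta(hours=1))
    results["supplier_print"] = ask("bob", "print", now + timedelta(hours=1))
    results["supplier_expired"] = ask("bob", "view", now + timedelta(hours=25))
    return results, server.audit_log


if __name__ == "__main__":
    for name, decision in demo()[0].items():
        print(name, decision)
```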

Centralized policy management and flexible exception handling are critical for Fasoo customer ZF Group, a global automotive industry supplier. The company deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, in tech centers on three continents. 

“You have to find the right balance between maximum IP protection on one side, and productivity on the other,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems. “You need to be able to quickly adjust access privileges on a granular level, without delay.”

###

Find out more about Fasoo Enterprise DRM and its centralized policy management capabilities here.

Download PDF Icon

Do you know where all your sensitive PDF files are stored?  How well are they protected, and who can access them?

Answering these questions becomes more urgent as unstructured data now accounts for about 80% of business data inventories.  Adobe’s platform-independent PDF files make up a large share of that.

So how can you protect PDF files from prying eyes and against unauthorized editing, printing, copying, or screenshots?  You have several options to pick from:


At-a-glance overview: 6 methods to protect PDF files 

 

1. PDF password protection

At the most basic level, you can protect PDF files with a password.  This feature encrypts the file and also allows you to lock in print, edit, and copy restrictions for the file.

Upside: Adobe Acrobat, 3rd-party PDF editors, downloadable tools, and specialized web apps all enable you to password-protect a PDF file.

Downside: It’s better than nothing, but that’s about it.  Experts agree that passwords provide a false sense of security and poor protection at best.  Tools to “recover” (= crack), circumvent, or remove PDF passwords are readily available.  Sometimes, simple guesswork may be faster: 20% of passwords in Fortune 500 companies were the company name or a variation, security researchers for VPN provider NordPass reported in June 2021.

Screenshot: PDF password removal tools


2. PDF encryption 

The shortcomings of individual password-based PDF encryption make it insufficient for serious document protection.  What happens when a big law firm needs to circulate a “strictly confidential” PDF document among the partners or a manufacturing company shares a PDF of its latest design with its supply chain, for example?  This scenario requires a far more robust approach.  Enter Digital Rights Management (DRM).

Fasoo Enterprise DRM, as an example, integrates with the organization’s centralized user access and policy controls.  When a PDF (or any document) is created, it gets automatically encrypted – no manual password-setting required.  The policy server passes the user credentials to an authentication service, such as Microsoft Active Directory (AD) or SAML, to validate and authenticate users and their document permissions.

Upside: Password-based encryption doesn’t prevent people from picking weak passwords or sharing them with unauthorized users. DRM with access control integration and centralized policy management solves this problem and allows you to change document access and permissions after the PDF is distributed.

Downside: Encryption standards, tools, and cloud services for PDF encryption vary.  Many DRM solutions cover only a limited range of use cases or document formats.  Others, such as Microsoft’s Azure Information Protection (AIP), require specific training and hands-on intervention from PDF users and IT admins.

3. On-screen PDF protection

Did you consider the risk posed by the Print Screen key, screen capture programs, or smartphone cameras?  Specialized solutions that protect a sensitive document while in use enable you to block or discourage efforts by insiders with access to the PDF to capture its content as an image.

Upside: The standard copy and editing restrictions on password-protected PDFs are too easily circumvented.  On-screen PDF protection, such as Fasoo Smart Screen, enables IT administrators to block and monitor screen capture attempts.  

Downside: It’s impossible to prevent a determined person from taking PDF snapshots with a smartphone or camera, no matter what.  That’s why effective deterrence is essential.  For instance, with Fasoo Smart Screen, admins can put a visible “smart” watermark on sensitive PDFs. It contains user-specific information, such as the screen location and who is using it.

4. PDF sanitization

PDF sanitization removes sensitive metadata and other elements, such as comments, JavaScript Actions, or hidden layers, from the document.

Upside: Sanitizing PDFs prevents the inadvertent and potentially harmful leakage of data when a PDF is shared or published.  Metadata and other information buried deep in PDFs can be used to identify employees running outdated software, making them more susceptible to spyware attacks.  It also allows outsiders to gather intelligence about an organization’s internal structures.

Example: A personal assistant’s name gleaned from a non-sanitized PDF allows an attacker to pose as that person in a phishing email sent to a corporation’s CFO.

Security researchers from the University of Grenoble (France) analyzed PDF metadata of 75 security agencies from 47 countries.  “We identified only 7 security agencies which sanitize few of their PDF files before publishing,” they reported earlier this year.  The team still found sensitive information within 65% of sanitized PDF files, attributed to “weak sanitization techniques”.

Downside: None for any government agency, regulated organization, or global enterprise with sensitive data and systems to protect. Tools to sanitize PDF files are available from Adobe and companies that have specialized in document sanitization software.
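A pre-publication check for the leftovers listed above (metadata, comments, JavaScript actions, hidden layers), as an added example that is not part of the original post or of any vendor's tool. It scans raw PDF bytes for the relevant PDF name keys and also looks inside Flate-compressed streams, where a plain-text search sees nothing; encrypted files and other stream filters are not inspected. The sample documents and the `build_sample` helper are constructed.

```python
import re
import zlib

# PDF name keys for the element types named above. /Annots covers comments but
# also links and form fields, so a hit there means "review", not "leak".
MARKERS = {
    "actions": [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA"],
    "annotations": [b"/Annots"],
    "hidden_layers": [b"/OCProperties", b"/OCG"],
    "xmp_metadata": [b"/Metadata"],
}
INFO_STRING = re.compile(
    rb"/(Author|Creator|Producer|Title|Subject|Keywords)\s*\(((?:\\.|[^\\)])*)\)"
)
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Return the Flate-compressed stream bodies, decompressed and joined."""
    out = []
    for match in STREAM.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            out.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate data (image, other filter, encrypted)
    return b"\n".join(out)


def audit(pdf: bytes, expand_streams: bool = True) -> dict:
    """Report which sanitization-relevant elements are still present."""
    data = pdf + b"\n" + inflate_streams(pdf) if expand_streams else pdf
    report = {}
    for category, names in MARKERS.items():
        report[category] = [
            name.decode() for name in names
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", data)
        ]
    report["info_strings"] = [
        (key.decode(), value.decode("latin-1"))
        for key, value in INFO_STRING.findall(data)
    ]
    return report


def is_clean(report: dict) -> bool:
    return not any(report.values())


def build_sample(sanitized: bool) -> bytes:
    """Constructed PDF-like byte string (not a complete, renderable PDF)."""
    hidden = zlib.compress(
        b"<< /S /JavaScript /JS (constructed placeholder, constructed placeholder) >>"
    )
    parts = [b"%PDF-1.7\n"]
    if sanitized:
        parts.append(b"2 0 obj\n<< /Type /Page >>\nendobj\n")
    else:
        parts += [
            b"1 0 obj\n<< /Author (Jane Example) /Producer (ExampleWriter 1.0) >>\nendobj\n",
            b"2 0 obj\n<< /Type /Page /Annots [4 0 R] >>\nendobj\n",
            b"3 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(hidden)
            + hidden + b"\nendstream\nendobj\n",
        ]
    parts.append(b"%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    for label, flag in (("before", False), ("after", True)):
        report = audit(build_sample(sanitized=flag))
        print(label, "clean" if is_clean(report) else report)
```

A clean result from a byte-level scan like this is a minimum bar, not proof of sanitization; the 65% figure quoted above is about files that had been sanitized and still leaked.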


5. PDF usage logs

Keeping tabs on PDFs goes a long way towards effective document protection.  Enterprise-level DRM solutions use dedicated servers to log who views, edits, and prints documents.  They can also alert admins to security breaches.

Upside: Mainly for agencies handling classified information, government contractors, regulated industries, and corporations with large intellectual property caches to protect.  They cannot afford to lose track of critical PDFs.  The Fasoo Integrated Log Manager (FILM), for example, enables security and compliance teams to monitor each document’s usage throughout its lifecycle.

Downside: Businesses that use niche DRM tools report performance issues and productivity loss at scale because employees have to be online when opening PDFs tracked by a 3rd-party server.  Fasoo’s mature Enterprise DRM technology, on the other hand, has rendered this effect a non-issue,  even for global corporations with hundreds of thousands of employees.  PDF usage is tracked online and offline.

6. PDF-on-a-stick

Use a dedicated USB thumb drive with hardware encryption as your portable PDF vault.

Upside: This method makes the most sense for PDF files intended for a small circle of one-at-a-time viewers or editors.  USB sticks with a built-in fingerprint reader work best for this purpose.

Downside: Keep in mind that thumb drives are not designed for long-term data storage of more than 10 years.  USB sticks also get lost, stolen, or mixed up.  Thumb drives protected merely with a numeric passcode or password are still susceptible to hacking or guessing (see: PDF password protection).

 

And the best PDF protection is…

Of the methods presented here, which offers the strongest PDF protection?  Each of them has its advantages and disadvantages.  The answer depends primarily on the specific situation and data that needs to be protected.

What they have in common: None of these measures can, by itself, provide effective and efficient PDF document protection.  That would require combining and hardening them.

Key in this context is the number of PDF versions and file formats you need to cover.  What PDF iterations can the software under review actually protect?  Fasoo Enterprise DRM, for example, supports more than 200 file formats.  It adds an extra layer of protection to each document at the point of creation.

Centralized policy management, flexible exception handling, and granular permission control ensure that PDFs – and other unstructured data – are protected at rest, in use, and in transit.

 

PDF protection for (file) life

This data-centric and platform-agnostic file protection is controlled via Fasoo servers.  It applies whenever, wherever a PDF file is accessed from any device, inside or outside the organization, online or offline.

And yes, it would also have your back when USB thumb drives are involved.  With summer vacation upon us, does that mean you need enterprise-level DRM for your passport and airline tickets?

Only if you’re also reviewing corporate financial data or sales plans on the beach.  Otherwise, you should be fine.  That fingerprint-protected PDF-on-a-stick will do.

###

PDF files often contain sensitive information. Find out more about data that requires extra protection in this brief:
What Unstructured Data is Sensitive?

 

Cover of Biden Administration Executive Order Cybersecurity 05-2021 (NIST)

In its Executive Order on Improving the Nation’s Cybersecurity on May 12th, the Biden administration mandated major improvements to how federal agencies protect their networks and data. How does this affect companies that do business with the federal government (or plan to) and their suppliers and contractors? 

*

“Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors.” That’s how the White House explained in a statement the reasoning behind this executive order.

Following the SolarWinds and Microsoft Exchange incidents and the ransomware attack on Colonial Pipeline, the directive laid out “bold changes and significant investments.” Officials position it as merely a first step. Security experts agree that it is already creating some much-needed momentum.

They predict that the executive order will have a substantial impact on the private sector as well. So if you are tasked with IT security and data protection in such an organization, you want to know what that means for you.

In general terms, the directive aims to help move the federal government to secure cloud services and a zero-trust architecture. It also mandates federal agencies to adopt, on a short-term schedule, multi-factor authentication and “encryption for data at rest and in transit.”

That means data protection along the supply chain is now a priority. To wit, contractors, vendors, and suppliers are mentioned 13 times in the executive order. The specific instructions referring to them make clear: the goal is to create an immediate, yet long-lasting ripple effect far beyond federal agencies.

Enterprise DRM – a shortcut to compliance?

Those ripples are felt in the market already, say insiders.

Case in point: a noticeable uptick in demand for platform-agnostic, file-centric document protection that meets the federal requirements. Industry analysts report a resurging interest in Digital Rights Management (DRM) software, such as Fasoo Enterprise DRM.

DRM solutions for the enterprise have been around for more than a decade. They enable organizations to encrypt and centrally manage their sensitive files throughout the document lifecycle, regardless of device, application, or access location.

So what’s causing the buzz now, in the wake of President Biden’s executive order?

In a nutshell, a mature enterprise DRM solution typically comes with key capabilities baked in that check the boxes mandated by the Executive Order.

Could this be your shortcut to meeting these mandates across your organization and its supply chain, with the least amount of pain and friction? 

Image shows President Biden at swearing-in ceremony at the White House

As always, it depends. Does the solution in question check all the boxes, or only a few? An information protection service that was designed as a tack-on for a limited range of popular office file formats, for example, will fall short. It won’t cover many essential document formats used by federal contractors – CAD files come to mind. 

Other solutions suffer from performance issues at scale and are challenging to maintain and manage. How can you ensure that the enterprise DRM suite you’re evaluating fits the bill? 

Here’s what to look for concerning the provisions in the May 2021 Executive Order on Cybersecurity: 

  • Smart and flexible encryption: Can the enterprise DRM solution under consideration automatically identify unknown data and protect and trace it persistently, regardless of its location? Does it provide the encryption strength mandated for organizations that are part of or do business with the U.S. government? Fasoo’s FIPS 140-2 validated cryptographic modules meet the strict demands of the Cryptographic Module Validation Program (CMVP) run by the National Institute of Standards and Technology (NIST). NIST is tasked with developing the guidelines for the administration’s cybersecurity program.

 

  • Access control: Does the information protection service your organization is considering support the broadest possible range of 3rd party, federated, and proprietary authentication systems, including those used by the federal government? Fasoo Enterprise DRM integrates with Active Directory and other LDAP-compatible and SAML-based systems. Its SSO and other authentication APIs support the full hybrid mix of on-premise, cloud, and WFH digital assets and devices deployed by the federal government and its contractors and suppliers.

 

  • Frictionless rights and exception management: Affected organizations inside and outside the federal government are wary of the mandated “encryption of data at rest and in transit.” They fear that complex systems with inflexible file access and usage policy management would make slow federal workflows even slower. How does the solution under evaluation keep tabs on critical data and who gets to access what, while ensuring compliance with federal mandates and regulations? Will it require filing a support ticket each time a team member needs an exception from file restrictions? Fasoo Enterprise DRM secures information across large organizations without compromising performance. Its centralized management capabilities make exception handling by IT or data owners a fast and straightforward process and reduce IT’s workload.

 

The executive order calls for federal entities to “evaluate the types and sensitivity of their respective agency’s […] data […] The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.”

Several federal agencies are already using Fasoo Enterprise DRM, which enables organizations to automate the identification and tagging of documents for encryption. So do industry leaders in sectors most affected by the changes in the new Executive Order on Cybersecurity. To learn about more factors that drive them to deploy enterprise DRM, check out this conversation between Fasoo CTO Ron Arden and GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie.

Is your organization re-evaluating its document protection options in light of the Biden administration’s cybersecurity plans? Contact our team to find out how federal agencies and their leading contractors leverage Fasoo Enterprise DRM to “adopt the security best practices” as directed by the new executive order.

 


Information security is a big arena, and it seems like there are more and more holes to plug every year. Most organizations focus on perimeter-based security intending to keep out the bad guys. Unfortunately, that doesn’t address the accidental or malicious exposure of sensitive information by trusted insiders. Enterprise-based data-centric security is security for individual files that keeps data safe even after it has left a company’s secure network, and that can be a lifesaver.

To understand why, let’s look at the story of Company X. The Company was a strong, growing, medium-sized enterprise that was earning a reputation in its field. Leadership was aware of the need for strong data security, and the top-level executives invested a lot of time, effort, and money into securing the Company’s network and backing up all files. Its information security efforts focused both internally and externally: they went far beyond a firewall to keep out hackers, implementing smart policies and security controls on internal users to prevent intentional or accidental breaches of sensitive files.

They did everything correctly, right?

Not quite. Their security-savvy measures did not include enterprise-based data-centric security, and that became a fatal weakness when the company sent one of its VPs to a major conference (yes, they are coming back).

Like most leaders, the VP—let’s call him Rob—needed to work while he traveled.  In addition to presenting and networking at the conference, he reviewed progress on a new project still in development.  This included both getting reports from team members back at the office and working with a few other colleagues who had come to the conference.

Rob had remote access to the Company’s secure server and was able to work on files on his secure laptop.  All of this was fine until he needed to share something.  While talking with one of his Company X colleagues at the conference, Rob shared a draft of one of the files.  He moved it to a shared Dropbox folder so the colleague could see it.

What Rob didn’t realize was that this folder had already been shared with other, non-Company peers at the conference.  In other words, the competition.

When a few curious conference goers saw the file, they opened it.  They weren’t asked for a password or any kind of authentication.  And now they had Company X’s trade secrets for the yet-to-be-unveiled project.

Situations like this are not uncommon. Rob certainly didn’t mean to leak secrets or betray his company. It was an honest mistake. And if Company X had had enterprise-based data-centric security, it would have been a harmless mistake. Instead, the lack of data-centric security meant that Company X’s secrets were out in the open, never to be secured again. All they could do was hurry forward on their project and hope to minimize the damage. And, most likely, rethink Rob’s tenure.

Contact us today and protect your business tomorrow with enterprise-based data-centric security.

 

Photo credit DonkeyHotey
