Category: Cybersecurity

A reference of enterprise digital rights management terms and acronyms

IT, security, compliance, and risk management leaders need a reference of terms, acronyms, and key people in the enterprise digital rights management (EDRM) domain. Some terms may be confusing since different companies use different terms for the same thing.

This Enterprise DRM Glossary will be updated regularly and provides clarity for leaders and practitioners. The EDRM glossary draws on various sources, including books, periodicals, websites, subject matter experts, and Enterprise DRM users.

We welcome your feedback and suggestions of terms to include. Contact us at info@fasoo.com.

CAD Security
Centralized Policy Management
Data-centric Security
Data Loss Prevention (DLP)
Digital Rights Management (DRM)
Encryption
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Information Rights Management (IRM)
Insider Threat
Intellectual Property Theft (IP Theft)
Microsoft Azure Information Protection (AIP)
Microsoft Purview Information Protection
PDF Security
Permission
Personally Identifiable Information (PII)
Print Protection
Provisional Permission
Secure File Sharing
Secure Print
Unstructured Data
Zero Trust Document Protection

*

 

 

CAD Security

CAD security, also referred to as CAD file security or CAD protection, describes the methods, means, and measures available to protect Computer-Aided Design (CAD), Computer-Aided Manufacturing (CAM), and Computer-Aided Engineering (CAE) tools and documents specifically against unauthorized access and use.

CAD files, such as 3D CAD drawings, are unstructured data. Manufacturing companies and design engineering firms looking to protect CAD files face particular challenges. The primary reasons are:

  • the wide range of niche applications and file formats not covered by information rights management solutions for common office document formats (example: Microsoft AIP),
  • the weakness of traditional CAD file password protection,
  • the lack of end-to-end encryption and loss of oversight and control in many organizations when sharing CAD files by email or in the cloud.  

Examples are the automotive industry and the mobility sector in general, where CAD files often contain a company’s most valuable know-how. CAD file protection gaps at the endpoint and remote work risks were exacerbated during the coronavirus pandemic. They contributed to an increase in IP theft by insiders and data exfiltration by external threat actors.

In response, manufacturers are adopting Enterprise Digital Rights Management – Enterprise DRM – to ensure end-to-end CAD file protection and centralized policy management and control beyond the company’s IT perimeter. This approach is based on a data-centric security model. Solutions such as Fasoo Enterprise DRM ensure CAD file security at rest, in transit, and in use. Derivatives, for example, 3D models excerpted as PDF files, automatically inherit the file security of the enterprise DRM-protected CAD file, which can include secure print protection.

Source: Enterprise DRM Glossary. Reference: How to Protect CAD Files and Workflows Against IP Theft (Fasoo Blog)

*

 

 

Centralized Policy Management

A centralized security policy simplifies managing permissions on documents and ensures a consistent policy across an organization. The policy is persistent yet flexible and allows the organization to manage security rather than relying on individuals to make security decisions.  Compare this to the built-in PDF password protection feature provided by Adobe.

From the organizational perspective, the latter means putting the document’s fate into the hands of its creator.  The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely.  It also forces users to become security experts.

In comparison, the advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go.  This includes changing policies for a user or group at any time, regardless of where the document resides.

Users can be granted the right to maintain complete control over their documents, in those situations where it’s warranted.  This provides a layered approach giving users and groups autonomy for certain documents while maintaining centralized control of the organization.

For example, a Finance user creates a document and it is encrypted upon saving it.  All users in the Finance group automatically have access to the document.  The user decides she needs Legal to review the document, so she can manually grant them access.  If the user leaves the company or moves to another department, the document is still accessible by Finance and Legal.  The organization maintains control.

For solutions without centralized control options, like Microsoft AIP, it is difficult to implement and change security policies with many users and constantly changing roles. The considerable burden of keeping up-to-date and in sync with the needs of departments or business units often falls on the individual creator of the document.

*

 

 

Data-centric Security

The data-centric security model aims to enhance information protection regardless of where the data resides or with whom it is shared. It is considered a core part of a Zero Trust approach to information security. Data-centric security is independent of networks, servers, locations, and devices and marks a departure from the traditional “device-centric” or location-centric security model.

Enterprise DRM applies the data-centric security model by taking a file-centric approach to secure unstructured data, such as MS Office documents, CAD/CAE files, PDF, plain text, and other digital media file types. This approach means that, in contrast to other methods, persistent encryption and Identity and Access Management (IAM) are tied to and travel with the file.

Data-centric security management requires organizations to know what data they have and its security and privacy requirements. To make data-centric protection of unstructured data feasible at scale, they have to rely on standardized mechanisms to catalog and categorize data. Fasoo Enterprise DRM, for example, applies file-centric protection based on data classification tags to

  • Encrypt the file contents: If exfiltrated, the sensitive data is obfuscated and is of no value to threat actors;
  • Limit file access to authorized users only: Users can be individuals, departments, business units, or defined by role or title.

Historically, organizations adopted file-centric solutions for specific use cases. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policy management ensures IT and data owners can grant access and apply protection consistently across all networks, devices, endpoints, and cloud services.

Source: Enterprise DRM Glossary. Reference: Data-centric security is key to resiliency, cyber risk report says (VentureBeat),  Protect-first Approach to Data-centric Security (Fasoo Brief), Data-centric Security (Fasoo Archive)

*

 

 

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) describes tools and methods to prevent sensitive data, such as Personally Identifiable Information (PII) or business-critical intellectual property, from leaving an organization without proper authorization. 

To that effect, DLP software categorizes documents and emails and analyzes user behavior to restrict the transfer of data. The underlying rules and filters have to be maintained and adjusted by IT in coordination with other stakeholders to minimize workflow interruptions. 

Organizations can apply DLP only to their internal data flow. Unlike Enterprise DRM, it does not protect confidential information once data has been intentionally or unintentionally exfiltrated. A typical example is an email mistakenly sent to the wrong address. Like antivirus software or web filters, DLP components have become a staple of information security in the enterprise. As part of the point solutions mix, they often complement particular applications or tools, such as cloud security services or Microsoft AIP.

Larger organizations frequently leverage DLP to ensure compliance with data protection regulations such as GDPR, CCPA, or HIPAA. Critics blame DLP for creating a false sense of security and point to its blind spots (USB drives, SaaS file-sharing applications, enterprise messaging apps) and its focus on internal file downloads and sharing.

Source: Enterprise DRM Glossary. Reference: DRM and DLP: Comparison Made Simple (Fasoo Blog), Data Loss Prevention (NIST Computer Security Resource Center Glossary)

*

 

 

Digital Rights Management (DRM)

Digital Rights Management (DRM) describes the tools, systems, and data-centric processes used to automatically encrypt unstructured data and dynamically control file access privileges at rest, in use, and in motion. In the consumer space, DRM aims to control the use, modification, and distribution of copyrighted material, such as computer software and multimedia files.

In business, Enterprise DRM ensures data-centric document protection inside and outside the IT perimeter and along an organization’s supply chain to protect sensitive information against theft or misuse by insiders and unauthorized access from the outside.

Source: Enterprise DRM Glossary. Reference: What is Digital Rights Management? (Fortinet Cyber Glossary)

*

 

 

Encryption

The term encryption describes the cryptographic transformation of data into a form that conceals its original content to prevent it from being known or used. Decrypting the encrypted information requires the correct key.

Enterprise DRM provides an additional layer of security through its data-centric combination of encryption and access control. Fasoo Enterprise DRM, for example, encrypts files containing sensitive unstructured data and limits access to the encrypted file to authorized users only within their given permissions. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

Fasoo EDRM encrypts files using a Packager. DRM-enabled documents cannot be opened without a DRM Client, which requests a “license” from the DRM Server. The DRM Server issues that license according to the security policy for the user and the document, which can be applied and flexibly adjusted using centralized policy management and exception handling. The DRM Client then decrypts the DRM-enabled document and sends the data to a rendering application, such as Microsoft Word, a PDF reader, or a CAD engineering tool.
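The Packager / DRM Client / DRM Server flow just described, as an added worked model (illustration only, not Fasoo's code; the component and method names are assumptions). The Packager encrypts the file under a per-document key and leaves no key in the file; the server releases the key inside a license only after checking the user's policy; the client verifies and decrypts before handing plaintext to the rendering application. Python's standard library has no AES, so the per-document cipher below is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for the AES-256 the entry names:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in cipher (assumption, see lead-in): HMAC-SHA256(key, nonce || counter)
# produces 32-byte keystream blocks that are XORed with the data.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

@dataclass
class DrmEnvelope:
    """What the Packager writes to disk: ciphertext and metadata, never the key."""
    doc_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes

@dataclass
class License:
    doc_id: str
    user: str
    permissions: frozenset
    key: bytes  # released only for this user and this document

class DrmServer:
    """Holds document keys and the centrally managed per-document policy."""
    def __init__(self):
        self._keys = {}
        self._policy = {}  # doc_id -> {user: frozenset(permissions)}

    def register(self, doc_id, key, policy):
        self._keys[doc_id] = key
        self._policy[doc_id] = {u: frozenset(p) for u, p in policy.items()}

    def issue_license(self, user, doc_id):
        perms = self._policy.get(doc_id, {}).get(user, frozenset())
        if not perms:
            return None  # no license, so the client never sees the key
        return License(doc_id, user, perms, self._keys[doc_id])

class Packager:
    def __init__(self, server):
        self.server = server

    def package(self, doc_id, plaintext, policy):
        key, nonce = os.urandom(32), os.urandom(16)
        ciphertext = _keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        # Assumption: the Packager hands the key to the server out of band.
        self.server.register(doc_id, key, policy)
        return DrmEnvelope(doc_id, nonce, ciphertext, tag)

class DrmClient:
    def __init__(self, server):
        self.server = server

    def open_document(self, user, env):
        """Request a license, verify integrity, decrypt, return (plaintext, permissions)."""
        lic = self.server.issue_license(user, env.doc_id)
        if lic is None:
            raise PermissionError(f"{user}: no license for {env.doc_id}")
        expected = hmac.new(lic.key, env.nonce + env.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, env.tag):
            raise ValueError("envelope tampered with or key mismatch")
        return _keystream_xor(lic.key, env.nonce, env.ciphertext), lic.permissions

if __name__ == "__main__":
    server = DrmServer()
    # Constructed sample document and policy.
    env = Packager(server).package("doc-1", b"design spec", {"alice": {"view", "edit"}})
    print(DrmClient(server).open_document("alice", env))
```

The point to notice is that the policy check sits in front of key release: a user without any permission never obtains material with which to decrypt, and a modified envelope is rejected before its contents reach a rendering application.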

Document encryption with Fasoo is based on FIPS 140-2 validated cryptographic modules that meet the requirements of the Cryptographic Module Validation Program (CMVP) run by the United States National Institute of Standards and Technology (NIST). Fasoo uses AES with 256-bit keys, a symmetric block cipher. This is the same encryption the National Security Agency (NSA) and banks use to protect sensitive data. Using FIPS-validated modules means it delivers the encryption strength required for organizations that are part of or do business with the U.S. federal government.

Source: Enterprise DRM Glossary. Reference: To Encrypt or Not to Encrypt (Fasoo Blog), Encryption (Fasoo Archive)

*

 

Enterprise Digital Rights Management (Enterprise DRM, EDRM)

Enterprise Digital Rights Management (EDRM) enables organizations to persistently protect, control, and track sensitive documents at rest, in transit, and in use. Also referred to as Information Rights Management (IRM), this data-centric protection applies to any device throughout the entire document lifecycle.

By encrypting files and leveraging granular controls through centralized policy management, Enterprise DRM allows organizations to limit viewing, editing, printing, and sharing of sensitive content with unauthorized users within and outside the organization’s IT perimeter.

Historically, the challenges of persistent policy enforcement earned many enterprise DRM solutions a reputation for being complex to deploy. This perception has changed, and industry observers agree.

According to Gartner analysts, enterprise DRM now “is one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

Industry observers credit Fasoo Enterprise DRM with driving much of this development. Its flagship installation spans over 170,000 internal users and over 700,000 total users of affiliates and partners worldwide.

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM Whitepaper 

*

 

 

Information Rights Management (IRM)

See Enterprise DRM

*

 

 

Insider Threat

An insider threat is defined as the potential for a person with authorized access to or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.

Insider threats, such as IP theft by employees or contractors, are among the main risks to be considered when securing sensitive information in the form of unstructured data, such as office documents, PDFs, or CAD files. According to a 2020 survey conducted by the Ponemon Institute (PDF) and sponsored by ObserveIT and Proofpoint, 60% of polled organizations worldwide encountered more than 30 insider-related incidents per year involving digital assets.

The National Insider Threat Awareness Month library at the Center for the Development of Security Excellence offers guides, real-world case studies, videos, and web-based games to help organizations detect, deter, and mitigate insider threats.

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog), Insider Threat Report (Fasoo Resources)

*

 

 

Intellectual Property Theft (IP Theft)

The term Intellectual Property Theft (IP Theft) describes the act of stealing ideas, creative expressions, inventions, or trade secrets – collectively known as Intellectual Property (IP) – from the person or company who owns them. IP theft is against the law. Patent, copyright, and trademark laws, among others, aim to protect intellectual property owners.

In the digital sphere, most intellectual property exists in the form of unstructured data. Movies, music, and computer software all can be targets of IP theft, as can confidential office documents (example: pricing discounts), PDF files (example: employee W-2 forms), images (example: product concept studies), or CAD templates (example: digital blueprints of manufacturing designs).

Who is committing IP theft? According to experts, insiders – i.e. (former) employees, contractors, or supply chain partners – are behind most IP theft cases. Many perpetrators knowingly or unknowingly play into the hands of people outside their organization, such as agents for a foreign power or corporate spies hired by a competitor.

Western counterintelligence professionals attribute the rise of IP theft in the U.S. and the European Union mainly to China. Its Thousand Talents Plan, conceived by the Chinese Communist Party, drives the recruitment of engineers and scientists in the US and the EU as part of a state-sponsored IP theft campaign on a global scale.

In more than 50% of documented IP theft cases, the perpetrators were employees who quit and took proprietary information with them because nothing stopped them. This risk has significantly increased with the shift to remote work caused by the COVID-19 pandemic.

How can companies prevent IP theft? Increasingly, larger organizations deploy Enterprise Digital Rights Management (EDRM) to secure documents and eliminate opportunities for IP theft across the enterprise and along its supply chain. Information security experts see EDRM as uniquely positioned to prevent IP theft, or to prevent further damage in cases where protected files have already been exfiltrated.

Information security professionals describe mainly three reasons for Enterprise DRM’s effectiveness in protecting large organizations against IP theft:

  • EDRM combines access control with data-centric security that protects files at rest, in use, and in transit. This device-agnostic protection applies inside and outside the organization’s IT perimeter from the point of creation throughout the document lifecycle.
  • Centralized policy management and flexible exception handling enable IT and document owners to eliminate IP theft blind spots. They also let them quickly adapt document use policies to meet the demands of dynamically changing environments, such as remote work scenarios (see also: Secure Print). Fasoo Enterprise DRM is an example. It empowers organizations to maintain granular control over sensitive data even if that information is shared – intentionally or mistakenly – outside the organization.
  • EDRM delivers comprehensive document security at scale, encompassing the broad spectrum of document formats and applications common in globally operating organizations. Fasoo Enterprise DRM, for example, supports more than 230 file formats, including a wide range of PDF and CAD types.

In the fight against IP theft, the capabilities listed above put designated EDRM solutions like Fasoo Enterprise DRM at a distinct advantage. Point solutions developed to protect primarily one document software ecosystem and a limited number of 3rd-party file formats (example: Microsoft AIP) cannot provide the same coverage. 

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog); What’s the Biggest Challenge Manufacturing Companies Face in Their Fight Against IP Theft? (Fasoo Blog)

*

 

 

Microsoft Azure Information Protection (AIP)

Azure Information Protection (now known as Purview Information Protection) is a data protection solution developed by Microsoft. It lets organizations discover, classify, and protect documents and emails. AIP was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.

See Microsoft Purview Information Protection for current information.

Source: Enterprise DRM Glossary. Reference: FAQ: Five Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP, What is Azure Information Protection? (Microsoft)

*

 

 

Microsoft Purview Information Protection

Purview Information Protection (formerly known as Azure Information Protection and Microsoft Information Protection) is a data protection solution developed by Microsoft. It is part of the larger Microsoft Purview suite of tools that lets organizations discover, classify, and protect documents and emails. It was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.

Source: Enterprise DRM Glossary. Reference: How does Fasoo Enterprise DRM (EDRM) compare to Microsoft Purview Information Protection? (Microsoft)

*

 

 

PDF Security 

Many cybersecurity professionals consider PDF security an oxymoron because of the weaknesses of the password protection and encryption of Adobe’s platform-independent file format.

Depending on the use case, adequate PDF document protection can require a combination of various 3rd-party tools and methods. Examples are PDF password protection, encryption, on-screen protection, secure print, PDF sanitization, and PDF usage monitoring.

In large organizations, the number of PDF files and versions to be secured adds to the challenge. IT can overcome this challenge with Enterprise DRM, which provides an additional layer of PDF protection.

One example is Fasoo Enterprise DRM, which integrates the most powerful PDF protection mechanisms. It supports more than 230 file formats and ensures that sensitive PDF files are protected at rest, in use, and in transit.

Source: Enterprise DRM Glossary. Reference: Document Protection: How to Secure a PDF? (Fasoo Blog)

*

 

 

Permission

Permissions are required to perform a particular action, such as View, Edit, and Print, on a document secured with Enterprise DRM. A user can only perform an action on a secured document when granted the proper permission, either set via centralized policy management, granted specifically by a data owner, or obtained by requesting provisional permission.

Source: Enterprise DRM Glossary. Reference: World’s Steel Manufacturing Leader Adopts Fasoo Enterprise DRM (Fasoo Success Stories)

* 

 

 

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is defined as any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.

PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.

PII is often maintained in the form of unstructured data, e.g., in Microsoft Office documents, PDF files (example: W-2 records), or computer printouts. Files containing PII are best protected by encrypting them at the point of creation. Adequate protection covers the document lifecycle in its entirety and includes provisions for data transfers to other media, such as screen photos or printouts.

Source: Enterprise DRM Glossary. Reference: What is Personally Identifiable Information? (Department of Homeland Security), What Unstructured Data is Sensitive? (Fasoo Brief),  PII Data Breach Archives (Fasoo Blog)

*

 

 

Print Protection

See Secure Print

*

 

 

Provisional Permission

When a user does not have permission for a specific action in a document secured with Enterprise DRM, the user can request temporary permission, i.e., an exemption from the current security policy. If approved by the administrator or document owner, the user can perform that action with the given provisional permission for a time period defined by the policy.
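The three permission sources this glossary describes (the central group policy from the Centralized Policy Management entry, a data owner's own grant, and a time-boxed provisional permission approved by an administrator or the document owner) as one added worked model. It is an illustration with constructed names, not Fasoo's policy engine; the directory layout, the "admins" group, and the rule that only the creator counts as document owner are assumptions. It replays the Finance/Legal scenario above: the creator's departure does not revoke what the organization set centrally or what she granted:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Provisional:
    user: str
    action: str
    expires: datetime

@dataclass
class DocumentPolicy:
    doc_id: str
    creator: str
    group_rules: dict                                 # group -> set(actions), set centrally
    owner_grants: dict = field(default_factory=dict)  # user or group -> set(actions)
    provisional: list = field(default_factory=list)   # approved, time-boxed exceptions

class PolicyServer:
    ADMIN_GROUP = "admins"  # assumption: members may approve provisional requests

    def __init__(self, directory):
        self.directory = directory  # user -> set of groups; a departed user is absent
        self.docs = {}

    def _groups(self, user):
        return self.directory.get(user, set())

    def create(self, doc_id, creator, group_rules):
        # Central policy is attached when the document is created (encrypted on save).
        self.docs[doc_id] = DocumentPolicy(doc_id, creator,
                                           {g: set(a) for g, a in group_rules.items()})

    def owner_grant(self, doc_id, owner, principal, actions):
        doc = self.docs[doc_id]
        if owner != doc.creator or owner not in self.directory:
            raise PermissionError(f"{owner} may not grant on {doc_id}")
        doc.owner_grants.setdefault(principal, set()).update(actions)

    def request_provisional(self, doc_id, user, action, approver, hours, now):
        doc = self.docs[doc_id]
        is_admin = self.ADMIN_GROUP in self._groups(approver)
        is_owner = approver == doc.creator and approver in self.directory
        if not (is_admin or is_owner):
            raise PermissionError(f"{approver} cannot approve provisional permission")
        doc.provisional.append(Provisional(user, action, now + timedelta(hours=hours)))

    def permitted(self, doc_id, user, action, now):
        """True if central policy, an owner grant, or an unexpired exception allows it."""
        doc = self.docs[doc_id]
        principals = {user} | self._groups(user)
        if any(action in doc.group_rules.get(p, set()) for p in principals):
            return True
        if any(action in doc.owner_grants.get(p, set()) for p in principals):
            return True
        return any(p.user == user and p.action == action and now < p.expires
                   for p in doc.provisional)

def finance_legal_scenario():
    """Replays the glossary's Finance/Legal example with constructed users."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    server = PolicyServer({"dana": {"finance"}, "erin": {"finance"},
                           "lee": {"legal"}, "ops": {"admins"}})
    server.create("budget.xlsx", "dana", {"finance": {"view", "edit", "print"}})
    r = {}
    r["finance_view"] = server.permitted("budget.xlsx", "erin", "view", now)
    r["legal_before_grant"] = server.permitted("budget.xlsx", "lee", "view", now)
    server.owner_grant("budget.xlsx", "dana", "legal", {"view"})  # creator adds Legal
    r["legal_after_grant"] = server.permitted("budget.xlsx", "lee", "view", now)
    del server.directory["dana"]  # creator leaves the company
    r["finance_after_departure"] = server.permitted("budget.xlsx", "erin", "view", now)
    r["legal_after_departure"] = server.permitted("budget.xlsx", "lee", "view", now)
    r["creator_after_departure"] = server.permitted("budget.xlsx", "dana", "view", now)
    # Legal needs to print once: admin approves a two-hour provisional permission.
    server.request_provisional("budget.xlsx", "lee", "print", "ops", 2, now)
    r["provisional_active"] = server.permitted("budget.xlsx", "lee", "print",
                                               now + timedelta(hours=1))
    r["provisional_expired"] = server.permitted("budget.xlsx", "lee", "print",
                                                now + timedelta(hours=3))
    return r

if __name__ == "__main__":
    for check, outcome in finance_legal_scenario().items():
        print(f"{check}: {outcome}")
```

Because every decision is evaluated against the server-side policy at access time rather than baked into the file, changing a group rule or letting an exception expire takes effect wherever the document currently resides.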

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM White Paper (Fasoo)

*

 

Secure File Sharing

Secure file sharing (also referred to as secure file exchange) describes the process of making unstructured data available to other authorized users while preventing access by others who lack proper authorization. In business environments, secure file sharing with Enterprise DRM enables individual users to transfer Microsoft Office documents, audio or video files, images, PDFs, or CAD drawings, for example, within or outside their organization, without exposing sensitive information to data theft or manipulation by unauthorized parties.

Modern digital rights management solutions enable secure file exchange based on a data-centric security model. This approach overcomes the weaknesses and limitations of traditional device-based security or file password protection (see also: PDF Security and CAD Security). It also surpasses the protection provided by file-sharing tools such as Box, Dropbox, or OneDrive, which offer encryption in the cloud and in transit, but fall short once a document reaches the recipient. Fasoo Enterprise DRM, for example, automatically encrypts each file at the point of creation and applies access policies that are centrally managed. 

Files secured with Enterprise DRM remain protected no matter where they go. This way, the data owner remains in control of if and how a shared file can be accessed, regardless of its location. The protection is device-agnostic and travels with the file. Users can securely share files without risking protection gaps on portable storage media, cloud storage services, home office printers, or when documents are sent as email attachments, for example.

Source: Enterprise DRM Glossary. Reference: Data-centric Security (Fasoo Blog Archive)

*

 

 

Secure Print (Secure Printing)

Secure print describes capabilities that enable the prevention and detection of document leaks or exfiltration via print output. In Enterprise DRM, policy-based print protection lets data owners centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts.

Fasoo Enterprise DRM, for example, takes a printer-agnostic approach to secure printing. This approach eliminates problems with using different printers or print drivers. Here’s how it works:

The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels for plain and EDRM-secured documents alike.

Source: Enterprise DRM Glossary. Reference: Document Security: What Is Secure Print? (Fasoo Blog)

*

 

 

Unstructured Data

85% of today’s digitally stored information consists of unstructured data, which means it lacks a pre-defined data model or internal data organization. Examples include office documents, CAD/CAE files, PDFs, emails, videos, blogs, customer support chat logs, and social media.

Structured data, by comparison, is defined as data that is easily grouped, processed, and analyzed by rows and columns in relational databases. It only accounts for 15% of today’s information.

Unstructured data poses numerous security and regulatory compliance challenges. These are not addressed by traditional network, device, and application cybersecurity and risk management approaches. This coverage gap is the reason why storing and sharing sensitive information in free-form documents creates numerous opportunities for leakage or exfiltration of proprietary or otherwise sensitive data.

Confidential files containing intellectual property, PII, or printouts of HIPAA-protected personal health information (PHI) are three examples of unstructured data potentially at risk of unauthorized access due to negligent or malicious insider behavior or cyber-attacks.

Sensitive unstructured data falls into two broad categories: regulated or unregulated. The adequate protection of regulated unstructured data is required by law (examples: GDPR, CCPA). Unregulated data includes both business-sensitive and publicly known information. Determining what content requires protection is left to the discretion of the business that owns, stores, or processes it.

Source: Enterprise DRM Glossary. Reference: What Is Unstructured Data And Why Is It So Important to Businesses? An Easy Explanation for Anyone (Forbes Enterprise Tech); Structured vs. Unstructured Data (Datamation); What Unstructured Data is Sensitive? (Fasoo)

*

 

 

Zero Trust Document Protection

Zero Trust document protection describes minimizing uncertainties in enforcing accurate access decisions regarding unstructured data. It delineates the shift from a device and location-centric security model to a predominantly data-centric approach.

The goal is to prevent unauthorized access to files containing confidential data by making access control enforcement as granular as possible. The Zero Trust approach requires fine-grained security controls between users, systems, data, and assets. Enterprise DRM is considered a cornerstone of any viable Zero Trust document protection strategy, according to document security experts. They point to its data-centric security model, strong encryption, and tight integration with all leading identity and access management systems.

The Zero Trust approach achieved official cybersecurity policy status with the 2021 Executive Order on Improving the Nation’s Cybersecurity issued by the Biden administration. While the directive primarily aimed to move federal agencies to secure cloud services and a zero-trust architecture, it since has sent ripple effects through the private sector. 
Source: Enterprise DRM Glossary. Reference: “5 data protection tips for maintaining trust in the Zero Trust era,” in Financial Services: How to Boost Your Remote Work Surveillance; 3 Top Document Protection Takeaways from the May 2021 Executive Order on Cybersecurity (Fasoo Blog)

*

Fasoo zero-trust data security platform showcased at Gartner summit

A major focus at this year’s Gartner Security & Risk Management Summit in National Harbor, MD was on reframing and simplifying security to drive your business, not inhibit it.  There was a lot of talk about Zero Trust architectures and how they are critical to real security as more of us work from home and the threats to our sensitive data grow exponentially.

One area of concern is how to find and protect sensitive data without impacting how employees, business partners, and customers work.  With a hybrid workplace becoming the norm for many, this has taken on a new urgency.

At the Fasoo booth, a lot of people talked about the challenges of combining different technologies to address data security in the cloud, in the office, working at home, and sharing with partners and customers.  Companies are looking to consolidate capabilities to fewer tools and focus on more of a platform approach to address their needs.  A constant problem is setting different policies in many tools that still focus more on protecting the location of data rather than the data itself. 

One executive from a manufacturing company talked about how difficult it is to manage all the systems to protect identity and data in so many places.  She has one set of rules for her DLP system that alerts when sensitive documents are shared outside the company.  She has another set of policies to govern CASB to manage cloud access.  And a third set of policies for partner access to data repositories.  But none of them really protect the data since once a user has access, they can do whatever they want with it.

Fasoo Presentation on True Zero Trust

On Wednesday, June 8, 2022, Anthony Juliano, CTO & General Partner of Landmark Ventures; John Herring, President & CEO of Fasoo, Inc.; and Ron Arden, Executive Vice President, CTO, and COO of Fasoo, Inc., presented “Fasoo: Build a True Zero-Trust Data Security Platform”.  John talked about the challenges we’ve had in the last few years as people moved to hybrid work and the threats to sensitive data keep growing.  Documents have a habit of multiplying and getting into all sorts of places without security that protects the data itself.

Anthony focused on data security platforms (DSP) and Gartner’s research on the need to eliminate the patchwork of silo-specific controls that actually increase risk rather than minimize it.  Simpler policy enforcement and unified approaches will prevail as companies choose a DSP with high levels of flexibility that work throughout the entire data lifecycle.  This includes eliminating redundant, obsolete, and trivial (ROT) data to minimize the threat surface and simplify protection.

Fasoo zero-trust data security platform showcased at Gartner summit

Ron talked about the capabilities of a true zero-trust platform that enables universal control of data at rest, in transit, and especially in use, while continuously validating that a user should have access to that data every time they use it.  Rather than focusing on pieces of a solution, the Fasoo Data Security Platform helps organizations discover, classify, manage, protect, share, audit, monitor, and analyze sensitive data.  Since the fundamental principle is to protect first by encrypting and controlling the use of the data, it removes many of the concerns of protecting every location the data travels.

Gartner Presentations Reinforce Fasoo Approach

There were many Gartner analyst presentations that focused on zero trust, data security, and data security platforms. One session highlighted that “60% of organizations will embrace Zero Trust as a starting point for security by 2025.” Many of the sessions directly reinforced Fasoo’s approach to zero trust, and below are some of the highlights:

 

Andrew Bales: Outlook for Data Security

  • Andrew addressed Gartner’s prediction that “By 2025, 30% of organizations will adopt a Data Security Platform (DSP), due to the pent-up demand for higher levels of data security and the rapid increase in product capabilities.” The presentation reviewed the evolution of data security capabilities and their convergence into a centralized platform.  Fasoo leads the industry in unstructured data product consolidation with its Zero Trust DSP.

Michael Hoeck: How to Secure Your Data Using Data Security Platforms

  • Michael identified a category of DSPs that are more narrowly focused on use-case driven needs, in particular for unstructured data, that do a better job than more broad-spectrum platforms.  Fasoo’s DSP specifically addresses unstructured data security and privacy use cases.

Neil MacDonald: A Pragmatic Approach to Implementing a Zero Trust Security Architecture

  • Neil highlighted the importance of data encryption at rest and in transit in a zero-trust architecture. Fasoo extends this to control over data in use and is a critical element of evolving security service edge (SSE) architectures, which focus more on security capabilities and less on network connectivity and infrastructure.

Anthony Carpino: Technical Insights: Dark Data, Data Security’s Biggest Miss

  • Anthony reported that “Dark data could be between 52 to 90% of the data our business stores and know very little about its content including the risk that could be lurking within it.” He identified discovery, classification, auditing, and data protection as key features to shed light on dark data, all of which are core processes in Fasoo’s DSP.

Fasoo booth at GSRM 2022 showing data protection

During the course of the summit, many attendees and analysts came to the Fasoo booth to understand how Fasoo’s Zero Trust Data Security can meet security and privacy regulations and protect sensitive data from both internal and external threats.

One IT manager wanted an easy way to protect IP from going out the door when employees left the company and also needed to share sensitive information securely with customers.  He liked how the Fasoo Data Security Platform could help with both in one solution.

A number of visitors commented that Fasoo technology is very robust, balances security with usability, and integrates with an organization’s existing infrastructure.  A common strategy is to make the technology almost invisible to users unless they try to violate a security policy.  I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.” 

Meet ISO 21434 for Cybersecurity in the Global Automotive Industry

Electric cars, hydrogen cars, self-driving cars …

In the near future, we will see a completely different automobile industry from what we see today.  And what’s emerging as one of the most important topics with these recent changes?  Security.

In particular, Level 3 autonomous cars, which provide conditional automation that can make informed driving decisions, will start arriving this year.  Mercedes-Benz has already received internationally valid regulatory approval to produce vehicles capable of Level 3 autonomous driving.  BMW, Audi, Honda, Volvo, GM, and Tesla, among others, also have similar projects in the works.

Level 3 autonomous driving, as defined by SAE International, means that the driver can hand over control to the vehicle but must be ready to take over when prompted. Autonomous vehicles communicate over, and receive data from, far more sensors and interfaces than electric or hybrid vehicles. Each of these widens the attack surface, which raises the risk that vehicle owners’ personal information and sensitive data about the vehicle software are leaked.

Global Security Requirements

Against this backdrop, the global automobile industry is investing heavily in security-related technology development and certification. Automotive cybersecurity regulation has also been tightened: manufacturers selling into the United States, the EU, Japan, Korea, and other markets are expected to identify and respond to threats in accordance with the international standard ISO/SAE 21434. This standard specifies engineering requirements for cybersecurity risk management in the design and development of vehicle electronics. It covers cybersecurity governance and organization, secure engineering throughout the vehicle life cycle, and post-production security processes. The supply chain is also in scope, covering each step in automotive production.

New vehicle types approved in Europe from July 2022, and all new cars sold in the 54 countries that apply the rules from July 2024, must meet these requirements. The dates come from UNECE regulation UN R155; ISO/SAE 21434 is the engineering standard manufacturers use to demonstrate compliance with it. The manufacturer must hold a certificate of compliance for its cybersecurity management system, which includes protecting the sensitive data used in the design, development, manufacturing, and servicing of these vehicles.

All phases of a connected vehicle’s lifecycle covering electrical and electronic systems, including their components and interfaces, are covered in ISO/SAE 21434 including:

  • Design and engineering
  • Production
  • Operation by customer
  • Maintenance and service
  • Decommissioning

This lifecycle approach to cybersecurity management makes ISO/SAE 21434 one of the most comprehensive approaches to connected vehicle cybersecurity. Assessment reports issued by accredited certification bodies are widely recognized across these markets, including the United States, Europe, Korea, and Japan, and carry equal weight internationally. Compliance with security regulations now serves as a “right to enter” new markets; only companies that can demonstrate it can export and win new supply chain business.

Getting TISAX and ISO 21434 Certified

TISAX (Trusted Information Security Assessment Exchange), a cybersecurity assessment framework devised by the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA), has established itself as an information security standard in the global automotive industry. Sensitive data in CAD/CAE files, office documents, and supplier information, which are at the center of corporate competitiveness, are shared across a huge supply chain. Since important information circulates on a much larger scale than in other industries, partners must demonstrate their security level to each other to prevent information leakage during collaboration.

Protecting files to design, develop, manufacture and service autonomous vehicles

Virtually all companies in the German automotive supply chain (automobile manufacturers, OEMs, partners, suppliers), whether based in Germany or not, must demonstrate a level of information security management in accordance with the requirements set out by the VDA-ISA.  The problem is that TISAX and ISO 21434 certifications are complex and difficult to obtain compared to other international standard information security certifications (ISO) or information security management system certifications (ISMS).

Protect Sensitive Vehicle Information

The best approach to meet the certifications and enable selling into global markets is to use a data-centric security approach to protect and manage files that contain the sensitive data used during the design, development, and manufacture of autonomous vehicles.

Enterprise DRM (EDRM) protects sensitive information from unauthorized access and controls what an authorized user can do with it. By encrypting the files and applying dynamic access controls, you can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information. You can control derivatives of documents, since engineers and other users frequently share PDFs or other common formats both internally and throughout the supply chain. Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network. You can also revoke access or change permissions after you distribute a document, if the sensitivity of the information changes or the set of people who should have access to it changes.

Protecting your sensitive intellectual property (IP) while complying with ISO/SAE 21434 and TISAX will be critical for any company working in the automotive industry.  Using EDRM to protect your files without changing user workflows will meet these requirements so you can compete in this market.

Do you have questions about protecting CAD files and other sensitive data with Enterprise DRM?
Contact us here.

Image shows wall-mounted home office surveillance cameras

Remote work is putting sensitive data at risk. That we can all agree on. Traditional endpoint protection frequently fails. So what about stronger surveillance of remote employees at home?

*

Let’s monitor the heck out of them, shall we?

That seems to be the approach of some financial services firms whose remote workers handle sensitive financial data and Personally Identifiable Information (PII). Is remote work surveillance a good idea? 

Perhaps, if your organization is craving attention – from the Washington Post, for example – for all the wrong reasons: privacy concerns, lawsuits, alienated employees and contractors. 

“Excessive surveillance,” writes ZD Net’s Owen Hughes, “is having profoundly negative effects on the workforce.”

But does it work?

 

Why monitor employees at home?

You see, that’s the other catch: it may not be worth the effort and expense. Digital surveillance, warns TechTarget’s Computer Weekly (UK), may “increase enterprise risk” by “forcing remote workers towards shadow IT.”

In short, excessive work-from-home surveillance doesn’t only erode trust and productivity. It also results in weaker data protection and employees leaving for the competition. 

What’s not to love? Perhaps you agree: pretty much everything, if you value your employees and work culture.

The tips below favor a non-creepy approach that is more sustainable: 

 

5 data protection tips for maintaining trust in the Zero Trust era  

Fasoo’s data-centric security model maximizes document protection – not the surveillance of the people handling them from home. Fasoo enables IT to secure and keep tabs on sensitive unstructured data throughout the document lifecycle, instead of putting employees and contractors under home office surveillance.

  • Stay vigilant; keep watching. 

Fasoo Enterprise DRM lets your organization automatically assign file protection without user intervention at the point of creation. Encryption and policies keep the document secured even when it is shared outside the organization by mistake.

Efficient document protection with Fasoo enables your organization to continuously monitor, log, and flexibly change who’s accessing confidential files and how. 

 

  • Turn your employees’ bedroom nooks into secure print stations.

What would it take, aside from nationwide lease, maintenance, and insurance contracts? The kids giving up their bedroom? A two-camera surveillance system? 

Or, less creepy: You deploy Fasoo Smart Print as your organization’s remote network of monitored print stations. Regardless of which physical or virtual printer is used – including the old inkjet in the bedroom nook – IT remains fully in control.

A granular audit trail includes the text or image of the actual printed content. It ensures visibility into all print activities that involve EDRM-secured documents.

 

  • Intervene when they take a snapshot.

How do you keep remote employees, in the privacy of their home, from using the Print Screen key, screenshots, or a smartphone to take pictures of confidential information?

Install more spyware and observation cameras? Think about the possible impact on your workforce retention rate in the “great resignation” era.

Here’s a less heavy-handed approach that’s more efficient than excessive remote work surveillance. Deploy Smart Screen, Fasoo’s on-screen document protection. It enables IT to block and monitor screen capture attempts. Administrators can monitor all screen capture attempts and even view an image of the targeted areas.

It may be impossible to keep a determined person from taking photos with a smartphone or camera outside a high-security office area or designated data room. That’s why effective deterrence is essential. Fasoo Smart Screen enables admins to imprint sensitive documents with a visible “smart” watermark that contains tell-tale user-specific information.

 

  • Keep tabs on them outside work and after hours.

On your files, that is. Shareholders, customers, and regulators expect you to protect confidential financial information and PII throughout the document lifecycle. Password-based document protection or Data Loss Prevention (DLP) solutions, for example, cannot provide this level of security.

DLP aims to prevent data exfiltration, but files can still make it beyond your organization’s IT perimeter: on a USB stick, for instance, or via a personal cloud storage account.

With Fasoo Enterprise DRM, encryption and policy settings apply regardless of where the document lands and prevent unauthorized access. A confidential file remains protected even in the wrong hands.

  

  • Always and immediately involve higher-ups, IT, and HR… 

…when (former) employees attempt to access specific documents. Sounds ridiculous, right?

Well, that’s because it is. Yet, some Information Rights Management (IRM) solutions expect data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Workflows become work trickles. People find shortcuts. Overall data security suffers.

Fasoo’s centralized policy management capabilities allow for flexible, people-centric exception handling. It integrates with all leading federated authentication systems, minimizing risk when employees change departments or leave the company.

This approach ensures that everyone who needs to be is in the loop about a file’s security – the document creator, supervisors, IT, and HR. No home office surveillance required. 

*

 

Zero Trust makes sense. Until it doesn’t.

Would you make Zero Trust your People & Culture or HR slogan? Let’s face it: You need a Zero Trust strategy to secure your data. As a tagline for your work culture, on the other hand, it would be a less than ideal pick.

With Fasoo Enterprise DRM, you don’t have to sacrifice trust and productivity by setting up remote work surveillance bridgeheads in your employees’ homes.

As a cornerstone of your Zero Trust strategy, Fasoo empowers your organization to maintain its work culture and trust within the team while still ensuring maximum data protection.

 

Contact the Fasoo team to find out more.

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 

*

The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders, often working remotely, now account for more than 50% of data breaches in the financial sector, according to security research. Several terabytes of sensitive data have been ransacked or leaked from banks, financial services firms, and law firms since that 2015 data breach. Think Pandora Papers: confidential documents, including supposedly secure PDF files, images, emails, and spreadsheets, from 14 offshore financial service providers.

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

18 months later, research shows: that warning about remote work security still stands. Industry experts point to misconfigured VPNs, insufficiently secured home WiFi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote Work Security - infographic excerpt

Source: Tessian (Infographic)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention tools (DLP), firewalls, endpoint protection – cannot ensure adequate protection. Recent threat reports confirm: attackers are busy exploiting the remote work blindspots and endpoint vulnerabilities to the fullest.

 

Document theft-as-a-service: Search. Scoop up. Siphon off.

As a result, credit unions, investment banks, and mortgage lenders, and their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm Trend Micro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There is a direct and significant connection. Current ransomware operations don’t merely encrypt the victim’s business-critical data and demand a ransom for unlocking it. Their tooling is also built to exfiltrate data before encrypting it.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI sent out this Private Industry Notification [PDF]. It describes how perpetrators specifically target confidential documents about planned mergers and acquisitions, to release them on the internet if the victim doesn’t pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control  – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Rather than relying on device-centric perimeter defenses (DLP, firewalls, endpoint protection) alone, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.

The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which can only act on such information while it remains inside the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.

 

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

 

    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.

 

Boost for remote work security and productivity in banking

This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, let organizations apply print protection and watermarks to plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) blocks and logs screen capture attempts in designated applications and URLs and overlays screen watermarks on sensitive content.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

Movie Sign: Policy Exception Handling

Wouldn’t it be a shame if it slowed down your business and turned out to be useless for protecting your data? Here’s what I’m getting at:

74 percent of U.S. companies say they will keep some remote work arrangements in place post-pandemic. In other news, roughly 359,000 cybersecurity positions in the U.S. went unfilled at last count.

Taken together, these data points spell trouble. This is where the policy part comes in. Data breaches involving sensitive information have been skyrocketing recently. What about the document access and use policies at the affected organizations? Why didn’t they matter?

You likely know the answer. Remote work, a flood of unmanaged devices, VPN node expansions, and cloud service adoption run wild have created more weak spots than point solutions and understaffed IT teams can handle. 

Patch schedules need to be adhered to. Access controls and policies have to be applied and managed. Not to forget the exception requests. Someone has to follow up. But who? And how? “This support ticket will be automatically closed after 5 days.” Will it get resolved before the workflow turns into a work trickle?

It doesn’t help that many point solutions that promise to keep your data secure foster inconsistent policies that leave security and privacy gaps. Your organization could pay a high price if your document protection strategy doesn’t connect the dots and eliminate the gaps and blindspots. Think stolen intellectual property (IP), legal fees, or brand damages.

BYOD report: “Enterprises are running blind”

The point isn’t lost on Anurag Kahol, the Chief Technology Officer (CTO) of cloud security firm Bitglass. Introducing the company’s 2021 BYOD Security Report, he warned in June: “There has never been a more important time for enterprises to seriously rethink their approach and secure all forms of communication amongst users, devices, apps, or web destinations.”

Source: Bitglass 2021 BYOD Security Report


The survey (conducted in collaboration with Cybersecurity Insiders) shows the rapid adoption of unmanaged personal devices connecting to work-related resources (a.k.a. BYOD):
 

  • 47 percent of organizations reported an increase in personal devices being used for work.
  • 82 percent said they now actively enable BYOD to some extent.
  • The most critical concerns of respondents were data leakage or loss (62 percent), users downloading unsafe apps or content (54 percent), lost or stolen devices (53 percent), and unauthorized access to company data and systems (51 percent).

The survey results also show how ill-equipped companies still are to deal with malware and data theft – more than 18 months into the pandemic. The authors conclude: “Enterprises are running blind.”

Their point is validated by the recent escalation of data leaks following extortion attempts. Yet, while IT teams struggle to stem the tide of malware attacks and data theft, it seems that some large organizations seem better prepared than others in preventing confidential information from leaking or getting stolen. So what’s their secret?

Keep tabs on your data and worry less where it goes

Spoiler alert: There isn’t just one answer, and it doesn’t start with an “A”,  as in AI or Automation.  Presumed panaceas can do more harm than good if they introduce more complexity instead of minimizing it. 

One hint comes from Capgemini and Forrester, who published a joint study on cyber resilience in March. It showed that 71 percent of companies planning to increase their cybersecurity budgets said they now prioritized data-centric security.

Growing investments in enterprise-level digital rights management (DRM) are part of this trend. One example is Fasoo Enterprise DRM. Globally operating businesses and U.S. government agencies rely on Enterprise DRM to secure their unstructured data, such as Microsoft Office documents, PDFs, or CAD designs, at the file level. 

Centralized policy management: fewer gaps, faster workflows 

Enterprise DRM enables them to automatically encrypt documents at the point of creation. It applies a persistent yet flexible file policy and puts sensitive files under lock and key. 

This policy is centrally managed by the organization. What’s the advantage of this approach over, say, the built-in PDF password protection feature already provided by Adobe?

I’ve addressed a few known security deficiencies of the latter method in this post. From the organizational perspective, it means putting the document’s fate into the hands of its creator. The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely. 

In comparison, the main advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go.  This includes changing policies for a user or group at any time, regardless of where the document resides.

So what about centralized solutions designed to protect a broader range of files across the enterprise? Basic PDF password protection marks one end of the spectrum. On the other end, let’s look at Azure Information Protection (AIP) by Microsoft, for example.

AIP was designed with a focus on protecting documents in the Microsoft Office ecosystem. While AIP lets organizations bring a limited range of third-party file formats under its protection umbrella (other file types receive generic encryption rather than usage control inside the native application), applying protection still largely relies on individual users choosing the right label for each document. Specific training may be required.

In addition, although labels and protection templates are defined centrally, keeping per-document permissions current in organizations with many users and constantly changing roles is cumbersome. The considerable burden of keeping AIP protection up to date and in sync with the needs of a department or business unit often falls on the individual creator of the document.

Support requests down, document security up with Enterprise DRM

Team members in a Fasoo Enterprise DRM-protected environment, on the other hand, don’t have to worry that a document may lose its protection or become inaccessible when sent as an email attachment or uploaded to the cloud, for instance. 

Each time someone attempts to open a file, the client requests a usage license from the DRM server. The license is issued based on parameters such as user, document, device, time, and location. The policy determines who can open a particular file and for what purpose (examples: “view on the screen only”, “view, edit and save”, “print only with watermark”).

The policy applies regardless of which endpoints, storage devices, or cloud services the files traverse. They are protected, and access details are monitored by Fasoo Enterprise DRM, no matter where they wander inside or outside the organization and its supply chain.  
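The license check described here, together with the revoke-after-distribution behavior that the automotive post above attributes to EDRM, can be sketched as a small server-side policy engine. The following is an added example, not Fasoo’s code or its actual license protocol: the rule schema, the rights strings such as “print-watermark”, the document and device IDs, and the constructed policy are all assumptions chosen to mirror the parameters listed above (user, document, device, time, location).

```python
"""Illustrative usage-license evaluation for DRM-protected files.

Added example, not Fasoo's code. Rule fields, rights names and the sample
policy are assumptions chosen to mirror user / document / device / time /
location; nothing here is a real product identifier."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One centrally managed policy rule. Rights are plain strings such as
    'view', 'edit' or 'print-watermark' (hypothetical names)."""
    groups: FrozenSet[str]                       # requester must be in one of these
    rights: FrozenSet[str]                       # rights granted when the rule matches
    devices: Optional[FrozenSet[str]] = None     # managed device IDs; None = any device
    countries: Optional[FrozenSet[str]] = None   # ISO country codes; None = anywhere
    hours: Optional[Tuple[int, int]] = None      # allowed UTC hours, [start, end)


@dataclass
class Document:
    doc_id: str
    rules: List[Rule]
    revoked: Set[str] = field(default_factory=set)   # users cut off after distribution


@dataclass(frozen=True)
class Request:
    """What the client presents to the server on every open attempt."""
    user: str
    groups: FrozenSet[str]
    doc_id: str
    device: str
    country: str
    at: datetime


def _matches(rule: Rule, req: Request) -> bool:
    """Every constraint a rule carries must hold; unset constraints are wildcards."""
    if not rule.groups & req.groups:
        return False
    if rule.devices is not None and req.device not in rule.devices:
        return False
    if rule.countries is not None and req.country not in rule.countries:
        return False
    if rule.hours is not None and not (rule.hours[0] <= req.at.hour < rule.hours[1]):
        return False
    return True


def issue_license(doc: Document, req: Request) -> FrozenSet[str]:
    """Evaluate the request against the document's *current* policy and return
    the rights granted (empty set = do not release the content key). Nothing is
    cached on the client, so a copy on a USB stick or in a personal cloud
    account carries no rights of its own, and revocation bites on the next open."""
    if req.doc_id != doc.doc_id or req.user in doc.revoked:
        return frozenset()
    granted: Set[str] = set()
    for rule in doc.rules:
        if _matches(rule, req):
            granted |= rule.rights          # rights from all matching rules accumulate
    return frozenset(granted)


def revoke(doc: Document, user: str) -> None:
    """Remove a user's access regardless of where copies of the file reside."""
    doc.revoked.add(user)


def sample_document() -> Document:
    """Constructed policy for a hypothetical CAD drawing."""
    return Document("CAD-2041", rules=[
        # engineers on managed laptops: full rights, printing only with watermark
        Rule(frozenset({"engineering"}), frozenset({"view", "edit", "print-watermark"}),
             devices=frozenset({"LT-0042", "LT-0077"})),
        # engineers on any other device (home PC): view only
        Rule(frozenset({"engineering"}), frozenset({"view"})),
        # supplier: view only, from Germany, during working hours
        Rule(frozenset({"supplier-a"}), frozenset({"view"}),
             countries=frozenset({"DE"}), hours=(6, 20)),
    ])


def demo() -> Dict[str, FrozenSet[str]]:
    """Run the scenario end to end and return the granted rights per case."""
    doc = sample_document()
    t_work = datetime(2022, 6, 8, 10, tzinfo=timezone.utc)
    eng = Request("alice", frozenset({"engineering"}), "CAD-2041", "LT-0042", "US", t_work)
    sup = Request("bob", frozenset({"supplier-a"}), "CAD-2041", "UNMANAGED", "DE", t_work)
    out = {
        "engineer_managed_laptop": issue_license(doc, eng),
        "engineer_home_pc": issue_license(doc, replace(eng, device="HOME-PC")),
        "supplier_in_hours": issue_license(doc, sup),
        "supplier_after_hours": issue_license(doc, replace(sup, at=t_work.replace(hour=23))),
        "supplier_wrong_country": issue_license(doc, replace(sup, country="US")),
        "wrong_document": issue_license(doc, replace(eng, doc_id="CAD-9999")),
    }
    revoke(doc, "alice")                      # alice leaves the company
    out["engineer_after_revoke"] = issue_license(doc, eng)
    return out


if __name__ == "__main__":
    for case, rights in demo().items():
        print(f"{case:26s} -> {sorted(rights) or 'DENIED'}")
```

Every open re-evaluates the server-side policy, so an engineer’s laptop copy and a supplier’s copy of the same file are governed by rules that are changed or revoked centrally, without touching the file itself. A real deployment would authenticate the requester through the organization’s identity provider and release the content decryption key only on a non-empty grant; that key-release step and the audit log entry are outside this example.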

What does this mean in case of a data breach? Files secured with Fasoo DRM (example: W-2 PDF forms) are useless in the wrong hands, should they be exfiltrated for sale on the dark web.

The same applies to documents with sensitive intellectual property, such as CAD files from the engineering department. If a rogue engineer downloads them to a flash drive to take them to a competitor, like in this case, nothing is lost or compromised. 

Image shows hand with USB
When internal documents leave your organization, are you still in control? Photo: Anete Lusina on Pexels

Safe policy exceptions at startup speed

Why do our customers select Fasoo Enterprise DRM? One main advantage, they say, is its centralized policy management, which puts admins and data owners in control. Policies are implemented in a platform-agnostic way and applied consistently across the entire data inventory.

Equally important, they stress, is that these policies can be flexibly adjusted at a moment’s notice to support the workflow of global companies running at startup speed.

Customers praise its capability to quickly accommodate changes in security policy to meet changing business needs.  Suppose a document owner leaves the organization or changes jobs. In that case, a department manager, IT, or security can easily grant or remove access to the document with the click of a button, regardless of the document’s location.

Another example is the way the exception management approval system handles temporary document permissions. Fasoo Enterprise DRM facilitates a pre-approval, post-approval, or self-approval workflow. Exception approval can be delegated to department heads, managers, or coworkers so that the organization doesn’t have to rely on IT.

Centralized policy management and flexible exception handling are critical for Fasoo customer ZF Group, a global automotive industry supplier. The company deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, in tech centers on three continents. 

“You have to find the right balance between maximum IP protection on one side, and productivity on the other,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems. “You need to be able to quickly adjust access privileges on a granular level, without delay.”

###

Find out more about Fasoo Enterprise DRM and its centralized policy management capabilities here.

 

Cover of Biden Administration Executive Order Cybersecurity 05-2021 (NIST)

In its Executive Order on Improving the Nation’s Cybersecurity on May 12th, the Biden administration mandated major improvements to how federal agencies protect their networks and data. How does this affect companies that do business with the federal government (or plan to) and their suppliers and contractors? 

*

“Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors.” That’s how the White House explained in a statement the reasoning behind this executive order.

Following the SolarWinds and Microsoft Exchange incidents and the ransomware attack on Colonial Pipeline, the directive laid out “bold changes and significant investments.” Officials position it as merely a first step. Security experts agree that it is already creating some much-needed momentum.

They predict that the executive order will have a substantial impact on the private sector as well. So if you are tasked with IT security and data protection in such an organization, you want to know what that means for you.

In general terms, the directive aims to help move the federal government to secure cloud services and a zero-trust architecture. It also mandates federal agencies to adopt, on a short-term schedule, multi-factor authentication and “encryption for data at rest and in transit.”

That means data protection along the supply chain is now a priority. To wit, contractors, vendors, and suppliers are mentioned 13 times in the executive order. The specific instructions referring to them make clear: the goal is to create an immediate, yet long-lasting ripple effect far beyond federal agencies.

Enterprise DRM – a shortcut to compliance?

Those ripples are felt in the market already, say insiders.

Case in point: a noticeable uptick in demand for platform-agnostic, file-centric document protection that meets the federal requirements. Industry analysts report a resurging interest in Digital Rights Management (DRM) software, such as Fasoo Enterprise DRM.

DRM solutions for the enterprise have been around for more than a decade. They enable organizations to encrypt and centrally manage their sensitive files throughout the document lifecycle, regardless of device, application, or access location.

So what’s causing the buzz now, in the wake of President Biden’s executive order?

In a nutshell, a mature enterprise DRM solution typically comes with key capabilities baked in that check the boxes mandated by the Executive Order.

Could this be your shortcut to meeting these mandates across your organization and its supply chain, with the least amount of pain and friction? 


As always, it depends. Does the solution in question check all the boxes, or only a few? An information protection service that was designed as a tack-on for a limited range of popular office file formats, for example, will fall short. It won’t cover many essential document formats used by federal contractors – CAD files come to mind. 

Other solutions suffer from performance issues at scale and are challenging to maintain and manage. How can you ensure that the enterprise DRM suite you’re evaluating fits the bill? 

Here’s what to look for concerning the provisions in the May 2021 Executive Order on Cybersecurity: 

  • Smart and flexible encryption: Can the enterprise DRM solution under consideration automatically identify unknown data and protect and trace it persistently, regardless of its location? Does it provide the encryption strength mandated for organizations that are part of or do business with the U.S. government? Fasoo’s FIPS 140-2 validated cryptographic modules meet the strict demands of the Cryptographic Module Validation Program (CMVP) run by the National Institute of Standards and Technology (NIST). NIST is tasked with developing the guidelines for the administration’s cybersecurity program.
  • Access control: Does the information protection service your organization is considering support the broadest possible range of third-party, federated, and proprietary authentication systems, including those used by the federal government? Fasoo Enterprise DRM integrates with Active Directory and other LDAP-compatible and SAML-based systems. Its SSO and other authentication APIs support the full hybrid mix of on-premises, cloud, and work-from-home digital assets and devices deployed by the federal government and its contractors and suppliers.
  • Frictionless rights and exception management: Affected organizations inside and outside the federal government are wary of the mandated “encryption of data at rest and in transit.” They fear that complex systems with inflexible file access and usage policy management would make slow federal workflows even slower. How does the solution under evaluation keep tabs on critical data and on who gets to access what, while ensuring compliance with federal mandates and regulations? Will it require filing a support ticket each time a team member needs an exception from file restrictions? Fasoo Enterprise DRM secures information across large organizations without compromising performance. Its centralized management capabilities make exception handling by IT or data owners a fast and straightforward process and reduce IT’s workload.

 

The executive order calls for federal entities to “evaluate the types and sensitivity of their respective agency’s […] data […] The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.”

Several federal agencies are already using Fasoo Enterprise DRM, which enables organizations to automate the identification and tagging of documents for encryption. So do industry leaders in sectors most affected by the changes in the new Executive Order on Cybersecurity. To learn about more factors that drive them to deploy enterprise DRM, check out this conversation between Fasoo CTO Ron Arden and GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie.

Is your organization re-evaluating its document protection options in light of the Biden administration’s cybersecurity plans? Contact our team to find out how federal agencies and their leading contractors leverage Fasoo Enterprise DRM to “adopt the security best practices” as directed by the new executive order.


How to stop intellectual property leakage and theft in manufacturing?

That was the topic of a discussion hosted by Fasoo at the 2021 Apex Assembly Tech Leaders Northeast Summit. CTO Ron Arden spoke with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power, about the challenges of IP protection in the manufacturing enterprise. 

In Part 1 of this conversation, IP Protection: “We need a tool with a wider scope”, we focused on how to protect sensitive CAD files, 3D-PDFs and other PDF file formats, in addition to the wide variety of Microsoft Office and other documents typically found in innovation-driven manufacturing companies.

In this post, Ron, Hillary and Chris zoom in on additional insider threats and risks introduced through the rise of the cloud and the rapid shift to work-from-home due to COVID-19.

What advice do the GE security researchers have for IT leaders in manufacturing companies looking to update their document protection program? Find out in Part 2 of the conversation:

*

Ron Arden: With everybody being remote, all of a sudden new threat vectors are appearing. There are things you didn’t even think about before. Somebody is going to copy something to their private OneDrive or their Dropbox account because it’s convenient. It’s easy to move stuff around. We all used to copy things to our USB drives, but now it’s just as easy to go to a cloud service. You know employees are just working along, and they’re not really worried about all of this.

Chris Babie: Exactly. Most of it is amiss on our [the IT security] side. If we told [engineers] the proper running rules, they wouldn’t perform that risky activity. People want to back up their data. Right now, there’s no help desk for them. I think people don’t want their productivity to dip. That’s a perfect example of the “I need to make sure my data is safe, hey, let me move it to my desktop” kind of thing. We need an answer for that now.

“A ton of new risk has bubbled up”

Hillary Fehr: And engineering machines, which typically were in a lab environment in the business before, now are in somebody’s home. That’s a whole other layer of risk that was never there. 

Chris Babie: We kind of knew that our “walls” in the manufacturing environment were okay. Now you’re worried about “does a virus now get on that machine?”, “is the home network protected?” It’s not even a data protection issue alone anymore. It’s also a home networking issue. A ton of new risk has bubbled up.

Ron Arden: Chris, what was your experience with other solutions that you use to protect and control sensitive documents?

Chris Babie: I think one thing that every solution struggles with in our world is scale. If you think about 300,000 folks, millions of transactions every single day, all these different mediums for transacting data. We already touched on the complex file types [see Part 1, IP Protection: “We need a tool with a wider scope”].

Our value is not driven by the standard stuff. It’s more in part files, CAD drawings. We were finding certain populations really love mobile. That’s just how they work. They’re very busy, they’re traveling, and it would work great on the endpoint. And then it would fall down.

We cover all these different complex workflows. Finding a solution that works everywhere is very challenging. It worked well when it was a standard workflow, very cookie-cutter. But we don’t do cookie-cutter at GE. 


I talked about our vast network. I need a solution that works if it gets sent to an organization with 500,000 people and a supplier with three folks, and they’re more of like a mom-and-pop shop. We have a whole spectrum. We kind of cover everything, in terms of file types, network entity types… 

How do you find something that works everywhere? It’s a challenge.

Wanted: IP protection that “works everywhere”

Hillary Fehr: It’s got to be adaptable, especially with business requirements and environments. We know how quickly those can change. Last year was a big indicator of your ability to really pivot and adjust your priorities and approach, based on new risks that come up in the business.

Chris Babie: We touched on user experience. That’s literally everything – the main bucket. If the user experience wasn’t there… people do not like change. They just don’t.

We need to make sure that however they are working today, the technology works. That’s getting really hard to find with all these new solutions, cloud storage… It’s critical if we’re going to bring anything in-house.

Ron Arden: As you said, we all hate change. If we initiate the change, that’s different, but when the change is brought down on us – no. You got a job to do. The person who is creating the next generation of turbines has to focus on that. They cannot waste their time learning a new tool and completely changing their workflow.

And like you said, Chris: If you go out to GE’s smaller suppliers, they work the way they work. I mean, you might be able to impose some things on them. Still, they want to work the way they want to work. Mobile is extremely important today. Working with a flexible solution is key.

Adaptability is key, because the tool should adapt to you. You shouldn’t have to force yourself to adapt to the tool because that never works. People just get annoyed, and they don’t use it. 

I’d like to wrap up with one last item. Hillary, what advice would you give to people listening in?

Hillary Fehr: I would say you need to know where your data is. You need to have a strong process for identifying your data, tracking it, understanding the movement, how that data is used.

Until you have that, you really don’t know where you have sensitive data and how to protect it. Once you have a good understanding of what that data movement looks like and where that data is, you can start to build your approach to data protection.

Data protection is about auditability, too

Like we mentioned before, it’s also important to listen to the business because things are changing all the time. So you need to understand the business processes and be adaptable as they change and as the business priorities change.

You need to have standards and best practices in place. Not only to outline the do’s and don’ts for your end users, but also from an auditability perspective. It gives you legs to stand on.

Ron Arden: Chris, your advice? 

Chris Babie: We touched on it – communication and education. In the insider threat space, we wouldn’t see a dominant portion of the [insider threat] activity if we were simply upfront with them on how people are supposed to work, and how data is supposed to transact.

To anyone implementing a solution, I would say: Try to get really close to the business. Do you understand all the different use cases you’re going to encounter? 

At least in our world, there’s all this function overlap. If you’re going to implement anything, it cannot be in a silo. There needs to be a major partnership with the business. Everyone has to have a seat at the table before we go in any direction.

Hillary Fehr: That’s a good point, Chris. I think relationship management is a big part of getting their buy-in, too, and building out your process – because your data owners are the ones that understand your data and can help you to identify the best approach to protecting it.

Chris Babie: Having some of these basic “101” items – assets inventory, knowing your environment – gives you a head start, especially at our scale. It can be very challenging, as you can imagine.

Hillary Fehr: You have churn of employees and contractors, and people who may have known where the data was – years ago – are no longer with the company. That’s where you need to partner with the business and the functional areas to get to the heart of where things are and what they do with them.

Ron Arden: In essence, what you’ve been saying is that you need a solution that is location agnostic, because you have a lot of systems. Some would be legacy; some might be brand new. In the cloud, on people’s phones, home devices, engineering workstations…

So you can’t rely on a perimeter. There’s no perimeter anymore. It’s everywhere. I’m guessing you probably even have storage assets that you don’t even know about because somebody put a server somewhere in a room and nobody remembers what’s there, and then all of a sudden you find out something of value is sitting on that device.

Hillary Fehr: Or an endpoint in their bottom drawer of their desk.

Chris Babie (chuckles): I can confirm that our data is everywhere. Most organizations need to shift towards that [location agnostic] model. There’s zero perimeter today. Our data is all over the world, in every system imaginable. How do we make sure it’s protected wherever it goes? 

“Shift towards location-agnostic model” of data protection

Ron Arden: We have some customers with scenarios where they have to feed the data to machines. Those systems tend to be older, because of the cost of those types of machines. So you might even have a Windows XP machine that’s connected to one of these devices with important process information on it. 

It’s sensitive information. If you’ve got a contractor or a person who just ups and leaves the business and says, “Hey, this might be really cool for me to take to my next company,” you’re never going to know that, and something very important walks out of the door.

*

Do the scenarios mentioned in this conversation sound familiar? Most innovation-driven manufacturing companies face similar challenges, due to remote work demands under COVID. This explains why manufacturers increasingly rely on a file-centric approach to protecting intellectual property.

Fasoo Enterprise DRM comes with centralized policy management and granular controls baked in that can be adjusted flexibly by the data owner. This approach enables large organizations to provide maximum protection – across the enterprise and its supply chain – against insider threats and IP exfiltration at scale, while maintaining workflows and productivity.

Watch Ron Arden’s complete Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here

###


The transcript of this conversation has been shortened and edited for clarity and the blog format.

Protect data on laptops from terminated employees

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on it? It also made me think about how, in a situation like this, the potential for insider theft is far greater.

Files containing IP can be printed on home printers, sent over email to personal accounts, saved to a USB stick, screen-captured, and so on. These are not necessarily actions of malice, but of obvious desperation to meet the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!


Overnight, companies across the globe were forced into a fully remote workforce.  If you are prepared, under the best of circumstances, it can still be a challenge, but if you are not, the challenges are even greater and some things can potentially fall through the cracks.  People working from home can lead to a few unintended bad habits. With business continuity being the priority, data is even more at risk as hackers and thieves see opportunity when your guard is down.

For companies that don’t have tools in place, and for that matter those that don’t have the right tools in place, here are some things you can do to protect the health of your employees and keep your business on track.

  • Reiterate document handling policies – remind workers creating documents of your data classification scheme and to encrypt sensitive data whenever possible. When in doubt, encrypt.
  • Remind your work-at-home staff of your security awareness training (SAT), if you have a program in place – there have been lots of reports of phishing and other types of scams, because bad actors take advantage of the population when it is vulnerable. Ensure your employees know how to identify these things, whether you have programs in place or not.
  • Data sharing across email – it is always a best practice to remind workers that care should be taken when sending an email with unprotected documents attached: double-check who is in the “To” field and that appropriate protection is applied to what is sent.
  • Working in cloud applications – a clogged and slow internet may have some workers pulling documents out of the application to work on them locally. For the sake of expedience, some of these documents may be sent through email (see the previous point), shared on a Zoom or Teams video conference, or left on a local drive or in a folder, exposed to theft from outsiders.
  • Ensure your Wi-Fi has a strong password and that your computers have anti-virus software installed – for the unprepared, some workers may be working on their personal laptops or desktops, may not have a VPN, may not have renewed the free anti-virus software that came installed (because “that will never happen to me”), and may not have set a strong Wi-Fi password when first setting up their internet connection. Now might be the time to ask them to change passwords and check licenses on security software.
  • Printing – discourage printing sensitive information on home printers. There isn’t much you can do to prevent this or to foster secure printing at home, so discourage workers from printing sensitive documents locally and encourage them to work in the applications instead. Besides, it is good for the environment (save a tree).

While all of these might seem like motherhood and apple pie, they are just good reminders at a time when things happen so fast.


Protect intellectual property in the automotive industry

Intellectual property is a valuable asset in manufacturing, and more specifically in the automotive industry. It is particularly vulnerable to theft. In our webinar “Close the Gap on Insider Threat: Granular Access Controls & Behavior Analytics”, we cited a Deloitte survey in which the respondents put the automotive industry at the highest risk of insider cyber threat. Executives, IT and security groups need to put serious consideration into protecting the intellectual property in their files, especially when those files are handled by multiple parties.

The auto industry is suffering because of the trade war between the U.S. and China.  While they have enough to worry about with tariffs, it doesn’t mean they can let their guard down with protecting CAD/CAE designs, which are very critical to their success.  It’s a very competitive market for both talent and designs.  In fact, one of our customers considered themselves the “University of Auto Manufacturing”.  They would put time, effort, and money into training individuals on their designs, giving them access to their precious CAD/CAE files only to see them walk off on a USB stick and show up at a competitor.  They got tired of that and took control of their intellectual property by encrypting files and assigning them granular access rights.  They stopped the bleeding since only authorized users could access the files.

Fasoo recently talked to Engineering and Manufacturing executives seeking solutions to safeguard their intellectual property. One executive said protecting data going into and out of the machines in their manufacturing environment was the “big challenge”. Another was looking to integrate security into a recent standardization on a new PLM platform. Seamless integration into existing workflows is critical to success.

Protecting designs in CAD/CAE files from insider threat and ensuring security across the supply chain and third-party sharing apps are becoming part of the conversation when developing data governance and policy management strategies.  Companies need solutions that regain control of their sensitive data with particular emphasis on encryption and access control.


Define a Practical Data Governance Plan for Unstructured Data

The phrase “It takes a village to raise a child” is true. But it is also true that it takes a team to develop a data governance and policy management strategy!

Teamwork is important when developing a data security strategy, and data governance and policy management need to be part of the equation. It’s becoming more and more clear that organizations struggle with policy management, particularly for unstructured data. The very nature of unstructured data leaves it vulnerable to exposure and loss. Insider threat is of particular concern: while hackers typically attack structured databases, your employees and other valued insiders access those databases on a regular basis. They can download sensitive information into spreadsheets and reports, and they access your intellectual property, such as product designs and roadmaps. It’s the insiders who will walk off with those designs and sell them to your competition, or bring them to a competitor to jumpstart the next phase of their career. The loss of this information will not only cost you revenue, but can also result in a regulatory fine. Who can afford that?

It’s really important to work as a team to:

  • Define a Practical Data Governance Plan for Unstructured Data
  • Identify Use Cases & Conduct Workflow Reviews
  • Turn Use Cases Into Unified and Centralized Policies
  • Develop a Change Management Plan

In Fasoo’s next webinar, Why Leadership and Data Governance is Critical to Policy Management, Ron Arden and Deborah Kish will walk through these steps and share best practices around the teamwork that will help you get to a better data governance and policy management strategy. The last of our 3-part webinar series will be September 18th at 2 pm. You won’t want to miss it.
