Blog

Category: Sensitive Unstructured Data

Image: Fasoo zero trust data security platform protects your sensitive unstructured data

Zero Trust is a major trend in 2022 and one that affects public and private sector organizations alike.  Last year, when the Biden administration in the US issued its Executive Order on Improving the Nation’s Cybersecurity, zero trust was a major component of this initiative.

Organizations implement traditional perimeter-based security strategies on the assumption that everything inside the perimeter is secure.  Zero trust assumes that no person or device, inside or outside of an organization, is trusted.  It is a system that requires thorough verification of all users, data, and devices, and allows only minimal privileges.

The concept of zero trust is not new.  It was suggested in 2010 by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations.

Now 12 years later, security experts agree that a zero-trust-based security strategy is needed, not perimeter-based security.  The reason is simple.  The environment is changing.
 

Why zero-trust now?

The pandemic-driven transition to a hybrid workplace has become the norm.  As telecommuting and remote work become common, concerns about perimeter-based security are growing more than ever before.  This is because the boundaries of the work environment have become blurred, driven in part by the increased adoption of mobile and cloud services.  This will inevitably lead to a security vacuum.

The environment surrounding data security faces a variety of changes, including cyber warfare caused by the conflict between Russia and Ukraine, cyberattacks on companies by hacker groups like Lapsus$, and numerous incidents of corporate data breaches by trusted insiders.

In this environment, it is natural for zero-trust-based solutions to be in the spotlight.  It’s the data itself that we need to protect, so we need a data-driven security system that can safely protect our data in a rapidly changing environment.

 

Zero Trust Data Security

Protecting sensitive data first requires identifying it, classifying or labeling it, and then determining who should have access to it.  This requires constant authentication and verification of user identity.  Fasoo’s zero-trust approach to safeguarding sensitive unstructured data goes beyond just access controls.  It layers three powerful security methods to achieve a strong, proactive first-line defense against external and insider threats.

  • Encryption
  • Adaptive Access Control
  • Control Data in Use

 

Cloud misconfigurations, user errors, and work from home environments all expose sensitive files to breaches that access control alone can’t prevent.  A true zero-trust approach secures the file at all times – at rest, in transit, and while in use – and continuously monitors user, device, and other contexts to adaptively evaluate access permissions.
 

Encrypt Files

The best way to protect a sensitive file is to encrypt it.  It ensures files are protected while at rest and in transit no matter the location or network.  This sets the foundation for a zero-trust approach on which other safeguards build.

  • Automatically discover, classify and encrypt sensitive files when created or modified, all transparent to the user. User errors are eliminated and workflows are uninterrupted.
  • Encryption keys are centrally held and controlled by the company – not by the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more prescriptive regarding data residency and access rights.

 
Encryption ensures that even if a sensitive file is exfiltrated, its contents cannot be misused.  Many privacy regulations exempt the exfiltration of encrypted files from breach reporting or significantly reduce any fines.  This negates one of the worst risks related to today’s ransomware threats – exploitation of exfiltrated data.
 

Apply Access Control

User verification is enforced each time the file is accessed and incorporates contextual information about the user and device to dynamically adapt to grant or deny access.

  • User access to a sensitive document is automatically applied as part of the initial discovery process with presets that are centrally configured and provide flexible and practical settings. Individual users, departments, roles in the organization, and “all internal share” are examples of preset alternatives.
  • Fasoo enables a range of other elements, including device identity, time of day, and geolocation to be assessed as part of its adaptive zero-trust access approach. This dynamic linking of multiple verification points ensures the highest degree of trust can be enforced for sensitive data.

 

While centralized control of document access is the default, the platform provides flexibility so that document owners can unilaterally change access, if business needs dictate.  This allows those closest to the data to make security decisions without needing to involve security or IT.  Continuous monitoring of user behavior reports such exceptions for line manager and compliance team inspection.  Such analytics are also applied to continuous monitoring of device and location information.
 

Control over Data

Insider threats expose a major gap in many declared zero-trust solutions.  Once a verified insider gains access to the file, it’s a free pass to use corporate sensitive data.  Joiners and leavers in a transient workforce, work from home environments, and supply chain collaboration all open the door for inadvertent or malicious insider data breaches.

  • True zero-trust requires control over usage as well as access. Forward, cut and paste, copy, print, and screen capture are examples of the many ways insiders can maliciously or unintentionally expose sensitive information to unauthorized parties.
  • Usage controls must consider the sensitivity of the data and the context in which it’s being used, and enable a wide range of permissions, from restricting actions to watermarking files, to address insider threats.

 

Fasoo enables a comprehensive set of file permissions to control what authorized users can and can’t do with a document in use.  Central pre-set policies can be implemented at the user, department, or organization-wide level as well as by role (all Directors) or project (M&A, Drug Approval).

Proactive control over data usage is essential to a true zero-trust approach.
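The post describes the three layers only at feature level. As an added illustration that is not Fasoo’s code, the constructed Python model below shows how they fit together in one policy decision: keys held centrally and released only on an allowed open, access re-evaluated every time against a preset (user, department, role, all internal) plus device identity, time of day and geolocation context, usage rights returned alongside the key with printing forced to a watermarked form, an owner exception logged for later review, and a leaver cut off by one central action. All class names, field names and sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Principal:
    user: str
    department: str
    roles: Set[str]
    internal: bool = True  # employee vs. external partner

@dataclass
class Context:
    device_id: str  # device identity asserted by the endpoint agent (assumed input)
    hour: int       # local hour of day, 0-23
    country: str    # geolocation resolved upstream (assumed input)

@dataclass
class Policy:
    users: Set[str] = field(default_factory=set)        # "who": the post's preset alternatives
    departments: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)
    all_internal: bool = False
    managed_devices: Set[str] = field(default_factory=set)  # context; empty = unconstrained
    hours: Tuple[int, int] = (0, 24)                        # allowed local hours [start, end)
    countries: Set[str] = field(default_factory=set)
    rights: Set[str] = field(default_factory=lambda: {"view"})  # "what": usage rights

@dataclass
class ProtectedFile:
    file_id: str
    owner: str
    policy: Policy
    key_id: str  # the file carries only a key reference; the key stays on the server

class PolicyServer:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}  # centrally held, never handed to user or cloud
        self.revoked: Set[str] = set()
        self.audit: List[dict] = []

    def register(self, f: ProtectedFile, key: bytes) -> None:
        self.keys[f.key_id] = key

    def offboard(self, user: str) -> None:  # leaver: one central action cuts all access
        self.revoked.add(user)
        self.audit.append({"event": "offboard", "user": user})

    def owner_exception(self, f: ProtectedFile, actor: str, user: str) -> bool:
        # The document owner may widen access unilaterally; the exception is logged for review.
        if actor != f.owner:
            return False
        f.policy.users.add(user)
        self.audit.append({"event": "exception", "file": f.file_id, "by": actor, "for": user})
        return True

    def open(self, f: ProtectedFile, who: Principal, ctx: Context
             ) -> Tuple[Optional[bytes], Set[str], str]:
        # Returns (key, usage rights, reason); the key is None whenever access is denied.
        p = f.policy
        identity_ok = (who.user in p.users or who.department in p.departments
                       or bool(who.roles & p.roles) or (p.all_internal and who.internal))
        reason = "allow"
        if who.user in self.revoked:
            reason = "user offboarded"
        elif not identity_ok:
            reason = "not in access preset"
        elif p.managed_devices and ctx.device_id not in p.managed_devices:
            reason = "unmanaged device"
        elif not p.hours[0] <= ctx.hour < p.hours[1]:
            reason = "outside allowed hours"
        elif p.countries and ctx.country not in p.countries:
            reason = "geolocation not allowed"
        allowed = reason == "allow"
        rights = set(p.rights) if allowed else set()
        if "print" in rights:  # printing is only ever allowed with a traceable watermark
            rights.discard("print")
            rights.add("print_watermarked")
        self.audit.append({"event": "open", "file": f.file_id, "user": who.user,
                           "device": ctx.device_id, "allowed": allowed, "reason": reason})
        return (self.keys[f.key_id] if allowed else None), rights, reason

def demo() -> List[str]:
    srv = PolicyServer()
    doc = ProtectedFile("brake-caliper.CATPart", owner="alice", key_id="k-001",
                        policy=Policy(departments={"R&D"}, managed_devices={"lap-01"},
                                      hours=(7, 20), rights={"view", "modify", "print"}))
    srv.register(doc, b"\x00" * 32)  # constructed placeholder key, not a real secret
    alice = Principal("alice", "R&D", {"engineer"})
    bob = Principal("bob", "Sales", {"sales"})
    office = Context("lap-01", 10, "US")
    out = [srv.open(doc, alice, office)[2],                        # allow
           srv.open(doc, alice, Context("home-pc", 10, "US"))[2],  # unmanaged device
           srv.open(doc, alice, Context("lap-01", 23, "US"))[2],   # outside allowed hours
           srv.open(doc, bob, office)[2]]                          # not in access preset
    srv.owner_exception(doc, "alice", "bob")
    out.append(srv.open(doc, bob, office)[2])  # allow, with the exception on record
    srv.offboard("bob")
    out.append(srv.open(doc, bob, office)[2])  # user offboarded
    return out
```

Every decision, including the owner’s exception, lands in `audit`, which is the feed a line manager or compliance reviewer would inspect.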

Talk with us about how Fasoo Data Security will strengthen your zero-trust initiatives.

Image: Protect data in the cloud with Fasoo encryption, access control and in-use protection

The enterprise is moving to the cloud to ease collaboration for partners and employees. The cloud enables work-from-home and hybrid working models and enhances productivity.

But the cloud is vulnerable to human error and misguided settings, putting your data at risk of unauthorized access. According to Gartner, preventable misconfigurations and end-user mistakes cause more than 99% of cloud breaches. Cloud providers offer their own layer of security, but data needs its own protection.

What’s the risk of storing data in the cloud?

End-users share Dropbox links and credentials from personal smartphones via Wi-Fi hotspots. They email documents to friends and unauthorized third parties. You’d no more send your data out into the world without policies, access controls, and encryption than send a child out into the cold without a coat. But if you leave security to the cloud, who knows where your data ends up.

Amazon S3 buckets include unlimited storage. But weak settings leave default credentials intact, granting limitless access to criminal hackers who automatically search and exploit bucket links. When criminal hackers kidnap your files, cloud cyber defenses seldom follow behind. You need centralized control with enterprise security that wraps your data and sticks with it.

Enterprises work with many cloud providers, passing data from one environment to the next, one job to the next. You may have some visibility when you pass data directly to the cloud. But what happens when that cloud routes your data to other cloud environments for processing? It’s one thing to entrust your child to someone you know; it’s another to let them hand her off to someone they know.

Cloud providers may offer security policies, identity and access controls, and encryption for data in transit and at rest. But those stop short where the cloud ends, leaving your intellectual property (IP) open to theft by criminal hackers and exploitation by unscrupulous competitors.

How do I protect my sensitive data in the cloud?

Enterprise Digital Rights Management (EDRM) eases moving to the cloud, binding location-agnostic security controls to unstructured data. EDRM embeds encryption, persistent IDs, and access control policies with sensitive documents. Your custom controls travel with your files into unmanaged, unsecured environments.

EDRM maintains data governance policies and controls on your confidential documents whether you move them to Salesforce, Box, Microsoft Azure, or AWS. You can track documents in and beyond the cloud, maintain access controls, and change granular permissions and privileges at any point using centralized policy management.

You don’t have to care what cloud has your data; EDRM keeps it safe when cloud security fails. If the cloud provider has a breach, so what? EDRM maintains the security policies, controls, and enforcements you’ve set in motion, no matter who has your data.

You can ease moving to the cloud by mitigating your risk. The Discovery Classification Tool (DCT) identifies old, redundant, and obsolete data. You can delete obsolete files and duplicates and archive data you must keep, reducing your attack surface, data management requirements, and cloud costs. Then use EDRM to apply policies and encryption to the data you use, and move it to the cloud.

Chat with the Fasoo team and discover how your peers deploy Enterprise DRM in the cloud.

 

Image: IP theft insider threat photo montage

No matter if your company is an automotive OEM, Tier 1-3 supplier, or a small engineering studio that serves component manufacturers across various industries: all eyes are on you.

The eyes of commercial spies, that is. 

Intellectual property (IP) theft, most of it on behalf of China, damages the US economy to the tune of about $500 billion a year, says the FBI. Automotive, aerospace, and other innovation-driven tech companies are bearing the brunt of commercial espionage efforts.

What do the nation-states and competitors behind the IP theft have in common? They all rely on a secret weapon: company insiders.

 

What is an “insider threat”?

The US government’s National Insider Threat Task Force (NITTF) defines an insider as “any person with authorized access to an organization’s resources to include personnel, facilities, information, equipment, networks, or systems.”  This not only includes your employees but contractors, partners, and potentially anyone in your supply chain.

In the vehicle manufacturing sector, most sensitive information is now stored and managed digitally: in the form of CAD drawings, for example, or as digital image files, as Microsoft Office documents, or in various Adobe PDF formats, including PDF/A, PDF/E, or PDF/X. 

The dependency on these files makes IP theft by company insiders with access to that information the biggest potential security threat for automotive manufacturers and their suppliers today. Under pressure to innovate and develop startup-like cultures, traditional manufacturers struggle to protect their digital IP without sacrificing productivity.

A key security component in this fight is International Cybersecurity Standard ISO/SAE 21434 which specifies engineering requirements for cybersecurity risk management in the design and development of car electronics.  It covers cybersecurity governance and structure, secure engineering throughout the life cycle of the vehicle, and post-production security processes.  It covers vehicle manufacturers and their entire supply chain.  This standard is becoming more important as the industry moves toward autonomous vehicles.

How does someone become an insider risk? What are the warning signs of potential insider theft? Is your company prepared? 

Experts agree: securing unstructured data across the automotive manufacturing supply chain requires a comprehensive approach by Security, IT, HR, Compliance, and Legal. Here’s what they recommend:

 

1. Raise your organization’s threat awareness.

The battle for the future of mobility is marked by innovation at break-neck speed and tough competition for top performers. 

Traditional players find themselves competing with Silicon Valley giants, startups, and nation-state-sponsored groups to recruit and hold on to the best talent. Electric vehicle development, connectivity, battery technology innovation, and the rise of additive manufacturing are changing the industry.

The IP Awareness Assessment, offered by the National Institute of Standards and Technology/Manufacturing Extension Partnership (NIST/MEP), enables affected companies to assess their intellectual property awareness. 

Another valuable resource for your internal IP Theft awareness program and training is the National Insider Threat Awareness Month library at the Center for the Development of Security Excellence. It offers guides, real-world case studies, videos, and even web-based games to help organizations detect, deter, and mitigate insider threats.

 

2. Know the IP theft threatscape.

According to Ponemon Institute research from 2022, 67% of surveyed organizations worldwide reported more than 30 insider-related incidents per year involving digital assets.

In the US and the EU, counterintelligence experts and manufacturing industry security advisers attribute the rise of IP theft mainly to China. Take the Thousand Talents Plan (TTP), for example, which was conceived by the Chinese Communist Party.

Officially, the TTP is a recruitment program for up-and-coming scientists and engineers to experience China and work side-by-side with their Chinese peers. In reality, it now serves as a vehicle for a state-sponsored IP theft campaign on a global scale, with more than 140 recruitment stations set up in the US alone.

Infographic: Steps to Manage and Mitigate Insider Threats

Source: CISA

Social media and business networking platforms (LinkedIn, for example) are increasingly used to identify and target company insiders for later exploitation. 

To keep you abreast of recent developments and emerging threats, the FBI provides IP theft prevention resources on its website and sends out email alerts.

 

3. Identify what’s most at risk of IP theft in your organization.

Unstructured data such as CAD/CAE files, digital images, and confidential sales or legal PDF documents contain your organization’s most valuable intellectual property and blueprints for its future. Yet IT and Security face a unique challenge in protecting it against IP theft.

How to secure these files across the enterprise and along its diverse supply chain? IP protection at the document level often requires that the information rights management service supports all industry-relevant CAD applications.

 

Photo: Automotive engineer working with CAD drawings

Your teams may currently use mainly one or two such tools. But this can change quickly due to new requirements. Effective information rights management in this dynamic environment makes support for tools such as AutoCAD, CATIA, PTC Creo, Siemens NX-CAD, or SolidWorks essential. 

PDF file formats are another example. Does the information protection software cover the broadest possible range of documents? Support for at least 200 file formats is considered the bare minimum in a globally integrated enterprise environment.

 

4. Determine who’s posing an insider threat.

As paradoxical as it may sound, this question is the easiest to answer. Experts will tell you that any executive and rank-and-file employee, contractor, or temp with access to sensitive information is potentially a risk. This includes external business partners and is made even worse by so many people working remotely or from home. 

Security professionals differentiate between malicious, negligent, and compromised insiders. The lines between these categories are blurry. Common scenarios resulting in the loss or theft of proprietary information that involve negligent or compromised insiders:

Negligent insiders 

Insiders are compromised when 

All of these examples can result in exfiltrated CAD files, office documents, or process information. IT can minimize the risk of unintentional IP exfiltration by controlling access to proprietary information at the file level and limiting or blocking possible ways of sharing, such as copying, printing, or taking screenshots.

 

5. Prevent the #1 IP theft scenario.

What about the malicious insiders? In the manufacturing sector, who are the real-life spies?

Let’s forget about James Bond and his Minox camera for a moment. Instead, let’s focus on Jill with a smartphone and money problems. Joe in R&D may fancy making VP at a competitor. Then there’s Jim, the work-from-home (WFH) contract engineer who just got an invite to visit China, all expenses paid, courtesy of the Thousand Talents program. 

Not to forget the ambitious – now-former – head of your self-driving vehicle division (if you are Google). 

That last case reminded us that the risk of IP theft is highest when employees leave. In more than 50% of documented IP theft, the perpetrators are employees who quit and take proprietary information with them. 

This happens simply because they could. Nothing got in the way.

A design engineer, for instance, may store critical CAD drawings on a private hard disk or personal cloud storage “just in case” and later use them when interviewing with the competition.

IT and other stakeholders need a mechanism that makes it simple to centrally disable access to sensitive documents for a departing employee at the file level, even if that file now resides on an unmanaged work-from-home laptop.

 

6. Establish or expand your threat intelligence program.

Managing IP theft risk in 2022 requires more than cursory reference checks or LinkedIn profile once-overs for potential hires.

Smaller companies can outsource their pre-hire background checks to background investigation specialists and threat intelligence firms. Large manufacturers may expand their internal open-source intelligence (OSINT) collection capabilities.

Photo: Inside the FBI's Cyber Division

This enables investigators and SOC analysts to examine, for example, dark web marketplaces for suspicious data movements. 

Where to find private-sector professionals that specialize in digital insider threats on all levels? Industry associations, trade groups, and government resources such as the National Center for Cybersecurity in Manufacturing can help.

 

7. Monitor to identify insider threat warning signs.

What are the indicators of insider threats that may culminate in IP theft? Behavioral and personality changes can be early warning signs, experts say. Financial problems, a drop in performance, or a sudden interest in files outside the employee’s work scope are indicators as well.

To catch such telltale signs early on, the software selected to secure and manage proprietary information should include the capability to flag suspicious files and user activities. Do they indicate sufficient risk for intervention by business management? 

Digital rights management combined with user and entity behavior analytics (UEBA) enables visibility into employees’ interaction with IP at the file level. It applies rule-based modeling to the respective data sources.

This approach allows the system to establish baseline behavioral patterns and help determine suspicious activities.

Fasoo’s RiskView, for example, provides such UEBA protection for sensitive files. For IT, it serves as an early warning system against infractions by users even with sufficient inside knowledge to bypass other security controls and methods.

 

8. Choose productivity over paranoia.

Under pressure to innovate and develop startup-like cultures, traditional manufacturers struggle to protect their digital IP without sacrificing productivity.

An overly rigid and inflexible approach to IP protection risks slowing down workflows and alienating top performers.

It also introduces additional risks. A typical example is team members who develop “creative” workarounds to access or share sensitive proprietary information they need to get the job done.

Security or productivity: do we have to choose? It doesn’t have to be an either/or choice. Let’s look at Digital Rights Management (DRM) as an example.

DRM (also referred to as Information Rights Management, IRM) today is at the heart of many enterprise-wide initiatives to prevent intellectual property theft or unintentional digital IP leakage. 

How to solve the IP Theft Protection vs. Productivity conundrum? Enterprise IT leaders emphasize the importance of carefully selecting an enterprise DRM software that is flexible and fast at scale.

 

9. Put manageability and flexibility first.  

Can we really expect data owners to become security experts when managing document-level protection for the files they oversee? 

We shouldn’t. But that’s what happens, IT says, when the company deploys the kind of information protection service that was developed almost as an afterthought to popular office software and design tools.

Many IT leaders have determined such rights management services are too limited for the use cases in their enterprise-wide deployment. They are also cumbersome to manage and use on the ground.

Exception management is a prime example. How do you give everyone on the team who needs it fast and uncomplicated access to critical IP while ensuring that it doesn’t fall into the wrong hands? 

An effective DRM solution simplifies and accelerates the process of obtaining exemptions from file access and management restrictions. A user’s legitimate exception request should not increase IT’s workload, be held up by slow support desk response times, or get forgotten in the system once it has been granted.

 

10. Select DRM that enables centralized policy and visibility 

Opportunity makes thieves, as highlighted in Tip #5. Eliminate the opportunity for digital IP theft with DRM. Protect your IP from the onboarding through the offboarding process, including all user activities on your network in between.

Centralized policy management empowers IT and management to conveniently set and change data-centric and user-centric document use policies at-a-glance.

The past three years have seen a significant uptick in companies looking to deploy EDRM to prevent IP theft. Industry observers attribute this trend primarily to three factors:

  • the rising threat of IP theft by corporate insiders,
  • Microsoft now supports its rights management in Azure, on Apple’s iOS, and on Google’s Android,
  • the pressure to protect intellectual property accessed by remote workers, often on unmanaged home networks and devices. 

Fasoo Enterprise DRM’s authentication APIs, for example, support numerous third-party, federated, and proprietary authentication systems. In the enterprise environment with its hybrid mix of on-premises, cloud, and WFH digital assets and devices, this means less headache for IT when securing remote access.

This way, IT can quickly adapt your document use policies to fit remote work scenarios. It also means that when your company shuts off access to an employee for good, it doesn’t run the risk anymore that a critical resource gets overlooked.

Fasoo Enterprise DRM’s encryption renders protected files useless for the former employee and other unauthorized 3rd parties.

*

Talk to our team about how Fasoo Enterprise DRM will complement and strengthen your insider risk program.

 

This post was originally published in March 2021 and has been updated for accuracy and comprehensiveness.

What good is a secure island if you’re left stranded? Former Secure Islands customers want to know, since their data protection software has finally reached end-of-life support after the company was acquired by Microsoft a few years back. The good news: they have more options than they may have thought.

*

As a startup, Secure Islands Technologies Ltd. was a success story. Not so much for some of its early customers, we hear.

Two brothers, Aki and Yuval Eldar, founded Secure Islands in 2006 in Jerusalem. Microsoft acquired the company for $150 million in 2015 and made its technology an essential building block for Microsoft’s Azure Information Protection (AIP, part of the Microsoft Information Protection framework MIP). Six years later, to Secure Islands customers who decided AIP wasn’t for them, it may seem as if they are stuck.

So far, so predictable. As far as startup exits go, you’ve heard the stories. The outcome can be ugly: early customers are left holding the bag, with nowhere to turn. It can also be a blessing in disguise: for example, when IT discovers alternatives that show how far a technology has come elsewhere since its nascent stage.

Such happy endings happen. Take enterprise-level Digital Information Rights Management (DRM), for example. Also referred to as Information Rights Management (IRM) sometimes, it has come a long way since the aughts. This development is good news for organizations looking for AIP alternatives.

No happy endings on security islands

Information protection solutions of the past were difficult to deploy and scale. Workflows slowed down. Productivity suffered. That said, today, we see a different picture. The success of solutions such as Fasoo Enterprise DRM triggered a resurgence of the category, primarily for three reasons: 

  • Mature Enterprise DRM solutions ensure comprehensive data protection that extends far beyond one or two document ecosystems

Fasoo Enterprise DRM, for example, covers more than 230 document formats, including images, CAD files created with forty different applications, and old Microsoft Office documents that even AIP cannot encrypt. This approach extends beyond Microsoft Office or Adobe PDF files and prevents the creation of “security islands” that leave critical documents unprotected.


  • Centralized policy management and control beats having to deputize (and train) your end users as security experts.

AIP uses Secure Islands technology to categorize documents, which can result in certain limitations. Depending on a company’s Microsoft licensing level, users may have to manually label the documents they import or create and decide what protection and permissions to assign.

Other limitations concern larger organizations that deal with high volumes of unstructured data daily, such as financial institutions and globally operating law firms. AIP limits the number of sensitivity labels per organization to 500 for labels that assign encryption specifying the users and permissions.

Another issue in these industries is AIP’s lack of SDKs to facilitate integration with iManage and other Enterprise Content Management (ECM) platforms. In organizations that need to encrypt files across thousands of file-sharing folders and subfolders, this means they would have to apply an AIP label to each manually just for simple encryption.

Fasoo Enterprise DRM represents a different, “file-centric, people-centric” approach that enables organizations to preserve and support proven and efficient workflows. Policies defined by IT automatically determine at the point of creation who can access a protected document and how. Exceptions are handled flexibly and “on the fly”, for example by granting a provisional permission on a temporary basis.

  • Document protection in the cloud requires a mature enterprise DRM solution.

Cloud collaboration plays an important role in selecting an enterprise DRM solution. Companies now looking for alternatives to AIP are clear about this point: they want document protection that travels with the file and doesn’t end at their organization’s IT perimeter.

Their old information protection technology was devised years ago, with no consideration yet for the cloud. One consequence is that it can only protect sensitive documents on a computer or mobile device. Once the file is uploaded to the cloud outside the Microsoft ecosystem, document protection is lost.

In contrast, Fasoo Enterprise DRM ensures that persistent security remains with documents, pictures, audio, video, and 3D CAD drawings regardless of their location, whether in the cloud or on a flash drive. Senders can set a validity period or revoke access immediately, even after distribution. The organization remains in control of sensitive files at rest, in use, and in motion – no matter where they may end up. 

Worried about your document protection getting stuck on a security island? In summary, these three rules will help you not to miss the boat: 

1. Document protection worth its name requires properly protecting all confidential documents that need protecting, not just those preferred by one solution vendor.
2. If “automatic labeling” was the promise, you’ll hate seeing it turn into manual labor over a few hundred or thousand file-sharing folders.
3. No company is a secure island; the cloud is real, and so is the need for document protection in the cloud.

Contact the Fasoo team to find out more!

How can you protect CAD files against IP theft, data leakage, and tampering? In 2022, securing confidential data along the supply chain, end-to-end, is paramount.

*

Manufacturing companies face growing pressure to better shield their trade secrets from prying eyes. Since the beginning of the coronavirus pandemic, they have been hit by a wave of intellectual property (IP) theft by insiders, cyber attacks, and data leaks caused by negligence.

In particular, instances of engineers copying critical CAD drawings on flash drives on their way out the door have increased dramatically. Among the victims are automotive, aerospace, defense, and semiconductor companies.

CAD/CAM/CAE files often contain the most valuable know-how in these industries. They hold the key to the company’s future – or to that of a competitor, if outsiders get hold of the data. That’s why more manufacturers now adopt Enterprise Digital Rights Management (Enterprise DRM) for end-to-end document protection. So what does it actually look like to protect CAD files from the engineer’s perspective? 

 

CAD file password protection is for victims

CAD file passwords can be guessed or cracked. Data Loss Prevention (DLP) tools provide only limited protection. Enterprise DRM, on the other hand, provides an alternative. Based on a data-centric security model and strong FIPS 140-2 validated encryption, it is the key to a viable Zero Trust strategy.

Let’s take the automotive industry, for example. Many companies in the mobility sector realize the need to secure their CAD drawings and other unstructured data properly. The wide variety of CAD tools and file formats used across various companies in the supply chain poses a major challenge.

A viable solution protects Catia, Creo, or Siemens NX drawings, plus Solidworks, SolidEdge, JT, 3D-PDF, or STEP files, among many others, depending on the use case. Their quest for effective and gapless document protection leads many companies to Fasoo Enterprise DRM, which covers more than 230 applications and document formats. This means the company can encrypt, control, and track its sensitive data – no matter where it goes or who handles it. 

 

How to protect CAD drawings without productivity loss?

These capabilities are now crucial in the automotive sector, where information security teams were hit by a triple whammy during the pandemic:

    • Remote work and unmanaged devices have created blind spots for IT and increased insider risks. In addition, remote access vulnerabilities like misconfigured VPNs and spotty endpoint security make it easier for outside attackers to penetrate corporate networks, often through supply chain partners.

 

    • In the automotive industry, the “great reset” – the shift to development and production of “intelligent” electric vehicles (EV) – is coinciding with the “great resignation”. Companies struggle with higher turnover rates among their top talent, including senior engineers who join competitors.

 

    • IT in manufacturing companies is particularly impacted by both developments. The coronavirus crisis exacerbated personnel shortages in this sector. In many organizations, this development has increased the vulnerability to data theft and leaks. Critical software patches, for example, are often postponed or missed altogether. 

 

As a result, companies take additional measures to secure their CAD drawings. One concern IT has to deal with is: How will the new CAD file protection impact workflows in the engineering department? 

 

CAD file protection without gaps or friction 

In organizations that deploy Fasoo Enterprise DRM, such concerns are quickly alleviated. Let’s look at a leading automotive components supplier, for example.

Image: Brake caliper (red)

Here’s what happens when a design engineer opens and modifies a Fasoo-protected 3D CAD drawing of a brake caliper:

 

      1. The engineer finds and clicks the CAD file in the company’s Product Lifecycle Management (PLM) system. This is also where related data sets, such as process information, are stored and maintained. This system is shared by the company’s tech centers on several continents.

 

      2. This particular document opens in CATIA, the tool it was created with. Like all files containing confidential IP, it was automatically encrypted by Fasoo at the point of creation, with specific permissions assigned to a limited group of authorized users. As a senior member of the development team, our engineer can download, view, and modify the file.

 

      3. The senior engineer reviews the CAD drawing and discovers a possible improvement opportunity that would make the caliper piston more efficient. To be sure it hasn’t been incorporated before and abandoned, the user runs and downloads a report from the PLM that includes updates and revisions of related documents. Fasoo automatically encrypts this report as it is downloaded to the engineer’s computer.

 

      4. In the next step, our user saves an excerpt of the 3D geometry as a PDF file to email to one of the company’s outside engineering consultants for discussion. Because security policies automatically apply to file derivatives protected with Fasoo Enterprise DRM, the new file inherits the security of the original file. The senior engineer then manually grants temporary access to the engineering consultant, who now can view and annotate the PDF before submitting a formal quote for this project.

 
Throughout the process, Fasoo Enterprise DRM secures the CAD file and its derivative at rest, in transit, and in use. Equally protected is all associated unstructured data, such as Microsoft Office, images, or PDF documents. Security policies are centrally managed and travel with the file.

An audit trail of document activities provides granular insight into how each CAD file and related documents are accessed during this process. This includes unauthorized access attempts. Seamless integration with the automotive company’s knowledge management system and flexible policy management ensure a frictionless user experience for engineering teams – no IT intervention required. 

Do you have questions about protecting CAD files and workflows with Enterprise DRM?
Contact us here.

 

Gartner predicted that roughly 50 % of knowledge workers worldwide would be working remotely by now. More remote work puts more sensitive data at risk, which increasingly also affects manufacturing companies. Check out the following ten tips to ramp up your document protection program in 2022.

*

Quick question: What do automated ransomware campaigns conducted by external attackers have in common with data theft committed by corporate insiders?

In the light of recent incident reports, I can think of three answers off the bat – at a minimum:

 

  • In both categories, incidents are on the rise.
  • Both target sensitive data, since more ransomware attacks begin with stealing confidential documents for extortion or sale on the dark web before encrypting the victim’s data.
  • Both increasingly exploit work-from-home data security weaknesses.

 

Examples of the latter include unsecured WiFi networks, unmanaged devices, and endpoint vulnerabilities. At the same time, IT lacks visibility into the online activities of remote employees and contractors.

In a nutshell, remote work has become a primary source of risk to digital assets in the enterprise. Now the Omicron variant is pushing even more organizations (back) into remote or hybrid work arrangements.

Additional factors exacerbate the crisis going into 2022. The automotive industry and its supply chains feel the impact. Key employees leverage the “Great Reset” in the industry and leave to join competitors, sometimes taking trade secrets with them. IT teams struggle with staff shortages and often only learn about what happened when it’s too late.

Does this sound familiar?

 

10 tips to boost your remote work document protection

 

Get ready for 2022 with our ten tips on how to protect unstructured data in remote work settings:

 

    1. Identify the threat.

Beware intellectual property theft by insiders. In more than 50 % of documented IP theft cases, the perpetrators were current or former employees or contractors. In addition, when external attackers exfiltrate sensitive information, employee negligence often plays a role.

 

    2. Identify what’s most at risk.

In most innovation-driven companies, trade secrets are stored in the form of unstructured data. Think confidential Microsoft Office documents, CAD/CAE files, digital images, or PDFs. They come in various (legacy) formats and are often scattered across the organization and along its supply chain. Securing them will be an uphill battle, especially in remote work environments, without the right strategy.

 

    3. Identify your data protection strategy.

The push into remote and hybrid work environments requires a comprehensive approach to data protection, rather than merely a mix of device-centric endpoint and data loss prevention (DLP) solutions. Recognizing this, more technology companies are adopting a data-centric security model.

With sensitive documents, this means they remain protected regardless of where a file resides or with whom it is shared. The data-centric model ensures document protection independently of networks, servers, locations, and devices, such as unmanaged home office printers.

 

    4. Protect data throughout its lifecycle.

Digital Rights Management (DRM, sometimes also referred to as Information Rights Management, IRM) is based on the data-centric security model at the core of any Zero Trust strategy. Fasoo Enterprise DRM (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Encryption, flexible policies, and granular controls govern how and by whom a file can be viewed, edited, printed, and shared within the organization’s IT perimeter and outside – like in the home office.

 

    5. Protect sensitive files without exceptions.

Does the Enterprise DRM solution you’re evaluating support all industry-relevant CAD and CAE applications? In the automotive industry, support for tools such as AutoCAD, CATIA, or PTC Creo (and many more) and a broad range of PDF file formats is considered essential to ensure future-proof document protection.

 

    6. Protect workflows and productivity.

Some information protection solutions lack centralized policy management. This shortcoming is known to slow down workflows to a trickle, especially when remote contributors are involved. Fasoo combines central control options with flexible exception management. Exception approval for accessing particular documents from the home office, for example, can be delegated to managers or coworkers instead of waiting for IT.

 

    7. Control confidential data wherever it goes.

A supplier’s design engineer working from home is requesting remote access to sensitive documents? With Enterprise DRM, it’s just another day in the office. Gartner analysts describe DRM as “one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

 

    8. Control print.

Fasoo takes a printer-agnostic approach to secure printing. This approach eliminates most challenges that commonly arise in remote work environments with home printers or print drivers. It enables data owners to centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts. Fasoo Smart Print also lets you set print protection policies for plain documents not secured by EDRM.

 

    9. Control the screen.

Concerned about a remote team member capturing sensitive data on a screen during an internal Zoom or Skype call presentation? Enterprise DRM provides a screen security component, Fasoo Smart Screen, enabling IT to block and monitor screen capture attempts. For deterrence, it can also imprint documents with a watermark that contains tell-tale user-specific information.

 

    10. Control data without alienating workers.

Fasoo’s centralized policy management enables flexible, people-centric document protection across organizational boundaries. Everyone who needs to can keep tabs on documents’ whereabouts and protection status, without risking privacy complaints and lawsuits from home office workers. Fasoo Enterprise DRM integrates with all leading federated authentication services, enabling IT to automatically revoke access to EDRM-protected documents once an employee leaves.

 

Contact the Fasoo team and find out how others in your industry deploy Enterprise DRM in remote and hybrid work environments.

Mergers and acquisitions (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?

*

Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That applies to the buyer’s side as well as the seller’s, and includes investment banks or Private Equity (PE) firms.

This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.

Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.

 

M&A activities at an all-time high – and deal leaks, too

The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example. 

A global automotive component manufacturer is planning with its investment bank the acquisition of a publicly traded semiconductor design and manufacturing company.

Table Overview: Deal Leaks by Sector

Source: SS&C Intralinks 2020 M&A Leaks Report [PDF]

 

It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge. 

 

The challenge: Remote work amplifies M&A security risks

We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them. 

Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.

These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.

 

The solution: data-centric M&A security

Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.

Bar chart: M&A cost distribution, by phase (IBM)

Source: IBM Benchmark Insights: Assessing Cyber Risk in M&A

 

In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly. 

Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage EDRM to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.

 

M&A and beyond: document lifecycle protection

Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.

 

  • Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.

    This phase usually involves a large number of Microsoft Office documents and Adobe PDF files in various formats. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.

 

  • Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs. Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.

 

  • Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate. In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, even sensitive records exported from databases are automatically detected, classified, prioritized and encrypted when they enter the buyer company’s environment from the acquired company.

During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop. 

After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.

 

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 

*

The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders – often working remotely – now account for more than 50 % of data breaches in the financial sector, according to security research. Several terabytes of sensitive data have been ransacked or leaked from more banks, financial services firms, and law firms since that 2015 data breach. Think of the Pandora Papers: confidential documents, including supposedly secure PDF files, images, emails, and spreadsheets, from 14 offshore financial service providers.

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

Eighteen months later, research shows that this warning about remote work security still stands. Industry experts point to misconfigured VPNs, insufficiently secured home WiFi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote Work Security - infographic excerpt

Source: Tessian (Infographic)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention tools (DLP), firewalls, endpoint protection – cannot ensure adequate protection. Recent threat reports confirm: attackers are busy exploiting the remote work blindspots and endpoint vulnerabilities to the fullest.

 

Document theft-as-a-service: Search. Scoop up. Siphon off.

As a result, credit unions, investment banks, and mortgage lenders, and their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm Trend Micro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There’s a direct and significant connection. New ransomware variants don’t merely encrypt the victim’s business-critical data and demand a ransom for unlocking it. The latest ransomware toolkits are also built for data exfiltration.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI sent out this Private Industry Notification [PDF]. It describes how perpetrators specifically target confidential documents about planned mergers and acquisitions, to release them on the internet if the victim doesn’t pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control  – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Bank CISOs recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP), firewalls, endpoint protection – cannot ensure adequate protection anymore.

Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee the access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.

The Fasoo Enterprise DRM framework follows a three-part approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which is limited to tagging such information for protection within the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.

 

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

 

    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.

 

Boost for remote work security and productivity in banking

This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, enable organizations to apply print protection and watermarks to plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to designated applications and URLs, blocks screen capture attempts on sensitive data, and logs all such attempts.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

IT, compliance, and risk management leaders need a reference of terms, acronyms, and key people in the enterprise digital rights management (EDRM) domain. This Enterprise DRM Glossary will be updated regularly. The EDRM glossary draws on various sources, including books, periodicals, websites, subject matter experts, and Enterprise DRM users. We welcome your feedback and suggestions of terms to include. Contact us at info@fasoo.com.

CAD Security
Centralized Policy Management
Data-centric Security
Data Loss Prevention (DLP)
Digital Rights Management (DRM)
Encryption
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Information Rights Management (IRM)
Insider Threat
Intellectual Property Theft (IP Theft)
Microsoft Azure Information Protection (AIP)
PDF Security
Permission
Personally Identifiable Information (PII)
Print Protection
Provisional Permission
Secure File Sharing
Secure Print
Unstructured Data
Zero Trust Document Protection

*

 

 

CAD Security

CAD security, also referred to as CAD file security or CAD protection, describes the methods, means, and measures available to protect Computer-Aided Design (CAD), Computer-Aided Manufacturing (CAM), and Computer-Aided Engineering (CAE) tools and documents against unauthorized access and use.

CAD files, such as 3D CAD drawings, are unstructured data. Manufacturing companies and design engineering firms looking to protect CAD files face particular challenges. Primary reasons are:

  • the wide range of niche applications and file formats not covered by information rights management solutions for common office document formats (example: Microsoft AIP),
  • the weakness of traditional CAD file password protection,
  • the lack of end-to-end encryption and loss of oversight and control in many organizations when sharing CAD files by email or in the cloud.  

Examples are the automotive industry and the mobility sector in general, where CAD files often contain a company’s most valuable know-how. CAD file protection gaps at the endpoint and remote work risks were exacerbated during the coronavirus pandemic. They contributed to an increase in IP theft by insiders and data exfiltration by external threat actors.

In response, manufacturers are adopting Enterprise Digital Rights Management – Enterprise DRM – to ensure end-to-end CAD file protection and centralized policy management and control beyond the company’s IT perimeter. This approach is based on a data-centric security model. Solutions such as Fasoo Enterprise DRM ensure CAD file security at rest, in transit, and in use. Derivatives, for example 3D models excerpted as PDF files, automatically inherit the file security of the enterprise DRM-protected CAD file, which can include secure print protection.

Source: Enterprise DRM Glossary. Reference: How to Protect CAD Files and Workflows Against IP Theft (Fasoo Blog)

*

 

 

Centralized Policy Management

A centralized security policy simplifies managing permissions on documents and ensures a consistent policy across an organization. The policy is persistent yet flexible and allows the organization to manage security rather than relying on individuals to make security decisions.  Compare this to the built-in PDF password protection feature provided by Adobe.

From the organizational perspective, the latter means putting the document’s fate into the hands of its creator.  The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely.  It also forces users to become security experts.

In comparison, the advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go.  This includes changing policies for a user or group at any time, regardless of where the document resides.

Users can be granted the right to maintain complete control over their documents, for those situations where it’s warranted.  This provides a layered approach giving users and groups autonomy for certain documents while maintaining centralized control for the organization.

For example, a Finance user creates a document and it is encrypted upon saving it.  All users in the Finance group automatically have access to the document.  The user decides she needs Legal to review the document, so she can manually grant them access.  If the user leaves the company or moves to another department, the document is still accessible by Finance and Legal.  The organization maintains control.

For solutions without centralized control options, like Microsoft AIP,  it is difficult to implement and change security policies with many users and constantly changing roles. The considerable burden of keeping up-to-date and in sync with the needs of departments or business units often falls on the individual creator of the document.
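The Python model below is an added illustration written for this glossary; it is not Fasoo’s code or any product’s API, and the users, groups, document names and content are constructed. It ties together the CAD workflow described earlier on this page (a file encrypted at creation, a PDF derivative inheriting its parent’s policy, a temporary grant to an outside consultant, an audit trail that records denied attempts) and the Finance/Legal example above (the creator leaves, the group keeps access). The SHA-256 counter-mode keystream is a toy stand-in for a real cipher such as AES and is not production cryptography; what the example shows is where the decision is made, not how to encrypt.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed directory of hypothetical users; groups are the unit of policy.
DIRECTORY = {"alice": {"engineering"}, "carol": {"engineering"}, "bob": {"legal"}, "eve": set()}

def _keystream(key, nonce, length):
    """Counter-mode keystream with SHA-256 as the PRF: a toy stand-in for AES, not production crypto."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

class PolicyServer:
    """Central store of per-document keys and policies. A protected file carries only its doc_id,
    so the organisation, not the file's creator, decides who may open it and until when."""
    def __init__(self, directory):
        self.directory = dict(directory)
        self.keys, self.policies, self.audit = {}, {}, []
    def _permissions(self, user, doc_id, now):
        pol = self.policies[doc_id]
        perms = set()
        for group in self.directory.get(user, ()):
            perms |= pol["groups"].get(group, set())
        grant = pol["grants"].get(user)
        if grant and now < grant["expires"]:            # timed per-user exception
            perms |= grant["perms"]
        return perms
    def authorize(self, user, doc_id, action, now):
        """Every decision, allowed or denied, lands in the audit trail before a key is released."""
        allowed = action in self._permissions(user, doc_id, now)
        self.audit.append((now, user, doc_id, action, allowed))
        if not allowed:
            raise PermissionError(f"{user} may not {action} {doc_id}")
        return self.keys[doc_id]
    def protect(self, doc_id, plaintext, groups):
        """Encrypt at creation; the key never leaves the server except through authorize()."""
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, nonce + ct, "sha256").digest()
        self.keys[doc_id] = key
        self.policies[doc_id] = {"groups": {g: set(p) for g, p in groups.items()}, "grants": {}}
        return {"doc_id": doc_id, "nonce": nonce, "ct": ct, "tag": tag}
    def open(self, user, pf, action, now):
        key = self.authorize(user, pf["doc_id"], action, now)
        expected = hmac.new(key, pf["nonce"] + pf["ct"], "sha256").digest()
        if not hmac.compare_digest(expected, pf["tag"]):
            raise ValueError("file tampered")
        return _xor(pf["ct"], _keystream(key, pf["nonce"], len(pf["ct"])))
    def derive(self, user, parent, new_doc_id, new_plaintext, now):
        """A derivative (say, a PDF excerpt of a CAD model) inherits the parent's group policy."""
        self.authorize(user, parent["doc_id"], "edit", now)
        return self.protect(new_doc_id, new_plaintext, self.policies[parent["doc_id"]]["groups"])
    def grant(self, granter, doc_id, to, perms, now, hours=None):
        """Share with another group permanently, or with one user for a limited time."""
        self.authorize(granter, doc_id, "share", now)
        pol = self.policies[doc_id]
        if hours is None:
            pol["groups"][to] = set(perms)
        else:
            pol["grants"][to] = {"perms": set(perms), "expires": now + timedelta(hours=hours)}
    def deprovision(self, user):
        """A leaver is removed from the directory; documents stay with the groups that own them."""
        self.directory.pop(user, None)

def scenario():
    """Walk through the CAD workflow and the Finance/Legal example; returns what each actor saw."""
    t0 = datetime(2022, 3, 1, tzinfo=timezone.utc)
    srv = PolicyServer(DIRECTORY)
    def attempt(user, pf, at):                          # None means access was denied
        try:
            return srv.open(user, pf, "view", at)
        except PermissionError:
            return None
    cad = srv.protect("caliper-3d", b"3D geometry: brake caliper piston",   # constructed content
                      {"engineering": {"view", "edit", "share"}})
    out = {"owner_view": attempt("alice", cad, t0)}
    pdf = srv.derive("alice", cad, "caliper-excerpt.pdf", b"2D excerpt of piston", t0)
    out["consultant_before"] = attempt("eve", pdf, t0)
    srv.grant("alice", pdf["doc_id"], "eve", {"view"}, t0, hours=48)   # temporary, this file only
    out["consultant_during"] = attempt("eve", pdf, t0 + timedelta(hours=1))
    out["consultant_after"] = attempt("eve", pdf, t0 + timedelta(hours=49))
    out["consultant_on_parent"] = attempt("eve", cad, t0 + timedelta(hours=1))
    srv.grant("alice", cad["doc_id"], "legal", {"view"}, t0)            # share with Legal as a group
    srv.deprovision("alice")                                            # the creator leaves
    out["leaver"] = attempt("alice", cad, t0 + timedelta(days=1))
    out["colleague_after"] = attempt("carol", cad, t0 + timedelta(days=1))
    out["legal_after"] = attempt("bob", cad, t0 + timedelta(days=1))
    out["denials"] = sum(1 for *_, ok in srv.audit if not ok)
    return out
```

Two properties carry the weight here. The file on disk is useless without a key that the server releases only after an audited policy decision, and that decision is evaluated against the directory at open time: deprovisioning alice changes nothing on disk, yet she is refused the next day while carol and the Legal group still open the model. The consultant’s grant is scoped to the derivative, so eve never gains access to the parent model, and every refusal is in the audit trail.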

*

 

 

Data-centric Security

The data-centric security model aims to enhance information protection regardless of where the data resides or with whom it is shared. It is considered a core part of a Zero Trust approach to information security. Data-centric security is independent of networks, servers, locations, and devices and marks a departure from the traditional “device-centric” or location-centric security model.

Enterprise DRM applies the data-centric security model by taking a file-centric approach to securing unstructured data, such as MS Office documents, CAD/CAE files, PDFs, plain text, and other digital media file types. This approach means that, in contrast to other methods, persistent encryption and access controls tied to the organization’s Identity and Access Management (IAM) travel with the file.

Data-centric security management requires organizations to know what data they have and its security and privacy requirements. To make data-centric protection of unstructured data feasible at scale, they have to rely on standardized mechanisms to catalog and categorize data. Fasoo Enterprise DRM, for example, applies file-centric protection based on data classification tags to

  • Encrypt the file contents: If exfiltrated, the sensitive data remains unreadable without the key and is of no value to threat actors;
  • Limit file access to authorized users only: Users can be individuals, departments, business units, or defined by role or title.

Historically, organizations adopted file-centric solutions for specific use cases. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policy management ensures IT and data owners can grant access and apply protection consistently across all networks, devices, endpoints, and cloud services.

Source: Enterprise DRM Glossary. Reference: Data-centric security is key to resiliency, cyber risk report says (VentureBeat),  Protect-first Approach to Data-centric Security (Fasoo Brief), Data-centric Security (Fasoo Archive)

*

 

 

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) describes tools and methods to prevent sensitive data, such as Personally Identifiable Information (PII) or business-critical intellectual property, from leaving an organization without proper authorization. 

To that effect, DLP software categorizes documents and emails and analyzes user behavior to restrict the transfer of data. The underlying rules and filters have to be maintained and adjusted by IT in coordination with other stakeholders to minimize workflow interruptions. 

Organizations can apply DLP only to their internal data flow. Unlike Enterprise DRM, it does not protect confidential information once data has been intentionally or unintentionally exfiltrated. A typical example is an email mistakenly sent to the wrong address. Like antivirus software or web filters, DLP components have become a staple of information security in the enterprise. As part of the point solutions mix, they often complement particular applications or tools, such as cloud security services or Microsoft AIP.

Larger organizations frequently leverage DLP to ensure compliance with data protection regulations such as GDPR, CCPA, or HIPAA. Critics blame DLP for creating a false sense of security and point to its blindspots (USB drives, SaaS file sharing applications, enterprise messaging apps) and its focus on internal file downloads and sharing. 

Source: Enterprise DRM Glossary. Reference: DRM and DLP: Comparison Made Simple (Fasoo Blog), Data Loss Prevention (NIST Computer Security Resource Center Glossary)

*


Digital Rights Management (DRM)

Digital Rights Management (DRM) describes the tools, systems, and data-centric processes used to automatically encrypt files and dynamically control access privileges for unstructured data at rest, in use, and in motion. In the consumer space, DRM aims to control the use, modification, and distribution of copyrighted material, such as computer software and multimedia files.

In business, Enterprise DRM ensures data-centric document protection inside and outside the IT perimeter and along an organization’s supply chain to protect sensitive information against theft or misuse by insiders and unauthorized access from the outside.

Source: Enterprise DRM Glossary. Reference: What is Digital Rights Management? (Fortinet Cyber Glossary)

*


Encryption

The term encryption describes the cryptographic transformation of data into a form that conceals its original content to prevent it from being known or used. Decoding the encoded information requires the correct key. 

Enterprise DRM provides an additional layer of security through its data-centric combination of encryption and access control. Fasoo Enterprise DRM, for example, encrypts files containing sensitive unstructured data and limits access to the encrypted file to authorized users only within their given permissions. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

Fasoo EDRM encrypts files using a Packager. DRM-enabled documents cannot be opened without a DRM Client, which requests a “license” from the DRM Server. The DRM Server issues that license according to the security policy for the user and the document, which can be applied and flexibly adjusted using centralized policy management and exception handling. The DRM Client then decrypts the DRM-enabled document and sends the data to a rendering application, such as Microsoft Word, a PDF reader, or a CAD engineering tool.

Document encryption with Fasoo is based on FIPS 140-2 validated cryptographic modules that meet the requirements of the Cryptographic Module Validation Program (CMVP) run by the United States National Institute of Standards and Technology (NIST). That means it delivers the encryption strength required for organizations that are part of or do business with the U.S. federal government. 

Source: Enterprise DRM Glossary. Reference: To Encrypt or Not to Encrypt (Fasoo Blog), Encryption (Fasoo Archive)

*


Enterprise Digital Rights Management (Enterprise DRM, EDRM)

Enterprise Digital Rights Management (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Also referred to as Information Rights Management (IRM), this data-centric protection applies on any device throughout the entire document lifecycle.

By encrypting files and leveraging granular controls through centralized policy management, Enterprise DRM allows organizations to limit viewing, editing, printing, and sharing sensitive content with unauthorized users within and outside the organization’s IT perimeter.

Historically, the challenges associated with persistent policy enforcement account for the reputation of many enterprise DRM solutions being complex to deploy. This perception has changed, industry observers agree.

According to Gartner analysts, enterprise DRM now “is one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

Industry observers credit Fasoo Enterprise DRM with driving much of this development. Its flagship installation spans over 170,000 internal users and over 700,000 total users of affiliates and partners worldwide.

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM Whitepaper 

*


Information Rights Management (IRM)

See Enterprise DRM

*


Insider Threat

An insider threat is defined as the potential for a person with authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the organization’s integrity, confidentiality, and availability, its data, personnel, or facilities.

Insider threats, such as IP theft by employees or contractors, are among the main risks to be considered when securing sensitive information in the form of unstructured data, such as office documents, PDFs, or CAD files. According to a 2020 survey conducted by the Ponemon Institute (PDF) and sponsored by ObserveIT and Proofpoint, 60% of polled organizations worldwide encountered more than 30 insider-related incidents per year involving digital assets.

The National Insider Threat Awareness Month library at the Center for the Development of Security Excellence offers guides, real-world case studies, videos, and web-based games to help organizations detect, deter, and mitigate insider threats.

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog), Insider Threat Report (Fasoo Resources)

*


Intellectual Property Theft (IP Theft)

The term Intellectual Property Theft (IP Theft) describes the act of stealing ideas, creative expressions, inventions, or trade secrets – collectively known as Intellectual Property (IP) – from the person or company who owns them. IP theft is against the law. Patent, copyright, and trademark laws, among others, aim to protect intellectual property owners.

In the digital sphere, most intellectual property exists in the form of unstructured data. Movies, music, and computer software all can be targets of IP theft, as can confidential office documents (example: pricing discounts), PDF files (example: employee W-2 forms), images (example: product concept studies), or CAD templates (example: digital blueprints of manufacturing designs).

Who is committing IP theft? According to experts, insiders – i.e. (former) employees, contractors, or supply chain partners – are behind most IP theft cases. Many perpetrators knowingly or unknowingly play into the hands of people outside their organization, such as agents for a foreign power or corporate spies hired by a competitor.

Western counterintelligence professionals attribute the rise of IP theft in the U.S. and the European Union mainly to China. Its Thousand Talents Plan, conceived by the Chinese Communist Party, drives the recruitment of engineers and scientists in the US and the EU as part of a state-sponsored IP theft campaign on a global scale.

In more than 50% of documented IP theft cases, the perpetrators were employees who quit and took proprietary information with them because nothing stopped them. This risk has significantly increased with the shift to remote work caused by the COVID-19 pandemic.

How can companies prevent IP theft? Increasingly, larger organizations deploy Enterprise Digital Rights Management (EDRM) to secure documents and eliminate opportunities for IP theft across the enterprise and along its supply chain. Information security experts see EDRM as uniquely positioned to prevent IP theft, and to prevent further damage in cases where protected files have already been exfiltrated.

Information security professionals describe mainly three reasons for Enterprise DRM’s effectiveness in protecting large organizations against IP theft:

  • EDRM combines access control with data-centric security that protects files at rest, in use, and in transit. This device-agnostic protection applies inside and outside the organization’s IT perimeter from the point of creation throughout the document lifecycle.
  • Centralized policy management and flexible exception handling enable IT and document owners to eliminate IP theft blindspots. It also lets them quickly adapt document use policies to meet the demands of dynamically changing environments, such as remote work scenarios (see also: Secure Print). Fasoo Enterprise DRM is an example. It empowers organizations to maintain granular control over sensitive data even if that information is shared – intentionally or mistakenly – outside the organization.
  • EDRM delivers comprehensive document security at scale, encompassing the broad spectrum of document formats and applications common in globally operating organizations. Fasoo Enterprise DRM, for example, supports more than 230 file formats, including a wide range of PDF and CAD types.

In the fight against IP theft, the capabilities listed above put designated EDRM solutions like Fasoo Enterprise DRM at a distinct advantage. Point solutions developed to protect primarily one document software ecosystem and a limited number of 3rd-party file formats (example: Microsoft AIP) cannot provide the same coverage. 

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog); What’s the Biggest Challenge Manufacturing Companies Face in Their Fight Against IP Theft? (Fasoo Blog)

*


Microsoft Azure Information Protection (AIP)

Azure Information Protection is a data protection solution developed by Microsoft. It lets organizations discover, classify, and protect documents and emails. AIP was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.

Source: Enterprise DRM Glossary. Reference:  FAQ: Five Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP, What is Azure Information Protection? (Microsoft)

*


PDF Security 

Many cybersecurity professionals consider PDF security an oxymoron because of the weaknesses of the password protection and encryption of Adobe’s platform-independent file format.

Depending on the use case, adequate PDF document protection can require a combination of various 3rd-party tools and methods. Examples are PDF password protection, encryption, on-screen protection, secure print, PDF sanitization, PDF usage monitoring.

In large organizations, the number of PDF files and versions to be secured adds to the challenge. IT can overcome this challenge with Enterprise DRM, which provides an additional layer of PDF protection.

One example is Fasoo Enterprise DRM, which integrates the most powerful PDF protection mechanisms. It supports more than 230 file formats and ensures that sensitive PDF files are protected at rest, in use, and in transit.

Source: Enterprise DRM Glossary. Reference: Document Protection: How to Secure a PDF? (Fasoo Blog)

*


Permission

A permission is required to perform a particular action, such as View, Edit, or Print, on a document secured with Enterprise DRM. A user can only perform an action on a secured document when granted the proper permission, either as set via centralized policy management, by a data owner granting a specific permission, or upon request of a provisional permission.

Source: Enterprise DRM Glossary. Reference: World’s Steel Manufacturing Leader Adopts Fasoo Enterprise DRM (Fasoo Success Stories)

* 


Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is defined as any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.

PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.

PII is often maintained in the form of unstructured data, i.e., in Microsoft Office documents, PDF files (example: W-2 records), or computer printouts. Files containing PII are best protected by encrypting them at the point of creation. Adequate protection covers the document lifecycle in its entirety and includes provisions for data transfers to other media, i.e., screen photos or print.

Source: Enterprise DRM Glossary. Reference: What is Personally Identifiable Information? (Department of Homeland Security), What Unstructured Data is Sensitive? (Fasoo Brief),  PII Data Breach Archives (Fasoo Blog)

*


Print Protection

see Secure Print 

*


Provisional Permission

When a user does not have permission for a specific action in a document secured with Enterprise DRM, the user can request a temporary permission or exemption to the current security policy. If approved by the administrator or document owner, the user can perform that action with the given provisional permission for a time period defined by policy.
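The license flow sketched in the Encryption entry above (a packager encrypts the file at creation, the client asks the server for a license, the server evaluates policy for that user and that document, and the client decrypts only if a license comes back), the classification-tag-driven policy of the Data-centric Security entry, and the time-bounded exception this entry describes can all be shown in one small model. The following is an added example written for this glossary; it is not Fasoo code and does not describe the Fasoo protocol. The names PolicyServer, open_document and grant_provisional, the HMAC-SHA256 stand-in cipher (a real product would use a FIPS-validated AES module), and the users, group and document are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# --- Stand-in cipher (illustration only, standard library) ------------------
# Encrypt-then-MAC stream cipher: HMAC-SHA256 in counter mode as the keystream,
# HMAC-SHA256 over nonce+ciphertext as the integrity tag. Assumed stand-in for
# the FIPS-validated AES module a real product uses; the policy logic is the point.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def decrypt(key: bytes, blob: dict) -> bytes:
    expected = hmac.new(_subkey(key, b"mac"), blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("document has been tampered with")   # refuse to render altered content
    ks = _keystream(_subkey(key, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))

# --- Policy server: holds content keys, evaluates policy, issues licenses ------
class PolicyServer:
    def __init__(self, groups: dict, policy: dict):
        self.groups = groups        # user -> set of groups (what a directory lookup would return)
        self.policy = policy        # classification tag -> {user or group: set of permissions}
        self.keys = {}              # doc_id -> content key; leaves the server only inside a license
        self.tags = {}              # doc_id -> classification tag bound at packaging time
        self.provisional = {}       # (user, doc_id) -> (extra permissions, expiry timestamp)

    def package(self, doc_id: str, tag: str, plaintext: bytes) -> dict:
        """Packager step: encrypt at creation and bind the classification tag to the file."""
        key = secrets.token_bytes(32)
        self.keys[doc_id], self.tags[doc_id] = key, tag
        return {"doc_id": doc_id, "tag": tag, **encrypt(key, plaintext)}

    def permissions(self, user: str, doc_id: str, now: float) -> set:
        rules = self.policy.get(self.tags[doc_id], {})
        perms = set(rules.get(user, ()))
        for group in self.groups.get(user, ()):
            perms |= set(rules.get(group, ()))
        extra, expires = self.provisional.get((user, doc_id), (set(), 0.0))
        if now < expires:                       # provisional permission is only valid until expiry
            perms |= extra
        return perms

    def request_license(self, user: str, doc_id: str, now: float):
        """Deny by default: no matching policy means no license and therefore no key."""
        perms = self.permissions(user, doc_id, now)
        return None if not perms else {"key": self.keys[doc_id], "perms": perms, "issued": now}

    def grant_provisional(self, user: str, doc_id: str, perms: set, ttl: float, now: float) -> None:
        """Administrator or owner approves a time-bounded exception to the current policy."""
        self.provisional[(user, doc_id)] = (set(perms), now + ttl)

# --- Client side: every action goes through a license check ---------------------
def open_document(server: PolicyServer, user: str, protected: dict, action: str, now: float) -> str:
    lic = server.request_license(user, protected["doc_id"], now)
    if lic is None:
        raise PermissionError(f"{user}: no license for {protected['doc_id']}")
    if action not in lic["perms"]:
        raise PermissionError(f"{user}: '{action}' not permitted on {protected['doc_id']}")
    return decrypt(lic["key"], protected).decode()

def can(server: PolicyServer, user: str, protected: dict, action: str, now: float) -> bool:
    try:
        open_document(server, user, protected, action, now)
        return True
    except PermissionError:
        return False

def tamper_detected(server: PolicyServer, user: str, protected: dict, now: float) -> bool:
    """Flip one ciphertext byte and confirm the client refuses to render the result."""
    forged = dict(protected, ct=bytes([protected["ct"][0] ^ 0x01]) + protected["ct"][1:])
    try:
        open_document(server, user, forged, "view", now)
        return False
    except ValueError:
        return True

def build_demo():
    """Constructed scenario: an owner, a finance group with view-only rights, an outsider."""
    server = PolicyServer(
        groups={"bob": {"finance"}, "mallory": set()},
        policy={"confidential": {"alice": {"view", "edit", "print"}, "finance": {"view"}}},
    )
    doc = server.package("q3-forecast.xlsx", "confidential", b"Q3 revenue forecast (constructed sample)")
    return server, doc

if __name__ == "__main__":
    server, doc = build_demo()
    print(open_document(server, "alice", doc, "print", 1000.0))
    print("bob may print:", can(server, "bob", doc, "print", 1000.0))
    server.grant_provisional("bob", doc["doc_id"], {"print"}, 3600, 1000.0)
    print("bob may print (provisional):", can(server, "bob", doc, "print", 1010.0))
    print("bob may print (expired):", can(server, "bob", doc, "print", 4601.0))
```

Two properties carry the Zero Trust point here: the content key never leaves the server except inside a license that policy justified, and the client checks the requested action against the license's permission set before rendering, so an expired provisional permission is refused at the next request rather than lingering on the device. The tamper check shows why the encryption needs an integrity tag: an altered file is rejected instead of being rendered with corrupted content.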

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM White Paper (Fasoo)

*


Secure File Sharing

Secure file sharing (also referred to as secure file exchange) describes the process of making unstructured data available to other authorized users, while preventing access by others who lack proper authorization. In business environments, secure file sharing with Enterprise DRM enables individual users to transfer Microsoft Office documents, audio or video files, images, PDFs, or CAD drawings, for example, within or outside their organization, without exposing sensitive information to data theft or manipulation by unauthorized parties.

Modern digital rights management solutions enable secure file exchange based on a data-centric security model. This approach overcomes the weaknesses and limitations of traditional device-based security or file password protection (see also: PDF Security and CAD Security). It also surpasses the protection provided by file-sharing tools such as Box, Dropbox, or OneDrive, which offer encryption in the cloud and in transit, but fall short once a document reaches the recipient. Fasoo Enterprise DRM, for example, automatically encrypts each file at the point of creation and applies access policies that are centrally managed. 

Files secured with Enterprise DRM remain protected no matter where they go. This way, the data owner remains in control if and how a shared file can be accessed, regardless of its location. The protection is device-agnostic and travels with the file. Users can securely share files without risking protection gaps on portable storage media, cloud storage services, home office printers, or when documents are sent as email attachments, for example.

Source: Enterprise DRM Glossary. Reference: Data-centric Security (Fasoo Blog Archive)

*


Secure Print (Secure Printing)

Secure print describes capabilities that enable the prevention and detection of document leaks or exfiltration via print output. In Enterprise DRM, policy-based print protection lets data owners centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts.

Fasoo Enterprise DRM, for example, takes a printer-agnostic approach to secure printing. This approach eliminates problems with using different printers or print drivers. Here’s how it works:

The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels for plain and EDRM-secured documents alike.

Source: Enterprise DRM Glossary. Reference: Document Security: What Is Secure Print? (Fasoo Blog)

*


Unstructured Data

85% of today’s digitally stored information consists of unstructured data, which means it lacks a pre-defined data model or internal data organization. Examples include office documents, CAD/CAE files, PDFs, email, video, blogs, customer support chat logs, and social media.

Structured data, by comparison, is defined as data that is easily grouped, processed, and analyzed by rows and columns in relational databases. It only accounts for 15% of today’s information.

Unstructured data poses numerous security and regulatory compliance challenges. These are not addressed by the traditional network, device, and application cybersecurity and risk management approaches. This coverage gap is the reason why storing and sharing sensitive information in free-form documents creates numerous opportunities for leakage or exfiltration of proprietary or otherwise sensitive data.

Confidential files containing intellectual property, PII, or printouts of HIPAA-protected personal health information (PHI) are three examples of unstructured data potentially at risk of unauthorized access due to negligent or malicious insider behavior or cyber-attacks.

Sensitive unstructured data falls into two broad categories: regulated or unregulated. The adequate protection of regulated unstructured data is required by law (examples: GDPR, CCPA). Unregulated data includes both business-sensitive and publicly known information. Determining what content requires protection is left to the discretion of the business that owns, stores, or processes it.

Source: Enterprise DRM Glossary. Reference: What Is Unstructured Data And Why Is It So Important to Businesses? An Easy Explanation for Anyone (Forbes Enterprise Tech); Structured vs. Unstructured Data (Datamation); What Unstructured Data is Sensitive? (Fasoo)

*


Zero Trust Document Protection

Zero Trust document protection describes minimizing uncertainties in enforcing accurate access decisions regarding unstructured data. It delineates the shift from a device and location-centric security model to a predominantly data-centric approach.

The goal is to prevent unauthorized access to files containing confidential data by making access control enforcement as granular as possible. The Zero Trust approach requires fine-grained security controls between users, systems, data and assets. Enterprise DRM is considered a cornerstone of any viable Zero Trust document protection strategy, according to document security experts. They point to its data-centric security model, strong encryption, and tight integration with all leading identity and access management systems.

The Zero Trust approach achieved official cybersecurity policy status with the 2021 Executive Order on Improving the Nation’s Cybersecurity issued by the Biden administration. While the directive primarily aimed to move federal agencies to secure cloud services and a zero-trust architecture, it since has sent ripple effects through the private sector. 


Source: Enterprise DRM Glossary. Reference: “5 data protection tips for maintaining trust in the Zero Trust era,” in Financial Services: How to Boost Your Remote Work Surveillance; 3 Top Document Protection Takeaways from the May 2021 Executive Order on Cybersecurity (Fasoo Blog)

*


DLP (the traffic cop) vs. DRM (the armored truck)

Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?

For starters, it risks missing one crucial difference between these two approaches to document protection. Unlike DRM, DLP isn’t designed to protect information once it makes it outside an organization’s IT perimeter.

By definition, that’s precisely the scenario DLP purports to prevent in the first place. So this wouldn’t be a problem if DLP worked reliably 100% of the time. But it doesn’t. Why?

One answer is that DLP still requires a high degree of human intervention or supervision. This fact doesn’t take away from the advantages of document security automation. I’ll get into the details below. But first, let’s back up a moment and look at the definition of DRM vs. DLP.  


What’s the main difference between DRM and DLP?

DRM (a.k.a. IRM, for Information Rights Management) automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. 

DLP analyzes document content and user behavior patterns and can restrict movement of information based on preset criteria.

I’ve written about DRM vs. DLP on this blog before, in 2014. While little has changed about the definitions, cloud services and remote work have become ubiquitous since – and IT perimeters more blurred.

Add to that the dramatic rise of (AWS) data leaks, insider threats (such as IP theft), and double-extortion ransomware attacks. Taken together, these trends explain why the main difference between DRM and DLP has become more pronounced recently.

In a nutshell, it’s the difference between a traffic cop and an armored truck. As for the cop part, I’m not the first to draw this analogy; DLP has been compared to an officer posted at an exit ramp before.

In this analogy, only traffic identified as legitimate is waved through and allowed to leave the main drag (i.e., your network) and race off into uncontrolled territory. A police officer may check a car’s license plates, ask for ID, and scan the vehicle’s interior before giving someone permission to pass through.

Image: DLP works like a police checkpoint

Traditional DLP works in a similar way. It scans files, detects data patterns, and automatically enforces appropriate actions using contextual awareness to avoid data loss. However, the similarities don’t end here.


DLP’s biggest weakness

DLP also faces three significant challenges similar to those of a roadblock cop:


  • How can you accurately establish which traffic to allow through and handle the task effectively and expediently, before the exit point becomes a bottleneck?
  • What about all the exits not covered? With DLP, those would be USB drives, SaaS file sharing applications, such as Google Drive or Dropbox, or enterprise messaging apps, such as Slack or Microsoft Teams. Think of them as equivalents of the service road turnoff some locals (i.e., insiders) know and use to avoid a roadblock.
  • And, last but not least, what happens with the traffic that should never have made it past the checkpoint, but somehow did so anyway? Most companies need to share sensitive data with external contacts, like vendors or customers. A common occurrence is that a confidential document is mistakenly sent to the “wrong” person in a company whose email domain is safelisted as a recipient.

“Not my problem anymore,” says the (DLP) cop. What’s gone is gone, even if it ends up in the wrong hands. With the first two issues on this shortlist, data loss prevention products have been struggling from the beginning. As for the third item, it exposes DLP’s biggest weakness.

Here’s what I mean: By promoting a solipsistic focus on internal file downloads and sharing, DLP creates a false sense of security. In reality, once sensitive information moves beyond the point of egress, an organization loses all visibility and control over what happens with its sensitive data.


Has DLP been a failure?

I wouldn’t go that far. If that were the case, why did Gartner analysts expect about 90% of organizations to have “at least one form of integrated DLP” in place by this year? That’s an increase from 50% in 2017.

While DLP wasn’t the panacea that marketers made it out to be, it still has its place. In the enterprise, DLP has helped establish a baseline for document protection. One example is tagging documents that contain personally identifiable information (PII) to ensure compliance with GDPR [PDF], the General Data Protection Regulation of the European Union.

DLP deployments require IT and other stakeholders (compliance teams, data owners) to take stock of sensitive information across the board and categorize it. The downside is that it also demands constant tweaking and fine-tuning of filters and policies.

If your business deploys DLP, you learned the hard way that most of this burden falls on IT. DLP filters are notorious for generating “false positives”. They are known to cause workflow breakdowns because of mistakenly flagged files. The DLP filter may, for example, identify a 16-digit internal reference number in a document as a credit card number and prevent the file from getting shared.
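A concrete version of that false positive, and of the kind of tuning it takes to get rid of it, as an added example written for this post (it is not Fasoo code nor any DLP product's filter). The sample lines, the regular expressions and the verdict names are constructed for illustration; the contrast is between a filter that flags every 16-digit run and one that also applies the Luhn check every real card number passes and looks at the surrounding words, which is also the mechanism the DLP glossary entry above refers to when it speaks of rules and filters that IT has to keep adjusting.

```python
import re

# Constructed sample lines, as a DLP content filter might see them in outbound
# mail or a file-share upload (not real data; the card numbers are public test numbers).
SAMPLE_LINES = [
    "Please charge card 4111 1111 1111 1111, exp 12/26, for the renewal.",
    "Internal reference number 1234567890123456 is attached to the design review.",
    "Ticket number 5500 0000 0000 0004 escalated to tier 2 support.",
    "Meeting moved to 3pm, room 204.",
]

# Shape only: any run of 16 digits, spaces or dashes allowed between them.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Words that make a 16-digit number look like a payment card ...
CARD_CONTEXT = re.compile(r"\b(card|visa|mastercard|amex|cvv|exp(?:iry|ires)?)\b", re.I)
# ... and words that mark it as an internal identifier instead.
ID_CONTEXT = re.compile(r"\b(ref|reference|order|ticket|invoice|po)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real card number passes; most arbitrary digit strings fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def naive_filter(text: str) -> list:
    """Flags every 16-digit run on shape alone; this is what produces the false positives."""
    return [re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text)]

def tuned_filter(text: str) -> list:
    """Keeps a candidate only if it passes Luhn and the nearby words do not mark it as an internal ID."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue                         # a 16-digit reference number usually fails here
        window = text[max(0, m.start() - 40): m.end() + 40]
        if ID_CONTEXT.search(window) and not CARD_CONTEXT.search(window):
            continue                         # Luhn-valid but labelled as a ticket/order/reference
        hits.append(digits)
    return hits

def verdict(text: str) -> str:
    """Routing decision: block a confirmed card number, send shape-only matches to review, else allow."""
    if tuned_filter(text):
        return "block"
    if naive_filter(text):
        return "review"                      # let a person decide instead of breaking the workflow
    return "allow"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{verdict(line):6}  naive={naive_filter(line)}  tuned={tuned_filter(line)}  | {line}")
```

The Luhn check is a structural property rather than a heuristic, so it removes most reference numbers without missing genuine card numbers; the context words decide the Luhn-valid residue, and routing shape-only matches to review rather than blocking is the kind of policy tuning the paragraph above describes. The trade-off is visible too: a card number mistyped by one digit fails Luhn and is missed, so tuning swaps one class of error for another and the rules still need periodic re-checking against real traffic.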

In 2021, DLP describes more of a mindset than a unified approach or one specific method to stop data leakage or exfiltration. But DLP modules and add-ons have become part of the point solutions mix. They complement particular applications or tools, such as cloud security services or Microsoft AIP.

And like with many point solutions, blindspots and coverage gaps remain* that you can drive a truck through. Which brings us back to the armored truck.


Armored truck for confidential data

If we understand DLP as the cop who creates a bottleneck sorting out which traffic can pass, we can think of enterprise DRM as the equivalent of an armored truck. Tethered to a C3 (command, control, and communication) center, it can only be unlocked by dispatchers at a remote location.

In other words, whatever neighborhood the vehicle ends up in once it’s past the exit point, the load remains secure. The owner maintains control over the cargo and who can access it.

With Fasoo Enterprise DRM, the C3 center would be the Fasoo server. The cargo is your sensitive data locked down with Fasoo encryption. And the dispatcher would be Enterprise DRM’s centrally managed policy settings.

So what happens to DLP in this picture? My main point here is that you don’t have to bother with interrogating file content once it is encrypted by Enterprise DRM. That doesn’t mean your existing DLP deployment becomes irrelevant.


DRM + DLP for the win

Case in point: sensitive emails. DRM doesn’t automatically encrypt any outgoing email, for example. DLP, on the other hand, can flag content inside of emails for extra protection, or to prevent a message from leaving the organization altogether.

Another advantage of DLP is that it helps IT teams gain and maintain a baseline understanding of how sensitive data moves through their network. With adequate calibration, it serves as a low-investment, yet efficient tool for data risk discovery.

From a pure document security perspective, DRM fills in the remaining blanks. It gives us peace of mind that confidentiality and compliance remain ensured for any file that finds its way past the egress point. Or, to put it differently – if you ran a bank, would you feel comfortable having a bicycle courier handle the money transports?

Nope, you’d leave it to the pros with proper equipment.

So, the armored van it is. In summary, deploying an enterprise-scale DRM solution enables your organization to protect its existing DLP investments. It helps you tie up loose ends in a global, multi-cloud, work-from-anywhere IT environment.

By combining both methods, you can play to DLP’s actual strengths. Examples include spotting suspicious activities and patterns that indicate possible insider threats, or flagging files – including emails – for DRM protection before they can leave the organization.

That way, you don’t have to rely exclusively on the overwhelmed cop at the exit ramp anymore.

Would you like to learn more about how Fasoo Enterprise DRM and DLP work together for maximum protection of unstructured data? Connect with our experts!

###

*For a comprehensive overview, I recommend the post Insider Threat Management: Part 1 – 7 Reasons Not to Settle for DLP on the blog of cybersecurity company Proofpoint.


Do you know where all your sensitive PDF files are stored?  How well are they protected, and who can access them?

Answering these questions becomes more urgent as unstructured data now accounts for about 80% of business data inventories.  Adobe’s platform-independent PDF files make up a large share of that.

So how can you protect PDF files from prying eyes and against unauthorized editing, printing, copying, or screenshots?  You have several options to pick from:


At-a-glance overview: 6 methods to protect PDF files

1. PDF password protection

At the most basic level, you can protect PDF files with a password.  This feature encrypts the file and also allows you to lock in print, edit, and copy restrictions for the file.

Upside: Adobe Acrobat, 3rd-party PDF editors, downloadable tools, and specialized web apps all enable you to password-protect a PDF file.

Downside: It’s better than nothing, but that’s about it.  Experts agree that passwords provide a false sense of security and poor protection at best.  Tools to “recover” (= crack), circumvent, or remove PDF passwords are readily available.  Sometimes, simple guesswork may be faster: 20% of passwords in Fortune 500 companies were the company name or a variation, security researchers for VPN provider NordPass reported in June 2021.

Screenshot: PDF password removal tools

2. PDF encryption 

The shortcomings of individual password-based PDF encryption make it insufficient for serious document protection.  What happens when a big law firm needs to circulate a “strictly confidential” PDF document among the partners or a manufacturing company shares a PDF of its latest design with its supply chain, for example?  This scenario requires a far more robust approach.  Enter Digital Rights Management (DRM).

Fasoo Enterprise DRM, as an example, integrates with the organization’s centralized user access and policy controls.  When a PDF (or any document) is created, it gets automatically encrypted – no manual password-setting required.  The policy server passes the user credentials to an authentication service, such as Microsoft Active Directory (AD) or SAML, to validate and authenticate users and their document permissions.

Upside: Password-based encryption doesn’t prevent people from picking weak passwords or sharing them with unauthorized users. DRM with access control integration and centralized policy management solves this problem and allows you to change document access and permissions after the PDF is distributed.

Downside: Encryption standards, tools, and cloud services for PDF encryption vary.  Many DRM solutions cover only a limited range of use cases or document formats.  Others, such as Microsoft’s Azure Information Protection (AIP), require specific training and hands-on intervention from PDF users and IT admins.

3. On-screen PDF protection

Did you consider the risk posed by the Print Screen key, screen capture programs, or smartphone cameras?  Specialized solutions that protect a sensitive document while in use enable you to block or discourage efforts by insiders with access to the PDF to capture its content as an image.

Upside: The standard copy and editing restrictions on password-protected PDFs are too easily circumvented.  On-screen PDF protection, such as Fasoo Smart Screen, enables IT administrators to block and monitor screen capture attempts.  

Downside: It’s impossible to prevent a determined person from taking PDF snapshots with a smartphone or camera, no matter what.  That’s why effective deterrence is essential.  For instance, with Fasoo Smart Screen, admins can put a visible “smart” watermark on sensitive PDFs. It contains user-specific information, such as the screen location and who is using it.

4. PDF sanitization

PDF sanitization removes sensitive metadata and other elements, such as comments, JavaScript Actions, or hidden layers, from the document.

Upside: Sanitizing PDFs prevents the inadvertent and potentially harmful leakage of data when a PDF is shared or published.  Metadata and other information buried deep in PDFs can be used to identify employees running outdated software, making them more susceptible to spyware attacks.  It also allows outsiders to gather intelligence about an organization’s internal structures.

Example: A personal assistant’s name gleaned from a non-sanitized PDF allows an attacker to pose as that person in a phishing email sent to a corporation’s CFO.

Security researchers from the University of Grenoble (France) analyzed PDF metadata of 75 security agencies from 47 countries.  “We identified only 7 security agencies which sanitize few of their PDF files before publishing,” they reported earlier this year.  The team still found sensitive information within 65% of sanitized PDF files, attributed to “weak sanitization techniques”.

Downside: None for any government agency, regulated organization, or global enterprise with sensitive data and systems to protect.  Tools to sanitize PDF files are available from Adobe and from companies that specialize in document sanitization software.
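What a pre-publication check for the residue listed above can look like, as an added example (not Fasoo's code and not any vendor's sanitizer): it scans a PDF's raw bytes, inflates FlateDecode streams so that names hidden inside compressed object streams are seen as well, and reports document-info metadata, JavaScript and launch actions, embedded files, annotations and hidden layers.  The two sample PDFs are constructed inline and structurally simplified (no cross-reference table); the marker list and the 512-byte lookback are this example's own choices.

```python
"""Pre-publication check for residue that PDF sanitization should have removed.

Added example: scans raw PDF bytes, inflates FlateDecode streams so that names hidden
in compressed object streams are seen too, and reports the findings.  It does not
rewrite the file.  The marker list below is this example's own selection.
"""
import re
import zlib

# PDF name objects whose presence in a file about to be published deserves review.
RISK_MARKERS = {
    rb"/JavaScript": "JavaScript action",
    rb"/JS\b": "JavaScript code",
    rb"/Launch": "launch action (runs an external program)",
    rb"/OpenAction": "action executed automatically on open",
    rb"/EmbeddedFile": "embedded file attachment",
    rb"/Annots": "annotations (comments, markup, links)",
    rb"/OCProperties": "optional content (hidden layers)",
    rb"/Metadata": "XMP metadata stream",
}
# Document-info keys that expose people, tools and software versions.
INFO_KEYS = (b"Author", b"Creator", b"Producer", b"Title", b"Subject",
             b"Keywords", b"CreationDate", b"ModDate")
# A stream body: "stream" + EOL ... "endstream" (the lookbehind skips "endstream" itself).
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def _inflate_streams(data):
    """Yield (label, plaintext) per FlateDecode stream; plaintext is None if inflation fails."""
    for n, m in enumerate(STREAM_RE.finditer(data), start=1):
        # Look only at this object's own dictionary: the bytes after its "N G obj" header.
        head = data[max(0, m.start() - 512):m.start()]
        cut = head.rfind(b" obj")
        if cut != -1:
            head = head[cut:]
        if b"/FlateDecode" not in head:
            continue  # uncompressed or another filter: the raw scan already covers it
        try:
            # decompressobj tolerates the EOL that sits between the data and "endstream".
            yield f"stream {n} (inflated)", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield f"stream {n}", None


def scan_pdf(data):
    """Return {finding: [location, ...]} for every sanitization concern in the PDF bytes."""
    findings = {}

    def note(desc, where):
        findings.setdefault(desc, []).append(where)

    for where, blob in [("document body", data), *_inflate_streams(data)]:
        if blob is None:
            note("compressed stream could not be inflated; result is incomplete", where)
            continue
        for pattern, desc in RISK_MARKERS.items():
            if re.search(pattern, blob):
                note(desc, where)
        for key in INFO_KEYS:
            if re.search(rb"/" + key + rb"\s*\(", blob):
                note("document-info metadata /" + key.decode(), where)
    return findings


def _pdf(objects, trailer_extra=b""):
    """Assemble a structurally simplified PDF (constructed test input; no xref table)."""
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objects, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"trailer\n<< /Root 1 0 R " + trailer_extra + b">>\n%%EOF\n"


# Constructed sample: the attachment is only visible after inflating the object stream.
_ATTACHMENT = zlib.compress(b"<< /Type /EmbeddedFile /Subtype /application#2Fstep >>")
UNSANITIZED_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>",
    b"<< /S /JavaScript /JS (app.alert\\(1\\)) >>",
    b"<< /Type /Annot /Subtype /Text /Contents (Draft - check with Legal before release) >>",
    b"<< /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
    % (len(_ATTACHMENT), _ATTACHMENT),
    b"<< /Author (J. Doe) /Creator (Acme Writer 8) /Producer (Acme PDF Library 3.1) >>",
], trailer_extra=b"/Info 7 0 R ")
# Constructed sample of the same document after sanitization.
SANITIZED_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R >>",
])

if __name__ == "__main__":
    for name, pdf in (("unsanitized", UNSANITIZED_PDF), ("sanitized", SANITIZED_PDF)):
        report = scan_pdf(pdf)
        print(f"{name}: {'clean' if not report else str(len(report)) + ' finding(s)'}")
        for desc, where in report.items():
            print(f"  {desc}: {', '.join(where)}")
```

A report that contains the "could not be inflated" entry is not a clean bill of health: object streams are exactly where a name such as /EmbeddedFile can sit without ever appearing in the raw bytes, so a scanner that only greps the file as stored will miss it.  Conversely, an /Annots hit needs a human look, since link annotations are legitimate in a published document while sticky-note comments usually are not.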


5. PDF usage logs

Keeping tabs on PDFs goes a long way towards effective document protection.  Enterprise-level DRM solutions use dedicated servers to log who views, edits, and prints documents.  They can also alert admins to security breaches.

Upside: Mainly for agencies handling classified information, government contractors, regulated industries, and corporations with large intellectual property caches to protect.  They cannot afford to lose track of critical PDFs.  The Fasoo Integrated Log Manager (FILM), for example, enables security and compliance teams to monitor each document’s usage throughout its lifecycle.

Downside: Businesses that use niche DRM tools report performance issues and productivity loss at scale because employees have to be online when opening PDFs tracked by a third-party server.  Fasoo’s mature Enterprise DRM technology, on the other hand, has rendered this effect a non-issue, even for global corporations with hundreds of thousands of employees.  PDF usage is tracked online and offline.
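One way the alerting this section mentions can be built on top of such logs, as an added example (not Fasoo code; the log format and the sample lines are constructed for this illustration and do not reflect the Fasoo Integrated Log Manager's format): two sliding-window detections over view, print and export events, one for a user opening an unusual number of distinct documents in a short time, one for repeated denied print or export attempts against a protected document.  The thresholds and window sizes are this example's own assumptions.

```python
"""Alerting on document-usage logs (added example; constructed log format).

Two detections run over the events: a user viewing more distinct documents
within a short window than a threshold allows (bulk read), and repeated denied
print/export attempts (permission probing).  Thresholds are illustrative.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log: ISO timestamp, user, document, action, policy result.
SAMPLE_LOG = """\
timestamp,user,document,action,result
2022-06-14T09:02:11,alice,fin-q2-forecast.pdf,view,allowed
2022-06-14T09:05:40,alice,fin-q2-forecast.pdf,edit,allowed
2022-06-14T09:30:02,bob,design-turbine-v3.pdf,view,allowed
2022-06-14T18:41:10,carol,design-turbine-v3.pdf,print,denied
2022-06-14T18:41:33,carol,design-turbine-v3.pdf,print,denied
2022-06-14T18:42:05,carol,design-turbine-v3.pdf,export,denied
2022-06-14T22:10:00,dave,supplier-list.pdf,view,allowed
2022-06-14T22:10:09,dave,fin-q2-forecast.pdf,view,allowed
2022-06-14T22:10:15,dave,design-turbine-v3.pdf,view,allowed
2022-06-14T22:10:21,dave,hr-salary-bands.pdf,view,allowed
2022-06-14T22:10:30,dave,board-minutes-may.pdf,view,allowed
2022-06-14T22:10:44,dave,product-roadmap-2023.pdf,view,allowed
"""


def parse_log(text):
    """Parse the CSV log into dicts with a datetime timestamp, sorted by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def detect_bulk_reads(events, max_docs=5, window=timedelta(minutes=10)):
    """Alert once per user whose distinct documents viewed within `window` exceed `max_docs`."""
    recent = defaultdict(deque)  # user -> deque of (time, document) inside the window
    alerts, alerted = [], set()
    for e in events:
        if e["action"] != "view" or e["result"] != "allowed":
            continue
        q = recent[e["user"]]
        q.append((e["timestamp"], e["document"]))
        while q and e["timestamp"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        distinct = {doc for _, doc in q}
        if len(distinct) > max_docs and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append(("bulk-read", e["user"], len(distinct), e["timestamp"]))
    return alerts


def detect_denied_streak(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per user with `threshold` or more denied print/export attempts in `window`."""
    recent = defaultdict(deque)  # user -> deque of denial times inside the window
    alerts, alerted = [], set()
    for e in events:
        if e["result"] != "denied" or e["action"] not in ("print", "export"):
            continue
        q = recent[e["user"]]
        q.append(e["timestamp"])
        while q and e["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append(("denied-streak", e["user"], len(q), e["timestamp"]))
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections over a log text; returns (kind, user, count, time) tuples."""
    events = parse_log(text)
    return detect_bulk_reads(events) + detect_denied_streak(events)


if __name__ == "__main__":
    for kind, user, count, when in run():
        print(f"{when.isoformat()} {kind}: user={user} count={count}")
```

Both detectors alert once per user rather than on every event after the threshold, which keeps a single exfiltration attempt from flooding the queue; the per-document detail (which files were touched) is still in the log for the analyst who picks the alert up.  Because the page notes that usage is tracked offline as well, the same logic applies unchanged to events that arrive late when an endpoint reconnects, provided they are sorted by their original timestamp first, as parse_log does.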

6. PDF-on-a-stick

Use a dedicated USB thumb drive with hardware encryption as your portable PDF vault.

Upside: This method makes the most sense for PDF files intended for a small circle of one-at-a-time viewers or editors.  USB sticks with a built-in fingerprint reader work best for this purpose.

Downside: Keep in mind that thumb drives are not designed for long-term data storage of more than 10 years.  USB sticks also get lost, stolen, or mixed up.  Thumb drives protected merely with a numeric passcode or password are still susceptible to hacking or guessing (see: PDF password protection).


And the best PDF protection is…

Of the methods presented here, which offers the strongest PDF protection?  Each of them has its advantages and disadvantages.  The answer depends primarily on the specific situation and the data that needs to be protected.

What they have in common: None of these measures can, by itself, provide effective and efficient PDF document protection.  That would require combining and hardening them.

Key in this context is the number of PDF versions and file formats you need to cover.  What PDF iterations can the software under review actually protect?  Fasoo Enterprise DRM, for example, supports more than 200 file formats.  It adds an extra layer of protection to each document at the point of creation.

Centralized policy management, flexible exception handling, and granular permission control ensure that PDFs – and other unstructured data – are protected at rest, in use, and in transit.


PDF protection for (file) life

This data-centric and platform-agnostic file protection is controlled via Fasoo servers.  It applies whenever, wherever a PDF file is accessed from any device, inside or outside the organization, online or offline.

And yes, it would also have your back when USB thumb drives are involved.  With summer vacation upon us, does that mean you need enterprise-level DRM for your passport and airline tickets?

Only if you’re also reviewing corporate financial data or sales plans on the beach.  Otherwise, you should be fine.  That fingerprint-protected PDF-on-a-stick will do.

###

PDF files often contain sensitive information. Find out more about data that requires extra protection in this brief:
What Unstructured Data is Sensitive?

Image: screenshot of the IP Protection Fireside Chat with Fasoo's Ron Arden (top left), Hillary Fehr (GE), and Chris Babie (GE)

How to stop intellectual property leakage and theft in manufacturing?

That was the topic of a discussion hosted by Fasoo at the 2021 Apex Assembly Tech Leaders Northeast Summit. CTO Ron Arden spoke with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power, about the challenges of IP protection in the manufacturing enterprise. 

In Part 1 of this conversation, IP Protection: “We need a tool with a wider scope”, we focused on how to protect sensitive CAD files, 3D-PDFs and other PDF file formats, in addition to the wide variety of Microsoft Office and other documents typically found in innovation-driven manufacturing companies.

In this post, Ron, Hillary and Chris zoom in on additional insider threats and risks introduced through the rise of the cloud and the rapid shift to work-from-home due to COVID-19.

What advice do the GE security researchers have for IT leaders in manufacturing companies looking to update their document protection program? Find out in Part 2 of the conversation:

*

Ron Arden: With everybody being remote, all of a sudden new threat vectors are appearing. There are things you didn’t even think about before. Somebody is going to copy something to their private OneDrive or their Dropbox account because it’s convenient. It’s easy to move stuff around. We all used to copy things to our USB drives, but now it’s just as easy to go to a cloud service. You know employees are just working along, and they’re not really worried about all of this.

Chris Babie: Exactly. Most of it is amiss on our [the IT security] side. If we told [engineers] the proper running rules, they wouldn’t perform that risky activity. People want to back up their data. Right now, there’s no help desk for them. I think people don’t want their productivity to dip. That’s a perfect example of the “I need to make sure my data is safe, hey, let me move it to my desktop” kind of thing. We need an answer for that now.

“A ton of new risk has bubbled up”

Hillary Fehr: And engineering machines, which typically were in a lab environment in the business before, now are in somebody’s home. That’s a whole other layer of risk that was never there. 

Chris Babie: We kind of knew that our “walls” in the manufacturing environment were okay. Now you’re worried about “does a virus now get on that machine?”, “is the home network protected?” It’s not even a data protection issue alone anymore. It’s also a home networking issue. A ton of new risk has bubbled up.

Ron Arden: Chris, what was your experience with other solutions that you use to protect and control sensitive documents?

Chris Babie: I think one thing that every solution struggles with in our world is scale. If you think about 300,000 folks, millions of transactions every single day, all these different mediums for transacting data. We already touched on the complex file types [see Part 1, IP Protection: “We need a tool with a wider scope”].

Our value is not driven by the standard stuff. It’s more in part files, CAD drawings. We were finding certain populations really love mobile. That’s just how they work. They’re very busy, they’re traveling, and it would work great on the endpoint. And then it would fall down.

We cover all these different complex workflows. Finding a solution that works everywhere is very challenging. It worked well when it was a standard workflow, very cookie-cutter. But we don’t do cookie-cutter at GE. 

This image announces a Fireside Chat on IP Protection in Manufacturing, with Fasoo CTO Ron Arden and GE Gas Power security researchers Hillary Fehr and Chris Babie

I talked about our vast network. I need a solution that works if it gets sent to an organization with 500,000 people and a supplier with three folks, and they’re more of like a mom-and-pop shop. We have a whole spectrum. We kind of cover everything, in terms of file types, network entity types… 

How do you find something that works everywhere? It’s a challenge.

Wanted: IP protection that “works everywhere”

Hillary Fehr: It’s got to be adaptable, especially with business requirements and environments. We know how quickly those can change. Last year was a big indicator of your ability to really pivot and adjust your priorities and approach, based on new risks that come up in the business.

Chris Babie: We touched on user experience. That’s literally everything – the main bucket. If the user experience wasn’t there… people do not like change. They just don’t.

We need to make sure that however they are working today, the technology works. That’s getting really hard to find with all these new solutions, cloud storage… It’s critical if we’re going to bring anything in-house.

Ron Arden: As you said, we all hate change. If we initiate the change, that’s different, but when the change is brought down on us – no. You got a job to do. The person who is creating the next generation of turbines has to focus on that. They cannot waste their time learning a new tool and completely changing their workflow.

And like you said, Chris: If you go out to GE’s smaller suppliers, they work the way they work. I mean, you might be able to impose some things on them. Still, they want to work the way they want to work. Mobile is extremely important today. Working with a flexible solution is key.

Adaptability is key, because the tool should adapt to you. You shouldn’t have to force yourself to adapt to the tool because that never works. People just get annoyed, and they don’t use it. 

I’d like to wrap up with one last item. Hillary, what advice would you give to people listening in?

Hillary Fehr: I would say you need to know where your data is. You need to have a strong process for identifying your data, tracking it, understanding the movement, how that data is used.

Until you have that, you really don’t know where you have sensitive data and how to protect it. Once you have a good understanding of what that data movement looks like and where that data is, you can start to build your approach to data protection.

Data protection is about auditability, too

Like we mentioned before, it’s also important to listen to the business because things are changing all the time. So you need to understand the business processes and be adaptable as they change and as the business priorities change.

You need to have standards and best practices in place. Not only to outline the do’s and don’ts for your end users, but also from an auditability perspective. It gives you legs to stand on.

Ron Arden: Chris, your advice? 

Chris Babie: We touched on it – communication and education. In the insider threat space, we wouldn’t see a dominant portion of the [insider threat] activity if we were simply upfront with them on how people are supposed to work, and how data is supposed to transact.

To anyone implementing a solution, I would say: Try to get really close to the business. Do you understand all the different use cases you’re going to encounter? 

At least in our world, there’s all this function overlap. If you’re going to implement anything, it cannot be in a silo. There needs to be a major partnership with the business. Everyone has to have a seat at the table before we go in any direction.

Hillary Fehr: That’s a good point, Chris. I think relationship management is a big part of getting their buy-in, too, and building out your process – because your data owners are the ones that understand your data and can help you to identify the best approach to protecting it.

Chris Babie: Having some of these basic “101” items – asset inventory, knowing your environment – gives you a head start, especially at our scale. It can be very challenging, as you can imagine.

Hillary Fehr: You have churn of employees and contractors, and people who may have known where the data was – years ago – are no longer with the company. That’s where you need to partner with the business and the functional areas to get to the heart of where things are and what they do with them.

Ron Arden: In essence, what you’ve been saying is that you need a solution that is location agnostic, because you have a lot of systems. Some would be legacy; some might be brand new. In the cloud, on people’s phones, home devices, engineering workstations…

So you can’t rely on a perimeter. There’s no perimeter anymore. It’s everywhere. I’m guessing you probably even have storage assets that you don’t even know about because somebody put a server somewhere in a room and nobody remembers what’s there, and then all of a sudden you find out something of value is sitting on that device.

Hillary Fehr: Or an endpoint in their bottom drawer of their desk.

Chris Babie (chuckles): I can confirm that our data is everywhere. Most organizations need to shift towards that [location agnostic] model. There’s zero perimeter today. Our data is all over the world, in every system imaginable. How do we make sure it’s protected wherever it goes? 

“Shift towards location-agnostic model” of data protection

Ron Arden: We have some customers with scenarios where they have to feed the data to machines. Those systems tend to be older, because of the cost of those types of machines. So you might even have a Windows XP machine that’s connected to one of these devices with important process information on it. 

It’s sensitive information. If you’ve got a contractor or a person who just ups and leaves the business and says, “Hey, this might be really cool for me to take to my next company,” you’re never going to know that, and something very important walks out of the door.

*

Do the scenarios mentioned in this conversation sound familiar? Most innovation-driven manufacturing companies face similar challenges, due to remote work demands under COVID. This explains why manufacturers increasingly rely on a file-centric approach to protecting intellectual property.

Fasoo Enterprise DRM comes with centralized policy management and granular controls baked in that can be adjusted flexibly by the data owner. This approach enables large organizations to provide maximum protection – across the enterprise and its supply chain – against insider threats and IP exfiltration at scale, while maintaining workflows and productivity.

Watch Ron Arden’s complete Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here

###


The transcript of this conversation has been shortened and edited for clarity and the blog format.
