Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?
Do you know where all your sensitive PDF files are stored? How well are they protected, and who can access them?
Answering these questions becomes more urgent as unstructured data now accounts for about 80% of business data inventories. Adobe’s platform-independent PDF files make up a large share of that.
So how can you protect PDF files from prying eyes and against unauthorized editing, printing, copying, or screenshots? You have several options to pick from:
How to stop intellectual property leakage and theft in manufacturing?
That was the topic of a discussion hosted by Fasoo at the 2021 Apex Assembly Tech Leaders Northeast Summit. CTO Ron Arden spoke with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power, about the challenges of IP protection in the manufacturing enterprise.
In Part 1 of this conversation, IP Protection: “We need a tool with a wider scope”, we focused on how to protect sensitive CAD files, 3D-PDFs and other PDF file formats, in addition to the wide variety of Microsoft Office and other documents typically found in innovation-driven manufacturing companies.
In this post, Ron, Hillary and Chris zoom in on additional insider threats and risks introduced through the rise of the cloud and the rapid shift to work-from-home due to COVID-19.
What advice do the GE security researchers have for IT leaders in manufacturing companies looking to update their document protection program? Find out in Part 2 of the conversation:
*
Global manufacturers in innovation-driven industries are ramping up their document protection against intellectual property theft.
Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.
No matter if your company is an automotive OEM, Tier 1-3 supplier, or a small engineering studio that serves component manufacturers across various industries: all eyes are on you.
The eyes of commercial spies, that is.
Intellectual property (IP) theft, most of it on behalf of China, damages the US economy to the tune of about $500 billion a year, says the FBI. Automotive, aerospace, and other innovation-driven tech companies are bearing the brunt of commercial espionage efforts.
What do the nation-states and competitors behind the IP theft have in common? They all rely on a secret weapon: company insiders.
The rising wave of industrial espionage and intellectual property theft has manufacturers on edge. Are you tasked with finding the right Enterprise Digital Rights Management (EDRM) solution for your company?
Check out these five tips from IP protection experts in manufacturing.
*
Are you looking into EDRM solutions to ramp up your organization’s IP protection? Congratulations, buckle up and hold on for the ride.
Because this is mission-critical to your company’s future, it’s only natural that you feel the pressure to dot all the I’s and cross all the T’s. The tips below will help you zoom in on the essentials quickly.
Data breaches make headlines every day and companies across the globe struggle to meet changing privacy regulations, such as the California Consumer Privacy Act (CCPA), the upcoming California Privacy Rights Act (CPRA) and of course, the General Data Protection Regulation (GDPR).
Data security is very high on the list of corporate priorities with most concentrating on protecting databases containing personally identifiable information (PII). Sensitive information subject to privacy or industry regulations is not found or stored solely in structured databases, but in unstructured files like Microsoft Office documents, PDFs, images, and computer-aided design (CAD) drawings.
Leading organizations are discovering how a protect first, file-centric approach fortifies data security and enhances data visibility to comply with privacy regulations like GDPR and CCPA. Now, learn how this approach simplifies implementation and operations to fast track your security and privacy initiatives.
Today’s Data Loss Prevention (DLP) and data security analytics solutions are challenging to deploy and manage. These solutions repetitively apply complicated rules and analytics at each location where data travels to identify misuse.
Common shortfalls include:
A protect first approach takes a more direct path to safeguarding files that contain sensitive data. At its core is a file-centric technology. A file with sensitive data is discovered, classified and secured the moment it’s created. This one time detect and secure method:
By working at the file level, this approach creates a sequence of efficiencies that simplify and streamline data discovery, classification, protection, audit and policy management. When deployed as an integrated platform, the approach delivers a high degree of automation with centralized controls.
Here’s how organizations use the protect first approach to keep their security and privacy projects on a fast track.
Discover and Learn
Build informed policy decisions by keeping initial discovery general by looking for file extensions like docx, xlsx, jpg, and dwg to start gaining insights in advance of more complex security and privacy scans.
Prioritize Inventory
Focus on your active data first - files that were accessed in the past year, what is it, where is it going, who is accessing it, and how is it being used. This is likely your most valuable and vulnerable inventory.
Classification
Focus on security needs first. Employ a single fundamental - if it’s sensitive, secure it. Find and protect the most prevalent and common forms of sensitive content first for quick wins.
Protect, Not Alert
Secure the data itself. Eliminate repetitive content and analytic scans at every sever, cloud service, application, or device. No ensuing alerts to burden security administrators so they can concentrate on more pressing security matters.
Platform Solution
Automate and centralize processes. Apply polices and controls across your entire unstructured data inventory with minimal operational overhead or disruption to business workflows.
Now let’s take a more detailed look at how each these activities can keep your project moving.
Discover to Learn
Keep initial discovery simple to gain a first-pass understanding of your data inventory and where security gaps exist
Searching for common file extensions will provide valuable insights into the kind of sensitive information you have and where it is located. The discovery tool searches file shares, desktops, laptops, other endpoints and mapped drives. This snapshot will give you the location of all files, volume of file types you have, who the file owner is, which department it belongs to, and the last date it was accessed.
Use basic insights to formulate priorities
By focusing on the primary goal – to safeguard sensitive unstructured data - you might quickly find that files owned by Human Resources (HR), Research and Development (R&D) or Finance have spread outside their designated file storage locations. If these sensitive files are on employees' laptops, on removable drives or are shared with third parties, the data is at high risk of exposure and should be assessed as an early priority target.
KEY INSIGHT:
Too often projects lose momentum as governance, legal, compliance, IT and security work across multiple departments to gather requirements and develop policies. Overcome inertia and engage with your data inventory to help drive informed policies.
Divide and Conquer
Focus on data that your organization currently generates, accesses and shares. Set older, dated inventory on a separate remediation path. Finally, assess all data for its value, especially “dark” and redundant, obsolete or trivial (ROT) data.
As a general rule, data less than one year old often represents less than 25% of corporate data
Current and active data is typically what matters to your business today and likely the most valuable to threat actors. Target this subset of data first and use the experience to fine tune your policies. Move this current data onto downstream classification and protection processes first to get sensitive data protected and under control as quickly as possible.
Set dated inventory on a separate path
Consider various remediation paths for older inventory to limit its risk exposure while prioritizing current data. Data discovered in unauthorized locations should immediately be moved to approved file-shares. For departments known to deal with a large amount of sensitive data (e.g., legal, audit, HR), use bulk folder-based or in place encryption methods to protect the data inventory in the interim.
They can’t steal what you don’t have
As much as 52% of data stored by organization is “dark” data, the value of which is undetermined and 33% is redundant, obsolete or trivial (ROT). Data discovery will surface all files for review and the deep visibility enabled by a file-based method will identify duplicates and file derivatives (i.e., files that are renamed or format has changed). Eliminate ROT immediately and engage data owners to assess dark data.
KEY INSIGHT:
Simply discovering the basic facts about your unstructured data will help you decide on the best path to address and prioritize your data security and privacy requirements.
Classification
Don’t get side-tracked by diverse data stakeholder interests
There’s a wide range of information governance purposes that impact your data, and security and privacy are just one part. It includes:
Stakeholders will understand the negative impact to their brand and punitive privacy penalties arising from a data breach and why a protect first approach makes sense. Ensure your tool selection can support all stakeholder needs and commit to revisit their requirements after enacting your initial data security and privacy safeguards.
Straightforward security measures makes classification simpler
Classification cues downstream tools to invoke controls. Security that relies on multiple factors to cue controls, like DLP and data analytics, adds complexity to classification.
Keep classification simple. If its sensitive, secure it. This enables you to eliminate complexity and streamline classification efforts.
Quick classification win
Our experience has shown that the majority of sensitive content can be found by searching for the most common sensitive data types using basic and proven filters the 80/20 rule. Like:
Organizations too often start by scanning volumes of unstructured data using multiple and complex filters to meet a full range of governance requirements. Instead, use proven filters first to find the majority of your sensitive content, keep false-positives to a minimum and then layer on more specific searches.
KEY INSIGHT:
Don’t let the classification process turn into an academic exercise. Keep a protect first priority to get your data safeguarded as fast as possible.
Protect, Not Alert
Today’s DLP and employee monitoring don’t secure the data itself: they monitor data (who has access, where the files are stored, etc.) and alert on misuse but don't secure the sensitive files themselves.
Monitor alert approach overwhelms staff
Security and IT professionals must actively administer and respond to thousands of alerts to implement today’s solutions. Complex rules and analytics generate a high percentage of false-positives and the tools often lack the context to prioritize incidents for administrator actions. Already burdened, security and IT are falling behind and will continue to be less effective as data volumes grow.
A better approach is to automatically secure sensitive data with strong protection from the start and for its lifecycle. There won’t be repetitive content, analytics scans or ensuing alerts. Your data is truly protected from a breach and valuable resources are available for more productive purposes.
Protect the file, not the locations
Traditional solutions implement rules and analytics at each location where data may reside or travel. It’s become increasingly challenging and complicated to scale these solutions with today’s cloud environments, mobile workforces and explosion of endpoint devices.
Rather than struggle to control every network, server, cloud service or endpoint device that interacts with their data, protect the data itself. Eliminate multiple implementations and costly administration.
Platform Approach
A protect first, file-centric approach creates a sequence of efficiencies that simplify and streamlines document security through data discovery, classification, protection, audit and policy management. It uniquely enables a purpose-built, automated data-centric platform that enforces centralized policies across your entire data inventory.
Eliminate complexity and inconsistency
You quickly lose control of sensitive files governed by a patch work of policies spread across networks, cloud services and devices.
Centralize policy management and manage security, access control, and privacy settings all in one platform and enforce actions immediately that updates across your entire sensitive data inventory.
Automate
It’s essential that privacy and security measures don’t disrupt end user workflows. It must be transparent and seamless with controls applied consistently, in real-time and across the entire enterprise. Automate these processes with a file-centric platform:
Eliminate tool sprawl and achieve lowest Total Cost of Ownership
Deploying point solutions to close each emerging security and privacy gap, at each location data travels, is inefficient and adds operational complexity.
Consolidate multiple security and privacy tools with a platform that’s location-agnostic, efficient to administer and layers seamlessly with current infrastructure.
KEY INSIGHT:
The best path to operationalize data security and privacy is to employ highly automated processes and centralized controls that place the burden on the technology and not the end user.
One of the biggest challenges you can face is working with multiple stakeholders and departments is the time it takes to resolve data security and privacy issues. With everyone having an agenda or priority – your initiatives can languish or stall.
Use a protect first, file-centric approach to streamline and operationalize your sensitive data initiatives with:
1.
Discover to Learn
2.
Divide and Conquer
3.
Classification
4.
Protect, Not Alert
5.
Platform Approach
Sign up for emails on new Sensitive Unstructured Data articles
Never miss an insight. We’ll email you when new articles are published on this topic.
Three predominant data-centric security
methods
There are three predominant methods in the market today to prevent loss and unauthorized access to sensitive unstructured data. Each is different and the best way to compare and contrast the methods is to understand what a vendor’s solution looks to defend and the primary data-centric tools used.
| METHOD |  Data Flow-Centric |
 Location-Centric |
 File-Centric |
|---|---|---|---|
|
DEFENDS |
Data at Ingress/Egress Points |
Folders, File Shares, Disk, Cloud | Files |
|
TOOLS
|
Data Loss Prevention |
Identity & Access Management |
Persistent Encryption |
Today, with increasing threats and the consequential impacts of a data breach, more organizations are adopting a file-centric method as the foundation of their data-centric architectures. It’s the only method that truly denies unauthorized access to your sensitive data no matter how it flows or the location it resides. This protect-first foundation recognizes that if data isn’t properly protected – your entire house crumbles.
A file-centric method works as a frontline defense and can be deployed in combination with other methods to achieve a fortified, cohesive data-centric security architecture. Understanding the key distinctions between the methods helps you navigate vendor engagements and build a protect-first architecture that best fits your needs
Data Flow-Centric
These solutions defend sensitive data at corporate infrastructure ingress and egress points and use data loss prevention (DLP) tools to stop data leakage. Ingress and egress points include servers, networks end-points, and cloud services.
Today, the majority of businesses have deployed DLP as point solutions – known as Integrated DLP (e.g., network DLP, email-server DLP, or end-point DLP) while few have scaled to a full enterprise DLP deployment (e.g., a full solution suite across all points).
Data flow-centric characteristics:
DEFENDS:
Prevents data from leaking by intervening with the use or movement of data.
TOOLS:
Content matching that actively looks for regular expressions, defined strings, keywords, patterns or data dictionaries.
Additional tools that can be used include fingerprinting (indexing) and image recognition.
DLP solutions set up rules that specify conditions, actions and exceptions. The tools filter messages and files based on their content and prompt corrective measures. They can simply alert a user that an action may be risky or completely block the action. Examples include alerting when sharing sensitive data through email and restricting the copying of sensitive files onto a USB drive.
Many organizations have implemented email DLP since this is the most obvious ingress/egress point prone to unauthorized exchanges of sensitive data. While there are measured improvements, security and IT administrators still have challenges when implementing and operating DLP solutions, such as:
Too often businesses have inappropriate expectations for DLP. It works - but many underestimate the complexities and resources needed to build, tune, and manage policies to fit your environment. You should anticipate iterative refinement of rules and alert resolution.
KEY INSIGHT:
Data flow-centric solutions are good at reducing risk but not a strong, protect-first approach. They don’t defend the data itself, but only how it flows in your organization. Any leakage exposes the data to unauthorized disclosure.
Location-Centric
These solutions defend sensitive data storage locations. They look for gaps and inconsistencies in identity and access management (IAM) and apply user behavior analytics (UBA) to reduce the risk of unauthorized disclosure of sensitive data. Locations include folders, file-shares, disks, and cloud services.
Location-centric characteristics:
DEFENDS:
Folder, file-share or disk from unauthorized access and suspicious usage.
TOOLS:
Analysis of IAM settings and policies to find discrepancies and obsolete controls.
UBA to monitor and detect anomalous events.
Unlike DLP solutions that query and assess content repetitively, location-centric solutions pre-process, classify, and tag sensitive data. These tags flag where sensitive content is located within your IT data architecture and use:
Location-centric solutions are easier to implement than rules-based data flow-centric solutions because the tools are non-intrusive and use system log and UBA. Location-centric solutions place priority on data visibility and are superior to many approaches when it comes to privacy compliance, audit and reporting requirements.
However, drawbacks with location-centric solutions include:
While obfuscation tools are not native to these solutions, some do use data encryption while the data resides and is used within a particular location. However, when files are downloaded to endpoints, stored in personal cloud accounts, and shared outside the location - protection, visibility and control is lost.
KEY INSIGHT:
Location-centric solutions use a “least privilege” approach as the foundation for their data protection method – not a “protect-first” approach. Critical gaps arise when data is moved from its original location, and lacking persistent encryption, expose your sensitive unstructured data to a breach.
File-Centric
In contrast to the other methods, persistent encryption and IAM are tied to and travel with the file. This is independent of networks, severs, locations and devices.
File-centric characteristics:
DEFENDS:
Office documents, CAD/CAE files, PDF, plain text, other digital media file types.
TOOLS:
Encryption is persistent, centrally managed and enforced at the file level.
IAM is assigned and enforced at the file level
The method uses data classification tags to:
File-centric solutions were historically used for very specific use cases but today are experiencing a market resurgence. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policies ensure access and protection are consistently applied across all networks, file-shares, devices, end-points and cloud services.
And when it comes to denying access to sensitive content, the file-centric method is by far the best "protect-first" approach. Here's how leading analyst are advising clients:
Look for file-centric solutions that automate discovery, classification and encryption in a single instantaneous step without user intervention. This improves productivity and consistency in application of policies.
KEY INSIGHT:
File-centric solutions use a “protect-first” approach as the foundation of their data protection method. Persistent access control and encryption remains with the file throughout its life-cycle. Most privacy regulations exempt loss of encrypted files from breach reporting or alternatively, impose significantly reduced penalties.
Organizations struggle to distinguish between data-centric solutions from different vendors as they search for the best way to safeguard their sensitive unstructured data. Data-centric security encompasses a wide range of processes and tools, many with overlapping functions and focused to different end goals. Adding to this confusion has been a flurry of gap-filling point solutions (e.g., CASB, end-point protection) launched to address today’s cloud and mobility adoption.
And despite significant investments in traditional data flow and location-centric methods, data breaches today are at all time highs.
Adopt a protect-first, file-centric method for your data security architecture. Establish this strong frontline defense to deny any unauthorized access to sensitive unstructured data, no matter how it is used, with whom it is shared, or where it is located. Then, use this foundation to integrate other data-centric methods and tools to architect a data security infrastructure that meets your organization’s governance, risk and compliance mandates.
Fasoo products span the life-cycle of sensitive unstructured data to discover, classify, protect, monitor, control, track and expire access to content wherever it travels or resides. Our unified solution enables users to securely collaborate internally and externally with sensitive information while consistently meeting corporate governance and regulatory requirements. Our file centric approach using encryption with a unique identifier allows organizations to have more visibility and control over unstructured data without interrupting workflows. We’ve engaged in this journey with over 1,500 enterprises to field data-centric solutions that proactively protect corporate brand, competitive position and meet increasing regulatory demands.
Sign up for emails on new Sensitive Unstructured Data articles
Never miss an insight. We’ll email you when new articles are published on this topic.
Organizations need better visibility into the use and movement of their sensitive data to meet privacy regulations and safeguard content.
The best approach is a self-reporting file method, one that automatically traces, gathers and records all document interactions without reliance on disparate network, application, and device logs.
The same technology that enables self-reporting files is the foundation of a powerful data security approach – a file-centric method. Bridge both privacy and security gaps with a file-centric method that delivers deep data visibility and a strong front line defense for your sensitive data.
Traditional security and network tools create a patchwork approach to data visibility that is inadequate, impractical, and unsustainable.
You need visibility to know where your data is, who is using it, and how it changes throughout its lifecycle. Discovery and classification tools are a good start to find data and tag it for downstream controls. However, to maintain control, you need deep visibility to track data as it travels, is accessed and transforms into other file types throughout its lifecycle.
Cybersecurity and privacy teams are challenged to keep track of sensitive files. A file will be accessed by multiple systems, applications and devices as users share it internally and with external parties. With over 40 different security and IT operations tools used in a typical business, organizations struggle as they work to accumulate, correlate, and report file interactions.
This challenge grows as data visibility is often obscured when documents travel within the organization or shared externally to the organization and change either through duplication or revisions. Without proper data visibility, you can miss the moment sensitive information is shared, moved to a different location, changed, or deleted.
You must also have visibility into sensitive file interactions for data breach investigations and to comply with privacy regulations. Details must be readily available to support incident response teams; and privacy regulations like GDPR and CCPA compel businesses to report on all data they hold regarding an individual within a specified period or be subject to fine.
KEY INSIGHT:
Faced with millions of files and countless interactions across global networks with thousands of end points, organizations need a new way to track data use and movement.
Visibility gaps widen as three trends stress legacy infrastructure
IT, security and privacy professionals are working to address widening visibility gaps and overcome the risk posed by:
Data proliferation is staggering, and unstructured data is rapidly growing, estimated to be 80% of a business’s data inventory. Unstructured data is routinely undermanaged and is hard to control and track as users take sensitive files from controlled repositories, store them on laptops, endpoints, and cloud services and share them in collaboration applications both internally and with external parties.
COVID-19 rapidly expanded the remote workforce and dissolved corporate perimeters. Sensitive data now resides on more unmanaged and shared devices. It travels on insecure networks and is used in unauthorized or non-compliant apps. All this is obscured from corporate oversight.
Privacy regulations have vaulted individual rights to the forefront. Right to be informed; right to be forgotten; and data residency all impose new demands on data visibility, tracing, control and reporting.
KEY INSIGHT:
Regulatory agencies and corporate Governance, Risk and Compliance (GRC) teams increasingly focus on the visibility gap of sensitive unstructured data and the actions of security, compliance and IT professionals to close these gaps.
Self-reporting files use an embedded ID technology to trace and record all interactions
Legacy security and privacy data architecture lack the deep data visibility and persistent tracking needed to meet today’s requirements.
Data loss prevention (DLP) and identity and access management (IAM) solutions designed for perimeter security lose track of data migrated to the cloud and when downloaded by remote workers. Privacy and legal e-discovery applications may have file mapping features, but they are siloed, don’t track all interactions, and the multiple datasets are disconnected and incomplete.
A unique ID that’s embedded and travels with the file enables persistent tracing and self-reporting of interactions throughout the file’s lifecycle. By using this method, it:
An organization’s existing data-centric tools perform better with an embedded ID approach. Discovery scans lack the intelligence to relate file derivatives that are copied or duplicated.
With an embedded ID, derivatives of an original file, whether duplicated or renamed, inherit the parent ID tag and all its security and governance policies.
An embedded ID reduces tool sprawl by negating the need for tracking tools fielded with each security, privacy and legal e-discovery application. All applications benefit from a single source of truth for file tracing and interactions.
KEY INSIGHT:
Using an embedded ID for deeper visibility, tracking and reporting at the file level is the best way to achieve sustainable and auditable processes and better safeguard sensitive data.
File Derivatives
Data changes throughout its lifecycle: As the original file copied and renamed or saved in a different format.
Discovery scans find sensitive unstructured data but lack: The means in subsequent scans to relate derivatives to a previously scanned file.
Missing derivative traceability compromises: Privacy compliance and increases the organization's threat surface as redundant sensitive data is unnecessarily retained across multiple locations.
With an embedded ID: Derivative files inherit the same file ID as the original, making visibility, security classifications and handling controls consistent across your IT infrastructure.
Individual Data Rights
Tracing of individual information: Requires persistent visibility and reporting in order to comply with modern day privacy regulations.
Responding to Data Subject Access Request ("DSAR") requires: Organizations to find all customer information and report in a specific period of time (e.g., 30 days).
Any file associated with an individual: Must be accounted for throughout its lifecycle.
An embedded ID: Eliminates the time-consuming task of file forensics. It provides a single source of truth that offers current deep data visibility, letting organizations meet today’s demanding individual information rights regulations.
Control at 3rd Parties
Businesses lose data visibility: When they share files outside the corporate network with supply-chain vendors, external legal and financial professionals.
Regulators make you responsible to ensure data is appropriately safeguarded: Breaches of your data while in custody of a third-party requires you to report the breach.
Secure and compliant sharing means: You extend the same visibility and controls that exist within your managed networks to any third parties.
An embedded ID provides the same activity tracking as if the files were internal: Enabling additional controls to set a file expiration date and revoke access at any time to third party locations. This feature is a key compliance component to the individual regulatory "rights to be informed and forgotten".
User Behavior Monitoring
Who is accessing your data, how it is being used, and where it is being moved: Are critical inputs for monitoring solutions focusing on detecting data misuse and policy violations.
Data transfers to removable drives and large uploads to cloud services outside of your organization: May be an early warning sign of malicious insider threat intent.
User behavior (UB) analytics are most effective when: Data visibility tools provide a full perspective of user activities across all applications and storage locations.
An embedded ID: Provides the highest granularity of data activity to drive UB analytics leading to earlier detection of insider threats. These data insights cue security methods, such as restricting the copy of data to removable drives.
A file-centric method with embedded ID is the best choice for data visibility. The same method enables a protect-first security approach that protects the data itself with encryption and access controls and eliminates redundant and overlapping tools implemented at multiple network and end-points.
Bridge both worlds and close privacy and security gaps with a file-centric method that delivers deep data visibility and a strong front-line defense for your sensitive data.
Sign up for emails on new Sensitive Unstructured Data articles
Never miss an insight. We’ll email you when new articles are published on this topic.
