Tag: data-centric security

What good is a secure island if you’re left stranded? Former Secure Islands customers want to know, since their data protection software has finally reached end-of-life support after the company was acquired by Microsoft a few years back. The good news: they have more options than they may have thought.

*

As a startup, Secure Islands Technologies Ltd. was a success story. Not so much for some of its early customers, we hear.

Two brothers, Aki and Yuval Eldar, founded Secure Islands in 2006 in Jerusalem. Microsoft acquired the company for $150 million in 2015 and made its technology an essential building block for Microsoft’s Azure Information Protection (AIP, part of the Microsoft Information Protection framework MIP). Six years later, to Secure Islands customers who decided AIP wasn’t for them, it may seem as if they are stuck.

So far, so predictable. As far as startup exits go, you’ve heard the stories. The outcome can be ugly: early customers are left holding the bag, with nowhere to turn. It can also be a blessing in disguise: for example, when IT discovers alternatives that show how far a technology has come elsewhere since its nascent stage.

Such happy endings happen. Take enterprise-level Digital Information Rights Management (DRM), for example. Also referred to as Information Rights Management (IRM) sometimes, it has come a long way since the aughts. This development is good news for organizations looking for AIP alternatives.

No happy endings on security islands

Information protection solutions of the past were difficult to deploy and scale. Workflows slowed down. Productivity suffered. That said, today, we see a different picture. The success of solutions such as Fasoo Enterprise DRM triggered a resurgence of the category, primarily for three reasons: 

  • Mature Enterprise DRM solutions ensure comprehensive data protection that extends far beyond one or two document ecosystems

Fasoo Enterprise DRM, for example, covers more than 230 document formats, including images, CAD files created with forty different applications, and old Microsoft Office documents that even AIP cannot encrypt. This approach extends beyond Microsoft Office or Adobe PDF files and prevents the creation of “security islands” that leave critical documents unprotected.

 

 

  • Centralized policy management and control beats having to deputize (and train) your end users as security experts.

AIP uses Secure Islands technology to categorize documents, which can result in certain limitations. Depending on a company’s Microsoft licensing level, users may have to manually label the documents they import or create and decide what protection and permissions to assign.

Other limitations concern larger organizations that deal with high volumes of unstructured data daily, such as financial institutions and globally operating law firms. AIP limits the number of sensitivity labels per organization to 500 for labels that assign encryption specifying the users and permissions.

Another issue in these industries is AIP’s lack of SDKs to facilitate integration with iManage and other Enterprise Content Management (ECM) platforms. In organizations that need to encrypt files across thousands of file-sharing folders and subfolders, this means they would have to apply an AIP label to each manually just for simple encryption.

Fasoo Enterprise DRM represents a different, “file-centric, people-centric” approach that enables organizations to preserve and support proven and efficient workflows. Policies defined by IT automatically determine at the point of creation who can access a protected document and how. Exceptions are handled flexibly and “on the fly”, for example by granting a provisional permission on a temporary basis.

  • Document protection in the cloud requires a mature enterprise DRM solution.

Cloud collaboration plays an important role in selecting an enterprise DRM solution. Companies now looking for alternatives to AIP are clear about this point: they want document protection that travels with the file and doesn’t end at their organization’s IT perimeter.

Their old information protection technology was devised years ago, with no consideration yet for the cloud. One consequence is that it can only protect sensitive documents on a computer or mobile device. Once the file is uploaded to the cloud outside the Microsoft ecosystem, document protection is lost.

In contrast, Fasoo Enterprise DRM ensures that persistent security remains with documents, pictures, audio, video, and 3D CAD drawings regardless of their location, whether in the cloud or on a flash drive. Senders can set a validity period or revoke access immediately, even after distribution. The organization remains in control of sensitive files at rest, in use, and in motion – no matter where they may end up. 

Worried about your document protection getting stuck on a security island? In summary, these three rules will help you not to miss the boat: 

  1. Document protection worth its name requires properly protecting all confidential documents that need protecting, not just those preferred by one solution vendor.
  2. If “automatic labeling” was the promise, you’ll hate seeing it turn into manual labor over a few hundred or thousand file-sharing folders.
  3. No company is a secure island; the cloud is real, and so is the need for document protection in the cloud.

Contact the Fasoo team to find out more!

Graphic: Top 5 Document Protection Blog Posts of 2021

Which blog posts about document security and protection attracted the most visitors to the Fasoo website in 2021?

Let’s face it: the ins and outs of Digital Rights Management (DRM) in the enterprise don’t exactly make for blog topics that get most people’s juices flowing.

The good news is that content that draws on the insights shared by Fasoo’s longtime, recent, and not-yet customers can overcome this hurdle. Readers interested in Enterprise DRM clearly prefer blog posts that answer relevant questions and provide hands-on advice for IT decision-makers and their teams.

Which Fasoo blog posts hit a nerve in 2021? These were the Top 5:

*

# 5: Your questions about Fasoo Enterprise DRM vs. Microsoft AIP, answered

“How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?” In one version or another, this was one of the most frequently asked questions the Fasoo team had to answer in 2021. 

It’s a tricky one. After all, Microsoft AIP was developed primarily with the document ecosystem of Microsoft Office plus a few third-party file formats in mind. Fasoo DRM, on the other hand, provides document protection at scale and for more than 200 file formats in large organizations and along their supply chain.

Image shows a Minivan vs. Ford Super Duty Pickup Truck Tableau

Photo sources: Dreamstime / Ford

So can you compare the two at all? We tried. Let’s just say minivans keep us moving, but for serious business, you may want to consider a super-duty truck.

It seems like many readers have been looking for answers to EDRM-vs.-AIP-related questions. Did you miss the post?

Check it out here:

FAQ: 5 Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP

# 4: IP theft prevention: a step-by-step guide for the automotive industry

In vehicle and component manufacturing companies, most sensitive information is stored and managed digitally. Examples are:

How can you protect digital assets against intellectual property (IP) theft? Without adequate – data-centric – protection, trade secrets can end up with a competitor or a foreign government in a matter of minutes, even seconds: on a USB device, say, or uploaded to a personal cloud storage account from an unmanaged remote work laptop.

And they do. 2021 was marked by the “Great Reset” in the automotive industry. Employees working from home or leaving for a competitor (or both) posed the biggest threat to their company’s proprietary information. How to prevent intellectual property theft in the automotive sector? Many blog visitors turned to our 10-step guide here:

IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat

# 3: Important enterprise DRM terms, explained

Enterprise-level DRM can be confusing. The – often niche-specific – solutions of the past were expensive, complex to deploy, and difficult to scale. As a result, IT teams weren’t exactly gung-ho about exploring today’s DRM-based information protection.

This has changed. Enterprise DRM solutions have come a long way, which has caused a resurgence of the category and considerable change in perceptions. In 2021, this trend had more IT professionals asking about specifics. 

So we dedicated 2021 to cutting through the fog of related terms and acronyms for this growing audience. A timely decision, judging by our blog traffic numbers. The Enterprise DRM Glossary became the 3rd-most frequented post of 2021:

Enterprise DRM Glossary

# 2: PDF security – an oxymoron?

You would think that 28 years after Adobe first introduced its platform-independent “secure” PDF file format, all related document protection questions should be settled. Far from it, as you may know.

Yet PDF files are making up a large share of unstructured business data. Do you know how well all your sensitive PDFs are protected? If the answer is no, consider yourself in good company.

According to a 2021 report, researchers who analyzed publicly accessible PDF files of 75 government security agencies identified only seven that had removed sensitive information before publishing. Ouch.

This data point doesn’t make you feel better? In that case, the # 2 on our Top-5 list of document protection blog posts provides relief. It gives a hands-on introduction to various approaches to securing PDF documents against unauthorized access, including editing, printing, copying, or screenshots:

Document Protection: How to Secure a PDF

# 1: DRM vs. DLP – a false dichotomy?

And the winner is… Boasting not one, but two industry acronyms in the headline, the chart-topper on this Top 5 list defied headline writing best practices and search engine odds in 2021.

DRM and DLP – Data Loss Prevention – both aim to protect sensitive documents against leakage and exfiltration. They are frequently weighed against each other, but that doesn’t explain why this blog post piqued that much curiosity.

Maybe it’s because it fundamentally questioned the traditional “either/or” perspective? If you haven’t read it yet, you can find it here:

Enterprise DRM and DLP: Comparison Made Simple

Image: Remote worker in home office setting

Gartner predicted that roughly 50 % of knowledge workers worldwide should be logging in remotely by now. More remote work puts more sensitive data at risk, which increasingly also impacts manufacturing companies. Check out the following ten tips to ramp up your document protection program in 2022.

*

Quick question: What do automated ransomware campaigns conducted by external attackers have in common with data theft committed by corporate insiders?

In the light of recent incident reports, I can think of three answers off the bat – at a minimum:

 

  • In both categories, incidents are on the rise.
  • Both target sensitive data, since more ransomware attacks begin with stealing confidential documents for extortion or sale on the dark web before encrypting the victim’s data.
  • Both increasingly exploit work-from-home data security weaknesses.

 

Examples of the latter include unsecured WiFi networks, unmanaged devices, and endpoint vulnerabilities. At the same time, IT lacks visibility into the online activities of remote employees and contractors.

In a nutshell, this example shows how remote work has become the primary source of risk to digital assets in the enterprise. Now the Omicron variant is pushing even more organizations (back) into remote or hybrid work arrangements.

Additional factors exacerbate the crisis going into 2022. The automotive industry and its supply chains feel the impact. Key employees leverage the “Great Reset” in the industry and leave to join competitors, sometimes taking trade secrets with them. IT teams struggle with staff shortages and often only learn about what happened when it’s too late.

Does this sound familiar?

 

10 tips to boost your remote work document protection

 

Get ready for 2022 with our ten tips on how to protect unstructured data in remote work settings:

 

  1. Identify the threat.

     Beware intellectual property theft by insiders. In more than 50 % of documented IP theft cases, the perpetrators were current or former employees or contractors. In addition, when external attackers exfiltrate sensitive information, employee negligence often plays a role.

  2. Identify what’s most at risk.

     In most innovation-driven companies, trade secrets are stored in the form of unstructured data. Think confidential Microsoft Office documents, CAD/CAE files, digital images, or PDFs. They come in various (legacy) formats and are often scattered across the organization and along its supply chain. Securing them will be an uphill battle, especially in remote work environments, without the right strategy.

  3. Identify your data protection strategy.

     The push into remote and hybrid work environments requires a comprehensive approach to data protection, rather than merely a mix of device-centric endpoint and data loss prevention (DLP) solutions. Recognizing this, more technology companies are adopting a data-centric security model.

     With sensitive documents, this means they remain protected regardless of where a file resides or with whom it is shared. The data-centric model ensures document protection independently of networks, servers, locations, and devices, such as unmanaged home office printers.

  4. Protect data throughout its lifecycle.

     Digital Rights Management (DRM, sometimes also referred to as Information Rights Management, IRM) is based on the data-centric security model at the core of any Zero Trust strategy. Fasoo Enterprise DRM (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Encryption, flexible policies, and granular controls govern how and by whom a file can be viewed, edited, printed, and shared within the organization’s IT perimeter and outside – like in the home office.

  5. Protect sensitive files without exceptions.

     Does the Enterprise DRM solution you’re evaluating support all industry-relevant CAD and CAE applications? In the automotive industry, support for tools such as AutoCAD, CATIA, or PTC Creo (and many more) and a broad range of PDF file formats is considered essential to ensure future-proof document protection.

  6. Protect workflows and productivity.

     Some information protection solutions lack centralized policy management. This shortcoming is known to slow down workflows to a trickle, especially when remote contributors are involved. Fasoo combines central control options with flexible exception management. Exception approval for accessing particular documents from the home office, for example, can be delegated to managers or coworkers instead of waiting for IT.

  7. Control confidential data wherever it goes.

     A supplier’s design engineer working from home is requesting remote access to sensitive documents? With Enterprise DRM, it’s just another day in the office. Gartner analysts describe DRM as “one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

  8. Control print.

     Fasoo takes a printer-agnostic approach to secure printing. This approach eliminates most challenges that commonly arise in remote work environments with home printers or print drivers. It enables data owners to centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts. Fasoo Smart Print also lets you set print protection policies for plain documents not secured by EDRM.

  9. Control the screen.

     Concerned about a remote team member capturing sensitive data on a screen during an internal Zoom or Skype call presentation? Enterprise DRM provides a screen security component, Fasoo Smart Screen, enabling IT to block and monitor screen capture attempts. For deterrence, it can also imprint documents with a watermark that contains tell-tale user-specific information.

  10. Control data without alienating workers.

      Fasoo’s centralized policy management enables flexible, people-centric document protection across organizational boundaries. Everyone who needs to can keep tabs on documents’ whereabouts and protection status, without risking privacy complaints and lawsuits from home office workers. Fasoo Enterprise DRM integrates with all leading federated authentication services, enabling IT to automatically revoke access to EDRM-protected documents once an employee leaves.

 

Contact the Fasoo team and find out how others in your industry deploy Enterprise DRM in remote and hybrid work environments.

Image shows wall-mounted home office surveillance cameras

Remote work is putting sensitive data at risk. That we can all agree on. Traditional endpoint protection frequently fails. So what about stronger surveillance of remote employees at home?

*

Let’s monitor the heck out of them, shall we?

That seems to be the approach of some financial services firms whose remote workers handle sensitive financial data and Personally Identifiable Information (PII). Is remote work surveillance a good idea? 

Perhaps, if your organization is craving attention – from the Washington Post, for example – for all the wrong reasons: privacy concerns, lawsuits, alienated employees and contractors. 

“Excessive surveillance,” writes ZD Net’s Owen Hughes, “is having profoundly negative effects on the workforce.”

But does it work?

 

Why monitor employees at home?

You see, that’s the other catch: it may not be worth the effort and expenses. Digital surveillance, warns Tech Target’s ComputerWeekly (UK), may “increase enterprise risk” by “forcing remote workers towards shadow IT.”

In short, excessive work-from-home surveillance doesn’t only erode trust and productivity. It also results in weaker data protection and employees leaving for the competition. 

What’s not to love? Perhaps you agree: pretty much everything, if you value your employees and work culture.

The tips below favor a non-creepy approach that is more sustainable: 

 

5 data protection tips for maintaining trust in the Zero Trust era  

Fasoo’s data-centric security model maximizes document protection – not the surveillance of the people handling them from home. Fasoo enables IT to secure and keep tabs on sensitive unstructured data throughout the document lifecycle, instead of putting employees and contractors under home office surveillance.

  • Stay vigilant; keep watching. 

Fasoo Enterprise DRM lets your organization automatically assign file protection without user intervention at the point of creation. Encryption and policies keep the document secured even when it is shared outside the organization by mistake.

Efficient document protection with Fasoo enables your organization to continuously monitor, log, and flexibly change who’s accessing confidential files and how. 

 

  • Turn your employees’ bedroom nooks into secure print stations.

What would it take, aside from nationwide lease, maintenance, and insurance contracts? The kids giving up their bedroom? A two-camera surveillance system? 

Or, less creepy: You deploy Fasoo Smart Print as your organization’s remote network of monitored print stations. Regardless of which physical or virtual printer is used – including the old inkjet in the bedroom nook – IT remains fully in control.

A granular audit trail includes the text or image of the actual printed content. It ensures visibility into all print activities that involve EDRM-secured documents.

 

  • Intervene when they take a snapshot.

How do you keep remote employees, in the privacy of their home, from using the Print Screen key, screenshots, or a smartphone to take pictures of confidential information?

Install more spyware and observation cameras? Think about the possible impact on your workforce retention rate in the “great resignation” era.

Here’s a less heavy-handed approach that’s more efficient than excessive remote work surveillance. Deploy Smart Screen, Fasoo’s on-screen document protection. It enables IT to block and monitor screen capture attempts. Administrators can monitor all screen capture attempts and even view an image of the targeted areas.

It may be impossible to keep a determined person from taking photos with a smartphone or camera outside a high-security office area or designated data room. That’s why effective deterrence is essential. Fasoo Smart Screen enables admins to imprint sensitive documents with a visible “smart” watermark that contains tell-tale user-specific information.

 

  • Keep tabs on them outside work and after hours.

On your files, that is. Shareholders, customers, and regulators expect you to protect confidential financial information and PII throughout the document lifecycle. Password-based document protection or Data Loss Prevention (DLP) solutions, for example, cannot provide this level of security.

DLP aims to prevent data exfiltration, but files can still make it beyond your organization’s IT perimeter: on a USB stick, for instance, or via a personal cloud storage account.

With Fasoo Enterprise DRM, encryption and policy settings apply regardless of where the document lands and prevent unauthorized access. A confidential file remains protected even in the wrong hands.

  

  • Always and immediately involve higher-ups, IT, and HR… 

…when (former) employees attempt to access specific documents. Sounds ridiculous, right?

Well, that’s because it is. Yet, some Information Rights Management (IRM) solutions expect data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Workflows become work trickles. People find shortcuts. Overall data security suffers.

Fasoo’s centralized policy management capabilities allow for flexible, people-centric exception handling. It integrates with all leading federated authentication systems, minimizing risk when employees change departments or leave the company.

This approach ensures that everyone who needs to be is in the loop about a file’s security – the document creator, supervisors, IT, and HR. No home office surveillance required. 

*

 

Zero Trust makes sense. Until it doesn’t.

Would you make Zero Trust your People & Culture or HR slogan? Let’s face it: You need a Zero Trust strategy to secure your data. As a tagline for your work culture, on the other hand, it would be a less than ideal pick.

With Fasoo Enterprise DRM, you don’t have to sacrifice trust and productivity by setting up remote work surveillance bridgeheads in your employees’ homes.

As a cornerstone of your Zero Trust strategy, Fasoo empowers your organization to maintain its work culture and trust within the team while still ensuring maximum data protection.

 

Contact the Fasoo team to find out more.

M&A Leaks: Image shows a leaking bucket

Mergers and acquisition (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?

*

Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That’s on the buyer’s side as well as on the seller’s teams and includes investment banks or Private Equity (PE) firms. 

This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.

Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.

 

M&A activities at an all-time high – and deal leaks, too

The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example. 

A global automotive component manufacturer is planning with its investment bank the acquisition of a publicly traded semiconductor design and manufacturing company.

Table Overview: Deal Leaks by Sector

Source: SS&C Intralinks 2020 M&A Leaks Report [PDF]

 

It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge. 

 

The challenge: Remote work amplifies M&A security risks

We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them. 

Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.

These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.

 

The solution: data-centric M&A security

Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.

Bar chart: M&A cost distribution, by phase (IBM)

Source: IBM Benchmark Insights: Assessing Cyber Risk in M&A

 

In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly. 

Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage EDRM to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.

 

M&A and beyond: document lifecycle protection

Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.

 

  • Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.

    This phase usually involves a high amount of various Microsoft Office document formats and Adobe PDF files. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.

 

  • Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs.

    Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.

 

  • Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate.

    In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, even sensitive records exported from databases are automatically detected, classified, prioritized and encrypted when they enter the buyer company’s environment from the acquired company.

During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop. 

After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.

 

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 

*

The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders – often working remotely – now account for more than 50 % of data breaches in the financial sector, according to security research. Several terabytes of sensitive data have been ransacked or leaked from more banks and financial services or law firms since that 2015 data breach. Think Pandora Papers, the confidential documents including supposedly secure PDF files, images, emails, and spreadsheets from 14 financial service companies offshore. 

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

18 months later, research shows: that warning about remote work security still stands. Industry experts point to misconfigured VPNs, insufficiently secured home WiFi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote Work Security - infographic excerpt

Source: Tessian (Infographic)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention tools (DLP), firewalls, endpoint protection – cannot ensure adequate protection. Recent threat reports confirm: attackers are busy exploiting the remote work blindspots and endpoint vulnerabilities to the fullest.

 

Document theft-as-a-service: Search. Scoop up. Siphon off.

As a result, credit unions, investment banks, and mortgage lenders, and their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm Trend Micro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There’s a direct and significant connection. New ransomware variants don’t merely encrypt the victim’s business-critical data and demand a ransom for unlocking it. The latest exploit kits are also optimized for data exfiltration.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI sent out this Private Industry Notification [PDF]. It describes how perpetrators specifically target confidential documents about planned mergers and acquisitions, to release them on the internet if the victim doesn’t pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control  – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Bank CISOs recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP), firewalls, endpoint protection – cannot ensure adequate protection anymore.

Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee the access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.

The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which is limited to tagging such information for protection within the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.

Boost for remote work security and productivity in banking

This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, enable organizations to apply print protection and watermarks for plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to applications and URLs to block screen capture attempts of sensitive data and monitors all screen capture attempts.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?

The first solution is a digital rights management platform to protect documents at scale in large organizations and along their supply chain.

The latter was developed primarily to protect the document ecosystem of MS Office plus a few third-party file formats.

 

Can you compare them at all?  It’s a common question we get, so let’s try.

*

“We’re looking at our options for securing documents across the whole organization, including our worldwide subsidiaries and supply chain. What advantages would we have from choosing Fasoo Enterprise DRM over Azure Information Protection (AIP) by Microsoft?”

I have to admit, each time we receive an email like that, we cringe a little.  It’s a bit like asking us to compare a Ford F-series pickup truck (America’s most popular car in 2020) and a Chrysler minivan (the best-selling minivan during the same year), on the grounds that they both have four wheels and can take a load.

We welcome such questions, though, because they give us an excellent opportunity to clear up some confusion. Read on for a few of our answers.

 

MS AIP vs. Fasoo comparison: Frequently Asked Questions (FAQ)  


Minivans keep us moving, but heavy-duty tasks require different means.
Photo sources: Dreamstime / Ford   

The confusion is understandable. The early and often niche-focused enterprise-level DRM solutions of the past were considered expensive, complex to deploy, and difficult to scale. As a result, many IT teams today still lack hands-on experience with modern DRM-based information protection capabilities at scale.

Fast-forward to 2021: Enterprise DRM solutions have matured significantly over the past decade. This has caused a considerable change in perceptions and is credited with the recent resurgence of enterprise DRM. 

Combined with the shift towards a data-centric information security approach, this development now has more information security leaders asking about the specific strengths of enterprise DRM. Here are five frequently asked questions involving Fasoo EDRM and AIP:

 

1. How many file formats does Fasoo support compared to AIP?

Microsoft file protection supports approximately 20 file types. AIP modifies file extensions for non-Office file types (txt to ptxt, jpeg to pjpeg, bmp to pbmp). This can cause issues with third-party applications and firewalls.

Fasoo supports more than 230 file formats, including a broad range of PDF files, plus any less common file format based on a niche application that a customer might use. All formats Fasoo supports can be opened in their native application. It does not modify file extensions, which means applications that rely on native file extensions for scanning or other purposes keep working. 

 

2. How does Fasoo EDRM protect CAD files in comparison to AIP?

AIP does not support protection of CAD files while in use. Fasoo protects CAD files while at rest, in transit, and in use.  By integrating directly with over forty different CAD applications, Fasoo EDRM allows users to interact with CAD files as they normally do while maintaining strong protection of the data.

 

3. How strong is Fasoo’s encryption compared to MS AIP?

AIP is limited to AES 128-bit encryption for Office files because Office 2010 cannot support AES 256-bit encryption. Other file types use 256-bit. Microsoft does not support encryption for Office 2007. It recommends upgrading to Office 2016 for ease of deployment and management.

Fasoo uses multi-layered encryption for all file types, including AES 256-bit encryption for all file payloads. This is important for compliance with certain regulations. Fasoo supports Microsoft Office 2007, 2010, 2013, 2016, 2019, and 365.

 

4. How do the document tracking and monitoring capabilities of Fasoo compare with those of MS AIP?

AIP currently has no centralized report portal for usage, adoption, or document activities. It also doesn’t provide a method for tracking AIP user licenses. Microsoft recommends editing the registry to remove access to functions from specific users designated as “consumers only” of AIP-protected files.

Fasoo provides centralized reporting on all document and user activities in a web-based console. Thresholds can alert administrators to anomalous and potentially suspicious activity. Fasoo EDRM also tracks all licensed users in a web-based, centralized console. 

 

5. How are Fasoo’s policy and exception management different from AIP’s?

This question comes up frequently because Microsoft AIP relies on individual users to make security policy decisions on how to protect documents. This approach requires IT and data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Fasoo can automatically assign file protection without user intervention. It provides centralized policy management and exception handling capabilities. This “file-centric, people-centric” approach allows the organization to determine who can access a protected document, rather than relying on the document creator to make that decision. Users with permissions are empowered to extend access rights and permissions to other users as needed.

*

Will it fit and grow with your mission?

In summary, most inquiries we get about Microsoft AIP vs. Fasoo boil down to a single general question: How does a dedicated solution for securing documents in large organizations stack up against an assemblage of document protection components designed with a focus on MS Office applications and file formats?

My answer, in a nutshell: It’s difficult to compare a Ford F-450 Super Duty truck and a Chrysler Pacifica minivan. To stay with the analogy for a moment, deciding between work truck and family van becomes much easier when we ask this question:

Will it fit the mission? 

###

Do you have questions about any of the items above or related topics?
Contact the Fasoo team here.

 

Photo: Federal Courthouse in Portland, OR

Global manufacturers in innovation-driven industries are ramping up their document protection against intellectual property theft.

Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.

But first, a quick look at the court dockets. Did you hear about that lawsuit filed by Intel in February against a former employee who joined Microsoft?

Talk about an IP theft textbook case. Intel accuses [PDF] a former product marketing engineer of exfiltrating “highly confidential, proprietary, and trade secret information” on his way out the door – to Microsoft.

So far, so common. That’s true even in the most security-conscious companies, as this most recent example shows. It highlights how a combination of three factors poses mounting risks to the IP of many tech and manufacturing companies: 

  • blurred IT and security perimeters with a plethora of unmanaged (storage) devices,
  • increasing competition, coopetition, and fluctuation of engineers and other key personnel with access to trade secrets between competitors,
  • the inability to centrally monitor, control, and police how employees access sensitive documents, especially when they leave the company.

It’s at that point where the IP protection capability mentioned in the title of this post can make all the difference; we’ll get to that in a minute. But first, let’s look at what allegedly happened when the Intel engineer left the company after ten years in January 2020.

What did he allegedly do, and how? The company alleges that on his last day on the job, the employee downloaded roughly 3,900 files from a company computer “to a personal Seagate FreeAgent GoFlex USB drive.”

Insider threats: How can almost 4,000 sensitive files get downloaded from a company-issued computer to an unmanaged device without anyone noticing? One possible – and common – explanation is alert fatigue. Data Source: Cloud Security Alliance

 

3,900 confidential files walk out the door at Intel

Hm, what? And he walked out the door with it where, and why? Fast forward to February 2021:

In the federal court filing [PDF], the plaintiff claims that the defendant – now Principal of Strategic Planning in Microsoft’s Cloud and Artificial Intelligence department – “used the confidential information and trade secrets he misappropriated […] in head-to-head negotiations with Intel concerning customized product design and pricing for significant volumes of Xeon processors.”

Ouch. Yes, these are only allegations so far. They have yet to be proven in court.

But however the jury finds in the end, the court filing is remarkable for what it reveals between the lines. Intel’s lawyers credit Microsoft and its forensic investigators for helping to unearth the “full breadth” of the alleged deeds.

Which gets us to the main point of this post: 

 

Was this IP protection failure preventable?

Granted, hindsight is 20/20. Yet from an IP protection perspective,  one could argue that all of this would have been entirely preventable. 

How do we know, you ask? Coming right up, it’s all laid out right there in the court filing. Intel, if we believe the lawyers, had insufficient visibility into and no control over an (ex-) employee’s access and use of sensitive proprietary files. And indirectly, the company admits as much. 

For example, the lawsuit alleges that once at Microsoft, the former Intel employee “accessed, viewed, opened or otherwise interacted with more than one-hundred documents taken from Intel […] at least 114 times” from his company-issued Microsoft Surface laptop.

Mind you, Microsoft’s helpful forensic investigators unearthed these (incomplete) insights only after the fact, according to Intel’s grateful lawyers.

Had the individual files been encrypted and their use governed by centralized policy management from the get-go, the engineer’s access would have ended with his tenure at Intel.

 

The case for DRM with centralized policy management

Cases like this should not come as a surprise. We’ve seen a rising wave of similar insider-related incidents over the past three years. The tech and mobility industries are bearing the brunt of the attacks.

The threat has caused more IT leaders to deploy enterprise DRM (also known as Information Rights Management, IRM). This file-centric, people-centric, and platform-agnostic approach enables organizations to protect unstructured data at rest, in transit, and in use.

Think MS Office documents, PDF files, images, or CAD designs, for instance. They are encrypted at the point of creation. The protection applies wherever a file is stored or moves to, inside or outside the organization’s perimeter.

File use can be monitored, access policies and permission levels centrally managed by IT, risk officers, and HR, and flexibly adjusted on a granular level by the data owner.

Let’s take a product design file protected by Fasoo Enterprise DRM, for example. It will check back in the background with a central Fasoo server when someone tries to access it. Does this user still have the proper authorization to open, copy, download, or print the document?

If not, it doesn’t matter if a former employee took it home on a portable hard drive or USB stick – IP protection is ensured. The document is worthless for whatever that person wants to do with it, locked with FIPS 140-2 level encryption that meets the requirements of the Cryptographic Module Validation Program (CMVP) of the US government. 

 

Nothing to see here after HR and IT flip the switch

In summary, file-centric document protection makes IP “misappropriation,” as alleged in the case brought by Intel, impossible.

Overview image: File-centric encryption and control with Fasoo Enterprise DRM

Centralized yet flexible and painless policy and exception management are among the top priorities for document protection program leaders when choosing an enterprise DRM solution, they tell us. Fasoo Enterprise DRM empowers IT, in coordination with HR, to set and change document use policies in sync with users’ employment lifecycle, from onboarding to the last day at work.

One global technology manufacturer that is leveraging enterprise DRM to protect its IP is Fasoo customer ZF Group. This automotive industry supplier with 240 locations in 41 countries now deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, across its global tech centers.

“Before, we had a few incidents where engineers with years of insider knowledge and access to documents left and joined a competitor,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division in Livonia, Michigan.

“As a company, you spend years training engineers in the ways you do things, and they get access to your most intimate know-how and process knowledge,” he explained. “You cannot just block them; they need it. But you also need to be able to quickly adjust access privileges on a granular level, without delay.”

“It’s a fine line to walk,” Markus told us. “You have to find the right balance between maximum IP protection on one side, and productivity on the other. Fasoo helps us maintain this balance.”

*

To learn more about how to prevent intellectual property theft and leakage in manufacturing and supply chain environments while maintaining a competitive edge, watch our Fireside Chat at Apex Assembly Tech Leaders Northeast Summit on March 30th, 2021 with GE Gas Power cybersecurity researchers Hillary Fehr and Christopher Babie.

Protect data on laptops from terminated employees

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word).  Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them?  It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured, and so on.  These are not necessarily actions of malice, but of obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!

 

Photo credit Ian Sane

 

Fasoo shows unstructured data security at Gartner SRM 2018

This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on reducing business risk through improved cybersecurity that focuses on protecting data as users create and share it.  One area of concern to many organizations is how to find and protect sensitive data without impacting how employees and customers work.  Data protection regulations, like GDPR, are making things more complicated, but companies need to balance security with productivity.

At the Fasoo booth, a lot of people talked about issues with combining different technologies that still focus more on protecting the location of data rather than the data itself.  One executive from a manufacturing company talked about how her DLP system can tell them that sensitive documents were shared with external parties, but can’t really control their access or stop them from going out.  This is a common concern as companies use DLP, CASB and other technologies that can’t control access everywhere.

On Tuesday, June 5, 2018, John Herring, President & CEO of Fasoo, Inc. and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Unstructured Data Solutions Journey”.  John talked about the challenges of balancing data security and productivity and how many of the traditional approaches of securing the data perimeter haven’t met the hype.  By securing the data itself, you don’t need to worry about where it goes, since it’s always protected and tracked.  He presented how some of Fasoo’s customers have overcome the challenges with a holistic approach to discover, classify, protect and track sensitive manufacturing data and information subject to regulatory control using Fasoo Data Radar and Wrapsody.

Fasoo presentation on protecting unstructured data at GSRM 2018

Ron showed how in three quick steps with Wrapsody an organization can securely collaborate when creating a product quote while limiting access to specific people and making it easy to ensure they each have the latest version.  With a few clicks of a mouse a sales manager encrypted a spreadsheet, applied access control to it, provided an audit trail and automatically synchronized the latest version to a central location.  As the operations manager updates the quote and shares it with a customer, the process is easy for all parties to get the latest information and ensure the entire process is secure regardless of who has the document and where they open it.

During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand the best ways to comply with new regulations and how to protect sensitive data from both internal and external threats.  Visitors were very impressed by how the Fasoo Data Security Framework can help them achieve those goals by discovering, encrypting and controlling their sensitive data.

Attendees at the session and at the booth were excited to see that Fasoo technology is very robust, balances security with usability and integrates with an organization’s existing infrastructure.  A common strategy is to make the technology almost invisible to users unless they try to violate a security policy.  I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.”

Ron Arden, Executive Vice President & COO, Fasoo, Inc. spoke to security professionals and executives on how to meet the data-centric requirements of the NYDFS 23 NYCRR 500 cybersecurity regulations for financial services organizations at the 2017 Rochester Security Summit at the Rochester Hyatt in Rochester, NY.

Ron delivered a presentation entitled “Do You Have a Pathway to Data Security and Compliance?” as part of the risk and compliance track during the October 19 – 20, 2017 event.  With deadlines approaching for some of the more challenging components of the NYDFS cybersecurity regulations, timing was right as Ron reviewed results from the recent Ponemon Institute survey on NYDFS readiness and Fasoo’s approach to help meet the technical challenges of protecting unstructured data or data stored in files.  This is an area that most organizations are struggling with, since about 80 percent of their information is not in databases, but is in office documents.

Conversations during the presentation ran from concerns about meeting regulatory compliance to those trying to protect intellectual property from walking out the door.  One financial services company is in the process of locating and classifying all files, trying to decide what is sensitive and what is not.  Ron suggested thinking about all files as sensitive and encrypting them upon creation.  If you spend a lot of time determining what is and what is not sensitive, you may miss something and cause more problems.  If you need to remove the encryption to share with someone externally, it’s easier to make an exception for that rather than expecting users to decide on the sensitivity of a file.  That causes breakdowns in workflows and burdens users unnecessarily.  Plus you may not meet the NYDFS requirement to encrypt all nonpublic information.

Bill Blake, Senior Vice President of Fasoo, and Ron joined security partner Brite Computers in a booth during the vendor-focused times of the 2-day event.  Brite and Fasoo have had great success over the years bringing security technology and a customer-focused approach to solving business problems to numerous customers in a variety of industries.  The initiatives helping customers become compliant with the NYDFS regulations are just the latest.

Brite also had an RSS after party on Thursday evening to meet with customers and partners in a more relaxed setting.  It was held in the newly renovated Center City Terrace & Lounge and allowed everyone to take advantage of the unseasonably warm weather.  It was great to get to meet a lot of Brite’s current customers and talk to them about how Fasoo can help them address many of their security and compliance issues.

The event this year showed the continuing need for data-centric security solutions as companies try to mitigate the risk of both external hackers and insider threats to their most sensitive data.  Complying with regulations is important, but the main goal of these regulations is to protect sensitive data from leaking or being stolen by unauthorized people.  Stopping this has become a main focus of many CISOs and boards.

Can You Stop Former Employees Taking Your Data?

It’s a good question and one that many organizations don’t think about thoroughly.  You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job.  You may have a comprehensive provisioning system that grants access to all applications and data.

But how about when someone leaves?  It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks?  Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.

While employed or under contract, many people create and use a lot of documents that contain intellectual property, financial data, employee and customer information.  Given the nature of work today, these documents are stored on laptops, mobile devices, in cloud services, and all over your organization.  In fact, 70 percent of organizations do not know the location of confidential information, according to a study by the Ponemon Institute entitled “Risky Business: How Company Insiders Put High Value Information at Risk”.

A recent survey by OneLogin found that 47 percent of organizations admit that one in every 10 data breaches was tied directly to former employees.  We don’t want to stop employees from working where they want and when they want, but it’s important to control access to the documents they use, regardless of location.

The best way to control access to documents is to encrypt them and apply permission controls that limit what an authorized user can do with the document.  This applies to documents created at the desktop, reports run from databases and documents downloaded from information systems and document repositories.  The controls are persistent and even apply to all derivatives of the documents, so no matter how many copies are out there, they are controlled and managed.

When an employee leaves the organization, you only need to remove their access in one place and all sensitive documents are inaccessible.  That person now becomes an unauthorized user.  It doesn’t matter if the document is in a cloud service, on their home PC, in email or on a thumb drive.  You don’t have to go looking for them, because once you de-provision the employee, their access is gone for all documents.  If they try to open them, they see a bunch of random characters.

While controlling system access is important, controlling access to the documents that contain your sensitive data is more important.  Applying controls on the documents themselves ensures you can turn off that access with a click of a mouse the moment an employee becomes a former employee.
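A minimal sketch of the model described in this post and in the earlier product-design-file example: the content key stays on a central policy server, so removing an account in one place leaves every copy of the file as ciphertext. This is an added example, not Fasoo's code or protocol; `PolicyServer`, `protect`, `open_document` and the file layout are hypothetical, and an HMAC-SHA256 keystream stands in for AES so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

MAGIC = b"DRM1"  # hypothetical file marker for this sketch


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one content key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PolicyServer:
    """Hypothetical central server: holds content keys, policy and an audit log."""

    def __init__(self):
        self._keys = {}       # doc_id -> content key (never written into the file)
        self._acl = {}        # doc_id -> {user: set of rights}
        self._active = set()  # currently provisioned accounts
        self.audit = []       # (user, doc_id, right, allowed)

    def provision(self, user: str) -> None:
        self._active.add(user)

    def deprovision(self, user: str) -> None:
        self._active.discard(user)

    def register(self, doc_id: str, acl: dict) -> bytes:
        self._keys[doc_id] = secrets.token_bytes(32)
        self._acl[doc_id] = {user: set(rights) for user, rights in acl.items()}
        return self._keys[doc_id]

    def request_key(self, user: str, doc_id: str, right: str):
        rights = self._acl.get(doc_id, {}).get(user, set())
        allowed = user in self._active and right in rights
        self.audit.append((user, doc_id, right, allowed))
        return self._keys[doc_id] if allowed else None


def protect(server: PolicyServer, doc_id: str, plaintext: bytes, acl: dict) -> bytes:
    """Encrypt at creation; the file carries only doc_id, nonce, tag, ciphertext."""
    key = server.register(doc_id, acl)
    did = doc_id.encode()
    nonce = secrets.token_bytes(16)
    header = MAGIC + bytes([len(did)]) + did + nonce
    ciphertext = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), header + ciphertext, hashlib.sha256).digest()
    return header + tag + ciphertext


def open_document(server: PolicyServer, user: str, blob: bytes, right: str = "open") -> bytes:
    """Check back with the server on every access; no key, no plaintext."""
    if blob[:4] != MAGIC:
        raise ValueError("not a protected file")
    n = blob[4]
    doc_id = blob[5:5 + n].decode()
    nonce = blob[5 + n:21 + n]
    tag = blob[21 + n:53 + n]
    ciphertext = blob[53 + n:]
    key = server.request_key(user, doc_id, right)
    if key is None:
        raise PermissionError(f"{user} may not {right} {doc_id}")
    expected = hmac.new(_subkey(key, b"mac"), blob[:21 + n] + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("file was modified")
    return _xor_stream(_subkey(key, b"enc"), nonce, ciphertext)


def demo():
    """Constructed scenario: a copy taken home stops opening after offboarding."""
    server = PolicyServer()
    server.provision("engineer")
    secret = b"constructed sample: gearbox tolerances rev C"
    blob = protect(server, "design-001", secret, {"engineer": {"open"}})
    opened_before = open_document(server, "engineer", blob) == secret
    usb_copy = bytes(blob)           # any copy carries the same doc_id
    server.deprovision("engineer")   # access removed in one place
    try:
        open_document(server, "engineer", usb_copy)
        after = "opened"
    except PermissionError:
        after = "denied"
    return opened_before, after, secret in usb_copy


if __name__ == "__main__":
    print(demo())
```

The `audit` list is what a central console would report on: every key request, allowed or denied, is recorded with the user and the right asked for.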

 

 

Photo credit ThoroughlyReviewed
