DLP needs EDRM to control data-in-use and protect documents everywhere

Data loss prevention (DLP) solutions focus on the movement of sensitive data. They analyze document content and user behavior patterns and can restrict the movement of information based on preset criteria. With the move to remote work, traditional DLP solutions can’t safeguard sensitive data since it’s difficult to monitor all the locations users can send and store documents.

While DLP is good at finding sensitive data in files, it can’t control access to the data inside. Once a user has access, they can copy and paste the data anywhere. If someone shares a sensitive document with a business partner or customer, DLP has no visibility into that document and can’t control access to it.

Enterprise Digital Rights Management (EDRM) focuses on protecting sensitive data in documents. It automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. It provides visibility and control regardless of where the document travels.

Four ways EDRM enhances DLP

 

1. Protects Sensitive Data Wherever It Travels

DLP is a perimeter-based solution that stops the movement of data. By blocking ingress and egress points, you can stop users from copying sensitive documents to a USB drive, a collaboration solution, or the cloud. This presents challenges as security teams try to block all the locations a document can go. With many people working from home and using personal devices (BYOD), this is becoming almost unmanageable.

EDRM takes a file-centric approach to security. It applies encryption, access control, and document usage rights that travel with the file everywhere. Controls are always enforced regardless of location or device. You know your sensitive data is safe even if users access files on new devices or share data with customers, partners, and other third parties.

 

2. Enforces Consistent Controls Across Cloud Environments

You probably have numerous perimeter security solutions across your internal networks, cloud services, and endpoints. This creates inconsistent policies that leave security and privacy gaps. Gartner projects that “through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.”

With EDRM you set safeguards centrally and retain ultimate control over who can access the data and how. Cloud administrators and end-users can’t remove the protections, which remain with the file no matter where the data resides or who accesses it. This simplifies your security controls and eliminates a major reason for a data breach in today’s multi-cloud environment.

3. Controls Data-In-Use to Minimize Risk from Insider Threats

Once a verified user gains access to a file, that sensitive corporate data can go anywhere. Users can copy, cut, and paste sensitive data into new file formats, share it in collaboration applications, and store and print sensitive files on personal devices. Someone may not be malicious but may accidentally share sensitive data. How many times have you accidentally emailed a file to the wrong person?

EDRM can apply a broad range of file permissions to control data-in-use. If a user only needs to read a document, you can prevent them from sharing or printing it. If that user needs to edit the file, you can change permissions and allow them to edit, but restrict copying the data to an email or other insecure location. Controlling what a user can do when a file is open stops data breaches by insiders in today’s world of leavers and joiners.

4. File Visibility Ensures Security

Visibility is lost in today’s hybrid workplace because users can store and access data on just about any device and in any location, many not in your control. Traditional DLP and network tools create a patchwork approach to data visibility with some organizations employing over 40 IT and security tools to trace sensitive data.

Advanced EDRM solutions use a file-centric approach to embed a unique ID in each file. It makes the file self-reporting, logging all access and actions taken on the file. This also applies to copies and derivatives, like PDFs. The file is “never lost” and is constantly monitored, providing essential feedback for adaptive control and access decisions.

 

EDRM Makes DLP Stronger

By adding EDRM, you can protect your sensitive data regardless of its location and control that all-important data-in-use. This is critical to stop both malicious and accidental insider threats. It lets you sleep at night knowing that your sensitive data is protected, controlled, and monitored at all times.

You Need Data-Aware Protection Mechanisms

Data breaches pose one of the greatest threats to business and government.  With the recent data breach at Equifax magnifying the problem of data loss in businesses and the public sector, it’s time for organizations to think hard about using data-aware protection to safeguard sensitive information.

The ever-changing cybersecurity landscape requires organizations to evolve beyond merely protecting the network perimeter and end-points to implementing protections on the data.  When data breaches are successful, the costs can be staggering.  How much will it cost Equifax to offer credit monitoring to millions of people?  What makes these data breaches so disheartening is that many could be avoided or mitigated by modernizing legacy IT systems and protecting information at the data or document level.

While years of investment have helped strengthen network and end-point security, the data continues to leak.  Attacks continue to breach the perimeter and insiders have accidentally or intentionally distributed sensitive information to unauthorized recipients.  Phishing attacks and other social engineering are getting more sophisticated so that traditional perimeter security detection and prevention is becoming ineffective.

Situations like the Equifax data breach point to many organizations not even doing the basics around security.  Default passwords, running old software and not patching systems are some of the most common reasons for data breaches.  Equifax even had references on its website to the Netscape browser which has not been in use in almost 10 years.  Some of this may be that IT departments are overwhelmed with daily tasks or have outsourced portions of their IT and security activities to third parties.  Experian hired a third party to do a risk assessment of their infrastructure following the last breach. It seems the assessment and remediation efforts were not that effective.

Rather than solely focusing on the perimeter, protection mechanisms that are data-aware provide much stronger risk mitigation.  The encryption of digital files using enterprise digital rights management (DRM) is the best way to thwart hackers or insider threats.  Some organizations are also using attribute-based access control (ABAC) to limit access to specific data in databases or other information systems.  Combining audit information from the ABAC system with the DRM-protected document interactions provides insights into who accessed sensitive data, when and from where.  Since data protected by DRM can be dynamically controlled, incident response programs benefit from the ability to completely revoke access to sensitive information, even after it has left the organization.

We have reached a critical point in data security.  We can either take the necessary steps to protect the data or cross our fingers and hope there will not be another major breach.  That’s like hoping it doesn’t rain.  It sounds great, but the reality is the next storm is around the corner.

 

Photo credit Merrill College of Journalism

Healthcare Data Breaches and Flash Drives, Still?

Healthcare data breaches due to misplaced flash drives seem to be a rising trend, as another case was recently reported on August 7, 2015. Lawrence General Hospital in Massachusetts reported that a flash drive was missing. Even though it had very limited patient information, it did include lab testing information such as patient names, lab testing codes and slide identification numbers. Letters were sent to about 2,000 patients, and the flash drive has yet to be located. According to their website, the misplaced flash drive was “unencrypted”.

How many times have we heard this type of data breach occur and appear on our news feed?

In July, OhioHealth reported a similar data breach after discovering that a flash drive had gone missing. Approximately 1,000 patients’ data became vulnerable, and about 30 or so Social Security numbers were compromised. As in the previously mentioned data breach, this flash drive was “unencrypted” as well. In addition, in South Carolina, a safe containing two flash drives and two hard drives containing EMS patients’ Social Security numbers, patient names and addresses and clinical information was stolen, and you guessed it, the flash drives were unencrypted.

It is not enough just to reinforce staff training and education on the “importance” of handling patient information securely; the data itself must be protected persistently no matter where it goes. Given these three incidents, there should now be no doubt that flash drives carrying sensitive information, including PHI (Protected Health Information) and other limited patient information, must be encrypted with data-centric security.

By adding context-aware data protection to your security framework, you can guarantee that only authorized people can access sensitive PHI no matter where it is. By encrypting this data and applying persistent security policies to it, even if the data leaves your network on a flash drive, as in this case, it is still protected and always under the appropriate control.

As breaches of this nature continue to occur, it is important that healthcare providers continue to emphasize not only the importance of keeping health data secure but also that healthcare organizations themselves make sure they have the appropriate data security to protect against external and internal threats on all of their devices, especially on flash drives.

 

Photo credit by: Custom USB

Bigger Problem than Compliance?

The answer? Data Protection! Although compliance has always topped data breach protection, this year, preventing data breaches and protecting intellectual property are all considered more important in driving data protection. However, it is both of these together that make a data breach protection solution so robust.

Meeting and demonstrating compliance is the start to a more secure organization. Last year in particular, the spike in data breaches caused by the theft or loss of sensitive information pushed the government to pursue numerous legislative requirements and standards-based protocols from NIST (National Institute of Standards and Technology).

Federal government agencies are required to follow endpoint security obligations and protocols, and this applies even more to national security agencies that communicate classified information.

The security challenge for organizations can be seen in two ways: threats can come externally or internally from within the organization. Data leaks and network instability can have disastrous consequences, regardless of their source. As a result, security can be implemented to block entry of unauthorized users and prohibit the exit of confidential data, among other things. However, the more important and sure way of protecting your data is to protect the data itself.

Whether we are dealing with insider threats or external hackers, encrypting the data itself must be a standard and a mandate, so that even if they steal the files that contain the data, unauthorized users cannot use it.

Fasoo Enterprise DRM (Digital Rights Management) is a file-based security solution that prevents the exposure of sensitive and confidential files by trusted insiders, business partners, customers and unauthorized people. This solution also protects, controls, and traces sensitive files containing intellectual property, trade secrets, PII, and more. It maintains file protection and prevents unintended information disclosure no matter where it is.

Remember, although compliance is the start to having a secure organization, data protection is needed to provide robust protection against data being exposed.

Photo Credit: Tom Woodward

Are these Proposed Privacy Laws Enough?

President Obama announced that he would propose laws aimed at protecting data after a horrendous year in cybersecurity and data protection. Although not all the facts are there yet, three new laws are being proposed. These laws will be addressed later this month at the president’s State of the Union. Already, information security experts are praising the attention President Obama is bringing to security issues with these proposals.

Among the proposals, the Personal Data Notification and Protection Act would require companies to notify customers within 30 days from the discovery of a data breach that their information had been compromised. Another proposal brings back an upgraded version of the “Consumer Privacy Bill of Rights”, which gives internet users the right to control what data is collected and how their data is shared. The last proposed law is the Student Data Privacy Act, which will prohibit tech companies from profiting from data collected on students in schools.

Although those of us in the information security industry know this is going in the right direction, based on the information provided, this is not enough protection. From some believing that 30 days is too long, to not enough security being announced in these proposals, all feel that this is falling short of where it needs to be. Many are hoping that Congress will create standards that companies will have to meet in order to collect personal information from consumers.

One state to really note is New Jersey, which announced that it will require by law that patient health data be encrypted. Therefore, even if the data is stolen, it will be encrypted no matter where it is. The bill states, “A health insurance carrier shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

Solutions such as digital rights management provide file-based security to prevent the exposure of sensitive, confidential and personal information against internal and external threats, as the data itself is protected throughout its whole life. The level of security required for this information should also be set by the government, as this will play a big role in securing personal data regardless of whether it is stolen.

All of us know that these laws will face very little to no opposition because of the horrible year we just had in terms of data breaches. Isn’t it time to get prepared ahead of time and protect your data now?

 

Photo Credit: Alan Cleaver
