Tag: DLP

DLP needs EDRM to control data-in-use and protect documents everywhere

Data loss prevention (DLP) solutions focus on the movement of sensitive data. They analyze document content and user behavior patterns and can restrict the movement of information based on preset criteria. With the move to remote work, traditional DLP solutions can’t safeguard sensitive data since it’s difficult to monitor all the locations users can send and store documents.

While DLP is good at finding sensitive data in files, it can’t control access to the data inside. Once a user has access, they can copy and paste the data anywhere. If someone shares a sensitive document with a business partner or customer, DLP has no visibility to that document and can’t control access to it.

Enterprise Digital Rights Management (EDRM) focuses on protecting sensitive data in documents. It automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. It provides visibility and control regardless of where the document travels.

Four ways EDRM enhances DLP

1. Protects Sensitive Data Wherever It Travels

DLP is a perimeter-based solution that stops the movement of data. By blocking ingress and egress points, you can stop users from copying sensitive documents to a USB drive, a collaboration solution, or the cloud. This presents challenges as security teams try to block all the locations a document can go. With many people working from home and using personal devices (BYOD), this is becoming almost unmanageable.

EDRM takes a file-centric approach to security. It applies encryption, access control, and document usage rights that travel with the file everywhere. Controls are always enforced regardless of location or device. You know your sensitive data is safe even if users access files on new devices or share data with customers, partners, and other third parties.

2. Enforces Consistent Controls Across Cloud Environments

You probably have numerous perimeter security solutions across your internal networks, cloud services, and endpoints. This creates inconsistent policies that leave security and privacy gaps. Gartner projects that “through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.”

With EDRM you set safeguards centrally and retain ultimate control over who can access the data and how. Cloud administrators and end-users can’t remove the protections, which remain with the file no matter where the data resides or who accesses it. This simplifies your security controls and eliminates a major reason for a data breach in today’s multi-cloud environment.

Learn more about how to implement consistent data protection controls in the cloud.

3. Controls Data-In-Use to Minimize Risk from Insider Threats

Once a verified user gains access to a file, that sensitive corporate data can go anywhere. Users can copy, cut, and paste sensitive data into new file formats, share it in collaboration applications, and store and print sensitive files on personal devices. A user who isn’t malicious may still share sensitive data by accident. How many times have you emailed a file to the wrong person?

EDRM can apply a broad range of file permissions to control data-in-use. If a user only needs to read a document, you can prevent them from sharing or printing it. If that user needs to edit the file, you can change the permissions to allow editing but still restrict copying the data into an email or another insecure location. Controlling what a user can do while a file is open stops data breaches by insiders in today’s world of leavers and joiners.

Learn more about how to minimize insider threats.

4. File Visibility Ensures Security

Visibility is lost in today’s hybrid workplace because users can store and access data on just about any device and in any location, many not in your control. Traditional DLP and network tools create a patchwork approach to data visibility with some organizations employing over 40 IT and security tools to trace sensitive data.

Advanced EDRM solutions use a file-centric approach that embeds a unique ID in each file. This makes the file self-reporting: every access and every action taken on the file is logged. The same applies to copies and derivatives, such as PDFs. The file is “never lost” and is constantly monitored, providing essential feedback for adaptive control and access decisions.

EDRM Makes DLP Stronger

By adding EDRM, you can protect your sensitive data regardless of its location and control that all-important data in use. This is critical to stop both malicious and accidental insider threats. It lets you sleep at night knowing that your sensitive data is protected, controlled, and monitored at all times.

RELATED READING
Learn more about EDRM.
Learn more about how to improve traditional DLP systems.

EDRM deployments on the rise

A resurgence of interest in Enterprise Digital Rights Management (EDRM) is trending as cloud, mobile, work-from-home (WFH), personal devices (BYOD) and collaboration platforms create new coverage gaps in traditional data protection approaches.

Gartner reports that EDRM technology, a core solution of Fasoo’s Zero Trust Data Security Platform, entered the “Plateau of Productivity” stage across three of its Hype Cycle Reports. In this Hype Cycle stage:

“the innovation has demonstrated real-world productivity and benefits, and more organizations feel comfortable with the greatly reduced level of risk.”

Quick Glance Back

Many security veterans recall that EDRM was one of the first data-centric tools to run the gauntlet of operational deployments. IT professionals familiar with network tools were unprepared for the more involved engagement required with business units and end users to protect sensitive data.

EDRM was too often deployed in a decentralized manner, forcing users to decide how to implement its wide-ranging capabilities. Improper policy decisions set restrictive enforcement measures that overwhelmed business processes and had a negative impact on worker productivity.

Today, most organizations have a better understanding of the unique challenges to secure and control sensitive data and overcome these earlier missteps. EDRM uses centralized policies, implements capabilities without user interaction, enforces adaptive security, and does not interrupt workflows.

Moving Forward

The ease of EDRM deployments isn’t the only reason for its resurgence. Industry experts also note:

1. EDRM closes DLP coverage gaps triggered by the hybrid workplace

2. EDRM capabilities are essential to Zero Trust Data Security

EDRM and DLP

The Gartner Hype Cycle for Cloud Security findings are a good example of where DLP falls short in today’s hybrid and multi-cloud environments. DLP can’t enforce rules at all the locations where data may travel, many of them outside enterprise control, such as WFH or files shared with supply chain partners. And here’s another wake-up call from the Gartner report:

“Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.”

With EDRM, you are in control of your data no matter where it travels or who accesses it. That’s because EDRM safeguards – encryption, user access, and data-in-use controls – travel with the file itself. Safeguards are persistently enforced no matter the location. This eliminates misconfiguration and end-user mistakes.

Learn more about “Why DLP Needs EDRM”

EDRM and Zero Trust

Zero Trust is all about explicit risk assessments. It’s an approach that requires thorough verification of all users, data, and devices, and allows only minimal privileges.

Analysts and many organizations recognize that EDRM is now foundational to Zero Trust Data Security. Its core functionality enables the assignment of minimal privileges to sensitive data and the ability to dynamically grant increasing levels of explicit access. It encrypts, restricts user access, controls the use of data, monitors data, and employs adaptive measures based on context-aware user and device behavior.

Learn more about “How EDRM and Fasoo Enable Zero Trust Data Security”

A New Perspective on EDRM

EDRM has come a long way since those first projects, and you can feel comfortable deploying this robust technology to protect and control your sensitive data. EDRM also sets you on a path to fortify your existing DLP infrastructure and move to a true Zero Trust Data Security capability.

Fasoo, an EDRM pioneer for the past 20 years with over 2,000 customers and millions of users, has been at the forefront of simplifying EDRM deployments and operational demands. Today, these EDRM capabilities are one of many data-centric tools consolidated into Fasoo’s industry-leading Zero Trust Data Security Platform. This purpose-built, highly automated, centrally managed, data-centric platform lets organizations secure their data better and more easily.

Learn more about “Fasoo’s Data Security Platform”

Three ways to update your DLP to Zero Trust standards with Fasoo

Organizations are working to bring existing security capabilities up to date with Zero Trust standards. An organization’s path to Zero Trust Data Security often starts with an existing DLP solution set.

Zero Trust is all about explicit risk assessments, monitoring, and control. It extends beyond managing access to data to controlling how the data is used, and it relies on continuous monitoring to make dynamic, explicit decisions each time a user accesses sensitive files.

Traditional DLP falls short of these standards.

Here are three essential capabilities to bring your existing data security up to Zero Trust standards.

1. Centrally Apply File Encryption

DLP solutions monitor data – Allow/Block – but the sensitive data itself is left unprotected.

Zero Trust principles dictate stronger measures like file encryption. This eliminates implicit access to files and sets a clear reference point to make Zero Trust explicit access decisions.

Zero Trust Data Security also cares about “who” encrypts the file. Many solutions rely on the user to encrypt sensitive files and in some cases, a user sets a password. This can lead to errors in protecting data and requires the encryptor – your employees – to grant access to your own critical data.

A centralized policy platform is foundational to Zero Trust Data Security. With centrally enforced policies, a file with sensitive data can be automatically encrypted when created or modified, all transparent to the user. It lifts the burden from the user, eliminates errors, and keeps workflows moving.

This also gives you control over the encryption keys – not the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more proscriptive regarding data residency and access rights.

File encryption that is applied centrally, consistently, and proactively is a big step toward achieving Zero Trust Data Security.

2. Control Data-In-Use

Insider threats expose a major gap in DLP solutions. They are the poster-child example of the implicit trust that Zero Trust looks to eliminate.

With DLP, once a verified user gains access to the file, it’s a free pass to use corporate sensitive data. Users can copy, cut, and paste sensitive data into new file formats; share the data across multiple collaboration applications; and store and print sensitive files on personal (BYOD) devices.

DLP’s binary actions, full access or no access, are no longer enough. Zero Trust principles are based on a continuous, explicit risk assessment that takes a least-privilege approach to access and use, considering both the sensitivity of the data and the context in which it is being used.

Zero Trust Data Security requires a broader range of file permissions to control data-in-use. For example, a user who only needs to read a document should be prevented from extracting or sharing its data. Allowing a user to edit a file while restricting copy or print is another example of granular document control. Disabling screen sharing while sensitive data is displayed and watermarking printed output are further capabilities a Zero Trust world requires.

Upgrading DLP with granular document rights controls provides the data-in-use options that enable Zero Trust Data Security.

3. Monitoring Depends on Visibility

The ability to continuously monitor data activity, so that you can make an explicit decision each time someone tries to access a sensitive file, is central to a Zero Trust approach. How data is used, how it moves, and what users do with it are essential inputs to an explicit model.

However, traditional DLP and network tools create a patchwork approach to data visibility, with some organizations employing over 40 IT and security tools to trace data. Visibility is also thwarted in today’s hybrid workplace by cloud and work-from-home environments, where data can be stored in unauthorized locations and on unauthorized devices.

To move toward Zero Trust Data Security, you should upgrade your DLP solutions with a file-centric approach, making the file itself the source of reporting. A unique ID embedded in each file lets every access be logged (by network, application, and individual), together with what was done with the file and other context-aware information such as device and geographic location.

Implement a file-centric approach to achieve the visibility necessary to enable Zero Trust Data Security.
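The three capabilities above (centrally applied encryption with centrally held keys, granular data-in-use rights, and a file that reports its own access under an embedded ID), and the same points made in the “Four ways EDRM enhances DLP” post earlier on this page, fit together in one small model. The Go program below is an added example written for this page; it is not Fasoo’s code and does not describe how any Fasoo product stores files. It assumes a JSON header format, a rights vocabulary of “read”, “edit” and “print”, and an in-process policy server holding the key-encryption key (KEK), all of which are constructed for the example. The policy header travels with the file as AES-GCM associated data, so a cloud administrator or end-user who edits it to grant themselves a right ends up with a file that no longer decrypts, and every attempt is recorded against the file’s ID whether it succeeds or not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Policy is the usage-rights header that travels with the file. It stays in the
// clear so a client can show what the user may do, but it is bound to the
// ciphertext as AES-GCM associated data, so any edit to it breaks decryption.
type Policy struct {
	FileID string                     `json:"file_id"` // unique ID embedded in the file (constructed format)
	KeyID  string                     `json:"key_id"`  // names the central key-encryption key (KEK) used
	Rights map[string]map[string]bool `json:"rights"`  // user -> action ("read", "edit", "print") -> allowed
}

// ProtectedFile is the on-disk form: clear header, wrapped per-file key, sealed body.
type ProtectedFile struct {
	Header     []byte // JSON-encoded Policy, used as AAD for both seals below
	WrappedKey []byte // content key sealed under the central KEK (nonce || ciphertext)
	Body       []byte // content sealed under the content key (nonce || ciphertext)
}

// AccessEvent is one line of the file's self-reported audit trail.
type AccessEvent struct{ FileID, User, Action, Result string }

// random returns n bytes from the OS CSPRNG; a failure here is not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds an AES-GCM AEAD; a bad key length is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce || AES-GCM ciphertext, authenticating aad alongside it.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := random(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...)
}

// unseal reverses seal; it fails if key, data or aad differ from sealing time.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Protect is what a central policy server does when a sensitive file is created
// or modified: mint a per-file content key, wrap it under the KEK only the server
// holds, and bind the policy header to both. The user never picks a password.
func Protect(kek []byte, pol Policy, content []byte) (*ProtectedFile, error) {
	header, err := json.Marshal(pol)
	if err != nil {
		return nil, err
	}
	contentKey := random(32) // fresh AES-256 key per file
	return &ProtectedFile{
		Header:     header,
		WrappedKey: seal(kek, contentKey, header),
		Body:       seal(contentKey, content, header),
	}, nil
}

// Open enforces the policy at the moment of use and records the attempt under the
// file's embedded ID. Rights are checked before any key is unwrapped, so a denied
// action never touches plaintext; a header edited to grant extra rights passes
// the check but then fails GCM authentication because the AAD no longer matches.
func Open(kek []byte, pf *ProtectedFile, user, action string, audit *[]AccessEvent) (plain []byte, err error) {
	ev := AccessEvent{User: user, Action: action, Result: "allowed"}
	defer func() { *audit = append(*audit, ev) }()
	var pol Policy
	parseErr := json.Unmarshal(pf.Header, &pol)
	ev.FileID = pol.FileID
	if parseErr != nil || !pol.Rights[user][action] {
		ev.Result = "denied by policy"
		return nil, fmt.Errorf("%s: %s denied for %s", pol.FileID, action, user)
	}
	contentKey, err := unseal(kek, pf.WrappedKey, pf.Header)
	if err != nil {
		ev.Result = "header failed authentication"
		return nil, fmt.Errorf("%s: %w", pol.FileID, err)
	}
	if plain, err = unseal(contentKey, pf.Body, pf.Header); err != nil {
		ev.Result = "body failed authentication"
	}
	return plain, err
}
```

In a real deployment the KEK never leaves the policy server: the client sends the header and wrapped key, the server evaluates the policy together with context such as device and location, and returns the content key for that session. That server-side step is where the adaptive, context-aware decisions the post describes plug in, and it is why neither a cloud administrator nor a user with a copy of the file can strip its protection.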

 

Update DLP to Zero Trust Data Security

Implementing a Zero Trust approach on top of an existing security model is gradual. The Fasoo Data Security Platform helps you achieve success without ripping out your current DLP infrastructure. This protects your existing investment while giving you true Zero Trust Data Security to meet your governance and regulatory requirements.

Data Loss Prevention, Classification and Persistent Data Security

Technology advancements and the rapid digitization of corporate information have made it easier for modern companies to conduct everyday business transactions. Today, business data is easier to access and share, giving companies the opportunity to reach more customers and conduct business more quickly. At the same time, the unprecedented volume of data being created, accessed, shared and stored, and the variety of its sources, are forcing companies to re-evaluate their cyber-security approach. The collaborative nature of how business is done has extended the corporate perimeter. As a result, companies see an ever-increasing need for visibility into their data, into how users access and use it, and for securing it with encryption.

Users at a typical company today have 10 times the applications they had 10 years ago, and they use multiple devices to create and use data and documents. Data is proliferating: users keep local copies of data held in company repositories, copies of data are everywhere, and users convert files to other formats, share them via file shares and virtual printers, copy them to portable devices, and email them.

Many companies that have turned to Data Loss Prevention (DLP) and encryption technologies in recent years have quickly realized that some things are missing once the implementations and deployments of these technologies are complete. They realize that the DLP solution is missing the mark. They realize they don’t have a handle on where their “unstructured” data is and, worse yet, whether this data contains sensitive information. They realize they need to understand their data: who creates it, who uses it, its correct format, who owns it and who its steward is. They realize that sensitive data must be protected end-to-end through its entire life-cycle, not just at rest and in motion but also in use, to ensure there are no security gaps.

Data classification is a technology many are turning to in the hope of optimizing their DLP investments. It is a very effective complementary technology if it is deployed correctly. However, it quickly becomes a real challenge when too many classifications are put in place. Furthermore, when users are given the ability to decide which classification to apply, the door is opened to the good old “user mistakes”. It is a wiser approach to define data classification at the “administrator” level rather than getting into a mess by giving users this type of control.

Another technology that is popular these days is software that crawls file stores to give companies insight into where their unstructured sensitive data is. When asked, most companies say they know where their sensitive data is, but lately this has been changing, and many companies are admitting that unstructured data and copy data are a big security problem. Sensitive data discovery goes hand in hand with most data projects at companies that are realigning their security posture.

Lastly, most companies implementing data classification will see limited deployments and few tangible benefits without also bringing persistent data-centric security into the picture. Persistent data-centric security protects the data itself from the moment of creation, rather than relying on the security of networks, servers, devices, or applications. With this approach, the access policy for authorized users travels with the data itself regardless of where the data is and what network or device it is on.

By implementing technologies for data discovery, data classification and persistent security, companies are empowered to better protect their data without costly and painful headaches.
