Blog

Tag: DRM

What good is a secure island if you’re left stranded? Former Secure Islands customers want to know, since their data protection software has finally reached end-of-life support after the company was acquired by Microsoft a few years back. The good news: they have more options than they may have thought.

*

As a startup, Secure Islands Technologies Ltd. was a success story. Not so much for some of its early customers, we hear.

Two brothers, Aki and Yuval Eldar, founded Secure Islands in 2006 in Jerusalem. Microsoft acquired the company for $150 million in 2015 and made its technology an essential building block for Microsoft’s Azure Information Protection (AIP, part of the Microsoft Information Protection framework MIP). Six years later, to Secure Islands customers who decided AIP wasn’t for them, it may seem as if they are stuck.

So far, so predictable. As far as startup exits go, you’ve heard the stories. The outcome can be ugly: early customers are left holding the bag, with nowhere to turn. It can also be a blessing in disguise: for example, when IT discovers alternatives that show how far a technology has come elsewhere since its nascent stage.

Such happy endings happen. Take enterprise-level Digital Information Rights Management (DRM), for example. Also referred to as Information Rights Management (IRM) sometimes, it has come a long way since the aughts. This development is good news for organizations looking for AIP alternatives.

No happy endings on security islands

Information protection solutions of the past were difficult to deploy and scale. Workflows slowed down. Productivity suffered. That said, today, we see a different picture. The success of solutions such as Fasoo Enterprise DRM triggered a resurgence of the category, primarily for three reasons: 

  • Mature Enterprise DRM solutions ensure comprehensive data protection that extends far beyond one or two document ecosystems

Fasoo Enterprise DRM, for example, covers more than 230 document formats, including images, CAD files created with forty different applications, and old Microsoft Office documents that even AIP cannot encrypt. This approach extends beyond Microsoft Office or Adobe PDF files and prevents the creation of “security islands” that leave critical documents unprotected.


  • Centralized policy management and control beats having to deputize (and train) your end users as security experts.

AIP uses Secure Islands technology to categorize documents, which can result in certain limitations. Depending on a company’s Microsoft licensing level, users may have to manually label the documents they import or create and decide what protection and permissions to assign.

Other limitations concern larger organizations that deal with high volumes of unstructured data daily, such as financial institutions and globally operating law firms. AIP limits the number of sensitivity labels per organization to 500 for labels that assign encryption specifying the users and permissions.

Another issue in these industries is AIP’s lack of SDKs to facilitate integration with iManage and other Enterprise Content Management (ECM) platforms. In organizations that need to encrypt files across thousands of file-sharing folders and subfolders, this means they would have to apply an AIP label to each manually just for simple encryption.

Fasoo Enterprise DRM represents a different, “file-centric, people-centric” approach that enables organizations to preserve and support proven and efficient workflows. Policies defined by IT automatically determine at the point of creation who can access a protected document and how. Exceptions are handled flexibly and “on the fly”, for example by granting a provisional permission on a temporary basis.

  • Document protection in the cloud requires a mature enterprise DRM solution.

Cloud collaboration plays an important role in selecting an enterprise DRM solution. Companies now looking for alternatives to AIP are clear about this point: they want document protection that travels with the file and doesn’t end at their organization’s IT perimeter.

Their old information protection technology was devised years ago, with no consideration yet for the cloud. One consequence is that it can only protect sensitive documents on a computer or mobile device. Once the file is uploaded to the cloud outside the Microsoft ecosystem, document protection is lost.

In contrast, Fasoo Enterprise DRM ensures that persistent security remains with documents, pictures, audio, video, and 3D CAD drawings regardless of their location, whether in the cloud or on a flash drive. Senders can set a validity period or revoke access immediately, even after distribution. The organization remains in control of sensitive files at rest, in use, and in motion – no matter where they may end up. 

Worried about your document protection getting stuck on a security island? In summary, these three rules will help you not to miss the boat: 

1. Document protection worth its name requires properly protecting all confidential documents that need protecting, not just those preferred by one solution vendor.
2. If “automatic labeling” was the promise, you’ll hate seeing it turn into manual labor over a few hundred or thousand file-sharing folders.
3. No company is a secure island; the cloud is real, and so is the need for document protection in the cloud.

Contact the Fasoo team to find out more!

Graphic: Top 5 Document Protection Blog Posts of 2021

Which blog posts about document security and protection attracted the most visitors to the Fasoo website in 2021?

Let’s face it: the ins and outs of Digital Rights Management (DRM) in the enterprise don’t exactly make for blog topics that get most people’s juices flowing.

The good news is that content that draws on the insights shared by Fasoo’s longtime, recent, and not-yet customers can overcome this hurdle. Readers interested in Enterprise DRM clearly prefer blog posts that answer relevant questions and provide hands-on advice for IT decision-makers and their teams.

Which Fasoo blog posts hit a nerve in 2021? These were the Top 5:

*

# 5: Your questions about Fasoo Enterprise DRM vs. Microsoft AIP, answered

“How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?” In one version or another, this was one of the most frequently asked questions the Fasoo team had to answer in 2021. 

It’s a tricky one. After all, Microsoft AIP was developed primarily with the document ecosystem of Microsoft Office plus a few third-party file formats in mind. Fasoo DRM, on the other hand, provides document protection at scale and for more than 200 file formats in large organizations and along their supply chain.

Image shows a Minivan vs. Ford Super Duty Pickup Truck Tableau

Photo sources: Dreamstime / Ford

So can you compare the two at all? We tried. Let’s just say minivans keep us moving, but for serious business, you may want to consider a  super-duty truck.

It seems like many readers have been looking for answers to EDRM-vs.-AIP-related questions. Did you miss the post?

Check it out here:

FAQ: 5 Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP

# 4: IP theft prevention: a step-by-step guide for the automotive industry

In vehicle and component manufacturing companies, most sensitive information is stored and managed digitally. Examples are:

How can you protect digital assets against intellectual property (IP) theft? Without adequate – data-centric – protection, trade secrets can end up with a competitor or a foreign government in a matter of minutes, even seconds: on a USB device, say, or uploaded to a personal cloud storage account from an unmanaged remote work laptop.

And they do. 2021 was marked by the “Great Reset” in the automotive industry. Employees working from home or leaving for a competitor (or both) posed the biggest threat to their company’s proprietary information. How to prevent intellectual property theft in the automotive sector? Many blog visitors turned to our 10-step guide here:

IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat

# 3: Important enterprise DRM terms, explained

Enterprise-level DRM can be confusing. The – often niche-specific – solutions of the past were expensive, complex to deploy, and difficult to scale. As a result, IT teams weren’t exactly gung-ho about exploring today’s DRM-based information protection.

This has changed. Enterprise DRM solutions have come a long way, which has caused a resurgence of the category and considerable change in perceptions. In 2021, this trend had more IT professionals asking about specifics. 

So we dedicated 2021 to cutting through the fog of related terms and acronyms for this growing audience. A timely decision, judging by our blog traffic numbers. The Enterprise DRM Glossary became the 3rd-most frequented post of 2021:

Enterprise DRM Glossary

# 2: PDF security – an oxymoron?

You would think that 28 years after Adobe first introduced its platform-independent “secure” PDF file format, all related document protection questions should be settled. Far from it, as you may know.

Yet PDF files are making up a large share of unstructured business data. Do you know how well all your sensitive PDFs are protected? If the answer is no, consider yourself in good company.

According to a 2021 report, researchers who analyzed publicly accessible PDF files of 75 government security agencies identified only seven that had removed sensitive information before publishing. Ouch.

This data point doesn’t make you feel better? In that case, the # 2 on our Top-5 list of document protection blog posts provides relief. It gives a hands-on introduction to various approaches to securing PDF documents against unauthorized access, including editing, printing, copying, or screenshots:

Document Protection: How to Secure a PDF

# 1: DRM vs. DLP – a false dichotomy?

And the winner is… Boasting not one, but two industry acronyms in the headline, the chart-topper on this Top 5 list defied headline writing best practices and search engine odds in 2021.

DRM and DLP – Data Loss Protection – both aim to protect sensitive documents against leakage and exfiltration. They are frequently weighed against each other, but that doesn’t explain why this blog post piqued that much curiosity.

Maybe it’s because it fundamentally questioned the traditional “either/or” perspective? If you haven’t read it yet, you can find it here:

Enterprise DRM and DLP: Comparison Made Simple

 

DLP (the traffic cop) vs. DRM (the armored truck)

Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?

For starters, it risks missing one crucial difference between these two approaches to document protection. Unlike DRM, DLP isn’t designed to protect information once it makes it outside an organization’s IT perimeter.

By definition, that’s precisely the scenario DLP purports to prevent in the first place. So this wouldn’t be a problem if DLP worked reliably 100 % of the time. But it doesn’t. Why? 

One answer is that DLP still requires a high degree of human intervention or supervision. This fact doesn’t take away from the advantages of document security automation. I’ll get into the details below. But first, let’s back up a moment and look at the definition of DRM vs. DLP.  

 

What’s the main difference between DRM and DLP?

DRM (a.k.a. IRM, for Information Rights Management) automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. 

DLP analyzes document content and user behavior patterns and can restrict movement of information based on preset criteria.

I’ve written about DRM vs. DLP on this blog before, in 2014. While little has changed about the definitions, cloud services and remote work have become ubiquitous since – and IT perimeters more blurred.

Add to that the dramatic rise of (AWS) data leaks, insider threats (such as IP theft), and double-extortion ransomware attacks. Taken together, these trends explain why the main difference between DRM and DLP has become more pronounced recently.

In a nutshell, it’s the difference between a traffic cop and an armored truck. As for the cop part, I’m not the first to draw this analogy; DLP has been compared to an officer posted at an exit ramp before.

In this analogy, only traffic identified as legitimate is waved through and allowed to leave the main drag (i.e., your network) and race off into uncontrolled territory. A police officer may check a car’s license plates, ask for ID, and scan the vehicle’s interior before giving someone permission to pass through.

Image for DRM / DLP comparison: DLP works like a police checkpoint

Traditional DLP works in a similar way. It scans files, detects data patterns, and automatically enforces appropriate actions using contextual awareness to avoid data loss. However, the similarities don’t end here.

 

DLP’s biggest weakness

DLP also faces three significant challenges similar to those of a roadblock cop:


  • How can you accurately establish which traffic to allow through and handle the task effectively and expediently, before the exit point becomes a bottleneck?
  • What about all the exits not covered? With DLP, those would be USB drives, SaaS file sharing applications, such as Google Drive or Dropbox, or enterprise messaging apps, such as Slack or Microsoft Teams. Think of them as equivalents of the service road turnoff some locals (i.e., insiders) know and use to avoid a roadblock.
  • And, last but not least, what happens with the traffic that should never have made it past the checkpoint, but somehow did so anyway? Most companies need to share sensitive data with external contacts, like vendors or customers. A common occurrence is that a confidential document is mistakenly sent to the “wrong” person in a company whose email domain is safelisted as a recipient.

“Not my problem anymore,” says the (DLP) cop. What’s gone is gone, even if it ends up in the wrong hands. With the first two issues on this shortlist, data loss prevention products have been struggling from the beginning. As for the third item, it exposes DLP’s biggest weakness.

Here’s what I mean: By promoting a solipsistic focus on internal file downloads and sharing, DLP creates a false sense of security. In reality, once sensitive information moves beyond the point of egress, an organization loses all visibility and control over what happens with its sensitive data.

Has DLP been a failure?

I wouldn’t go that far. If that were the case, why did Gartner analysts expect about 90% of organizations to have “at least one form of integrated DLP” in place by this year? That’s an increase from 50% in 2017.

While DLP wasn’t the panacea that marketers made it out to be, it still has its place. In the enterprise, DLP has helped establish a baseline for document protection. One example is tagging documents that contain personally identifiable information (PII) to ensure compliance with GDPR [PDF], the General Data Protection Regulation of the European Union.

DLP deployments require IT and other stakeholders (compliance teams, data owners) to take stock of sensitive information across the board and categorize it. The downside is that it also demands constant tweaking and fine-tuning of filters and policies.

If your business deploys DLP, you learned the hard way that most of this burden falls on IT. DLP filters are notorious for generating “false positives”. They are known to cause workflow breakdowns because of mistakenly flagged files. The DLP filter may, for example, identify a 16-digit internal reference number in a document as a credit card number and prevent the file from getting shared.
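To make the false-positive problem concrete, here is an added example (not Fasoo’s or any DLP vendor’s code) of a toy content filter run over a few constructed document lines: the naive scanner blocks every 16-digit run, while the Luhn-validated and context-aware scanners let the internal reference numbers pass and keep only the line that actually carries a card number.

```python
"""Toy DLP content filter (added example, not any vendor's code) showing why
a bare 16-digit pattern produces the false positives described above.
The sample document lines are constructed for this illustration."""
import re
from typing import Callable, Dict, List

# Candidate: 16 digits, optionally grouped by single spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Whole words a real card number tends to travel with (used by contextual_scan).
CONTEXT = re.compile(r"\b(?:card|visa|mastercard|cvv)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that payment card numbers satisfy. Roughly nine out
    of ten random 16-digit strings fail it, so it removes most reference-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_scan(line: str) -> List[str]:
    """Flag every 16-digit run, the way an over-eager DLP filter might."""
    return [m.group(0) for m in CANDIDATE.finditer(line)]


def luhn_scan(line: str) -> List[str]:
    """Flag only runs that pass Luhn; drops most internal reference numbers."""
    hits = []
    for m in CANDIDATE.finditer(line):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(m.group(0))
    return hits


def contextual_scan(line: str) -> List[str]:
    """Luhn plus a context word: a reference number that happens to pass Luhn
    (about one in ten does) is still let through unless the line talks about cards."""
    if not CONTEXT.search(line):
        return []
    return luhn_scan(line)


# Constructed sample lines: two internal reference numbers and one card-like
# number (the well-known Visa test number, not a real account).
DOC_LINES = [
    "Purchase order ref 1234567890123456 approved by procurement.",
    "Customer card on file: 4111 1111 1111 1111 (exp 12/26).",
    "Internal ticket 9876543210987654 closed without changes.",
]


def scan_document(lines: List[str],
                  scanner: Callable[[str], List[str]]) -> Dict[int, List[str]]:
    """Return {line_index: hits} for the lines the scanner would block."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = scanner(line)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for name, scanner in (("naive", naive_scan), ("luhn", luhn_scan),
                          ("contextual", contextual_scan)):
        blocked = sorted(scan_document(DOC_LINES, scanner))
        print(f"{name:10s} -> blocked lines {blocked}")
```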

In 2021, DLP describes more a mindset than a unified approach or one specific method to stop data leakage or exfiltration. But DLP modules and add-ons have become part of the point solutions mix. They complement particular applications or tools, such as cloud security services or Microsoft AIP.

And like with many point solutions, blind spots and coverage gaps remain* that you can drive a truck through. Which brings us back to the armored truck.

Armored truck for confidential data

If we understand DLP as the cop who creates a bottleneck sorting out which traffic can pass, we can think of enterprise DRM as the equivalent of an armored truck. Tethered to a C3 (command, control, and communication) center, it can only be unlocked by dispatchers at a remote location.

In other words, whatever neighborhood the vehicle ends up in once it’s past the exit point, the load remains secure. The owner maintains control over the cargo and who can access it.

With Fasoo Enterprise DRM, the C3 center would be the Fasoo server. The cargo is your sensitive data locked down with Fasoo encryption. And the dispatcher would be Enterprise DRM’s centrally managed policy settings.

So what happens to DLP in this picture? My main point here is that you don’t have to bother with interrogating file content once it is encrypted by Enterprise DRM. That doesn’t mean your existing DLP deployment becomes irrelevant.

DRM + DLP for the win

Case in point: sensitive emails. DRM doesn’t automatically encrypt any outgoing email, for example. DLP, on the other hand, can flag content inside of emails for extra protection, or to prevent a message from leaving the organization altogether.

Another advantage of DLP is that it helps IT teams gain and maintain a baseline understanding of how sensitive data moves through their network. With adequate calibration, it serves as a low-investment, yet efficient tool for data risk discovery.

From a pure document security perspective, DRM fills in the remaining blanks. It gives us peace of mind that confidentiality and compliance remain ensured for any file that finds its way past the egress point. Or, to put it differently – if you ran a bank, would you feel comfortable having a bicycle courier handle the money transports?

Nope, you’d leave it to the pros with proper equipment.

So, the armored van it is. In summary, deploying an enterprise-scale DRM solution enables your organization to protect its existing DLP investments. It helps you tie up loose ends in a global, multi-cloud, work-from-anywhere IT environment.

By combining both methods, you can play to DLP’s actual strengths. Examples include spotting suspicious activities and patterns that indicate possible insider threats, or flagging files – including emails – for DRM protection before they can leave the organization.

That way, you don’t have to rely exclusively on the overwhelmed cop at the exit ramp anymore.

Would you like to learn more about how Fasoo Enterprise DRM and DLP work together for maximum protection of unstructured data? Connect with our experts!

###

*For a comprehensive overview, I recommend the post Insider Threat Management: Part 1 – 7 Reasons Not to Settle for DLP on the blog of cybersecurity company Proofpoint.


Image shows business team watching comparison chart presentation

How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?

The first solution is a digital rights management platform to protect documents at scale in large organizations and along their supply chain.

The latter was developed primarily to protect the document ecosystem of MS Office plus a few third-party file formats.

 

Can you compare them at all?  It’s a common question we get, so let’s try.

*

“We’re looking at our options for securing documents across the whole organization, including our worldwide subsidiaries and supply chain. What advantages would we have from choosing Fasoo Enterprise DRM over Azure Information Protection (AIP) by Microsoft?”

I have to admit, each time we receive an email like that, we cringe a little. It’s a bit like asking us to compare a Ford F-series pickup truck (America’s most popular car in 2020) and a Chrysler minivan (the best-selling minivan during the same year), on the grounds that they both have four wheels and can take a load.

We welcome such questions, though, because they give us an excellent opportunity to clear up some confusion. Read on for a few of our answers.

 

MS AIP vs. Fasoo comparison: Frequently Asked Questions (FAQ)  

Image shows a Minivan vs. Ford Super Duty Pickup Truck Tableau

 

Minivans keep us moving, but heavy-duty tasks require different means.
Photo sources: Dreamstime / Ford   

The confusion is understandable. The early and often niche-focused enterprise-level DRM solutions of the past were considered expensive, complex to deploy, and difficult to scale. As a result, many IT teams today still lack hands-on experience with modern DRM-based information protection capabilities at scale.

Fast-forward to 2021: Enterprise DRM solutions have matured significantly over the past decade. This has caused a considerable change in perceptions and is credited with the recent resurgence of enterprise DRM. 

Combined with the shift towards a data-centric information security approach, this development now has more information security leaders asking about the specific strengths of enterprise DRM. Here are five frequently asked questions involving Fasoo EDRM and AIP:

 

1. How many file formats does Fasoo support compared to AIP?

Microsoft file protection supports approximately 20 file types. AIP modifies file extensions for non-Office file types (txt to ptxt, jpeg to pjpeg, bmp to pbmp). This can cause issues with third-party applications and firewalls.

Fasoo supports more than 230 file formats, including a broad range of PDF files, plus any less common file format based on a niche application that a customer might use. All formats Fasoo supports can be opened in their native application. It does not modify file extensions, which means applications that rely on native file extensions for scanning or other purposes keep working. 

 

2. How does Fasoo EDRM protect CAD files in comparison to AIP?

AIP does not support protection of CAD files while in use. Fasoo protects CAD files while at rest, in transit, and in use. By integrating directly with over forty different CAD applications, Fasoo EDRM allows users to interact with CAD files as they normally do while maintaining strong protection of the data.

 

3. How strong is Fasoo’s encryption compared to MS AIP?

AIP is limited to AES 128-bit encryption for Office files because Office 2010 cannot support AES 256-bit encryption. Other file types use 256-bit. Microsoft does not support encryption for Office 2007. It recommends upgrading to Office 2016 for ease of deployment and management.

Fasoo uses multi-layered encryption for all file types, including AES 256-bit encryption for all file payloads. This is important for compliance with certain regulations. Fasoo supports Microsoft Office 2007, 2010, 2013, 2016, 2019, and 365.

 

4. How do the document tracking and monitoring capabilities of Fasoo compare with those of MS AIP?

AIP currently has no centralized report portal for usage, adoption, or document activities. It also doesn’t provide a method for tracking AIP user licenses. Microsoft recommends editing the registry to remove access to functions from specific users designated as “consumers only” of AIP-protected files.

Fasoo provides centralized reporting on all document and user activities in a web-based console. Thresholds can alert administrators to anomalous and potentially suspicious activity. Fasoo EDRM also tracks all licensed users in a web-based, centralized console. 

 

5. How are Fasoo’s policy and exception management different from AIP’s?

This question comes up frequently because Microsoft AIP relies on individual users to make security policy decisions on how to protect documents. This approach requires IT and data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Fasoo can automatically assign file protection without user intervention. It provides centralized policy management and exception handling capabilities. This “file-centric, people-centric” approach allows the organization to determine who can access a protected document, rather than relying on the document creator to make that decision. Users with permissions are empowered to extend access rights and permissions to other users as needed.

*

Will it fit and grow with your mission?

In summary, most inquiries we get about Microsoft AIP vs. Fasoo boil down to a single general question: How does a dedicated solution for securing documents in large organizations stack up against an assemblage of document protection components designed with a focus on MS Office applications and file formats?

My answer, in a nutshell: It’s difficult to compare a Ford F-450 Super Duty truck and a Chrysler Pacifica minivan. To stay with the analogy for a moment, deciding between work truck and family van becomes much easier when we ask this question:

Will it fit the mission? 

###

Do you have questions about any of the items above or related topics?
Contact the Fasoo team here.

 

Photo: Federal Courthouse in Portland, OR

Global manufacturers in innovation-driven industries are ramping up their document protection against intellectual property theft.

Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.

But first, a quick look at the court dockets. Did you hear about that lawsuit filed by Intel in February against a former employee who joined Microsoft?

Talk about an IP theft textbook case. Intel accuses [PDF] a former product marketing engineer of exfiltrating “highly confidential, proprietary, and trade secret information” on his way out the door – to Microsoft.

So far, so common. That’s true even in the most security-conscious companies, as this most recent example shows. It highlights how a combination of three factors poses mounting risks to the IP of many tech and manufacturing companies: 

  • blurred IT and security perimeters with a plethora of unmanaged (storage) devices,
  • increasing competition, coopetition, and fluctuation of engineers and other key personnel with access to trade secrets between competitors,
  • the inability to centrally monitor, control, and police how employees access sensitive documents, especially when they leave the company.

It’s at that point where the IP protection capability mentioned in the title of this post can make all the difference; we’ll get to that in a minute. But first, let’s look at what allegedly happened when the Intel engineer left the company after ten years in January 2020.

What did he allegedly do, and how? The company alleges that on his last day on the job, the employee downloaded roughly 3,900 files from a company computer “to a personal Seagate FreeAgent GoFlex USB drive.”

Bar chart image with IT Security Alert Fatigue research results
Insider threats: How can almost 4,000 sensitive files get downloaded from a company-issued computer to an unmanaged device without anyone noticing? One possible – and common – explanation is alert fatigue. Data Source: Cloud Security Alliance

 

3,900 confidential files walk out the door at Intel

Hm, what? And he walked out the door with it where, and why? Fast forward to February 2021:

In the federal court filing [PDF], the plaintiff claims that the defendant – now Principal of Strategic Planning in Microsoft’s Cloud and Artificial Intelligence department – “used the confidential information and trade secrets he misappropriated […] in head-to-head negotiations with Intel concerning customized product design and pricing for significant volumes of Xeon processors.”

Ouch. Yes, these are only allegations so far. They yet have to be proven in court. 

But however the jury finds in the end, the court filing is remarkable for what it reveals between the lines. Intel’s lawyers credit Microsoft and its forensic investigators for helping to unearth the “full breadth” of the alleged deeds.

Which gets us to the main point of this post: 

 

Was this IP protection failure preventable?

Granted, hindsight is 20/20. Yet from an IP protection perspective,  one could argue that all of this would have been entirely preventable. 

How do we know, you ask? Coming right up, it’s all laid out right there in the court filing. Intel, if we believe the lawyers, had insufficient visibility into and no control over an (ex-) employee’s access and use of sensitive proprietary files. And indirectly, the company admits as much. 

For example, the lawsuit alleges that once at Microsoft, the former Intel employee “accessed, viewed, opened or otherwise interacted with more than one-hundred documents taken from Intel […] at least 114 times” from his company-issued Microsoft Surface laptop.

Mind you, Microsoft’s helpful forensic investigators unearthed these (incomplete) insights only after the fact, according to Intel’s grateful lawyers.

Had the individual files been encrypted and their use governed by centralized policy management from the get-go, the engineer’s access would have ended with his tenure at Intel.

 

The case for DRM with centralized policy management

Cases like this should not come as a surprise. We’ve seen a rising wave of similar insider-related incidents over the past three years. The tech and mobility industries are bearing the brunt of the attacks.

The threat has caused more IT leaders to deploy enterprise DRM (also known as Information Rights Management, IRM). This file-centric, people-centric, and platform-agnostic approach enables organizations to protect unstructured data at rest, in transit, and in use.

Think MS Office documents, PDF files, images, or CAD designs, for instance. They are encrypted at the point of creation. The protection applies wherever a file is stored or moves to, inside or outside the organization’s perimeter.

File use can be monitored, access policies and permission levels centrally managed by IT, risk officers, and HR, and flexibly adjusted on a granular level by the data owner.

Let’s take a product design file protected by Fasoo Enterprise DRM, for example. It will check back in the background with a central Fasoo server when someone tries to access it. Does this user still have the proper authorization to open, copy, download, or print the document?

If not, it doesn’t matter if a former employee took it home on a portable hard drive or USB stick – IP protection is ensured. The document is worthless for whatever that person wants to do with it, locked with FIPS 140-2 level encryption that meets the requirements of the Cryptographic Module Validation Program (CMVP) of the US government. 
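The check-back-on-open behaviour just described, as an added example that is not Fasoo’s code: a toy policy server that a protected file consults on every use, keeping an audit trail of each decision. It also covers the validity period and the provisional, time-limited permission mentioned earlier on this page. The user names, document id and API are constructed for illustration, and the key release is modelled as a yes/no decision rather than real cryptography.

```python
"""Toy model (added example, not Fasoo's code) of a protected file that asks a
central policy server before every use. Names, ids and the API are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

Decision = Tuple[bool, str]


@dataclass
class Grant:
    permissions: Set[str]                  # e.g. {"open", "print"}
    expires_at: Optional[datetime] = None  # validity period; None = open-ended


@dataclass
class PolicyServer:
    """Stands in for the central server: who is still employed, which grants
    exist, and an audit trail of every access decision."""
    active_users: Set[str] = field(default_factory=set)
    grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    audit_log: List[Tuple[datetime, str, str, str, bool, str]] = field(default_factory=list)

    def grant(self, user: str, doc_id: str, perms: Set[str],
              valid_for: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> None:
        """Open-ended grant, or a provisional one that lapses after valid_for."""
        expires = None
        if valid_for is not None:
            if now is None:
                raise ValueError("now is required for a time-limited grant")
            expires = now + valid_for
        self.grants[(user, doc_id)] = Grant(set(perms), expires)

    def revoke(self, user: str, doc_id: str) -> None:
        """Immediate revocation, even after the file has been distributed."""
        self.grants.pop((user, doc_id), None)

    def terminate(self, user: str) -> None:
        """HR/IT flip the switch: every grant of this user stops working."""
        self.active_users.discard(user)

    def authorize(self, user: str, doc_id: str, action: str, now: datetime) -> Decision:
        ok, reason = self._decide(user, doc_id, action, now)
        self.audit_log.append((now, user, doc_id, action, ok, reason))
        return ok, reason

    def _decide(self, user: str, doc_id: str, action: str, now: datetime) -> Decision:
        if user not in self.active_users:
            return False, "user not active"
        g = self.grants.get((user, doc_id))
        if g is None:
            return False, "no grant"
        if g.expires_at is not None and now >= g.expires_at:
            return False, "grant expired"
        if action not in g.permissions:
            return False, f"{action} not permitted"
        return True, "allowed"


class ProtectedFile:
    """The encrypted payload stays wrapped wherever the file travels; the key is
    released only when the server answers yes (modelled as the boolean)."""
    def __init__(self, doc_id: str, server: PolicyServer):
        self.doc_id, self.server = doc_id, server

    def use(self, user: str, action: str, now: datetime) -> Decision:
        return self.server.authorize(user, self.doc_id, action, now)


def demo_scenario() -> Tuple[List[Tuple[str, bool, str]], PolicyServer]:
    """Engineer with a permanent grant, contractor with a 2-hour provisional
    grant, then the engineer's last day. The copy on the USB stick is the same
    file, so it is refused once the account is no longer active."""
    t0 = datetime(2020, 1, 10, 9, 0, tzinfo=timezone.utc)
    srv = PolicyServer(active_users={"alice", "bob"})
    design = ProtectedFile("cad-design-0042", srv)
    srv.grant("alice", design.doc_id, {"open", "print"})
    srv.grant("bob", design.doc_id, {"open"}, valid_for=timedelta(hours=2), now=t0)
    steps = [
        ("alice opens at work", *design.use("alice", "open", t0)),
        ("alice tries to copy", *design.use("alice", "copy", t0)),
        ("bob uses provisional grant", *design.use("bob", "open", t0 + timedelta(hours=1))),
        ("bob after validity period", *design.use("bob", "open", t0 + timedelta(hours=3))),
    ]
    srv.terminate("alice")  # last day at work
    steps.append(("alice opens USB copy at home",
                  *design.use("alice", "open", t0 + timedelta(days=1))))
    return steps, srv


if __name__ == "__main__":
    for step, ok, reason in demo_scenario()[0]:
        print(f"{step:30s} {'ALLOW' if ok else 'DENY':5s} {reason}")
```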

 

Nothing to see here after HR and IT flip the switch

In summary, file-centric document protection makes IP “misappropriation,” as alleged in the case brought by Intel, impossible.

Overview image: File-centric encryption and control with Fasoo Enterprise DRM

Centralized yet flexible and painless policy and exception management are among the top priorities for document protection program leaders when choosing an enterprise DRM solution, they tell us. Fasoo Enterprise DRM empowers IT, in coordination with HR, to set and change document use policies in sync with users’ employment lifecycle, from onboarding to the last day at work.

One global technology manufacturer that is leveraging enterprise DRM to protect its IP is Fasoo customer ZF Group. This automotive industry supplier with 240 locations in 41 countries now deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, across its global tech centers.

“Before, we had a few incidents where engineers with years of insider knowledge and access to documents left and joined a competitor,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division in Livonia, Michigan.

“As a company, you spend years training engineers in the ways you do things, and they get access to your most intimate know-how and process knowledge,” he explained. “You cannot just block them; they need it. But you also need to be able to quickly adjust access privileges on a granular level, without delay.”

“It’s a fine line to walk,” Markus told us. “You have to find the right balance between maximum IP protection on one side, and productivity on the other. Fasoo helps us maintain this balance.”

*

To learn more about how to prevent intellectual property theft and leakage in manufacturing and supply chain environments while maintaining a competitive edge, watch our Fireside Chat at Apex Assembly Tech Leaders Northeast Summit on March 30th, 2021 with GE Gas Power cybersecurity researchers Hillary Fehr and Christopher Babie.

Protect data on laptops from terminated employees

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word).  Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them?  It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on.  These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!

 

Photo credit Ian Sane

 

You Need Data-Aware Protection Mechanisms

Data breaches pose one of the greatest threats to business and government.  With the recent data breach at Equifax magnifying the problem of data loss in businesses and the public sector, it’s time for organizations to think hard about using data-aware protection to safeguard sensitive information.

The ever-changing cybersecurity landscape requires organizations to evolve beyond merely protecting the network perimeter and end-points to implementing protections on the data.  When data breaches are successful, the costs can be staggering.  How much will it cost Equifax to offer credit monitoring to millions of people?  What makes these data breaches so disheartening is that many could be avoided or mitigated by modernizing legacy IT systems and protecting information at the data or document level.

While years of investment have helped strengthen network and end-point security, the data continues to leak.  Attacks continue to breach the perimeter and insiders have accidentally or intentionally distributed sensitive information to unauthorized recipients.  Phishing attacks and other social engineering are getting more sophisticated so that traditional perimeter security detection and prevention is becoming ineffective.

Situations like the Equifax data breach point to many organizations not even doing the basics around security.  Default passwords, running old software and not patching systems are some of the most common reasons for data breaches.  Equifax even had references on its website to the Netscape browser which has not been in use in almost 10 years.  Some of this may be that IT departments are overwhelmed with daily tasks or have outsourced portions of their IT and security activities to third parties.  Experian hired a third party to do a risk assessment of their infrastructure following the last breach. It seems the assessment and remediation efforts were not that effective.

Rather than solely focusing on the perimeter, protection mechanisms that are data-aware provide much stronger risk mitigation.  Encrypting digital files with enterprise digital rights management (DRM) is among the most effective ways to thwart hackers and insider threats.  Some organizations also use attribute-based access control (ABAC) to limit access to specific data in databases or other information systems.  Combining audit information from the ABAC system with the DRM-protected document interactions provides insight into who accessed sensitive data, when and from where.  Since data protected by DRM can be dynamically controlled, incident response programs benefit from the ability to completely revoke access to sensitive information, even after it has left the organization.
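The correlation the paragraph describes, as an added example that is not from the page or any vendor: an ABAC decision log and a DRM document-access log are parsed, joined per user and dataset, and turned into a who/what/when/where timeline, a finding list, and the revocation list an incident responder would want. Both log formats, the corporate address ranges and every record below are constructed for the example; nothing here reproduces a real product’s log format.

```python
"""Added example (constructed logs, not a product format): join ABAC decisions
with DRM document events to see who touched sensitive data, when and from where."""
import ipaddress
import re
from datetime import datetime, timedelta

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WINDOW = timedelta(minutes=15)  # how close an ABAC decision must be to count as related

# Constructed sample logs. The ABAC engine decides on datasets in the database;
# the DRM server logs what happened to protected documents exported from them.
ABAC_LOG = """\
2017-09-12T14:02:11Z user=jdoe resource=dataset:customers_pii action=read decision=PERMIT
2017-09-12T14:10:03Z user=mlee resource=dataset:customers_pii action=read decision=DENY
2017-09-12T21:40:50Z user=jdoe resource=dataset:customers_pii action=read decision=PERMIT
"""
DRM_LOG = """\
2017-09-12T14:05:40Z user=jdoe doc=customers_export_q3.xlsx dataset=customers_pii action=open ip=10.20.5.17 result=allow
2017-09-12T14:12:15Z user=mlee doc=customers_export_q3.xlsx dataset=customers_pii action=open ip=10.20.7.9 result=allow
2017-09-12T21:44:02Z user=jdoe doc=customers_export_q3.xlsx dataset=customers_pii action=print ip=203.0.113.44 result=allow
2017-09-12T21:50:30Z user=mlee doc=board_minutes.docx dataset=finance action=open ip=10.20.7.9 result=deny
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> list:
    """One dict per line: the key=value fields plus a parsed 'ts' datetime."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(abac_log: str, drm_log: str) -> list:
    """Return (user, doc, finding, ip) for allowed DRM accesses that deserve a look."""
    abac = parse(abac_log)
    findings = []
    for d in parse(drm_log):
        if d["result"] != "allow":
            continue  # denied attempts are already visible in the DRM log itself
        ip = ipaddress.ip_address(d["ip"])
        if not any(ip in net for net in CORPORATE_NETS):
            findings.append((d["user"], d["doc"], f"off-network {d['action']}", d["ip"]))
        related = [a for a in abac
                   if a["user"] == d["user"]
                   and a["resource"] == "dataset:" + d["dataset"]
                   and abs(a["ts"] - d["ts"]) <= WINDOW]
        if related and all(a["decision"] == "DENY" for a in related):
            # The database said no, but an export of the same data opened fine:
            # the DRM policy lags the ABAC policy and the two need reconciling.
            findings.append((d["user"], d["doc"], "opened despite ABAC deny", d["ip"]))
    return findings


def timeline(user: str, abac_log: str, drm_log: str) -> list:
    """Merged who/what/when/where view for one user, sorted by time."""
    rows = [(a["ts"], "abac", a["resource"], a["decision"], "-")
            for a in parse(abac_log) if a["user"] == user]
    rows += [(d["ts"], "drm", d["doc"], d["action"] + ":" + d["result"], d["ip"])
             for d in parse(drm_log) if d["user"] == user]
    return sorted(rows)


def revocation_list(user: str, drm_log: str) -> set:
    """Incident response: every protected document the user opened, to revoke at once."""
    return {d["doc"] for d in parse(drm_log) if d["user"] == user and d["result"] == "allow"}


if __name__ == "__main__":
    for row in timeline("jdoe", ABAC_LOG, DRM_LOG):
        print(row)
    print(correlate(ABAC_LOG, DRM_LOG))
    print(revocation_list("jdoe", DRM_LOG))
```

Run on the constructed records it produces two findings: mlee opened an export of a dataset the ABAC engine had just denied her, and jdoe printed the same export from an address outside the corporate ranges. Neither is visible from one log alone, which is the point of keeping both and joining them.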

We have reached a critical point in data security.  We can either take the necessary steps to protect the data or cross our fingers and hope there will not be another major breach.  That’s like hoping it doesn’t rain.  It sounds great, but the reality is the next storm is around the corner.

 

Photo credit Merrill College of Journalism

Digital Rights Management Helps the FDIC Proactively Address Cyber Security

The Federal Deposit Insurance Corporation (FDIC) will implement Digital Rights Management (DRM) software to prevent unauthorized redistribution of digital information.  This is in reaction to security incidents where departing employees accidentally took sensitive files on portable media.  According to numerous studies, trusted insiders pose a greater risk to sensitive information than hackers and cybercriminals.

I applaud the FDIC for taking this key initiative to proactively protect and control its most sensitive information.  DRM will help prevent unauthorized access and distribution of sensitive files regardless of location or device.  It can limit a user’s ability to view, edit and print and can even limit the validity time for accessing sensitive information.  This applies to both internal and external users.

As a bit of background, Lawrence Gross, Chief Information Officer and Chief Privacy Officer of the FDIC, recently spoke to a congressional subcommittee on its program to identify, analyze, report, and remediate security incidents.  The criteria used to determine the severity of an incident is based on the risk of harm it poses to individuals or entities supervised by the FDIC.  The agency uses guidelines from the Office of Management and Budget (OMB), which recently changed its definition of what is a major incident.

As a result, the FDIC upgraded the severity of the incidents in which departing employees inadvertently downloaded personally identifiable information (PII) to thumb drives and other portable media.  The CIO’s initial judgment was that these were inadvertent and posed minimal risk.  The new guidelines changed that, hence the reevaluation.

As part of its remediation efforts, the FDIC is conducting an end-to-end assessment of the FDIC IT Security and Privacy Programs in addition to implementing the Digital Rights Management software.  The agency will also eliminate the ability of employees or contractors to download to portable media, but there are cases when certain employees still need to do that as part of their job.  The CIO said the FDIC is working to identify and implement alternative means to securely exchange data with outside organizations, like state banking departments, by the end of 2016.

The CIO is planning to implement technology that also can help securely share information with external organizations.  DRM can protect information shared with third parties and provide the same level of protection the agency needs for its internal employees.  Rather than using two systems, the FDIC should leverage the same system for both purposes.

Implementing DRM also provides a proactive approach to data security, rather than relying on reactive technologies that identify issues after they have happened.  By protecting data as it is created, DRM helps mitigate the risk of data exfiltration, which is becoming more common as both hackers and insider threats target valuable information in government and the private sector.

 

Photo credit Josh Bancroft

Use the Fasoo Data Security Framework to Stop the Data Breaches

There is a lot happening lately in the financial sector to help stem the tide of constant data breaches.  This week a financial industry coalition in the US is promoting a campaign called “Stop The Data Breaches” to encourage people to get their members of congress to pass The Data Security Act of 2015 (H.R. 2205 and S. 961).

The effort is backed by seven trade groups, including the American Bankers Association, the Consumer Bankers Association, the Credit Union National Association and the National Association of Federal Credit Unions (NAFCU).  By running online and print ads, they are trying to get Congress to enact this important legislation that would protect consumer data.

A few weeks ago, on May 12, 2016, the Federal Deposit Insurance Corporation (FDIC) was in front of a Congressional Subcommittee to answer whether Americans can trust the FDIC to protect their private banking information. One of the interesting outcomes was the FDIC announcing a new cyber security initiative after five more breaches. Part of this initiative is the implementation of Digital Rights Management technology to locate, recall and/or render data useless when appropriate. This development should have a major impact on the financial sector, which will follow suit if it has not implemented this type of data-centric and people-centric security approach already.

According to a National Association of Federal Credit Unions (NAFCU) survey, the average cost of a merchant data breach in 2014 was near a quarter of a million dollars, while some breach costs reached tens of millions.  Passing the pending federal legislation will help improve the security posture of financial institutions and any organization that handles personally identifiable and financial information.  It requires any entity that handles sensitive personal and financial data to protect that data. It builds upon existing legislation and replaces the current patchwork of inconsistent state data security and breach notification laws with a clearly defined, uniform set of standards.

Consumer data remains vulnerable. Security should not be an afterthought. Rather than pointing fingers at who is responsible for consumer data security, everyone should protect consumer data. Below is a short list of 3 key steps you may want to use as your Security Blueprint for your data:

•   Find your sensitive data and classify it.

•   Implement usage policies to limit who can access it and what they can do with it.

•   Monitor usage to detect unusual behavior.
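The three steps of the blueprint above, carried through as one added example (illustrative code, not Fasoo’s framework): a scanner finds and classifies documents by the PII they contain, a policy table turns the classification and the user’s role into allowed actions, and a monitor flags a user who opens an unusual number of restricted files in a short window. The regular expressions, the role names, the policy table, the thresholds and the sample documents are all assumptions constructed for the example; the Luhn check is the standard card-number checksum.

```python
"""Added example (not Fasoo code): find and classify, apply a usage policy,
monitor for unusual behaviour. Patterns, roles and sample data are constructed."""
import re
from datetime import datetime, timedelta

# Step 1: find and classify sensitive data.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(candidate: str) -> bool:
    """Standard Luhn checksum, so an order number that merely looks like a PAN is ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return (label, findings) for one document's text."""
    findings = [("ssn", m.group()) for m in SSN.finditer(text)]
    findings += [("card", m.group()) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group())]
    if findings:
        return "restricted", findings
    if re.search(r"\bconfidential\b", text, re.I):
        return "confidential", findings
    return "internal", findings


# Step 2: usage policy keyed by (classification, role) -> allowed actions.
POLICY = {
    ("restricted", "analyst"): {"view"},
    ("restricted", "compliance"): {"view", "print"},
    ("confidential", "analyst"): {"view", "edit"},
    ("confidential", "compliance"): {"view", "edit", "print"},
    ("internal", "analyst"): {"view", "edit", "print", "copy"},
    ("internal", "compliance"): {"view", "edit", "print", "copy"},
}


def allowed(label: str, role: str, action: str) -> bool:
    return action in POLICY.get((label, role), set())  # default deny for unknown pairs


# Step 3: monitor usage and flag bulk access to restricted files.
def bulk_access(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> set:
    """events: iterable of (timestamp, user, label). Returns users who opened at least
    `threshold` restricted files inside any `window`-long span."""
    per_user = {}
    for ts, user, label in events:
        if label == "restricted":
            per_user.setdefault(user, []).append(ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def demo():
    """Classify three constructed documents, evaluate one policy decision, run the monitor."""
    docs = {
        "payroll.txt": "Employee SSN 123-45-6789, card 4111 1111 1111 1111 on file.",
        "orders.txt": "Order 1234 5678 1234 5678 shipped; internal memo.",
        "roadmap.txt": "CONFIDENTIAL product roadmap, do not forward.",
    }
    labels = {name: classify(text)[0] for name, text in docs.items()}
    t0 = datetime(2016, 6, 1, 9, 0)
    events = [(t0 + timedelta(minutes=i), "eve", "restricted") for i in range(6)]   # six in five minutes
    events += [(t0 + timedelta(hours=i), "jdoe", "restricted") for i in range(6)]   # six across a day
    return labels, allowed(labels["payroll.txt"], "analyst", "print"), bulk_access(events)


if __name__ == "__main__":
    print(demo())
```

The order number in orders.txt has the shape of a card number but fails the Luhn check, so the document stays internal; payroll.txt is restricted and an analyst cannot print it; only eve trips the monitor. In practice the labels would be written into the DRM policy that travels with the file, so step 2 is enforced wherever the file goes rather than only at the repository.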

This is a good start to help Stop the Data Breaches.  Call, write, email or text your legislator today to get them to pass The Data Security Act of 2015.

“Clerical Error” in Georgia Results in Data Breach of 6 Million Voters


A class action lawsuit was filed by two Georgia women alleging a massive data breach when Secretary of State Brian Kemp’s office released personally identifiable information (PII) of voters, including Social Security numbers, to the media, political parties and other paying subscribers.

Allegations include that the unauthorized information released in October in the voter lists also contained dates of birth and drivers’ license numbers.   Kemp’s office responded this was due to a clerical error where information was put in the wrong file and sent to 12 recipients on a disk.  It is unclear if it was an internal error or the fault of an outside contractor that caused the private information to be included in the file.


Challenge

Once private and confidential information leaves the protected confines of an information repository, file share or cloud-based service, authorized users can share it with anyone, do anything with it and compromise confidential information. Persistent data-centric security protects confidential data so that private information is protected regardless of where it goes or who has it.


Fasoo Solution

Fasoo Enterprise DRM (EDRM) protects sensitive information through strong encryption and applies persistent security policies that protect it regardless of where it is or its format.  Once the data is protected, you can safely share it through email, USB drive, CD, external portal or any file sharing site.  File access is tracked in real time for precise auditing and access can be revoked instantly.  If unauthorized people are suspected of having access to sensitive information, the person who shared it or an administrator can immediately revoke their access.

That protects against an “oops” moment when a “clerical error” causes a data breach and affects millions of people.  Fasoo EDRM truly protects and controls sensitive information while at rest, in motion and in use.

Advantages

  • Securely share sensitive files internally or externally
  • Revoke access to shared files containing private information immediately regardless of location
  • Control who can View, Edit, Print and take a Screen Capture
  • Limit access time and number of devices
  • Trace and control user and file activities in real-time
  • Apply or modify existing security policies using content aware protection

Massive PHI Breach at Children’s Medical Clinics of East Texas

An employee of the Children’s Medical Clinics with a retaliatory agenda to cause damage to the clinic’s reputation stole and improperly disclosed the confidential data of 16,000 patients. Notification letters were sent to affected people to inform them that an employee took paper records from the facility and sent screenshots of electronic patient records to a former clinic employee. The Office for Civil Rights (OCR) health data breach portal indicates patient names, dates of birth, diagnostic information and treatment information were disclosed.


Challenge

Your employees access sensitive and confidential patient information daily so they can do their jobs. Without persistent data-centric security, they can devise creative ways to defeat traditional perimeter-based security measures: renaming a sensitive file before printing it to avoid detection by security systems, or taking screen captures of sensitive information. If you are in healthcare, you need to keep printed PHI and other sensitive information from easily leaving your premises. PHI leaving your control in that way is a HIPAA violation and can result in massive fines and legal action.


Fasoo Solution

Fasoo can block printing or require approval prior to printing a document if the document contains sensitive information. Each printout can be forced to contain a visible watermark showing who printed it, including company logo, user name, IP address, time, date and other identifying information. This allows you to know the source of a potential data breach and deters people from inappropriate behavior when handling sensitive patient information. This solution works with any physical or virtual printer, eliminating problems caused by different printers or printer drivers. A full audit trail of all print activities, including the text or image of the actual printed content, ensures complete control of your printing environment. In addition, Fasoo can prevent screen captures. These features reduce the risk of exposing patient information.

Advantages

  • Restrict printing documents with PHI or other sensitive information
  • Require authentication prior to retrieving a printout
  • Apply dynamic watermarks to printouts without user intervention
  • Trace and manage printing activities, including the actual content of documents in text or image format
  • Limit printing to virtual printers
  • Control who can View, Edit, Print and take a Screen Capture

Former Morgan Stanley Financial Adviser Guilty In Connection with Data Breach

A former employee of Morgan Stanley pleaded guilty to stealing confidential data from about 730,000 customer accounts. He copied names, addresses, account numbers, investment information and other data to his home computer so he could work on it.

While improperly accessing the information, he was interviewing for a new job with two Morgan Stanley competitors.


Challenge

Your employees access sensitive and confidential customer information so they can do their jobs. Once the data leaves the protected confines of an information repository, file share or cloud-based service, your authorized users can share it with anyone, do anything with it and compromise your customers’ confidential information. You may be subject to fines, not to mention losing customers because they can’t trust you to maintain their confidentiality.

You need to persistently protect confidential data so that customer information is protected regardless of where it goes and who has it.


Fasoo Solution

Fasoo Enterprise DRM protects customer information by encrypting the files and applying persistent security policies to protect them regardless of where they are or their format. Once the data is protected, you can safely share sensitive files through email, USB drive, external portal or any file sharing site. File access is tracked in real time for precise auditing and you can revoke access instantly.

Fasoo Enterprise DRM not only ensures that you meet financial regulations and safeguards customer confidentiality, but truly protects and controls sensitive information while at rest, in motion and in use.

Advantages

  • Encrypt customer information to meet consumer and data protection legislation
  • Securely share files internally or externally
  • Control who can View, Edit, Print and take a Screen Capture
  • Limit access time and number of devices
  • Revoke access to shared files immediately regardless of location
  • Trace and control user and file activities in real-time