The enterprise is moving to the cloud to ease collaboration for partners and employees. The cloud enables work-from-home and hybrid working models and enhances productivity.
But the cloud is vulnerable to human error and misguided settings, putting your data at risk of unauthorized access. According to Gartner, preventable misconfigurations and end-user mistakes cause more than 99% of cloud breaches. Cloud providers offer their own layer of security, but the data itself still needs its own protection.
What’s the risk of storing data in the cloud?
End-users share Dropbox links and credentials from personal smartphones via Wi-Fi hotspots. They email documents to friends and unauthorized third parties. You’d no more send your data out into the world without policies, access controls, and encryption than send a child out into the cold without a coat. But if you leave security to the cloud, who knows where your data ends up.
Amazon S3 buckets include unlimited storage. But weak settings leave default credentials intact, granting limitless access to criminal hackers who automatically search for and exploit bucket links. Once criminal hackers have taken your files, the cloud's defenses no longer travel with them. You need centralized control with enterprise security that wraps your data and sticks with it.
Enterprises work with many cloud providers, passing data from one environment to the next, one job to the next. You may have some visibility when you pass data directly to the cloud. But what happens when that cloud routes your data to other cloud environments for processing? It’s one thing to entrust your child to someone you know; it’s another to let them hand her off to someone they know.
Cloud providers may offer security policies, identity and access controls, and encryption for data in transit and at rest. But those stop short where the cloud ends, leaving your intellectual property (IP) open to theft by criminal hackers and exploitation by unscrupulous competitors.
EDRM maintains data governance policies and controls on your confidential documents whether you move them to Salesforce, Box, Microsoft Azure, or AWS. You can track documents in and beyond the cloud, maintain access controls, and change granular permissions and privileges at any point using centralized policy management.
You don’t have to care what cloud has your data; EDRM keeps it safe when cloud security fails. If the cloud provider has a breach, so what? EDRM maintains the security policies, controls, and enforcements you’ve set in motion, no matter who has your data.
You can ease moving to the cloud by mitigating your risk. The Discovery Classification Tool (DCT) identifies old, redundant, and obsolete data. You can delete obsolete files and duplicates and archive data you must keep, reducing your attack surface, data management requirements, and cloud costs. Then use EDRM to apply policies and encryption to the data you use, and move it to the cloud.
Chat with the Fasoo team and discover how your peers deploy Enterprise DRM in the cloud.
Corporate data is the lifeblood of business, and because of remote work and constant competitive pressures, it is more vulnerable than ever. Protecting that data while still making it available to those who need it is why many organizations are turning to Enterprise Digital Rights Management (EDRM).
Information security, privacy, regulatory compliance, and data governance requirements drive how we manage corporate data. Business requires us to share sensitive information with employees, contractors, business partners, and customers, but we need a way to do it securely without impacting everyone’s productivity.
The realities of today mean that many of us may work from any location at any time, using any device. Outsourced functions range from finance and human resources (HR) to design and manufacturing. If you outsource manufacturing or finance to a third party, how do you define your corporate boundary for data, since your sensitive information is in the hands of a business partner? Add to this the real threat of external hackers and insider threats from employees, contractors, and the third parties you use for key business functions.
How do you protect the most important information in your business?
Here are 5 reasons why you should seriously consider Enterprise DRM as part of your information security, data governance, and compliance strategy.
Protect Your Intellectual Property
Intellectual property (IP) is a critical asset for your business. It lets you create unique products and services that drive revenue. It differentiates you from the competition and keeps your customers coming back. If this information accidentally or deliberately leaks, you can suffer financial loss and possibly go out of business.
EDRM protects your intellectual property from unauthorized access and controls what an authorized user can do with it. You can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information. You can control derivatives of documents, since people share IP in PDF or other common formats with both internal and external recipients. Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network. You can also revoke access or change permissions after you distribute a document if the sensitivity of the information changes or the set of people who should have access to it changes.
Protect Customer Data
Any business that deals with personal information or takes credit cards must protect it from unauthorized access. Regulations such as GDPR, CCPA, HIPAA, PCI DSS, and numerous other laws mandate that third-party data is under strict control and only authorized people can access it. Violations can result in hefty fines and cause major legal and business problems.
EDRM controls how employees, contractors, and business partners use this sensitive information. It can prevent sharing the data with unauthorized users by controlling access, screen captures, and adding visible watermarks to both printed documents and those viewed on a screen or mobile device. Since third-party data typically has a shelf life, you can limit access to a specific time and revoke access to any distributed files immediately, regardless of location.
Protect Your Customer’s Intellectual Property
You may also be a steward of your customer’s intellectual property. Manufacturing and business services organizations commonly have sensitive designs or client data that is worth stealing. An organization’s supply chain can be the weakest link in its security which makes it an easy target for hackers and trusted insiders. Your customers trust you with keeping their intellectual property safe and out of the hands of their competitors.
Enterprise DRM protects your customer’s intellectual property from unauthorized access. You can automatically encrypt and assign access controls to sensitive documents as you save them. If different groups use this information, you can easily limit access based on projects or customers. If an employee working with one customer’s data accidentally shares it with another customer, you are protected since only authorized users can see and use the data. This provides built-in safeguards for those people working on multiple projects.
Protect Employee Privacy
HR, Finance, and other departments hold a lot of sensitive employee data, including social security and insurance numbers, health information, salary data, and the results of drug tests or criminal background checks. Controlling access to it and its distribution is part of the social and legal compact any employee has with her or his employer.
Enterprise digital rights management can limit access to private information by controlling the users and groups that can see it. You can control access dynamically through your identity access management (IAM) system so that as roles change in your company, so do access rights. For information you share with outside service providers, you can provide read-only copies that you can revoke at any time. Only recipients granted access can see the data, so your employees and outside providers can’t share the data with unauthorized users.
Provide Audit Trails
Regulatory compliance is a requirement for many businesses to prove they can manage critical information in a way that ensures chain of custody and proof that only authorized users had access. Compliance is not just a matter of the law but is generally considered good business practice. Compliant companies can prove they take information security and governance seriously and can use this as a selling point to their customers.
Enterprise digital rights management provides an audit trail of all user and file activities to ensure a chain of custody of information for electronic discovery and proves that only authorized users have access to sensitive data. This helps your organization understand the flow of important information and simplifies eDiscovery in the event of litigation. Since many regulations require you to prove to a regulator that you meet their requirements for protecting privacy, audit trails are easily available in downloadable reports.
Enterprise DRM can help you meet information security, regulatory compliance, and data governance objectives, ensure privacy and protect the digital assets of your company. It is the best way to protect your most important business information and get a good night’s sleep.
What good is a secure island if you’re left stranded? Former Secure Islands customers want to know, since their data protection software has finally reached end-of-life support after the company was acquired by Microsoft a few years back. The good news: they have more options than they may have thought.
As a startup, Secure Islands Technologies Ltd. was a success story. Not so much for some of its early customers, we hear.
Two brothers, Aki and Yuval Eldar, founded Secure Islands in 2006 in Jerusalem. Microsoft acquired the company for $150 million in 2015 and made its technology an essential building block for Microsoft’s Azure Information Protection (AIP, part of the Microsoft Information Protection framework MIP). Six years later, Secure Islands customers who decided AIP wasn’t for them may feel as if they are stuck.
So far, so predictable. As far as startup exits go, you’ve heard the stories. The outcome can be ugly: early customers are left holding the bag, with nowhere to turn. It can also be a blessing in disguise: for example, when IT discovers alternatives that show how far a technology has come elsewhere since its nascent stage.
Such happy endings happen. Take enterprise-level Digital Information Rights Management (DRM), for example. Also referred to as Information Rights Management (IRM) sometimes, it has come a long way since the aughts. This development is good news for organizations looking for AIP alternatives.
No happy endings on security islands
Information protection solutions of the past were difficult to deploy and scale. Workflows slowed down. Productivity suffered. That said, today, we see a different picture. The success of solutions such as Fasoo Enterprise DRM triggered a resurgence of the category, primarily for three reasons:
Mature Enterprise DRM solutions ensure comprehensive data protection that extends far beyond one or two document ecosystems.
Centralized policy management and control beats having to deputize (and train) your end users as security experts.
AIP uses Secure Islands technology to categorize documents, which can result in certain limitations. Depending on a company’s Microsoft licensing level, users may have to manually label the documents they import or create and decide what protection and permissions to assign.
Another issue in these industries is AIP’s lack of SDKs to facilitate integration with iManage and other Enterprise Content Management (ECM) platforms. In organizations that need to encrypt files across thousands of file-sharing folders and subfolders, this means they would have to apply an AIP label to each manually just for simple encryption.
Fasoo Enterprise DRM represents a different, “file-centric, people-centric” approach that enables organizations to preserve and support proven and efficient workflows. Policies defined by IT automatically determine at the point of creation who can access a protected document and how. Exceptions are handled flexibly and “on the fly”, for example by granting a provisional permission on a temporary basis.
Document protection in the cloud requires a mature enterprise DRM solution.
Cloud collaboration plays an important role in selecting an enterprise DRM solution. Companies now looking for alternatives to AIP are clear about this point: they want document protection that travels with the file and doesn’t end at their organization’s IT perimeter.
Their old information protection technology was devised years ago, with no consideration yet for the cloud. One consequence is that it can only protect sensitive documents on a computer or mobile device. Once the file is uploaded to the cloud outside the Microsoft ecosystem, document protection is lost.
In contrast, Fasoo Enterprise DRM ensures that persistent security remains with documents, pictures, audio, video, and 3D CAD drawings regardless of their location, whether in the cloud or on a flash drive. Senders can set a validity period or revoke access immediately, even after distribution. The organization remains in control of sensitive files at rest, in use, and in motion – no matter where they may end up.
Worried about your document protection getting stuck on a security island? In summary, these three rules will help you not to miss the boat:
1. Document protection worth its name requires properly protecting all confidential documents that need protecting, not just those preferred by one solution vendor.
2. If “automatic labeling” was the promise, you’ll hate seeing it turn into manual labor over a few hundred or thousand file-sharing folders.
3. No company is a secure island; the cloud is real, and so is the need for document protection in the cloud.
Which blog posts about document security and protection attracted the most visitors to the Fasoo website in 2021?
Let’s face it: the ins and outs of Digital Rights Management (DRM) in the enterprise don’t exactly make for blog topics that get most people’s juices flowing.
The good news is that content that draws on the insights shared by Fasoo’s longtime, recent, and not-yet customers can overcome this hurdle. Readers interested in Enterprise DRM clearly prefer blog posts that answer relevant questions and provide hands-on advice for IT decision-makers and their teams.
Which Fasoo blog posts hit a nerve in 2021? These were the Top 5:
#5: Your questions about Fasoo Enterprise DRM vs. Microsoft AIP, answered
“How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?” In one version or another, this was one of the most frequently asked questions the Fasoo team had to answer in 2021.
It’s a tricky one. After all, Microsoft AIP was developed primarily with the document ecosystem of Microsoft Office plus a few third-party file formats in mind. Fasoo DRM, on the other hand, provides document protection at scale and for more than 200 file formats in large organizations and along their supply chain.
So can you compare the two at all? We tried. Let’s just say minivans keep us moving, but for serious business, you may want to consider a super-duty truck.
It seems like many readers have been looking for answers to EDRM-vs.-AIP-related questions. Did you miss the post?
How can you protect digital assets against intellectual property (IP) theft? Without adequate – data-centric – protection, trade secrets can end up with a competitor or a foreign government in a matter of minutes, even seconds: on a USB device, say, or uploaded to a personal cloud storage account from an unmanaged remote work laptop.
And they do. 2021 was marked by the “Great Reset” in the automotive industry. Employees working from home or leaving for a competitor (or both) posed the biggest threat to their company’s proprietary information. How to prevent intellectual property theft in the automotive sector? Many blog visitors turned to our 10-step guide here:
Enterprise-level DRM can be confusing. The – often niche-specific – solutions of the past were expensive, complex to deploy, and difficult to scale. As a result, IT teams weren’t exactly gung-ho about exploring today’s DRM-based information protection.
This has changed. Enterprise DRM solutions have come a long way, which has caused a resurgence of the category and considerable change in perceptions. In 2021, this trend had more IT professionals asking about specifics.
So we dedicated 2021 to cutting through the fog of related terms and acronyms for this growing audience. A timely decision, judging by our blog traffic numbers. The Enterprise DRM Glossary became the 3rd-most frequented post of 2021:
You would think that 28 years after Adobe first introduced its platform-independent “secure” PDF file format, all related document protection questions should be settled. Far from it, as you may know.
Yet PDF files are making up a large share of unstructured business data. Do you know how well all your sensitive PDFs are protected? If the answer is no, consider yourself in good company.
According to a 2021 report, researchers who analyzed publicly accessible PDF files of 75 government security agencies identified only seven that had removed sensitive information before publishing. Ouch.
This data point doesn’t make you feel better? In that case, the #2 on our Top-5 list of document protection blog posts provides relief. It gives a hands-on introduction to various approaches to securing PDF documents against unauthorized access, including editing, printing, copying, or screenshots:
And the winner is… Boasting not one, but two industry acronyms in the headline, the chart-topper on this Top 5 list defied headline writing best practices and search engine odds in 2021.
DRM and DLP – Data Loss Protection – both aim to protect sensitive documents against leakage and exfiltration. They are frequently weighed against each other, but that doesn’t explain why this blog post piqued that much curiosity.
Maybe it’s because it fundamentally questioned the traditional “either/or” perspective? If you haven’t read it yet, you can find it here:
Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.
But first, a quick look at the court dockets. Did you hear about that lawsuit filed by Intel in February against a former employee who joined Microsoft?
Talk about an IP theft textbook case. Intel accuses [PDF] a former product marketing engineer of exfiltrating “highly confidential, proprietary, and trade secret information” on his way out the door – to Microsoft.
So far, so common. That’s true even in the most security-conscious companies, as this most recent example shows. It highlights how a combination of three factors poses mounting risks to the IP of many tech and manufacturing companies:
blurred IT and security perimeters with a plethora of unmanaged (storage) devices,
increasing competition, coopetition, and fluctuation of engineers and other key personnel with access to trade secrets between competitors,
the inability to centrally monitor, control, and police how employees access sensitive documents, especially when they leave the company.
It’s at that point where the IP protection capability mentioned in the title of this post can make all the difference; we’ll get to that in a minute. But first, let’s look at what allegedly happened when the Intel engineer left the company after ten years in January 2020.
What did he allegedly do, and how? The company alleges that on his last day on the job, the employee downloaded roughly 3,900 files from a company computer “to a personal Seagate FreeAgent GoFlex USB drive.”
3,900 confidential files walk out the door at Intel
Hm, what? And he walked out the door with it where, and why? Fast forward to February 2021:
In the federal court filing [PDF], the plaintiff claims that the defendant – now Principal of Strategic Planning in Microsoft’s Cloud and Artificial Intelligence department – “used the confidential information and trade secrets he misappropriated […] in head-to-head negotiations with Intel concerning customized product design and pricing for significant volumes of Xeon processors.”
Ouch. Yes, these are only allegations so far. They have yet to be proven in court.
But however the jury finds in the end, the court filing is remarkable for what it reveals between the lines. Intel’s lawyers credit Microsoft and its forensic investigators for helping to unearth the “full breadth” of the alleged deeds.
Which gets us to the main point of this post:
Was this IP protection failure preventable?
Granted, hindsight is 20/20. Yet from an IP protection perspective, one could argue that all of this would have been entirely preventable.
How do we know, you ask? Coming right up, it’s all laid out right there in the court filing. Intel, if we believe the lawyers, had insufficient visibility into and no control over an (ex-) employee’s access and use of sensitive proprietary files. And indirectly, the company admits as much.
For example, the lawsuit alleges that once at Microsoft, the former Intel employee “accessed, viewed, opened or otherwise interacted with more than one-hundred documents taken from Intel […] at least 114 times” from his company-issued Microsoft Surface laptop.
Mind you, Microsoft’s helpful forensic investigators unearthed these (incomplete) insights only after the fact, according to Intel’s grateful lawyers.
Had the individual files been encrypted and their use governed by centralized policy management from the get-go, the engineer’s access would have ended with his tenure at Intel.
The case for DRM with centralized policy management
Cases like this should not come as a surprise. We’ve seen a rising wave of similar insider-related incidents over the past three years. The tech and mobility industries are bearing the brunt of the attacks.
The threat has caused more IT leaders to deploy enterprise DRM (also known as Information Rights Management, IRM). This file-centric, people-centric, and platform-agnostic approach enables organizations to protect unstructured data at rest, in transit, and in use.
Think MS Office documents, PDF files, images, or CAD designs, for instance. They are encrypted at the point of creation. The protection applies wherever a file is stored or moves to, inside or outside the organization’s perimeter.
File use can be monitored; access policies and permission levels can be managed centrally by IT, risk officers, and HR, and adjusted flexibly at a granular level by the data owner.
Let’s take a product design file protected by Fasoo Enterprise DRM, for example. It will check back in the background with a central Fasoo server when someone tries to access it. Does this user still have the proper authorization to open, copy, download, or print the document?
If not, it doesn’t matter if a former employee took it home on a portable hard drive or USB stick – IP protection is ensured. The document is worthless for whatever that person wants to do with it, locked with FIPS 140-2 level encryption that meets the requirements of the Cryptographic Module Validation Program (CMVP) of the US government.
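To make the check-back mechanism concrete, here is an added illustrative model (not Fasoo's code or protocol) of file-centric protection: the file stays encrypted wherever it is copied, every open asks a central policy server for the content key, and the server's decision at open time enforces offboarding, expiry and revocation while recording an audit trail. The toy SHA-256 keystream cipher, the user names and the document id are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A protected file as it travels: (doc_id, nonce, ciphertext, mac).
Blob = Tuple[str, bytes, bytes, bytes]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher derived from SHA-256 so the example needs
    only the standard library; a real product would use AES from a validated
    FIPS 140-2 module. Encryption and decryption are the same operation."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Policy:
    """Who may do what with one document, plus an optional validity period."""
    permissions: Dict[str, Set[str]]      # user -> {"view", "print", ...}
    expires_at: Optional[float] = None    # absolute time; None means no expiry
    revoked: bool = False                 # pulls the document for everyone


@dataclass
class PolicyServer:
    """Central server: content keys, policies and the audit trail live here."""
    keys: Dict[str, bytes] = field(default_factory=dict)
    policies: Dict[str, Policy] = field(default_factory=dict)
    audit: List[Tuple[float, str, str, str, str]] = field(default_factory=list)

    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> Blob:
        """Encrypt at the point of creation. The content key stays on the
        server and is only released through request_access()."""
        key, nonce = os.urandom(32), os.urandom(16)
        self.keys[doc_id] = key
        self.policies[doc_id] = policy
        ciphertext = _keystream_xor(key, nonce, plaintext)
        mac = hmac.new(key, nonce + ciphertext, "sha256").digest()
        return (doc_id, nonce, ciphertext, mac)

    def request_access(self, doc_id: str, user: str, action: str,
                       now: float) -> Optional[bytes]:
        """The decision is made at open time, so a revocation or an expired
        validity period also applies to copies already on a USB drive."""
        policy = self.policies.get(doc_id)
        if policy is None:
            decision = "deny:unknown-document"
        elif policy.revoked:
            decision = "deny:revoked"
        elif policy.expires_at is not None and now > policy.expires_at:
            decision = "deny:expired"
        elif action not in policy.permissions.get(user, set()):
            decision = "deny:no-permission"
        else:
            decision = "allow"
        self.audit.append((now, doc_id, user, action, decision))  # audit trail
        return self.keys[doc_id] if decision == "allow" else None

    def offboard(self, user: str) -> None:
        """HR/IT 'flip the switch': strip a leaver's rights on every document."""
        for policy in self.policies.values():
            policy.permissions.pop(user, None)


def open_protected(server: PolicyServer, blob: Blob, user: str, action: str,
                   now: float) -> bytes:
    """Client side: without a fresh 'allow' the file cannot be decrypted."""
    doc_id, nonce, ciphertext, mac = blob
    key = server.request_access(doc_id, user, action, now)
    if key is None:
        raise PermissionError(f"{user} may not {action} {doc_id}")
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("protected file has been tampered with")
    return _keystream_xor(key, nonce, ciphertext)


def _attempt(server: PolicyServer, blob: Blob, user: str, action: str, now: float) -> None:
    """Attempt an open and swallow the denial; the audit trail records it."""
    try:
        open_protected(server, blob, user, action, now)
    except PermissionError:
        pass


def scenario() -> Tuple[bool, List[str]]:
    """The situation in the text: an engineer copies a design file, is
    offboarded, and later tries to open the copy elsewhere. Returns whether
    the plaintext was recovered while authorized, plus the audit decisions."""
    server = PolicyServer()
    design = b"constructed sample: processor package layout, rev 7"
    blob = server.protect("design-0042", design, Policy(
        permissions={"engineer": {"view", "print"}, "partner": {"view"}},
        expires_at=2000.0))
    ok = open_protected(server, blob, "engineer", "view", 1000.0) == design
    _attempt(server, blob, "partner", "print", 1000.0)    # partner may only view
    server.offboard("engineer")                           # last day at work
    _attempt(server, blob, "engineer", "view", 1500.0)    # copy on a USB stick
    _attempt(server, blob, "partner", "view", 2500.0)     # validity period over
    server.policies["design-0042"].revoked = True
    _attempt(server, blob, "partner", "view", 1500.0)     # revoked outright
    return ok, [entry[4] for entry in server.audit]
```

Running `scenario()` shows the one successful open while the engineer was still authorized, followed by four denials that the audit trail explains as no-permission, no-permission (after offboarding), expired, and revoked.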
Nothing to see here after HR and IT flip the switch
In summary, file-centric document protection makes IP “misappropriation,” as alleged in the case brought by Intel, impossible.
Centralized yet flexible and painless policy and exception management are among the top priorities for document protection program leaders when choosing an enterprise DRM solution, they tell us. Fasoo Enterprise DRM empowers IT, in coordination with HR, to set and change document use policies in sync with users’ employment lifecycle, from onboarding to the last day at work.
One global technology manufacturer that is leveraging enterprise DRM to protect its IP is Fasoo customer ZF Group. This automotive industry supplier with 240 locations in 41 countries now deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, across its global tech centers.
“Before, we had a few incidents where engineers with years of insider knowledge and access to documents left and joined a competitor,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division in Livonia, Michigan.
“As a company, you spend years training engineers in the ways you do things, and they get access to your most intimate know-how and process knowledge,” he explained. “You cannot just block them; they need it. But you also need to be able to quickly adjust access privileges on a granular level, without delay.”
“It’s a fine line to walk,” Markus told us. “You have to find the right balance between maximum IP protection on one side, and productivity on the other. Fasoo helps us maintain this balance.”
I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them? It also made me think, in a situation like this, how the potential for insider theft is far greater.
Files containing IP can be printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured, and so on. These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.
In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do. But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.
I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information. The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.
Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!
This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on reducing business risk through improved cybersecurity that focuses on protecting data as users create and share it. One area of concern to many organizations is how to find and protect sensitive data without impacting how employees and customers work. Data protection regulations, like GDPR, are making things more complicated, but companies need to balance security with productivity.
At the Fasoo booth, a lot of people talked about issues with combining different technologies that still focus more on protecting the location of data rather than the data itself. One executive from a manufacturing company talked about how her DLP system can tell them that sensitive documents were shared with external parties, but can’t really control their access or stop them from going out. This is a common concern as companies use DLP, CASB and other technologies that can’t control access everywhere.
On Tuesday, June 5, 2018, John Herring, President & CEO of Fasoo, Inc. and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Unstructured Data Solutions Journey”. John talked about the challenges of balancing data security and productivity and how many of the traditional approaches of securing the data perimeter haven’t lived up to the hype. By securing the data itself, you don’t need to worry about where it goes, since it’s always protected and tracked. He presented how some of Fasoo’s customers have overcome the challenges with a holistic approach to discover, classify, protect and track sensitive manufacturing data and information subject to regulatory control using Fasoo Data Radar and Wrapsody.
Ron showed how in three quick steps with Wrapsody an organization can securely collaborate when creating a product quote while limiting access to specific people and making it easy to ensure they each have the latest version. With a few clicks of a mouse a sales manager encrypted a spreadsheet, applied access control to it, provided an audit trail and automatically synchronized the latest version to a central location. As the operations manager updates the quote and shares it with a customer, the process is easy for all parties to get the latest information and ensure the entire process is secure regardless of who has the document and where they open it.
During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand the best ways to comply with new regulations and how to protect sensitive data from both internal and external threats. Visitors were very impressed by how the Fasoo Data Security Framework can help them achieve those goals by discovering, encrypting and controlling their sensitive data.
Attendees at the session and at the booth were excited to see that Fasoo technology is very robust, balances security with usability and integrates with an organization’s existing infrastructure. A common strategy is to make the technology almost invisible to users unless they try to violate a security policy. I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.”
The problem today is that sensitive information is leaking from organizations like a dripping faucet. The recent Equifax data breach is just the latest example of a constant barrage of leaks in the news. All the experts say the best way to stop data leaks is by encrypting sensitive data.
So why isn’t everyone doing it? What’s the problem? New regulations are now in place that mandate encrypting sensitive data, NYDFS Part 500 and GDPR being two of the most visible.
It’s not like using an Enigma machine to manually encrypt a message. Today’s encryption mechanisms are easy to use and fit into the daily work of employees everywhere.
Let’s break the world into structured data, which sits in a database, and unstructured data, which lives in documents. I’ll start with data in databases. All major database systems allow you to encrypt the database files or encrypt data inside the database. Transparent Data Encryption (TDE), column-level and field-level encryption are all examples of methods of protecting the data. Other methods, such as hashing, are common for passwords but can be applied to other information as well.
Even though most of us think that all stolen or leaked data is in a database, the reality is that about 80% of the information we use is in documents. Methods for encrypting documents run from a simple password you can use inside an application like Adobe Acrobat to Enterprise Digital Rights Management (EDRM). In between are endpoint encryption to encrypt files at rest on a hard drive, encrypting file systems that can assign access rights to files while they are in a particular location, or transport security like SSL/TLS.
On the database side, many of the stated reasons for not using encryption are that applications may have to be rewritten or there might be some performance issues. The real reasons are more likely that developers and administrators haven’t thought it was necessary. Many organizations assume there is enough protection at the perimeter or on devices, so they don’t bother with the data.
The same thinking frequently applies to documents. People assume with all the perimeter controls and endpoint encryption that things are covered. This works sometimes, but if someone can get to your documents, they can copy them elsewhere and have complete access to what’s inside.
Implementing EDRM that provides document encryption with access and permission controls is the only real way to protect the content inside documents at all times. All a user has to do is save the document they work on, and a security policy can automatically encrypt it and apply granular permission controls. Impact to productivity is minimal, since you can let everyone in your organization do everything they already do with their documents, but ensure that if a document gets into the wrong hands, it is inaccessible. Users go about their daily activities and most don’t even realize the encryption is there. You don’t think about it; it just does its job.
It’s the same as shopping securely online. It just happens in the background and you don’t think much about it.
Encrypting data should be the rule, not the exception. Just like you lock your house when you leave, lock your data. It’s easy and keeps you safe and out of the headlines.
Data breaches pose one of the greatest threats to business and government. With the recent data breach at Equifax magnifying the problem of data loss in businesses and the public sector, it’s time for organizations to think hard about using data-aware protection to safeguard sensitive information.
The ever-changing cybersecurity landscape requires organizations to evolve beyond merely protecting the network perimeter and end-points to implementing protections on the data. When data breaches are successful, the costs can be staggering. How much will it cost Equifax to offer credit monitoring to millions of people? What makes these data breaches so disheartening is that many could be avoided or mitigated by modernizing legacy IT systems and protecting information at the data or document level.
While years of investment have helped strengthen network and end-point security, the data continues to leak. Attacks continue to breach the perimeter and insiders have accidentally or intentionally distributed sensitive information to unauthorized recipients. Phishing attacks and other social engineering are getting more sophisticated so that traditional perimeter security detection and prevention is becoming ineffective.
Situations like the Equifax data breach point to many organizations not even doing the basics around security. Default passwords, running old software and not patching systems are some of the most common reasons for data breaches. Equifax even had references on its website to the Netscape browser which has not been in use in almost 10 years. Some of this may be that IT departments are overwhelmed with daily tasks or have outsourced portions of their IT and security activities to third parties. Experian hired a third party to do a risk assessment of their infrastructure following the last breach. It seems the assessment and remediation efforts were not that effective.
Rather than solely focusing on the perimeter, protection mechanisms that are data-aware provide much stronger risk mitigation. The encryption of digital files using enterprise digital rights management (DRM) is the best way to thwart hackers or insider threats. Some organizations are also using attribute-based access control (ABAC) to limit access to specific data in databases or other information systems. Combining audit information from the ABAC system with the DRM-protected document interactions provides insights into who accessed sensitive data, when and from where. Since data protected by DRM can be dynamically controlled, incident response programs benefit from the ability to completely revoke access to sensitive information, even after it has left the organization.
We have reached a critical point in data security. We can either take the necessary steps to protect the data or cross our fingers and hope there will not be another major breach. That’s like hoping it doesn’t rain. It sounds great, but the reality is the next storm is around the corner.
This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on managing and mitigating risk to a business and how to improve cybersecurity through data-centric protection. One area of concern to many organizations is how to comply with some of the newer cybersecurity and data protection regulations, like GDPR, as governments are trying to improve customer and business data security.
With all the recent malware, ransomware and data breaches, there was obviously a focus on how to prevent harm to one’s business. As businesses move more into the realm of digital business, the concept of trust is becoming a larger issue. If your customers do not trust you with their data, they will be less likely to do business with you.
On Tuesday June 12, 2017, John Herring, President & CEO of Fasoo, Inc., Dr. Larry Ponemon of the Ponemon Institute, and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Do You Have a Pathway to Data Security Compliance?”. John talked about the challenges of complying with the new NYDFS 23 NYCRR 500 cybersecurity regulation that affects any business regulated under banking, insurance and financial services laws in New York. This applies to organizations doing business in NY and also affects third party service providers of those organizations.
• 60 percent of respondents believe this regulation will be more difficult to implement than GLBA, HIPAA, PCI DSS and SOX
• Over 50 percent do not have a formal cybersecurity program
• 68 percent believe that the inability to know where high value data assets are located will pose a significant challenge
Ron discussed a six-step plan to encrypt and control unstructured data (data in files), which is a key component of meeting the NYDFS, GDPR and other data protection and privacy regulations. The session had about 150 people in it, and many of them asked specific questions about who is affected, how to work with service providers to ensure they are protecting your sensitive data, and how to maintain complete control of your information regardless of its location.
During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand the best ways to comply with these new regulations and how to protect sensitive data from both internal and external threats. Visitors were very impressed by how the Fasoo Data Security Framework can help them achieve those goals by discovering, encrypting and controlling their sensitive data.
One interesting presentation by John Girard and Brian Reed from Gartner focused on information-centric security practices and the best ways to protect your business information. While Gartner and most of the security industry recommend a layered approach to security, when it comes to protecting information in files, John and Brian said that EDRM is the only solution that can really protect it. This is an important recognition that in the game of information protection and thwarting malicious or inadvertent attempts to steal sensitive data, perimeter solutions cannot meet the requirements as well as EDRM.
Attendees at the session and at the booth were excited to see that Fasoo technology is very robust, balances security with usability and integrates with an organization’s existing infrastructure. I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.”
Despite significant security investments made by organizations, data breaches of sensitive information continue at an alarming rate. There are many contributing factors to this situation such as the ever increasing rate of data collection as well as cloud computing, outdated security standards and controls, and flawed applications with security vulnerabilities.
Today’s bad guys are well funded, skilled and organized. When they set their sights on something like personal health information (PHI) or intellectual property (IP), they are quite effective at getting at the crown jewels.
For so long, organizations have spent their money, resources and time on traditional approaches like network, device and application security. While these fundamental security measures are still necessary, relying on them solely isn’t enough today.
Businesses need to fundamentally change their approach to security and focus more on the data layer itself. A good way to start down this path is to discover and classify sensitive data. Unfortunately, many companies still do not have an inventory of their unstructured data – files and documents. They say they do and they believe they do, but in reality there are bits and pieces of sensitive information copied on desktops, devices, and file shares. There are multiple copies scattered all around.
Once a company gets a handle on its sensitive data, then it can think about classifying it. Classification will help an organization encrypt certain types of data in storage, in transit and/or while the data is in use by authorized users. In some cases, there may not be any need to encrypt public data as it might not contain sensitive information. Many people emphasize the need for classification due to shortcomings in data loss prevention (DLP) tools. Surely data classification can make DLP more effective. However, in larger environments there are far too many other applications and use-cases that can benefit from data/file classification.
Based on the type of classification, certain data may only need protection using simple encryption while in storage or in transit, or it can be protected by more sophisticated solutions like enterprise digital rights management (EDRM) to control not only who can access the data, but how authorized users can use the sensitive data and for how long. Businesses can monitor activity by user and have the real-time ability to detect deviations from normal user activities or processes.
Today, many companies in the financial services industry are leading the way as they implement additional layers of security to their existing postures by implementing persistent data security and ensuring that sensitive information is protected all the time, regardless of location.
We are reminded again and again as we read daily about the data breaches in the news that protecting sensitive data is a complex challenge. It requires a layered data protection strategy, time, money, resources and management support. Implementing individual data-centric solutions without a comprehensive framework can lead to critical gaps in the security posture of an enterprise. Traditional measures must be supplemented with persistent data-centric security to stop the loss of sensitive information.
With so many high profile data breaches in the public eye recently, cyber security is now front and center in many organizations. Globally cyber attacks and data leaks are daily threats to organizations, reminding everyone that we are all potential targets. Attorneys are warning about potential individual liability for corporate directors who do not take appropriate responsibility for oversight of cyber security while investors and regulators are pushing boards to step up their oversight. As a result, corporate boards have woken up to the call that they must address cyber security issues on their front lines, as it is no longer just an Information Technology issue.
A “belt and braces” approach to security must start at the top – boards must begin by focusing on their own communications and materials as part of their comprehensive cyber risk management. Communications through insecure means, loss or theft of board computing devices, lack of or only occasional encryption of board communications, and printed copies of board documents can result in loss of intellectual property, client lists or commercially sensitive business data, legal expenses, loss of reputation and lost time.
In this digital age boards must have structures in place to safeguard their information from cyber security threats. Data-centric security is a reliable way to protect boardroom materials and communications: sensitive board files are encrypted and persistent security policies protect them regardless of where they are or what format they are in. Below are some of the advantages of data-centric security:
• Encryption and policy based control of board files
• Ability to securely share files
• Granular control of who can View, Edit, Print and take a Screen Capture
• Ability to limit access time and number of devices
• Ability to revoke access to sensitive files immediately regardless of location
• Ability to trace and control user and file activities in real-time
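The controls listed above, and the EDRM behaviour described earlier (a policy that decides each access, audit of who accessed what, when and from where, and immediate revocation even after a file has left the organization), can be modelled as a small policy decision point. The following is an added illustration, not Fasoo code: the `Policy`/`authorize` names and the scenario data are constructed for the example, and key release is abstracted (a real EDRM agent would decrypt the file only after `authorize` returns True).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ACTIONS = {"view", "edit", "print", "capture"}  # the four controls named above

@dataclass
class Policy:
    permissions: dict        # user -> set of permitted actions
    expires_at: datetime     # access ends here, wherever the file is
    max_devices: int         # distinct devices a user may open the file on
    revoked: bool = False    # flipping this denies everyone immediately
    devices: dict = field(default_factory=dict)  # user -> devices seen so far

def authorize(policy, audit, user, device, action, now):
    """Decide one request; every decision (allow or deny) is appended to audit."""
    def decide(result, reason):
        audit.append({"user": user, "device": device, "action": action,
                      "decision": reason, "time": now.isoformat()})
        return result
    if action not in ACTIONS:
        return decide(False, "deny:unknown-action")
    if policy.revoked:
        return decide(False, "deny:revoked")
    if now >= policy.expires_at:
        return decide(False, "deny:expired")
    if action not in policy.permissions.get(user, set()):
        return decide(False, "deny:no-permission")
    seen = policy.devices.setdefault(user, set())
    if device not in seen and len(seen) >= policy.max_devices:
        return decide(False, "deny:device-limit")
    seen.add(device)
    return decide(True, "allow")

def demo():
    """Constructed scenario: one policy, one authorized user, several requests."""
    t0 = datetime(2017, 6, 12, 9, 0, tzinfo=timezone.utc)
    policy = Policy(permissions={"alice": {"view", "edit"}},
                    expires_at=t0 + timedelta(days=7), max_devices=1)
    audit = []
    results = [
        authorize(policy, audit, "alice", "laptop", "view", t0),             # allowed
        authorize(policy, audit, "alice", "laptop", "print", t0),            # no print right
        authorize(policy, audit, "alice", "phone", "view", t0),              # second device
        authorize(policy, audit, "bob", "laptop", "view", t0),               # not in policy
        authorize(policy, audit, "alice", "laptop", "view", t0 + timedelta(days=8)),  # expired
    ]
    policy.revoked = True                                                    # incident response
    results.append(authorize(policy, audit, "alice", "laptop", "view", t0))  # denied everywhere
    return results, audit
```

The audit list is the trace a DRM system would combine with ABAC audit data: each entry records user, device, action, decision and time, including the denials.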
Considering the significant impact posed by a potential cyber breach, boardroom engagement with cyber risk management must be a top priority starting with the securing of the board’s own communications and board materials.