Blog

Tag: encryption

Fasoo zero trust data security platform protects your sensitive unstructured dataZero Trust is a major trend in 2022 and one that affects public and private sector organizations alike.  Last year when the Biden administration in the US issued its Executive Order on Improving the Nation’s Cybersecurity, zero trust was a major component of this initiative.

Organizations implement traditional perimeter-based security strategies on the assumption that the perimeter is secure inside.  Zero trust assumes that no person or device inside or outside of an organization is trusted.  It is a system that requires thorough verification of all users, data, and devices, and allows only minimal privileges.

The concept of zero trust is not new.  It was suggested in 2010 by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations.

Now 12 years later, security experts agree that a zero-trust-based security strategy is needed, not perimeter-based security.  The reason is simple.  The environment is changing.
 

Why zero-trust now?

The pandemic-driven transition to a hybrid workplace has become the norm.  As telecommuting and remote work becomes common, concerns about perimeter-based security are growing more than ever before.  This is because the boundaries of the work environment have become blurred, driven in part by the increased adoption of mobile and cloud services.  This will inevitably lead to a security vacuum.

The environment surrounding data security faces a variety of changes, including cyber warfare caused by the conflict between Russia and Ukraine, cyberattacks on companies by hacker groups like Lapsus$, and numerous incidents of corporate data breaches by trusted insiders.

In this environment, it is natural for zero-trust-based solutions to be in the spotlight.  It’s the data itself that we need to protect, so we need a data-driven security system that can safely protect our data in a rapidly changing environment.

 

Zero Trust Data Security

Protecting sensitive data first requires identifying it, classifying or labeling it, and then determining who should have access to it.  This requires constant authentication and verification of user identity.  Fasoo’s zero-trust approach to safeguarding sensitive unstructured data goes beyond just access controls.  It layers three powerful security methods to achieve a strong, proactive first-line defense again external and insider threats.

  • Encryption
  • Adaptive Access Control
  • Control Data in Use

 

Cloud misconfigurations, user errors, and work from home environments all expose sensitive files to breaches that access control alone can’t prevent.  A true zero-trust approach secures the file at all times – at rest, in transit, and while in use – and continuously monitors user, device, and other contexts to adaptively evaluate access permissions.
 

Encrypt Files

The best way to protect a sensitive file is to encrypt it.  It ensures files are protected while at rest and in transit no matter the location or network.  This sets the foundation for a zero-trust approach on which other safeguards build.

  • Automatically discover, classify and encrypt sensitive files when created or modified, all transparent to the user. User errors are eliminated and workflows are uninterrupted.
  • Encryption keys are centrally held and controlled by the company – not by the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more proscriptive regarding data residency and access rights.

 
Encrypted files ensure any exfiltration of sensitive information is safe from misuse.  Many privacy regulations exempt encrypted file exfiltration from breach reporting or significantly reduce any fines.  It all negates one of the worst risks related to today’s ransomware threats – exploitation of exfiltrated data.
 

Apply Access Control

User verification is enforced each time the file is accessed and incorporates contextual information about the user and device to dynamically adapt to grant or deny access.

  • User access to a sensitive document is automatically applied as part of the initial discovery process with presets that are centrally configured and provide flexible and practical settings. Individual users, departments, roles in the organization, and “all internal share” are examples of preset alternatives.
  • Fasoo enables a range of other elements, including device identity, time of day, and geolocation to be assessed as part of its adaptive zero-trust access approach. This dynamic linking of multiple verification points ensures the highest degree of trust can be enforced for sensitive data.

 

While centralized control of document access is the default, the platform provides flexibility so that document owners can unilaterally change access, if business needs dictate.  This allows those closest to the data to make security decisions without needing to involve security or IT.  Continuous monitoring of user behavior reports such exceptions for line manager and compliance team inspection.  Such analytics are also applied to continuous monitoring of device and location information.
 

Control over Data

Insider threats expose a major gap in many declared zero-trust solutions.  Once a verified insider gains access to the file, it’s a free pass to use corporate sensitive data.  Joiners and leavers in a transient workforce, work from home environments, and supply chain collaboration opens the door for inadvertent or malicious insider data breaches.

  • True zero-trust requires control over usage as well as access. Forward, cut and paste, copy, print, and screen capture are examples of the many ways insiders can maliciously or unintentionally expose sensitive information to unauthorized parties.
  • Usage controls must consider the sensitivity of the data, and the context in which it’s being used and enable a wide range of permissions, from restricting actions to watermarking files, to address insider threats.

 

Fasoo enables a comprehensive set of file permissions to control what authorized users can and can’t do with a document in use.  Central pre-set policies can be implemented at the user, department, or organization-wide level as well as by role (all Directors) or project (M&A, Drug Approval).

Proactive control over data usage is essential to a true zero-trust approach.

Talk with us about how Fasoo Data Security will strengthen your zero-trust initiatives.

Protect data in the cloud with Fasoo encryption, access control and in-use protectionThe enterprise is moving to the cloud to ease collaboration for partners and employees. The cloud enables work-from-home and hybrid working models and enhances productivity.

But the cloud is vulnerable to human error and misguided settings, putting your data at risk of unauthorized access. According to Gartner, preventable misconfigurations and end-user mistakes cause more than 99% of cloud breaches. Cloud providers use a flavor of security. But data needs its own protection.

What’s the risk of storing data in the cloud?

End-users share Dropbox links and credentials from personal smartphones via Wi-Fi hotspots. They email documents to friends and unauthorized third parties. You’d no more send your data out into the world without policies, access controls, and encryption than send a child out into the cold without a coat. But if you leave security to the cloud, who knows where your data ends up.

Amazon S3 buckets include unlimited storage. But weak settings leave default credentials intact, granting limitless access to criminal hackers who automatically search and exploit bucket links. When criminal hackers kidnap your files, cloud cyber defenses seldom follow behind. You need centralized control with enterprise security that wraps your data and sticks with it.

Enterprises work with many cloud providers, passing data from one environment to the next, one job to the next. You may have some visibility when you pass data directly to the cloud. But what happens when that cloud routes your data to other cloud environments for processing? It’s one thing to entrust your child to someone you know; it’s another to let them hand her off to someone they know.

Cloud providers may offer security policies, identity and access controls, and encryption for data in transit and at rest. But those stop short where the cloud ends, leaving your intellectual property (IP) open to theft by criminal hackers and exploitation by unscrupulous competitors.

How do I protect my sensitive data in the cloud?

Enterprise Digital Rights Management (EDRM) eases moving to the cloud, binding location-agnostic security controls to unstructured data. EDRM embeds encryption, persistent IDs, and access control policies with sensitive documents. Your custom controls travel with your files into unmanaged, unsecured environments.

EDRM maintains data governance policies and controls on your confidential documents whether you move them to Salesforce, Box, Microsoft Azure, or AWS. You can track documents in and beyond the cloud, maintain access controls, and change granular permissions and privileges at any point using centralized policy management.

You don’t have to care what cloud has your data; EDRM keeps it safe when cloud security fails. If the cloud provider has a breach, so what? EDRM maintains the security policies, controls, and enforcements you’ve set in motion, no matter who has your data.

You can ease moving to the cloud by mitigating your risk. The Discovery Classification Tool (DCT) identifies old, redundant, and obsolete data. You can delete obsolete files and duplicates and archive data you must keep, reducing your attack surface, data management requirements, and cloud costs. Then use EDRM to apply policies and encryption to the data you use, and move it to the cloud.

Chat with the Fasoo team and discover how your peers deploy Enterprise DRM in the cloud.

 

Image shows business team watching comparison chart presentationHow does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?

The first solution is a digital rights management platform to protect documents at scale in large organizations and along their supply chain.

The latter was developed primarily to protect the document ecosystem of MS Office plus a few third-party file formats.

 

Can you compare them at all?  It’s a common question we get, so let’s try.

*

“We’re looking at our options for securing documents across the whole organization, including our worldwide subsidiaries and supply chain. What advantages would we have from choosing Fasoo Enterprise DRM over Azure Information Protection (AIP) by Microsoft?”

I have to admit, each time we receive an email like that, we cringe a little.  It’s a bit like asking us to compare a Ford F-series pickup truck (America’s most popular car in 2020) and a Chrysler minivan (the best-selling minivan during the same year), on the grounds that they both have four wheels and can take a load.

We welcome such questions, though, because they give us an excellent opportunity to clear up some confusion. Read on for a few of our answers.

 

MS AIP vs. Fasoo comparison: Frequently Asked Questions (FAQ)  

Image shows a Minivan vs. Ford Super Duty Pickup Truck Tableau

 

Minivans keep us moving, but heavy-duty tasks require different means.
Photo sources: Dreamstime / Ford   

The confusion is understandable. The early and often niche-focused enterprise-level DRM solutions of the past were considered expensive, complex to deploy, and difficult to scale. As a result, many IT teams today still lack hands-on experience with modern DRM-based information protection capabilities at scale.

Fast-forward to 2021: Enterprise DRM solutions have matured significantly over the past decade. This has caused a considerable change in perceptions and is credited with the recent resurgence of enterprise DRM. 

Combined with the shift towards a data-centric information security approach, this development now has more information security leaders asking about the specific strengths of enterprise DRM. Here are five frequently asked questions involving Fasoo EDRM and AIP:

 

1. How many file formats does Fasoo support compared to AIP?

Microsoft file protection supports approximately 20 file types. AIP modifies file extensions for non-Office files types (txt to ptxt, jpeg to pjpeg, bmp to pbmp). This can cause issues with third-party applications and firewalls.

Fasoo supports more than 230 file formats, including a broad range of PDF files, plus any less common file format based on a niche application that a customer might use. All formats Fasoo supports can be opened in their native application. It does not modify file extensions, which means applications that rely on native file extensions for scanning or other purposes keep working. 

 

2. How does Fasoo EDRM protect CAD files in comparison to AIP?

AIP does not support protection of CAD files while in use. Fasoo protects CAD files while at rest, in transit, and in use.  By integrating directly with over forty different CAD applications, Fasoo EDRM allows users to interact with CAD files as they normally do while maintaining strong protection of the data.

 

3. How strong is Fasoo’s encryption compared to MS AIP?

AIP is limited to AES 128-bit encryption for Office files because Office 2010 cannot support AES

256-bit encryption. Other file types use 256-bit. Microsoft does not support encryption for Office 2007. It recommends upgrading to Office 2016 for ease of deployment and management.

Fasoo uses multi-layered encryption for all file types, including AES 256-bit encryption for all file payloads. This is important for compliance with certain regulations. Fasoo supports Microsoft Office 2007, 2010, 2013, 2016, 2019, and 365.

 

4. How do the document tracking and monitoring capabilities of Fasoo compare with those of MS AIP?

AIP currently has no centralized report portal for usage, adoption, or document activities. It also doesn’t provide a method for tracking AIP user licenses. Microsoft recommends editing the registry to remove access to functions from specific users designated as “consumers only” of AIP-protected files.

Fasoo provides centralized reporting on all document and user activities in a web-based console. Thresholds can alert administrators to anomalous and potentially suspicious activity. Fasoo EDRM also tracks all licensed users in a web-based, centralized console. 

 

5. How are Fasoo’s policy and exception management different from AIP’s?

This question comes up frequently because Microsoft AIP relies on individual users to make security policy decisions on how to protect documents. This approach requires IT and data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Fasoo can automatically assign file protection without user intervention. It provides centralized policy management and exception handling capabilities. This “file-centric, people-centric” approach allows the organization to determine who can access a protected document, rather than relying on the document creator to make that decision. Users with permissions are empowered to extend access rights and permissions to other users as needed.

*

Will it fit and grow with your mission?

In summary, most inquiries we get about Microsoft AIP vs. Fasoo boil down to a single general question: How does a dedicated solution for securing documents in large organizations stack up against an assemblage of document protection components designed with a focus on MS Office applications and file formats?

My answer, in a nutshell: It’s difficult to compare a Ford F-450 Super Duty truck and a Chrysler Pacifica minivan. To stay with the analogy for a moment, deciding between work truck and family van becomes much easier when we ask this question:

Will it fit the mission? 

###

Do you have questions about any of the items above or related topics?
Contact the Fasoo team here.

Protect data on laptops from terminated employees I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word).  Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them?  It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on.  These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!

 

Photo credit Ian Sane

 

steal this passwordHow many times have you seen passwords attached to monitors on sticky notes?  How about people who use the password “password” or “123456”?  With a lot of us having to work from home because of COVID-19, data security and privacy has become more important than ever, since we are not in the protective confines of an office and many of us may have to use our home computers.

In 2020 we have a lot of great technology to access our computers, tablets and phones.  You can access my phone with my face and your laptop with your thumb, but they are all still based on an initial password.  We’ve all read stories about using strong passwords and how easy it is to guess people’s passwords.  The fatal flaw in the system is that we need something that isn’t obvious, but something that we can remember.  Some of the simplest methods of creating a more complex password is to use upper and lower case alphanumerics plus a symbol.

There is a great site that can help you understand this.  Go to http://howsecureismypassword.net/ and type in combinations of letters, numbers and symbols to see what it tells you.  Another great site to help generate a stronger password is https://www.safetydetectives.com/password-meter/.  These are not foolproof methods of choosing a password, but will give you a good idea of what is secure and what’s not.

Here are a few examples.  If you use “password”, a person or program will crack my password and access my information in seconds.  If you add some symbols into it and use “pa$$word”, it would take a desktop PC about 3 minutes to crack it using a brute force attack.  If you add a capital letter, a few symbols and a phrase  after it to make it “Pa$$wordiseasy123”, it will take more time to crack than the history of the universe.  You can see by adding some simple variety the job of stealing your password becomes harder.

Here are a few easy to remember tips for passwords:

  1. Don’t use a simple word or phrase, like password or 123456
  2. Use at least 10 characters, but preferably 12 or more
  3. Use upper & lower case letters, numbers and symbols in your password
  4. Use something that you can remember, so you aren’t tempted to write it down
  5. Don’t write your password on a sticky note and put it on your monitor

There are many systems, such as biometrics, smart cards and single sign on systems based on SAML and OAuth, that are more sophisticated than using passwords, but many of these still use passwords as the basis for them.  Fortunately these are becoming more ubiquitous across computer systems and websites, but the simple password still rules.

Until we come up with another authentication system as simple and ubiquitous as the password, we are stuck with them.  Make sure you use a little common sense when choosing yours.  Here are some more tips on choosing a strong password.

regulatory complianceI sure hope so!  Well, the one year anniversary of GDPR is upon us and the challenge of effective, easily managed data security and regulatory compliance is palpable.  So, what did Fasoo do? We developed Data Radar (well, it has been around for a long time now) to deliver a unified unstructured data security and privacy approach that addresses the challenge of the evolving, complex compliance regulations like GDPR and CCPA across verticals ranging from healthcare to finance to manufacturing.

Data Radar is worth investigating if you want a solution that can automate unstructured data discovery, classification, protection, tracking, and compliance reporting. It’s got some cool unique features like:

It’s file-centric, meaning it doesn’t matter where it is because it isn’t chasing locations!

It encrypts and can apply access control, meaning the data itself is secure and only those with a valid need can see what it is.  So if it gets lost, stolen, sent to someone who does not have access, it is both private and secure!

It “Tags” the file by embedding a unique identifier which provides visibility, tracking and audit reporting capability.  You can see who, what, when and where that file has been!

It gives you easy automated expiration power!  You set the date for expiring the data and it’s gone!  No need for manual tracking and destruction of data.  You decide when it is no longer part of your unstructured sensitive data footprint.   Now you can concentrate on other important things.

You’ll hear more about it in the first of 3 webinars on Thursday June 6th at 1:30 pm.  Register by clicking here !

unstructured data securityThanks to all of you who responded to my last blog post regarding unstructured data security and privacy topics you’d like to hear more about. Here’s a sampling:

Why do so many data loss prevention projects either stall or de-scope? Why with significant industry expenditures in the space do we continue to experience record-breaking instances of data breaches and exfiltration? What are the latest methodologies and technologies security and privacy executives should consider implementing to protect their sensitive data and comply with stricter and pervasive privacy regulations such as GDPR and CCPA?

Whew, that’s a lot of ground to cover – but, it confirms the complexities that surround unstructured data challenges and the uncertainties security and risk professionals face as they consider ways to attack the problem.

So, here’s what I am going to try and do over the next 90 days – between this blog, our upcoming webinars and my session (Tuesday the 18th @ 10:45 am, Potomac A, Ballroom level) at Gartner’s Security and Risk Management conference next month (oh, and come visit our booth #563)  – essentially, offer an insider’s playbook to implementing an unstructured data security program while enabling privacy controls.  Whether migrating from existing DLP point solutions or wondering where your unstructured data lives today, my goal is to provide a life-cycle perspective as to the best methodologies and how to avoid the pitfalls that have plagued enterprise projects.  Learn ways to streamline, simplify and fast-track your unstructured data project to protect it and comply with privacy regulations.

Fasten your seat belts and stay tuned!

Data security Deborah Kish expert joins Fasoo

Me! After over 20 years with leading IT consultancy, Gartner, I am excited to announce that I have recently joined data security vendor Fasoo. At Gartner, my focus on enterprise data security and compliance challenges, products and technologies led me to really understand the significance of the “Wild Wild West” nature of unstructured data. On average, I advised 30 CISOs and CIOs and other security professionals every month on the challenges they face with respect to data security and privacy.

At Fasoo, I will lead marketing and product strategies in the unstructured data security and privacy space and will do this through a series of webinars, white papers and blog posts. My mission is to provide end user organizations insights into how Fasoo’s extensive suite of product capabilities can help meet data security and privacy goals because arming your organization with the right tools is an important step toward protecting unstructured data. I will also help guide organizations through the file and people centric approach that will foster stronger unstructured data security and privacy controls.

I’ve often said in my previous role at Gartner, “It has never been a more important time to be a data security analyst” and that translates to my passion to wanting to help organizations get this problem under control. I hope you will join me in the journey. Stay tuned.

By Deborah Kish – EVP Research & Marketing

Is Encryption Really That Hard?The problem today is sensitive information is leaking from organizations like a dripping faucet.  The recent Equifax data breach is just the latest example of a constant barrage of leaks in the news.  All the experts say the best way to stop data leaks is by encrypting sensitive data.

So why isn’t everyone doing it?   What’s the problem?  New regulations are now in place that mandate encrypting sensitive data, NYDFS part 500 and GDPR being two of the most visible.

It’s not like using an Enigma machine to manually encrypt a message.  Today’s encryption mechanisms are easy to use and fit into the daily work of employees everywhere.

Let’s break the world into structured data which sits in a database and unstructured data which lives in documents.  I’ll start with data in databases.  All major database systems allow you to encrypt the database files or encrypt data inside the database.  Transparent Data Encryption (TDE), column-level and field-level encryption are all examples of methods of protecting the data.  Other methods including hashing are common with passwords, but could be used with other information.

Even though most of us think that all stolen or leaked data is in a database, the reality is that about 80% of the information we use is in documents.  Methods for encrypting documents run from a simple password you can use inside an application like Adobe Acrobat to Enterprise Digital Rights Management (EDRM).  In between are endpoint encryption to encrypt files at rest on a hard drive, encrypting file systems that can assign access rights to files while they are in a particular location or transport security like SSL/TLS.

On the database side, many of the reasons for not using encryption are because applications may have to be rewritten or there might be some performance issues.  Realities for not doing it are more likely that developers and administrators haven’t thought it was necessary.  Many organizations assume there is enough protection at the perimeter or on devices, so they don’t bother with the data.

The same thinking frequently applies to documents.  People assume with all the perimeter controls and endpoint encryption that things are covered.  This works sometimes, but if someone can get to your documents, they can copy them elsewhere and have complete access to what’s inside.

Implementing EDRM that provides document encryption with access and permission controls is the only real way to protect the content inside documents at all times.  All a user has to do is save the document they work on and a security policy can automatically encrypt it and apply granular permission controls.  Impact to productivity is minimal, since you can let everyone in your organization do everything they already do with their documents, but ensure that if a document got into the wrong hands, it is inaccessible.  Users go about their daily activities and most don’t even realize the encryption is there.  You don’t think about it, it just does it’s job.

It’s the same as shopping securely online.  It just happens in the background and you don’t think much about it.

Encrypting data should be the rule, not the exception.  Just like you lock your house when you leave, lock your data.  It’s easy and keeps you safe and out of the headlines.

Fasoo Moderates Panel on Cybersecurity and Your CompanyBill Blake, Senior Vice President and CCO (Chief Customer Officer) of Fasoo, moderated a panel discussion on Cybersecurity on September 13, 2017 at Harter Secrest & Emery LLP in Rochester, NY.  The event entitled Cyber Security & Your Company – What You Need to Know Now featured industry leaders and experts from The Bonadio Group, Fasoo, Lawley, and Harter Secrest & Emery LLP discuss how, when, and why to plan for a cyber attack.

The event was part of a continuing dialog with organizations on the needs for stricter cybersecurity controls in the wake of the ever growing threat of data breaches and threats to business operations.  Recent data breaches at Equifax, Verizon and others show that any organization is vulnerable to external attacks or insider threats.  Regulations and legislation, such as the New York NYDFS 23 NYCRR 500 cybersecurity regulations and GDPR in Europe, are causing businesses to improve their security posture to protect business and customer information.

Paul Greene, an attorney with Harter Secrest & Emery LLP, started the event with some opening remarks and Bill Blake got right into the discussion questions which hit on a number of cybersecurity topics, including how to prepare for a cyber attack, the role of insurance in your incident response plan and how the newest cybersecurity regulations and laws affect your business.

High on the list was a discussion of the recent Equifax data breach and how it affects businesses and consumers.  This lead to a discussion and questions about risk assessments and how they are critical to improving your cyber security posture.

Carl Cadregari, an Executive Vice President at The Bonadio Group, talked about the frequency of doing a risk assessment.  This is not something you can do once.  The threat landscape is constantly changing and the needs of your business are evolving, so you need to continually assess your risk and the best ways to mitigate it.  Carl said that finding your most sensitive data and encrypting it is one of the best ways to ensure you are protected.  If a hacker gets encrypted files, they won’t be able to use them.  In many cases this may not be considered a data breach, so you don’t need to report it.

While most of us think about technical solutions, legal ones are as important as well, since a cybersecurity event is not a breach until your attorney says it is.  Paul Greene mentioned “It’s important to involve counsel in your Risk Assessment process because it allows you to have a full and frank discussion about any shortcomings you may find, without worrying that those discussions can be used against you.  That’s the protection of the attorney-client privilege, it allows for that “oh [expletive]” moment when you discover something that may be really bad, without the worry that those communications will be used against you.”

Reggie Dejean, a Specialty Insurance Director from Lawley Insurance, talked about the crucial role of insurance in any cyber compliance program.  He said, “Cybersecurity insurance can help mitigate the financial loss that occurs when, not if, a data breach happens to a company. These policies can help cover some of the costs which include forensics, credit monitoring, notifying those affected, public relations and more. In today’s world, any size company is susceptible to a cyber breach, so cyber intrusion insurance can help reduce your risk and costs.”

Bill Blake brought up printing as a risk that many organizations don’t think about.  There tends to be a focus on digital assets, but if someone prints sensitive information, there is still the same liability when it comes to regulation and the law.  Numerous audience members asked if protection of sensitive data extends to paper files and the general consensus is that it does.  Preventing printing to minimize risk is clearly a good strategy when applicable, but masking sensitive data and applying visible watermarks are also good strategies to help eliminate sensitive data on paper and allow you to trace the information back to the person that printed it.

Another big discussion was around risk in the supply chain.  An audience member from a bank said they share a lot of information with Equifax and was wondering if the bank is liable because of the Equifax data breach.  Under the NYDFS 23 NYCRR 500 cybersecurity regulations an organization is responsible for the security of data it shares with its supply chain.  Whether the bank needs to inform authorities of a breach in its supply chain is unclear, but it is ultimately responsible for its data.  Third and fourth party protection will come from both technical and legal remedies.  You need air tight legal agreements to mitigate your risk, but encrypting and controlling your shared information is the best solution to supply chain risk.

The event finished with questions from attendees on the most challenging areas in their companies for compliance.  One bit of advice from the panel was to remember that companies should focus on protecting their sensitive information.  While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business.

You Need Data-Aware Protection MechanismsData breaches pose one of the greatest threats to business and government.  With the recent data breach at Equifax magnifying the problem of data loss in businesses and the public sector, it’s time for organizations to think hard about using data-aware protection to safeguard sensitive information.

The ever-changing cybersecurity landscape requires organizations to evolve beyond merely protecting the network perimeter and end-points to implementing protections on the data.  When data breaches are successful, the costs can be staggering.  How much will it cost Equifax to offer credit monitoring to millions of people?  What makes these data breaches so disheartening is that many could be avoided or mitigated by modernizing legacy IT systems and protecting information at the data or document level.

While years of investment have helped strengthen network and end-point security, the data continues to leak.  Attacks continue to breach the perimeter and insiders have accidentally or intentionally distributed sensitive information to unauthorized recipients.  Phishing attacks and other social engineering are getting more sophisticated so that traditional perimeter security detection and prevention is becoming ineffective.

Situations like the Equifax data breach point to many organizations not even doing the basics around security.  Default passwords, running old software and not patching systems are some of the most common reasons for data breaches.  Equifax even had references on its website to the Netscape browser which has not been in use in almost 10 years.  Some of this may be that IT departments are overwhelmed with daily tasks or have outsourced portions of their IT and security activities to third parties.  Experian hired a third party to do a risk assessment of their infrastructure following the last breach. It seems the assessment and remediation efforts were not that effective.

Rather than solely focusing on the perimeter, protection mechanisms that are data-aware provide much stronger risk mitigation.  The encryption of digital files using enterprise digital rights management (DRM) is the best way to thwart hackers or insider threats.  Some organizations are also using attribute-based access control (ABAC) to limit access to specific data in databases or other information systems.  Combining audit information from the ABAC system with the DRM-protected document interactions provides insights into who accessed sensitive data, when and from where.  Since data protected by DRM can be dynamically controlled, incident response programs benefit from the ability to completely revoke access to sensitive information, even after it has left the organization.

We have reached a critical point in data security.  We can either take the necessary steps to protect the data or cross our fingers and hope there will not be another major breach.  That’s like hoping it doesn’t rain.  It sounds great, but the reality is the next storm is around the corner.

 

Photo credit Merrill College of Journalism

Can You Stop Former Employees Taking Your Data?It’s a good question and one that many organizations don’t think about thoroughly.  You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job.  You may have a comprehensive provisioning system that grants access to all applications and data.

But how about when someone leaves?  It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks?  Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.

While an employee or contractor, many people create and use a lot of documents that contain intellectual property, financial data, employee and customer information.  Given the nature of work today, these documents are stored on laptops, mobile devices, in cloud services, and all over your organization.  In fact 70 percent of organizations do not know the location of confidential information, according to a study by the Ponemon Institute entitled “Risky Business: How Company Insiders Put High Value Information at Risk”.

A recent survey by OneLogin found that 47 percent of organizations admit that one in every 10 data breaches were tied directly to former employees.  We don’t want to stop employees from working where they want and when they want, but it’s important to control access to the documents they use, regardless of location.

The best way to control access to documents is to encrypt them and apply permission controls that limit what an authorized user can do with the document.  This applies to documents created at the desktop, reports run from databases and documents downloaded from information systems and document repositories.  The controls are persistent and even apply to all derivatives of the documents, so no matter how many copies are out there, they are controlled and managed.

When an employee leaves the organization, you only need to remove their access in one place and all sensitive documents are inaccessible.  That person now becomes an unauthorized user.  It doesn’t matter if the document is in a cloud service, on their home PC, in email or on a thumb drive.  You don’t have to go looking for them, because once you de-provision the employee, their access is gone for all documents.  If they try to open them, they see a bunch of random characters.

While controlling system access is important, controlling access to the documents that contain your sensitive data is more important.  Applying controls on the documents themselves ensures you can turn off that access with a click of a mouse the moment an employee becomes a former employee.

 

 

Photo credit ThoroughlyReviewed

Categories
Book a meeting