Tag: information rights management

Protect data in the cloud with Fasoo encryption, access control and in-use protection

The enterprise is moving to the cloud to ease collaboration for partners and employees. The cloud enables work-from-home and hybrid working models and enhances productivity.

But the cloud is vulnerable to human error and misguided settings, putting your data at risk of unauthorized access. According to Gartner, preventable misconfigurations and end-user mistakes cause more than 99% of cloud breaches. Cloud providers apply their own flavor of security, but data needs its own protection.

What’s the risk of storing data in the cloud?

End-users share Dropbox links and credentials from personal smartphones via Wi-Fi hotspots. They email documents to friends and unauthorized third parties. You’d no more send your data out into the world without policies, access controls, and encryption than send a child out into the cold without a coat. But if you leave security to the cloud, who knows where your data ends up.

Amazon S3 buckets include unlimited storage. But weak settings leave default credentials intact, granting limitless access to criminal hackers who automatically search and exploit bucket links. When criminal hackers kidnap your files, cloud cyber defenses seldom follow behind. You need centralized control with enterprise security that wraps your data and sticks with it.

Enterprises work with many cloud providers, passing data from one environment to the next, one job to the next. You may have some visibility when you pass data directly to the cloud. But what happens when that cloud routes your data to other cloud environments for processing? It’s one thing to entrust your child to someone you know; it’s another to let them hand her off to someone they know.

Cloud providers may offer security policies, identity and access controls, and encryption for data in transit and at rest. But those stop short where the cloud ends, leaving your intellectual property (IP) open to theft by criminal hackers and exploitation by unscrupulous competitors.

How do I protect my sensitive data in the cloud?

Enterprise Digital Rights Management (EDRM) eases moving to the cloud, binding location-agnostic security controls to unstructured data. EDRM embeds encryption, persistent IDs, and access control policies with sensitive documents. Your custom controls travel with your files into unmanaged, unsecured environments.

EDRM maintains data governance policies and controls on your confidential documents whether you move them to Salesforce, Box, Microsoft Azure, or AWS. You can track documents in and beyond the cloud, maintain access controls, and change granular permissions and privileges at any point using centralized policy management.

You don’t have to care what cloud has your data; EDRM keeps it safe when cloud security fails. If the cloud provider has a breach, so what? EDRM maintains the security policies, controls, and enforcements you’ve set in motion, no matter who has your data.

You can ease moving to the cloud by mitigating your risk. The Discovery Classification Tool (DCT) identifies old, redundant, and obsolete data. You can delete obsolete files and duplicates and archive data you must keep, reducing your attack surface, data management requirements, and cloud costs. Then use EDRM to apply policies and encryption to the data you use, and move it to the cloud.

Chat with the Fasoo team and discover how your peers deploy Enterprise DRM in the cloud.

 

Protect your sensitive data with Enterprise DRM

Corporate data is the lifeblood of business and because of remote work and constant competitive pressures, it is more vulnerable than ever. Protecting that data while still making it available to those who need it is why many organizations are turning to Enterprise Digital Rights Management (EDRM).

Information security, privacy, regulatory compliance, and data governance requirements drive how we manage corporate data.  Business requires us to share sensitive information with employees, contractors, business partners, and customers, but we need a way to do it securely without impacting everyone’s productivity.

The realities of today mean that many of us may work from any location at any time, using any device.  Outsourced functions range from finance and human resources (HR) to design and manufacturing.  If you outsource manufacturing or finance to a third party, how do you define your corporate boundary for data, since your sensitive information is in the hands of a business partner?  Add to this the real threat of external hackers and insider threats from employees, contractors, and the third parties you use for key business functions.

How do you protect the most important information in your business?

Here are 5 reasons why you should seriously consider Enterprise DRM as part of your information security, data governance, and compliance strategy.

Protect Your Intellectual Property

Intellectual property (IP) is a critical asset for your business.  It lets you create unique products and services that drive revenue.  It differentiates you from the competition and keeps your customers coming back.  If this information accidentally or deliberately leaks, you can suffer financial loss and possibly go out of business.

EDRM protects your intellectual property from unauthorized access and controls what an authorized user can do with it. You can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information. You can control derivatives of documents since people share IP in PDF or other common formats with both internal and external recipients. Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network. You can also revoke access or change permissions after you distribute a document if the sensitivity of the information changes or if the set of people who should have access to it changes.

Protect Customer Data

Any business that deals with personal information or takes credit cards must protect it from unauthorized access. Regulations such as GDPR, CCPA, HIPAA, PCI DSS, and numerous other laws mandate that third-party data is under strict control and only authorized people can access it. Violations can result in hefty fines and cause major legal and business problems.

EDRM controls how employees, contractors, and business partners use this sensitive information.  It can prevent sharing the data with unauthorized users by controlling access, screen captures, and adding visible watermarks to both printed documents and those viewed on a screen or mobile device.  Since third-party data typically has a shelf life, you can limit access to a specific time and revoke access to any distributed files immediately, regardless of location.

Protect Your Customer’s Intellectual Property

You may also be a steward of your customer’s intellectual property.  Manufacturing and business services organizations commonly have sensitive designs or client data that is worth stealing.  An organization’s supply chain can be the weakest link in its security which makes it an easy target for hackers and trusted insiders.  Your customers trust you with keeping their intellectual property safe and out of the hands of their competitors.

Enterprise DRM protects your customer’s intellectual property from unauthorized access.  You can automatically encrypt and assign access controls to sensitive documents as you save them.  If different groups use this information, you can easily limit access based on projects or customers.  If an employee working with one customer’s data accidentally shares it with another customer, you are protected since only authorized users can see and use the data.  This provides built-in safeguards for those people working on multiple projects.

Protect Employee Privacy

HR, Finance, and other departments have a lot of sensitive employee data, including social security and insurance numbers, health information, salary data, and the results of drug tests or criminal background checks.  Controlling its access and distribution is part of the social and legal compact any employee has with her or his employer.

Enterprise digital rights management can limit access to private information by controlling the users and groups that can see it.  You can control access dynamically through your identity access management (IAM) system so that as roles change in your company, so do access rights.  For information you share with outside service providers, you can provide read-only copies that you can revoke at any time.  Only recipients granted access can see the data, so your employees and outside providers can’t share the data with unauthorized users.

Provide Audit Trails

Regulatory compliance is a requirement for many businesses to prove they can manage critical information in a way that ensures chain of custody and proof that only authorized users had access.  Compliance is not just a matter of the law but is generally considered good business practice.  Compliant companies can prove they take information security and governance seriously and can use this as a selling point to their customers.

Enterprise digital rights management provides an audit trail of all user and file activities to ensure a chain of custody of information for electronic discovery and proves that only authorized users have access to sensitive data. This helps your organization understand the flow of important information and simplifies eDiscovery in the event of litigation.  Since many regulations require you to prove to a regulator that you meet their requirements for protecting privacy, audit trails are easily available in downloadable reports.

 

Enterprise DRM can help you meet information security, regulatory compliance, and data governance objectives, ensure privacy and protect the digital assets of your company.  It is the best way to protect your most important business information and get a good night’s sleep.

To learn more, download our Enterprise DRM whitepaper.

What good is a secure island if you’re left stranded? Former Secure Islands customers want to know, since their data protection software has finally reached end-of-life support after the company was acquired by Microsoft a few years back. The good news: they have more options than they may have thought.

*

As a startup, Secure Islands Technologies Ltd. was a success story. Not so much for some of its early customers, we hear.

Two brothers, Aki and Yuval Eldar, founded Secure Islands in 2006 in Jerusalem. Microsoft acquired the company for $150 million in 2015 and made its technology an essential building block for Microsoft’s Azure Information Protection (AIP, part of the Microsoft Information Protection framework MIP). Six years later, to Secure Islands customers who decided AIP wasn’t for them, it may seem as if they are stuck.

So far, so predictable. As far as startup exits go, you’ve heard the stories. The outcome can be ugly: early customers are left holding the bag, with nowhere to turn. It can also be a blessing in disguise: for example, when IT discovers alternatives that show how far a technology has come elsewhere since its nascent stage.

Such happy endings happen. Take enterprise-level Digital Information Rights Management (DRM), for example. Also referred to as Information Rights Management (IRM) sometimes, it has come a long way since the aughts. This development is good news for organizations looking for AIP alternatives.

No happy endings on security islands

Information protection solutions of the past were difficult to deploy and scale. Workflows slowed down. Productivity suffered. That said, today, we see a different picture. The success of solutions such as Fasoo Enterprise DRM triggered a resurgence of the category, primarily for three reasons: 

  • Mature Enterprise DRM solutions ensure comprehensive data protection that extends far beyond one or two document ecosystems

Fasoo Enterprise DRM, for example, covers more than 230 document formats, including images, CAD files created with forty different applications, and old Microsoft Office documents that even AIP cannot encrypt. This approach extends beyond Microsoft Office or  Adobe PDF files and prevents the creation of “security islands” that leave critical documents unprotected.

 

 

  • Centralized policy management and control beats having to deputize (and train) your end users as security experts.

AIP uses Secure Islands technology to categorize documents, which can result in certain limitations. Depending on a company’s Microsoft licensing level, users may have to manually label the documents they import or create and decide what protection and permissions to assign.

Other limitations concern larger organizations that deal with high volumes of unstructured data daily, such as financial institutions and globally operating law firms. AIP limits the number of sensitivity labels per organization to 500 for labels that assign encryption specifying the users and permissions.

Another issue in these industries is AIP’s lack of SDKs to facilitate integration with iManage and other Enterprise Content Management (ECM) platforms. In organizations that need to encrypt files across thousands of file-sharing folders and subfolders, this means they would have to apply an AIP label to each manually just for simple encryption.

Fasoo Enterprise DRM represents a different, “file-centric, people-centric” approach that enables organizations to preserve and support proven and efficient workflows. Policies defined by IT automatically determine at the point of creation who can access a protected document and how. Exceptions are handled flexibly and “on the fly”, for example by granting a provisional permission on a temporary basis.

  • Document protection in the cloud requires a mature enterprise DRM solution.

Cloud collaboration plays an important role in selecting an enterprise DRM solution. Companies now looking for alternatives to AIP are clear about this point: they want document protection that travels with the file and doesn’t end at their organization’s IT perimeter.

Their old information protection technology was devised years ago, with no consideration yet for the cloud. One consequence is that it can only protect sensitive documents on a computer or mobile device. Once the file is uploaded to the cloud outside the Microsoft ecosystem, document protection is lost.

In contrast, Fasoo Enterprise DRM ensures that persistent security remains with documents, pictures, audio, video, and 3D CAD drawings regardless of their location, whether in the cloud or on a flash drive. Senders can set a validity period or revoke access immediately, even after distribution. The organization remains in control of sensitive files at rest, in use, and in motion – no matter where they may end up. 

Worried about your document protection getting stuck on a security island? In summary, these three rules will help you not to miss the boat: 

1. Document protection worth its name requires properly protecting all confidential documents that need protecting, not just those preferred by one solution vendor.
2. If “automatic labeling” was the promise, you’ll hate seeing it turn into manual labor over a few hundred or thousand file-sharing folders.
3. No company is a secure island; the cloud is real, and so is the need for document protection in the cloud.

Contact the Fasoo team to find out more!

 

Photo: Federal Courthouse in Portland, OR

Global manufacturers in innovation-driven industries are ramping up their document protection against intellectual property theft.

Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.

But first, a quick look at the court dockets. Did you hear about that lawsuit filed by Intel in February against a former employee who joined Microsoft?

Talk about an IP theft textbook case. Intel accuses [PDF] a former product marketing engineer of exfiltrating “highly confidential, proprietary, and trade secret information” on his way out the door – to Microsoft.

So far, so common. That’s true even in the most security-conscious companies, as this most recent example shows. It highlights how a combination of three factors poses mounting risks to the IP of many tech and manufacturing companies: 

  • blurred IT and security perimeters with a plethora of unmanaged (storage) devices,
  • increasing competition, coopetition, and fluctuation of engineers and other key personnel with access to trade secrets between competitors,
  • the inability to centrally monitor, control, and police how employees access sensitive documents, especially when they leave the company.

It’s at that point where the IP protection capability mentioned in the title of this post can make all the difference; we’ll get to that in a minute. But first, let’s look at what allegedly happened when the Intel engineer left the company after ten years in January 2020.

What did he allegedly do, and how? The company alleges that on his last day on the job, the employee downloaded roughly 3,900 files from a company computer “to a personal Seagate FreeAgent GoFlex USB drive.”

Bar chart image with IT Security Alert Fatigue research results
Insider threats: How can almost 4,000 sensitive files get downloaded from a company-issued computer to an unmanaged device without anyone noticing? One possible – and common – explanation is alert fatigue. Data Source: Cloud Security Alliance

 

3,900 confidential files walk out the door at Intel

Hm, what? And he walked out the door with it where, and why? Fast forward to February 2021:

In the federal court filing [PDF], the plaintiff claims that the defendant – now Principal of Strategic Planning in Microsoft’s Cloud and Artificial Intelligence department – “used the confidential information and trade secrets he misappropriated […] in head-to-head negotiations with Intel concerning customized product design and pricing for significant volumes of Xeon processors.”

Ouch. Yes, these are only allegations so far. They have yet to be proven in court.

But however the jury finds in the end, the court filing is remarkable for what it reveals between the lines. Intel’s lawyers credit Microsoft and its forensic investigators for helping to unearth the “full breadth” of the alleged deeds.

Which gets us to the main point of this post: 

 

Was this IP protection failure preventable?

Granted, hindsight is 20/20. Yet from an IP protection perspective,  one could argue that all of this would have been entirely preventable. 

How do we know, you ask? Coming right up, it’s all laid out right there in the court filing. Intel, if we believe the lawyers, had insufficient visibility into and no control over an (ex-) employee’s access and use of sensitive proprietary files. And indirectly, the company admits as much. 

For example, the lawsuit alleges that once at Microsoft, the former Intel employee “accessed, viewed, opened or otherwise interacted with more than one-hundred documents taken from Intel […] at least 114 times” from his company-issued Microsoft Surface laptop.

Mind you, Microsoft’s helpful forensic investigators unearthed these (incomplete) insights only after the fact, according to Intel’s grateful lawyers.

Had the individual files been encrypted and their use governed by centralized policy management from the get-go, the engineer’s access would have ended with his tenure at Intel.

 

The case for DRM with centralized policy management

Cases like this should not come as a surprise. We’ve seen a rising wave of similar insider-related incidents over the past three years. The tech and mobility industries are bearing the brunt of the attacks.

The threat has caused more IT leaders to deploy enterprise DRM (also known as Information Rights Management, IRM). This file-centric, people-centric, and platform-agnostic approach enables organizations to protect unstructured data at rest, in transit, and in use.

Think MS Office documents, PDF files, images, or CAD designs, for instance. They are encrypted at the point of creation. The protection applies wherever a file is stored or moves to, inside or outside the organization’s perimeter.

File use can be monitored, access policies and permission levels centrally managed by IT, risk officers, and HR, and flexibly adjusted on a granular level by the data owner.

Let’s take a product design file protected by Fasoo Enterprise DRM, for example. It will check back in the background with a central Fasoo server when someone tries to access it. Does this user still have the proper authorization to open, copy, download, or print the document?

If not, it doesn’t matter if a former employee took it home on a portable hard drive or USB stick – IP protection is ensured. The document is worthless for whatever that person wants to do with it, locked with FIPS 140-2 level encryption that meets the requirements of the Cryptographic Module Validation Program (CMVP) of the US government. 

 

Nothing to see here after HR and IT flip the switch

In summary, file-centric document protection makes IP “misappropriation,” as alleged in the case brought by Intel, impossible.

Overview image: File-centric encryption and control with Fasoo Enterprise DRM

Centralized yet flexible and painless policy and exception management are among the top priorities for document protection program leaders when choosing an enterprise DRM solution, they tell us. Fasoo Enterprise DRM empowers IT, in coordination with HR, to set and change document use policies in sync with users’ employment lifecycle, from onboarding to the last day at work.

One global technology manufacturer that is leveraging enterprise DRM to protect its IP is Fasoo customer ZF Group. This automotive industry supplier with 240 locations in 41 countries now deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, across its global tech centers.

“Before, we had a few incidents where engineers with years of insider knowledge and access to documents left and joined a competitor,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division in Livonia, Michigan.

“As a company, you spend years training engineers in the ways you do things, and they get access to your most intimate know-how and process knowledge,” he explained. “You cannot just block them; they need it. But you also need to be able to quickly adjust access privileges on a granular level, without delay.”

“It’s a fine line to walk,” Markus told us. “You have to find the right balance between maximum IP protection on one side, and productivity on the other. Fasoo helps us maintain this balance.”

*

To learn more about how to prevent intellectual property theft and leakage in manufacturing and supply chain environments while maintaining a competitive edge, watch our Fireside Chat at Apex Assembly Tech Leaders Northeast Summit on March 30th, 2021 with GE Gas Power cybersecurity researchers Hillary Fehr and Christopher Babie.

Protect Trade Secrets against Insider Threats

Insider threat has been an issue for many years, but the consequences of these events have a strong and long-term impact on your business.

If competitive advantage isn’t enough reason to protect sensitive data, how about the legal costs?

The risk posed by insiders is again in the spotlight as Anthony Levandowski, a founding engineer at Google’s autonomous vehicle project, now known as Waymo after it was spun off in 2016, has been convicted and sentenced to 18 months in prison. After 3 long years of legal proceedings in which Levandowski was charged with stealing trade secrets by downloading 9.7 GB of confidential files, he was sentenced to 18 months in prison and ordered to pay over $178 million in fines to Google.

Justice Served for Trade Secret Laws, But Levandowski’s Actions Have Significant Collateral Damage

Levandowski founded Otto, another autonomous vehicle technology company, after leaving Google, which was acquired shortly thereafter by Uber. A year-long legal battle ensued with Waymo claiming damages of $1.9 billion. A guilty verdict against Uber could have delayed its own self-driving initiatives for years.

Surprisingly, five days into the high-profile trial, the companies settled for a relatively small payment by Uber to Google of $245 million. The back story for the small settlement is that Google is an early investor in Uber, both recognized the damage to their brand reputation, and the cost of an extended trial was not appealing.

And It’s Not Over Yet

A TechCrunch article notes Levandowski’s apology, but a lawsuit by Levandowski against Uber for $4 billion to cover his legal fees has now been filed. Uber allegedly promised indemnity to Mr. Levandowski in anticipation that Google would sue him for entering a relationship with a competitor. The trickle-down effect means potentially more payout and certainly more litigation fees affecting an additional company, Uber.

Insider Threats Come In Many Forms

Insider threats don’t all have the high profile of Levandowski nor the same origins. In his case, it was malicious and seemingly not for any real personal gain. Insider threats often involve documents emailed to private email accounts, saved to USB and other storage devices, or copied onto personal devices.

According to InfoSecurity Magazine, employee errors represent over 60% of the insider incidents, and in today’s climate with remote workforces, innocent errors are more likely to occur.

Most Breaches Involve Documents In The Form of Unstructured Data

The information Levandowski had taken was in unstructured document format: blueprints, design files, and testing documentation. He did not steal information from structured databases, where most businesses emphasize security.

Stop Insider Threat with Strong Protection and Behavior Analytics

IP that you just can’t afford to lose needs strong protection. It’s not good enough to simply prevent it from leaking through data loss prevention, because it can still get out. You need granular access control over the files, where they are encrypted and access is controlled. This is best done with enterprise digital rights management tools.

And you will generally want to have behavior monitoring in place as well so that you can identify any anomalies and identify someone who may be attempting to take information for malicious use or as a career move.

Protect data on laptops from terminated employees

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them? It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on.  These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!

 

Photo credit Ian Sane

 

Can You Stop Former Employees Taking Your Data?

It’s a good question and one that many organizations don’t think about thoroughly. You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job. You may have a comprehensive provisioning system that grants access to all applications and data.

But how about when someone leaves?  It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks?  Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.

While working as an employee or contractor, many people create and use a lot of documents that contain intellectual property, financial data, and employee and customer information. Given the nature of work today, these documents are stored on laptops, mobile devices, in cloud services, and all over your organization. In fact, 70 percent of organizations do not know the location of confidential information, according to a study by the Ponemon Institute entitled “Risky Business: How Company Insiders Put High Value Information at Risk”.

A recent survey by OneLogin found that 47 percent of organizations admit that one in every 10 data breaches were tied directly to former employees.  We don’t want to stop employees from working where they want and when they want, but it’s important to control access to the documents they use, regardless of location.

The best way to control access to documents is to encrypt them and apply permission controls that limit what an authorized user can do with the document.  This applies to documents created at the desktop, reports run from databases and documents downloaded from information systems and document repositories.  The controls are persistent and even apply to all derivatives of the documents, so no matter how many copies are out there, they are controlled and managed.

When an employee leaves the organization, you only need to remove their access in one place and all sensitive documents are inaccessible.  That person now becomes an unauthorized user.  It doesn’t matter if the document is in a cloud service, on their home PC, in email or on a thumb drive.  You don’t have to go looking for them, because once you de-provision the employee, their access is gone for all documents.  If they try to open them, they see a bunch of random characters.

While controlling system access is important, controlling access to the documents that contain your sensitive data is more important.  Applying controls on the documents themselves ensures you can turn off that access with a click of a mouse the moment an employee becomes a former employee.

 

 

Photo credit ThoroughlyReviewed

4 Reasons You Need Enterprise Digital Rights Management

In today’s business world, information security, regulatory compliance and data governance requirements are driving a top to bottom change in how we manage corporate data. As the walls of an organization blur, new business models make the definition of employee, business partner and corporate information difficult to define.

Many companies allow employees to work from any location at any time using any device. Outsourced functions today range from design to manufacturing to finance and human resources. If I outsource manufacturing or finance to a third party, how do I define my corporate boundary for data, since my sensitive information is in the hands of a business partner? Add to this the real threat of external hackers and insider threats from employees, contractors and the third parties I use for key business functions.

How do you protect the most important information in your business?

Here are 4 reasons why you should seriously consider enterprise digital rights management (EDRM) as part of your file security, data governance and compliance strategy.

Protect Intellectual Property

Intellectual property (IP) is a critical asset for your business.  It lets you create unique products and services that drive your revenue.  It differentiates you from the competition and keeps your customers coming back.  If this information accidentally or deliberately leaks, you can suffer financial loss and possibly go out of business.

EDRM protects your intellectual property from unauthorized access and controls what an authorized user can do with it.  You can enable or prevent the ability to view, edit, print, copy and even take a screen capture of the information.  You can control derivatives of documents, since people share IP in PDF or other common formats with both internal and external recipients.  Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network.  You can also revoke access or change permissions after you distribute a document, if the sensitivity of the information changes or the people who should have access to it change.

Protect Third-party Data

Any business that takes credit cards or deals with personal information must protect it from unauthorized access.  Regulations such as HIPAA, PCI and numerous data breach laws mandate that third-party data is under strict control and only authorized people can access it.  Violations can result in hefty fines and cause major legal and business problems.

Enterprise digital rights management controls how employees and business partners use this sensitive information.  It can prevent sharing the data with unauthorized users by controlling access and screen captures and by adding visible watermarks to both printed documents and those viewed on a screen or mobile device.  The person sharing the sensitive content can restrict access to a trusted browser-based viewer, which prevents a user from downloading it.  Since third-party data may have a shelf life, you can limit access to a specific time and revoke access to any distributed files immediately, regardless of location.

Protect Employee Privacy

HR and other departments have a lot of sensitive employee data, including social security numbers, health information, and the results of drug tests or criminal background checks.  Controlling its access and distribution is part of the social and legal compact any employee has with her or his employer.

Enterprise digital rights management can limit access to private information by controlling the users and groups that can see it.  You can control access dynamically through your internal access management system so that as roles change in your company, so do access rights.

Provide Audit Trails

Regulatory compliance requires many businesses to prove they can manage critical information in a way that ensures chain of custody and shows that only authorized users had access.  Compliance is not just a matter of the law, but is generally considered good business practice.  Compliant companies can prove they take information security and management seriously and can use this as a selling point to their customers.

Enterprise digital rights management provides an audit trail of all user and file activities to ensure chain of custody of information for electronic discovery. This helps your organization understand the flow of important information and simplifies eDiscovery in the event of litigation.

 

Enterprise DRM can help you meet information security, regulatory compliance and data governance objectives, ensure privacy, and protect the digital assets of your company.  It is the best way to protect your most important business information and get a good night’s sleep.

 

Photo credit Jason Baker

Follow Up: Data Encryption is the Answer

Even after suffering from a devastating data breach, the National Association of Federal Credit Unions (NAFCU) is dismissing the idea that the data encryption rule should be implemented. Instead, it says credit unions should follow best practices and look into options other than encryption.

Just to refresh your memory, at the end of 2014, the National Credit Union Administration (NCUA) suffered a data breach when one of their own had lost a thumb drive containing personal credit union member information during a routine audit. That included names, addresses, Social Security numbers and account numbers for around 1,600 members worth around $13 million.

However, those in the security industry know that encryption, especially with information rights management, is distinctly the reasonable choice to protect your data. As Debbie Matz, the Board Chairman for the NCUA, said, “We are contemplating a rule, which would require encryption…” She continued, “Short of requiring it, we’re really struggling trying to figure out how to prevent data breaches. That’s a very fundamental thing to do, to make sure that if the data is lost or stolen that members’ confidential information is protected.”

Sooner or later, as can be seen in New Jersey and New York, and as looks set to extend to other states, the NCUA will have no choice but to encrypt or apply the best security measures to protect the data itself, no matter where it is. Organizational policies, training and security regulations to abide by just don’t cut it, as proven by the countless headlines about data breaches.

Correct data security and the ability to protect the data of others should be viewed with the utmost importance. From insider threats (both malicious and accidental) to external hackers, even stolen data must not be as easy to access as it was in the cases we have seen in the headlines.

To share files that contain these kinds of data, the concern that they will get stolen must disappear. How much longer must we worry about these cases? You don’t have to worry at all, knowing that you can implement Fasoo Enterprise DRM (digital rights management) and set permissions for accessing the documents.

 

Photo Credit: Chris Potter

Spike in Data Breaches Affects Public Confidence

The recent spike in data breaches this year, 24,000 news stories to be exact, has led to record low levels of public confidence in data security, according to Deloitte. Last year, only 5,474 data breach news stories were reported, and even fewer in 2012, with 4,023. This number alone does not mean a greater number of data breaches, but the increase in news stories has definitely raised awareness amongst the public. Most of the reports have been negative, and they have pushed even the government to get involved in creating reforms that put greater emphasis on making sure organizations are accountable for the security of customers’ personally identifiable information (PII).

These statistics and reports on data breaches have left the majority of consumers with little to no confidence that organizations will keep their personal information safe from harm. It does not help that privacy policies and terms and conditions are not written in plain English and are too hard to understand, so the confidence level continues to drop.

Is it not time for organizations and consumers to be on the same page in understanding that consumer information needs to be protected, and that consumers need to know how their information is being protected in the simplest terms possible? In addition to insider threats, which account for data breaches such as the loss of devices containing PII, consumers and organizations must continue to worry about hackers stealing files with PII data in them.

File encryption with data-centric solutions such as information rights management (otherwise known as digital rights management or DRM) can protect the data persistently no matter where it goes, whether it is within the organization or stolen by hackers outside of the organization. Even when devices are stolen or lost and end up in the wrong hands, unauthorized access will not be allowed, or access can be revoked, in order to prevent another data breach from occurring.

Restoring public confidence should be the number one priority for all organizations. With an executive order from the President, severe penalties from the FCC and new laws being passed regarding data security, don’t be caught unprepared without a complete data security solution to protect consumer data from being accessed by unauthorized people.

 

Photo Credit: Otto Kristensen

Former Employees Stealing Corporate Data

We hear of a lot of insider threats these days involving disgruntled employees who have been fired. But earlier this month, a former COO of an on-demand startup left the company due to tensions with the founders and landed a job with their competition to aid in the company’s international growth. The issue here is that the former executive has been accused of copying a treasure trove of confidential data to his cloud account before he left, to be used to solicit employees from his former company. Even though his account was shut down following his departure, it has been perceived that there is no supportable evidence that the former COO still has those confidential documents.

It can be seen that this kind of insider threat was a planned, malicious insider attack involving the theft of sensitive company information. The insider saw an opportunity to benefit from this, and the former company had little it could do to revoke his access to those files. As many headlines have said in the past, it is all about protecting the data, and that means being able to revoke access to sensitive files that contain confidential data. In this case, that was not possible, which led to a big legal case between the two parties.

With the FBI and Department of Homeland Security sending out warnings to all organizations about insider threats, no single organization is safe from malicious and, even more so, accidental insider threats. All the things they tell you to look for, and all the policies and rules that are assigned, will be of no use if your sensitive files are not encrypted with information rights management or digital rights management.

Even if files are lost or get into the wrong hands, unauthorized access is prevented and sensitive information is not exposed. Since files are automatically secured as they are saved, you can be assured that no one can access files leaked through any unauthorized disclosure to people inside or outside your organization, especially in cases of insider threats. It is time that no more data breaches such as those caused by insider threats reach the headlines.

Don’t be caught in a situation where you can’t protect your own files from these kinds of risks. It is up to you to mitigate these situations by having the proper data-centric solution to prevent cases like these.

Photo Credit: Karri Huhtanen

The Dangers of Insider Threats in Critical Infrastructure

It is scary enough that intelligence officials say cyber security now trumps terrorism as the No. 1 threat to the U.S. The most recent data breach attacks on the White House and Office of Personnel Management are just the tip of the iceberg for the federal government. However, it gets even scarier when these breaches are insider threats to the nation’s critical infrastructure.

Based on research from a recent article, in April 2011, a lone water treatment employee allegedly shut down operating systems at a wastewater utility in Arizona in an attempt to cause a sewage backup that would damage equipment and create a buildup of methane gas. Luckily, automatic safety features prevented this, and no incident occurred. Earlier that year, an employee recently fired from a US natural gas company also closed a valve, disrupting gas service to nearly 3,000 customers for an hour.


So much sensitive information is vital to the country’s infrastructure that, given the concern about this information falling into the hands of unauthorized users, retail data breaches such as Target and Home Depot are considered small compared to what can happen without proper security for this information.

These days, to reduce costs, unqualified vendors, contractors and trusted business partners get privileged access to critical infrastructure facilities. The use of cloud services, remote work and Web technologies within critical infrastructure organizations further increases the problem if the sensitive information is not secured. The risk comes not only from outside hackers, but also from trusted employees and contractors, who can have their information stolen or can intentionally provide it to unauthorized users.

With the recent warnings provided by the Department of Homeland Security (DHS), it is important that the data is protected, since it would be too costly to stop using these outside vendors and replace them. Eliminate the risk with data-centric solutions such as information rights management, otherwise known as digital rights management.

In contrast with conventional security solutions, these solutions can protect the data persistently wherever it is. This is the only complete and effective solution that protects against unwanted data breaches, especially those caused by insiders with access to the nation’s critical infrastructure.

Photo Credit: Jonathan Brodsky
