
Protect-First Approach To Data-Centric Security
Sensitive Unstructured Data

Three predominant data-centric security methods



There are three predominant methods in the market today to prevent loss of, and unauthorized access to, sensitive unstructured data. Each is different, and the best way to compare and contrast them is to understand what a vendor’s solution is designed to defend and the primary data-centric tools it uses.

METHOD: Data Flow-Centric
  DEFENDS: Data at ingress/egress points
  TOOLS: Data Loss Prevention

METHOD: Location-Centric
  DEFENDS: Folders, file shares, disk, cloud files
  TOOLS: Identity & Access Management; Behavior Analytics

METHOD: File-Centric
  DEFENDS: Individual files (documents, CAD/CAE, PDF, media)
  TOOLS: Persistent Encryption; Identity & Access Management

Today, with increasing threats and the consequential impacts of a data breach, more organizations are adopting a file-centric method as the foundation of their data-centric architectures. It’s the only method that truly denies unauthorized access to your sensitive data no matter how it flows or where it resides. This protect-first foundation recognizes that if data isn’t properly protected, your entire house crumbles.

A file-centric method works as a frontline defense and can be deployed in combination with other methods to achieve a fortified, cohesive data-centric security architecture. Understanding the key distinctions between the methods helps you navigate vendor engagements and build a protect-first architecture that best fits your needs.

Data Flow-Centric

These solutions defend sensitive data at corporate infrastructure ingress and egress points and use data loss prevention (DLP) tools to stop data leakage. Ingress and egress points include servers, network endpoints, and cloud services.

Today, the majority of businesses have deployed DLP as point solutions, known as Integrated DLP (e.g., network DLP, email-server DLP, or endpoint DLP), while few have scaled to a full enterprise DLP deployment (e.g., a full solution suite across all points).

Data flow-centric characteristics:

DEFENDS:

Prevents data from leaking by intervening with the use or movement of data.

TOOLS:

Content matching that actively scans for regular expression matches, defined strings, keywords, patterns or data dictionary entries.

Additional tools that can be used include fingerprinting (indexing) and image recognition.

DLP solutions set up rules that specify conditions, actions and exceptions. The tools filter messages and files based on their content and prompt corrective measures. They can simply alert a user that an action may be risky or completely block the action. Examples include alerting when sharing sensitive data through email and restricting the copying of sensitive files onto a USB drive.

Many organizations have implemented email DLP since this is the most obvious ingress/egress point prone to unauthorized exchanges of sensitive data. While there are measured improvements, security and IT administrators still face challenges when implementing and operating DLP solutions, such as:

  • Rules are complex and create thousands of initial false alerts.
  • Concerns over disrupting user workflows cause administrators to loosen controls and implement few blocking mechanisms.
  • Alerts burden administrators, and backlogs might take weeks or months to address.

Too often businesses have inappropriate expectations for DLP. It works, but many underestimate the complexities and resources needed to build, tune, and manage policies to fit their environment. You should anticipate iterative refinement of rules and alert resolution.
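
To make the rule structure above concrete, here is a small DLP-style content filter written for this article (an added example, not any vendor's code): each rule has a content condition, the egress channel it watches, an action and an exception, plus an optional second check of the kind used to tune away false alerts (a Luhn test on card-number hits). The rule names, the domain corp.example and the sample events are constructed.

```go
package main

import (
	"regexp"
	"strings"
)

// Event is one thing the filter inspects at an egress point: here an
// outbound email or a copy to removable media (constructed for this example).
type Event struct {
	Channel   string // "email" or "usb"
	Recipient string // email address, or device name for usb
	Content   string
}

type Action int

const (
	Allow Action = iota
	Alert
	Block
)

func (a Action) String() string { return [...]string{"allow", "alert", "block"}[a] }

// Rule mirrors the condition / action / exception structure described above.
type Rule struct {
	Name      string
	Channel   string            // "email", "usb", or "*" for every egress point
	Pattern   *regexp.Regexp    // content condition
	Validate  func(string) bool // optional second check that cuts false alerts
	Exception func(Event) bool  // true when the rule should stay silent
	Action    Action
}

// luhnValid rejects digit runs that merely look like card numbers; this is
// the kind of tuning that turns thousands of initial false alerts into a few.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// internalRecipient is a constructed exception: mail staying inside corp.example.
func internalRecipient(e Event) bool { return strings.HasSuffix(e.Recipient, "@corp.example") }

// policy is a small constructed rule set: block card numbers leaving the
// company, alert on a CONFIDENTIAL marker, block project files copied to USB.
var policy = []Rule{
	{Name: "payment-card", Channel: "*", Action: Block, Exception: internalRecipient,
		Pattern: regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`), Validate: luhnValid},
	{Name: "confidential-marker", Channel: "email", Action: Alert, Exception: internalRecipient,
		Pattern: regexp.MustCompile(`(?i)\bconfidential\b`)},
	{Name: "project-files-usb", Channel: "usb", Action: Block,
		Pattern: regexp.MustCompile(`(?i)project[ -]?falcon`)},
}

// Evaluate runs every applicable rule over one event and returns the most
// severe action together with the names of the rules that fired.
func Evaluate(e Event, rules []Rule) (Action, []string) {
	result, fired := Allow, []string{}
	for _, r := range rules {
		if r.Channel != "*" && r.Channel != e.Channel {
			continue
		}
		hit := false
		for _, m := range r.Pattern.FindAllString(e.Content, -1) {
			if r.Validate == nil || r.Validate(m) {
				hit = true
				break
			}
		}
		if !hit || (r.Exception != nil && r.Exception(e)) {
			continue
		}
		fired = append(fired, r.Name)
		if r.Action > result {
			result = r.Action
		}
	}
	return result, fired
}
```

A run of digits that fails the Luhn check never reaches the alert queue, which is one concrete way the "iterative refinement" the text mentions is done.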

KEY INSIGHT:

Data flow-centric solutions are good at reducing risk but not a strong, protect-first approach. They don’t defend the data itself, but only how it flows in your organization. Any leakage exposes the data to unauthorized disclosure.

Location-Centric

These solutions defend sensitive data storage locations. They look for gaps and inconsistencies in identity and access management (IAM) and apply user behavior analytics (UBA) to reduce the risk of unauthorized disclosure of sensitive data. Locations include folders, file-shares, disks, and cloud services.

Location-centric characteristics:

DEFENDS:

Folder, file-share or disk from unauthorized access and suspicious usage.

TOOLS:

Analysis of IAM settings and policies to find discrepancies and obsolete controls.

UBA to monitor and detect anomalous events.

Unlike DLP solutions that query and assess content repetitively, location-centric solutions pre-process, classify, and tag sensitive data. These tags flag where sensitive content is located within your IT data architecture and use:

  • IAM tools: Find excessive, outdated, or inconsistent user permissions and missing passwords, evaluate access controls and authorization processes, and search Active Directory structures to discover discrepancies.
  • UBA tools: Monitor privileged and end-user access to detect anomalous behaviors (unusual mailbox activity, a large number of failed attempts to access a folder, or excessive downloads of files to a portable storage device).

Location-centric solutions are easier to implement than rules-based data flow-centric solutions because the tools are non-intrusive and rely on system logs and UBA. Location-centric solutions place priority on data visibility and are superior to many approaches when it comes to privacy compliance, audit and reporting requirements.

However, drawbacks with location-centric solutions include:

  • IAM and UBA tools are location-specific. Once a file is removed from the location and downloaded to laptops or endpoints, you lose visibility of the data.
  • Folder management becomes a challenge at scale as a single terabyte can spread to over 50,000 folders. Keeping access lists current and monitoring user activity across millions of folders is burdensome.
  • Like data flow-centric solutions, the alerts place significant demands on administrators’ workloads and their ability to respond in a timely manner.

While obfuscation tools are not native to these solutions, some do encrypt data while it resides and is used within a particular location. However, when files are downloaded to endpoints, stored in personal cloud accounts, or shared outside the location, protection, visibility and control are lost.

KEY INSIGHT:

Location-centric solutions use a “least privilege” approach as the foundation of their data protection method, not a “protect-first” approach. Critical gaps arise when data is moved from its original location and, lacking persistent encryption, expose your sensitive unstructured data to a breach.

File-Centric

In contrast to the other methods, persistent encryption and IAM are tied to and travel with the file, independent of networks, servers, locations and devices.

File-centric characteristics:

DEFENDS:

Office documents, CAD/CAE files, PDF, plain text, other digital media file types.

TOOLS:

Encryption is persistent, centrally managed and enforced at the file level.

IAM is assigned and enforced at the file level.

The method uses data classification tags to:

  • Encrypt the file contents: If exfiltrated, the sensitive data is obfuscated and of no value to threat actors.
  • Restrict file access to authorized users only: Authorized users can be individuals, departments, business units, or groups defined by role or title.
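
To show what "protection travels with the file" means in practice, and how centrally managed control persists through the file's life-cycle, the following Go program is an added example written for this article (not Fasoo's implementation or file format): a classification tag selects the policy, the content is sealed with AES-256-GCM under a per-file key held by a central key server, the policy header is bound to the ciphertext as authenticated data, the key is released only to authorized roles, and revoking centrally cuts off every copy at once. The classification-to-role table, file ids and sample content are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Policy is derived from the file's classification tag and travels with
// the file (a hypothetical format constructed for this example).
type Policy struct {
	FileID         string          `json:"file_id"`
	Classification string          `json:"classification"`
	AllowedRoles   map[string]bool `json:"allowed_roles"`
}

// ProtectedFile replaces the plaintext wherever the file goes. The header is
// readable but bound to the ciphertext as AES-GCM additional data, so editing it breaks decryption.
type ProtectedFile struct {
	Header, Nonce, Ciphertext []byte
}

// KeyServer stands in for the centrally managed key and policy store.
type KeyServer struct {
	keys     map[string][]byte
	policies map[string]Policy
}

func NewKeyServer() *KeyServer {
	return &KeyServer{keys: map[string][]byte{}, policies: map[string]Policy{}}
}

// Constructed mapping from classification tag to the roles allowed to open it.
var classificationRoles = map[string]map[string]bool{
	"Internal":     {"employee": true},
	"Confidential": {"finance": true, "legal": true},
}

// gcm builds the AEAD for a key; keys here are always 32 bytes, so failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Protect encrypts the content under a fresh per-file AES-256 key and keeps
// key and policy centrally; only the sealed envelope leaves the server.
func (ks *KeyServer) Protect(fileID, class string, plaintext []byte) (*ProtectedFile, error) {
	roles, ok := classificationRoles[class]
	if !ok {
		return nil, fmt.Errorf("unknown classification %q", class)
	}
	pol := Policy{FileID: fileID, Classification: class, AllowedRoles: roles}
	header, _ := json.Marshal(pol)
	buf := make([]byte, 32+12) // key || nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	ks.keys[fileID], ks.policies[fileID] = key, pol
	return &ProtectedFile{Header: header, Nonce: nonce, Ciphertext: gcm(key).Seal(nil, nonce, plaintext, header)}, nil
}

// Open asks the server for the key, which is released only if the caller's role
// satisfies the central policy; the header only identifies the file and is never trusted.
func (ks *KeyServer) Open(pf *ProtectedFile, user, role string) ([]byte, error) {
	var hdr Policy
	if err := json.Unmarshal(pf.Header, &hdr); err != nil {
		return nil, err
	}
	pol, ok := ks.policies[hdr.FileID]
	if !ok {
		return nil, fmt.Errorf("file %q unknown or access revoked", hdr.FileID)
	}
	if !pol.AllowedRoles[role] {
		return nil, fmt.Errorf("%s (%s) denied: file is %s", user, role, pol.Classification)
	}
	pt, err := gcm(ks.keys[hdr.FileID]).Open(nil, pf.Nonce, pf.Ciphertext, pf.Header)
	if err != nil {
		return nil, fmt.Errorf("header or ciphertext was tampered with")
	}
	return pt, nil
}

// Revoke deletes the key centrally, cutting off every copy of the file at once.
func (ks *KeyServer) Revoke(fileID string) {
	delete(ks.keys, fileID)
	delete(ks.policies, fileID)
}
```

An exfiltrated envelope is useless without the server-held key, and an edited header fails the GCM authentication check even for an authorized caller.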

File-centric solutions were historically used for very specific use cases but today are experiencing a market resurgence. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policies ensure access and protection are consistently applied across all networks, file-shares, devices, end-points and cloud services.

And when it comes to denying access to sensitive content, the file-centric method is by far the best "protect-first" approach. Here's how leading analysts are advising clients:

  • Despite extensive DLP coverage there are “gaps in data flows where data can leak” and “the better answer is a strategy focused on securing the data itself.”
  • Encryption is entering a “Golden Age.” Due to the growing concerns of data theft, privacy and government surveillance, security pros are increasingly using all forms of encryption throughout their digital businesses.
  • “Identity” is the new perimeter in a world of distributed Software as a Service (SaaS) and other cloud-based services. Centralized administration and control of access to data must be maintained by the business, not service providers.

Look for file-centric solutions that automate discovery, classification and encryption in a single instantaneous step without user intervention. This improves productivity and consistency in application of policies.

KEY INSIGHT:

File-centric solutions use a “protect-first” approach as the foundation of their data protection method. Persistent access control and encryption remain with the file throughout its life-cycle. Most privacy regulations exempt loss of encrypted files from breach reporting or, alternatively, impose significantly reduced penalties.


Protect-First, File-Centric Approach

Organizations struggle to distinguish between data-centric solutions from different vendors as they search for the best way to safeguard their sensitive unstructured data. Data-centric security encompasses a wide range of processes and tools, many with overlapping functions and focused on different end goals. Adding to this confusion has been a flurry of gap-filling point solutions (e.g., CASB, endpoint protection) launched to address today’s cloud and mobility adoption.

And despite significant investments in traditional data flow-centric and location-centric methods, data breaches today are at all-time highs.

Adopt a protect-first, file-centric method for your data security architecture. Establish this strong frontline defense to deny any unauthorized access to sensitive unstructured data, no matter how it is used, with whom it is shared, or where it is located. Then, use this foundation to integrate other data-centric methods and tools to architect a data security infrastructure that meets your organization’s governance, risk and compliance mandates.

Fasoo products span the life-cycle of sensitive unstructured data to discover, classify, protect, monitor, control, track and expire access to content wherever it travels or resides. Our unified solution enables users to securely collaborate internally and externally with sensitive information while consistently meeting corporate governance and regulatory requirements. Our file-centric approach, using encryption with a unique identifier, allows organizations to have more visibility and control over unstructured data without interrupting workflows. We’ve engaged in this journey with over 1,500 enterprises to field data-centric solutions that proactively protect corporate brand and competitive position and meet increasing regulatory demands.

    Six Vulnerable Points In Your Data Security Architecture and How You Can Protect Them
    Sensitive Unstructured Data

    Do you know where you are most vulnerable? Now is the time to check these key trends:



    1. Hybrid and Multi-Cloud
    2. Privacy
    3. Insider Threat
    4. Security Gaps
    5. Remote Workforce
    6. Third-Party Collaboration

    1. Hybrid and Multi-Cloud Environment

    According to Flexera’s “State of the Cloud, 2020 Report”, organizations use an average of 2.2 public and private cloud providers. This exposes your data to the following risks:

    Identity and Access Management (IAM): You may have heard the phrase, “identity is the new perimeter”. This “new perimeter” is the intersection of users, devices, and cloud services. Due to the COVID-19 pandemic and increasing regulations, many companies across the globe have had to reconsider how much access their employees have to their systems, applications, and data.

    Security: Educate your Governance, Risk and Compliance (GRC), IT security, and Human Resources (HR) teams on the latest risks and make sure they have the data-centric tools they need to combat them. Ultimately, a breach will significantly impact your organization’s reputation and finances.

    Data Residency: Cloud environments are boundless and can be located anywhere in the world. Legal and regulatory requirements are imposed on data in the country or region it resides. Review where your sensitive unstructured data is stored (on or off-premise) and make updates accordingly.

    SOLUTION CONSIDERATION:

    A data-centric approach identifies files and secures them in a centralized management system to provide consistency across all channels. Discovery tools help locate your data and classify it with specific tags that control its cloud location.

     

    2. Privacy

    Today’s privacy regulations demand greater visibility and control over an individual’s data.

    Regulation types include:

    • Responding to the Rights of Individuals: Regulations such as General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) give individuals greater rights to their personal data. Data subject and consent rights must be associated with all information collected on an individual.
    • Access and Revoke: Every file access (system and user) must be traced for data collected. Individuals can elect how and when their data is used. The “right to be forgotten” requires total removal of all data and most transactions. Your organization’s staffing department must respond promptly to any individual privacy and audit requests. Breach notification timelines are tightened (72 hours under GDPR and CCPA).

    SOLUTION CONSIDERATION:

    Deep visibility tools accumulate access information during the entire lifecycle of the sensitive unstructured data. You should avoid traditional tools that provide limited visibility and require forensic action to correlate and search across multiple log files.

     

    3. Insider Threat

    While external threats from hackers and cybercriminals make the headlines, trusted insiders can pose a greater threat to your sensitive unstructured data. A traditional security infrastructure focuses on external threats using firewalls, anti-malware, intrusion detection, and other security solutions. These solutions may not prevent an employee, contractor or third-party vendor with legitimate access from sharing sensitive data with unauthorized users.

    There are three types of insider threats that require your attention:

    1. Accidental: An employee or contractor may accidentally share a document with the wrong person, exposing sensitive data. Once out of the person’s control, the information could go anywhere, violating privacy regulations and compromising your competitive position.
    2. Negligence: An IT or security administrator forgets to apply a security patch or update to a firewall rule, exposing your sensitive unstructured data to theft. This is most likely an oversight, since many IT and security groups are overworked and understaffed. Another example would be for a user to deliberately circumvent security policies.
    3. Malicious: Employees, contractors or partners who want to harm your organization or make money selling valuable information to competitors. This type of insider threat is difficult to stop because many have a legitimate need to access sensitive unstructured data.

    SOLUTION CONSIDERATION:

    Encrypt files and apply rights management to decrease the likelihood of unauthorized users accessing your sensitive unstructured data. If hackers and cybercriminals exfiltrate protected sensitive data, it will be useless to them. The same goes for employees or contractors who want to take sensitive data.

     

    4. Security Gaps

    Despite significant investments in security infrastructure and the deployment of data loss prevention capabilities, breaches are at all-time highs. Threat actors have greater success exfiltrating information on endpoints and servers where sensitive unstructured data is common.

    What you need to acknowledge and have teams address:

    • Beyond prevention: Data Loss Prevention (DLP) blocks and prevents sensitive data activities but doesn’t protect the data itself. Data breaches continue. Organizations and regulators are recommending the increased use of encryption to address the challenge.
    • Not a breach: Many regulations take into account whether the lost data was encrypted when deciding if an incident counts as a breach. Fines can be significantly reduced depending on that status.
    • Ransomware: While companies may still be subject to disruption, often the most significant risk is sensitive data being exposed to the public or provided to others for financial gain. Data protected with encryption eliminates this risk. Encryption is mandated in modern-day regulations such as GDPR, CCPA, and New York State Department of Financial Services (23 NYCRR 500).

    SOLUTION CONSIDERATION:

    Enhance existing DLP investments by encrypting files with sensitive data. Use centralized encryption key management to maintain protection and control wherever the file travels.

     

    5. Remote Workforce

    This is a significant trend that’s been recently accelerated by COVID-19. Security and privacy implemented in corporate offices can’t be replicated at each home. Review your current policies to see if they address:

    Home office/Virtual Workspaces: Work is more likely to happen on unmanaged and shared devices, over insecure networks, and in unauthorized or non-compliant apps.

    Increased downloads: Slow network traffic and the convenience of working locally and sharing files all result in increased volumes of sensitive unstructured data on endpoints.

    Insider threat: Unintentional errors disclosing sensitive content increase without safety precautions. Malicious intent from at-risk employees with access to home-based, non-sanctioned portable drives and printers is particularly concerning.

    SOLUTION CONSIDERATION:

    Use strong data-in-use tools like rights management capabilities that restrict printing and storing content on removable media.

     

    6. Secure Third-Party Collaboration

    Customer information shared with others remains your responsibility, regardless of who leaks the data. The challenges here are:

    Loss of control: Once outside your organization, highly sensitive information can be shared either unknowingly or for improper business advantage that hurts your competitiveness.

    Screen sharing: Zoom, Skype, WebEx, Google Chat and Google Meet, Microsoft Teams, Free Conference Call, and similar applications expose sensitive information to screen capture by others.

    End of project: Sensitive information often remains with third parties long after the project or relationship ends, often unprotected.

    SOLUTION CONSIDERATION:

    Deploy agentless browser collaboration with file tracking and protection. Screen blocking of sensitive information during collaboration sessions prevents losing sensitive data. Revoke access of sensitive files if shared with third parties once no longer needed.

     

    Proactive organizations stay ahead of these vulnerabilities by acting early to evaluate the impact of safeguarding their sensitive unstructured data.

    Recommended best practices include:

    1. Update GRC policies to reflect new guidance
    2. Perform security gap analysis of current infrastructure
    3. Implement employee awareness training as new risk and threat vectors emerge

    Educate and empower your organization to stay one step ahead of hackers, cybercriminals, threat actors, and those with malicious intent.

      It Takes a Village to Raise a Child, Right? It Takes a Team to Develop a Data Governance Strategy!
      Cybersecurity Data breach Data security Insider threat Print security Privacy

      The phrase “It takes a village to raise a child” is true. But it is also true that it takes a team to develop a data governance and policy management strategy!

      Teamwork is important when developing a data security strategy. As part of that process, data governance and policy management needs to be part of the equation. It’s becoming more and more clear that organizations struggle with policy management – particularly with unstructured data. The very nature of unstructured data leaves it vulnerable to exposure and loss. Insider threat is of particular concern because while hackers typically attack structured databases, your employees and other valued insiders are accessing those databases on a regular basis. The insiders can download sensitive information into spreadsheets and reports. They are accessing your intellectual property, such as product designs and roadmaps. It’s the insiders that will walk off with those designs and sell them to your competition or bring it to a competitor to jumpstart the next phase of their career. The loss of this information will not only cost you revenue, but can also result in a regulatory fine. Who can afford that?

      Geese at the ISMG Cybersecurity Summit in New York? It’s all about teamwork!
      Cybersecurity Data breach Data security Insider threat Print security Privacy Secure collaboration

      Last week, Fasoo sponsored and participated in the ISMG Cybersecurity Summit in New York City. It was a great event, well attended and in the Theater District, and the ISMG folks were awesome to work with!

      As part of our sponsorship, Fasoo had a 10 minute Tech Spotlight where, rather than providing a “death by powerpoint” tech dump, we thought it would be good to get everyone thinking about working together as a team with respect to their data security initiatives by following the example of geese. Below is the recap for the greater audience.

      Getting Granular: Why You Need Granular Access Controls
      Cybersecurity Data breach Data security Insider threat Print security Privacy Secure collaboration

      In our last post, we said “Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example. If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security.” And we meant it.

      Now, you might be asking yourself “What does it mean… granular access controls?” And the answer is simple.

      Granular permissions or access controls means you grant specific permissions or enable actions when a user opens a file.  This means you can either allow or prevent a person from doing things in a file when it is open – or “in use” – and since data in use is really difficult to protect, wouldn’t it make sense to add this layer of protection?  By applying granular access controls, you can prevent someone from copying and pasting, taking a screen shot, or printing based on the classification of the file and security policy applied to it.  Users can be either granted or denied specific actions when a document is open.

      Your Sensitive Data is at Risk: How Do You Manage Insider Threats?
      Cybersecurity Data breach Data security Insider threat Print security Privacy

      Picture it. Your employees access sensitive and confidential customer information every day so they can do their jobs. Once the data leaves the protected confines of an information repository, file share or cloud-based service, your authorized users can share it with anyone, do anything with it, and compromise your customers’ confidential information or your intellectual property. As a result, you may be subject to regulatory fines, not to mention losing customers because they can’t trust you to maintain their confidentiality. And as for IP? It could get into the hands of your competition, threatening your business.

      What do you need to do? You need to persistently protect confidential data so that customer information and your IP are protected regardless of where it goes and who has it. Through a file-centric approach, you need to close the security gap that allows you to share sensitive data with unauthorized users by applying granular access controls to sensitive data. Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example. If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security.

      Live Webinar: Overcoming Unstructured Data Security and Privacy Choke Points

      Why do so many data loss prevention projects either stall or de-scope? Why with significant industry expenditures in the space do we continue to experience record-breaking instances of data breaches and exfiltration? What are the latest methodologies and technologies security and privacy executives should consider to protect their sensitive data and comply with ever-increasing and pervasive privacy regulations such as GDPR and CCPA.

      Join Deborah Kish, former Gartner data security analyst, as she shares insights gleaned from hundreds of sessions with CISO, CIO, CDO, CPO and CCOs to offer an insider’s playbook to implementing an unstructured data security and privacy program. Whether migrating from existing DLP point solutions or wondering where your unstructured data lives today, Deborah will provide a life-cycle perspective as to the best methodologies and how to avoid the pitfalls that have plagued enterprise projects.

      Register for this webinar and learn how:

      • A file-centric approach overcomes data leakage shortfalls of traditional approaches and best meets new privacy requirements
      • Aligning data classification with your data protection methods will put your projects on the fast track
      • Automation and integration of discovery, classification, access control and file-based encryption is your best first line defense

      Can You Stop Former Employees Taking Your Data?
      Cybersecurity Data breach Insider threat

      It’s a good question and one that many organizations don’t think about thoroughly. You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job. You may have a comprehensive provisioning system that grants access to all applications and data.

      But how about when someone leaves? It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks? Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats from former employees.

      Fasoo Hits Nerve with Message of Security, Governance and Productivity at RSA 2017
      Cybersecurity Data breach Data security News

      After two days at the 2017 RSA Conference in San Francisco, it looks like Fasoo’s message of Security, Governance and Productivity is hitting a nerve with security professionals, analysts, executives and other attendees. As the regulatory and business climate changes to overcome constant threats to businesses and the data they use to drive profitability, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

      An interesting theme at this year’s show is Business Driven Security.  I think the convergence of business and security is finally coming to a head as boards and executives realize they must think of security solutions as a business driver that helps mitigate business risk so they can propel their businesses forward.

      One main focus this year is helping financial organizations comply with the New York State Department of Financial Services (NYS DFS) cybersecurity regulations.  Fasoo employees spoke to numerous banks and mortgage companies at the booth that are affected by this new regulation to encrypt nonpublic data and provide clear access control and audit trails.  The Fasoo Data Security Framework can help protect sensitive data from getting into the wrong hands and help meet this comprehensive regulation.

      Sometimes Employees Are Just As Much of a Risk as Malicious Attackers
      Cybersecurity Data breach Insider threat

      Data from our Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” was recently cited in Tara Seals’ Infosecurity Magazine article, “US House Recommends ‘Zero-Trust’ Model for Insider Data Access.” The article referenced the statistic that 72 percent of surveyed organizations are not confident in their ability to manage or control employee access to confidential documents and files. This leads to the actions of careless employees being the primary cause of data breaches, rather than malicious attackers.

      The US House has recommended that federal agencies adopt a “zero-trust” model to keep personal, confidential data out of the hands of foreign attackers. The House views government employees as just as big a risk to their organizations as malicious attackers — a consideration that all organizations would benefit from adopting. While “zero-trust” sounds a bit harsh, there are multiple ways that these federal agencies can implement security measures to reduce the employee risk they fear so much.