Blog

Tag: insider threat

What good is a secure island if you’re left stranded? Former Secure Islands customers want to know, since their data protection software has finally reached end-of-life support after the company was acquired by Microsoft a few years back. The good news: they have more options than they may have thought.

*

As a startup, Secure Islands Technologies Ltd. was a success story. Not so much for some of its early customers, we hear.

Two brothers, Aki and Yuval Eldar, founded Secure Islands in 2006 in Jerusalem. Microsoft acquired the company for $150 million in 2015 and made its technology an essential building block for Microsoft’s Azure Information Protection (AIP, part of the Microsoft Information Protection framework MIP). Six years later, to Secure Islands customers who decided AIP wasn’t for them, it may seem as if they are stuck.

So far, so predictable. As far as startup exits go, you’ve heard the stories. The outcome can be ugly: early customers are left holding the bag, with nowhere to turn. It can also be a blessing in disguise: for example, when IT discovers alternatives that show how far a technology has come elsewhere since its nascent stage.

Such happy endings happen. Take enterprise-level Digital Information Rights Management (DRM), for example. Also referred to as Information Rights Management (IRM) sometimes, it has come a long way since the aughts. This development is good news for organizations looking for AIP alternatives.

No happy endings on security islands

Information protection solutions of the past were difficult to deploy and scale. Workflows slowed down. Productivity suffered. That said, today, we see a different picture. The success of solutions such as Fasoo Enterprise DRM triggered a resurgence of the category, primarily for three reasons: 

  • Mature Enterprise DRM solutions ensure comprehensive data protection that extends far beyond one or two document ecosystems

Fasoo Enterprise DRM, for example, covers more than 230 document formats, including images, CAD files created with forty different applications, and old Microsoft Office documents that even AIP cannot encrypt. This approach extends beyond Microsoft Office or  Adobe PDF files and prevents the creation of “security islands” that leave critical documents unprotected.

 

 

  • Centralized policy management and control beats having to deputize (and train) your end users as security experts.

AIP uses Secure Islands technology to categorize documents, which can result in certain limitations. Depending on a company’s Microsoft licensing level, users may have to manually label the documents they import or create and decide what protection and permissions to assign.

Other limitations concern larger organizations that deal with high volumes of unstructured data daily, such as financial institutions and globally operating law firms. AIP limits the number of sensitivity labels per organization to 500 for labels that assign encryption specifying the users and permissions.

Another issue in these industries is AIP’s lack of SDKs to facilitate integration with iManage and other Enterprise Content Management (ECM) platforms. In organizations that need to encrypt files across thousands of file-sharing folders and subfolders, this means they would have to apply an AIP label to each manually just for simple encryption.

Fasoo Enterprise DRM represents a different, “file-centric, people-centric” approach that enables organizations to preserve and support proven and efficient workflows. Policies defined by IT automatically determine at the point of creation who can access a protected document and how. Exceptions are handled flexibly and “on the fly”, for example by granting a provisional permission on a temporary basis.

  • Document protection in the cloud requires a mature enterprise DRM solution.

Cloud collaboration plays an important role in selecting an enterprise DRM solution. Companies now looking for alternatives to AIP are clear about this point: they want document protection that travels with the file and doesn’t end at their organization’s IT perimeter.

Their old information protection technology was devised years ago, with no consideration yet for the cloud. One consequence is that it can only protect sensitive documents on a computer or mobile device. Once the file is uploaded to the cloud outside the Microsoft ecosystem, document protection is lost.

In contrast, Fasoo Enterprise DRM ensures that persistent security remains with documents, pictures, audio, video, and 3D CAD drawings regardless of their location, whether in the cloud or on a flash drive. Senders can set a validity period or revoke access immediately, even after distribution. The organization remains in control of sensitive files at rest, in use, and in motion – no matter where they may end up. 

Worried about your document protection getting stuck on a security island? In summary, these three rules will help you not to miss the boat: 

1. Document protection worth its name requires properly protecting all confidential documents that need protecting, not just those preferred by one solution vendor. 2. If “automatic labeling” was the promise, you’ll hate seeing it turn into manual labor over a few hundred or thousand file-sharing folders. 3. No company is a secure island; the cloud is real, and so is the need for document protection in the cloud. 

Contact the Fasoo team to find out more!

Remote worker in home office settingGartner predicted that roughly 50 % of knowledge workers worldwide should be logging in remotely by now. More remote work puts more sensitive data at risk, which increasingly also impacts manufacturing companies. Check out the following ten tips to ramp up your document protection program in 2022.

*

Quick question: What do automated ransomware campaigns conducted by external attackers have in common with data theft committed by corporate insiders?

In the light of recent incident reports, I can think of three answers off the bat – at a minimum:

 

  • In both categories, incidents are on the rise.
  • Both target sensitive data, since more ransomware attacks begin with stealing confidential documents for extortion or sale on the dark web before encrypting the victim’s data.
  • Both increasingly exploit work-from-home data security weaknesses.

 

Examples of the latter include unsecured WiFi networks, unmanaged devices, and endpoint vulnerabilities. At the same time, IT lacks visibility into the online activities of remote employees and contractors.

In a nutshell, this example shows how remote work has become the primary source of risk to digital assets in the enterprise. Now the Omicron variant is pushing even more organizations (back) into remote or hybrid work arrangements.

Additional factors exacerbate the crisis going into 2022. The automotive industry and its supply chains feel the impact. Key employees leverage the “Great Reset” in the industry and leave to join competitors, sometimes taking trade secrets with them. IT teams struggle with staff shortages and often only learn about what happened when it’s too late.

Does this sound familiar?

 

10 tips to boost your remote work document protection

 

Get ready for 2022 with our ten tips on how to protect unstructured data in remote work settings:

 

  1. Identify the threat.
  2. Beware intellectual property theft by insiders. In more than 50 % of documented IP theft cases, the perpetrators were current or former employees or contractors. In addition, when external attackers exfiltrate sensitive information, employee negligence often plays a role.

     

  3. Identify what’s most at risk.
  4. In most innovation-driven companies, trade secrets are stored in the form of unstructured data. Think confidential Microsoft Office documents, CAD/CAE files, digital images, or PDFs. They come in various (legacy) formats and are often scattered across the organization and along its supply chain. Securing them will be an uphill battle, especially in remote work environments, without the right strategy.

     

  5. Identify your data protection strategy.
  6. The push into remote and hybrid work environments requires a comprehensive approach to data protection, rather than merely a mix of device-centric endpoint and data loss prevention (DLP) solutions. Recognizing this, more technology companies are adopting a data-centric security model.

    With sensitive documents, this means they remain protected regardless of where a file resides or with whom it is shared. The data-centric model ensures document protection independently of networks, servers, locations, and devices, such as unmanaged home office printers.

     

  7. Protect data throughout its lifecycle.
  8. Digital Right Management (DRM, sometimes also referred to as Information Rights Management, IRM) is based on the data-centric security model at the core of any Zero Trust strategy. Fasoo Enterprise DRM (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Encryption, flexible policies, and granular controls govern how and by whom a file can be viewed, edited, printed, and shared within the organization’s IT perimeter and outside – like in the home office.

     

  9. Protect sensitive files without exceptions.
  10. Does the Enterprise DRM solution you’re evaluating support all industry-relevant CAD and CAE applications? In the automotive industry, support for tools such as AutoCAD, CATIA, or PTC Creo (and many more) and a broad range of PDF file formats is considered essential to ensure future-proof document protection.

     

  11. Protect workflows and productivity.
  12. Some information protection solutions lack centralized policy management. This shortcoming is known to slow down workflows to a trickle, especially when remote contributors are involved. Fasoo combines central control options with flexible exception management. Exception approval for accessing particular documents from the home office, for example, can be delegated to managers or coworkers instead of waiting for IT.

     

  13. Control confidential data wherever it goes.
  14. A supplier’s design engineer working from home is requesting remote access to sensitive documents? With Enterprise DRM, it’s just another day in the office. Gartner analysts describe DRM as “one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

     

  15. Control print.
  16. Fasoo takes a printer-agnostic approach to secure printing. This approach eliminates most challenges that commonly arise in remote work environments with home printers or print drivers. It enables data owners to centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts. Fasoo Smart Print also lets you set print protection policies for plain documents not secured by EDRM.

     

  17. Control the screen.
  18. Concerned about a remote team member capturing sensitive data on a screen during an internal Zoom or Skype call presentation? Enterprise DRM provides a screen security component, Fasoo Smart Screen, enabling IT to block and monitor screen capture attempts. For deterrence, it can also imprint documents with a watermark that contains tell-tale user-specific information.

     

  19. Control data without alienating workers.
  20. Fasoo’s centralized policy management enables flexible, people-centric document protection across organizational boundaries. Everyone who needs to can keep tabs on documents’ whereabouts and protection status, without risking privacy complaints and lawsuits from home office workers. Fasoo Enterprise DRM integrates with all leading federated authentication services, enabling IT to automatically revoke access to EDRM-protected documents once an employee leaves.

 

Contact the Fasoo team and find out how others in your industry deploy Enterprise DRM in remote and hybrid work environments.

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 

*

The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders – often working remotely – now account for more than 50 % of data breaches in the financial sector, according to security research. Several terabytes of sensitive data have been ransacked or leaked from more banks and financial services or law firms since that 2015 data breach. Think Pandora Papers, the confidential documents including supposedly secure PDF files, images, emails, and spreadsheets from 14 financial service companies offshore. 

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

18 months later, research shows: that warning about remote work security still stands. Industry experts point to misconfigured VPNs, insufficiently secured home WiFi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote Work Security - infographic excerpt

Source: Tessian (Infographic)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention tools (DLP), firewalls, endpoint protection – cannot ensure adequate protection. Recent threat reports confirm: attackers are busy exploiting the remote work blindspots and endpoint vulnerabilities to the fullest.

 

Document theft-as-a-service: Search. Scoop up. Siphon off.

As a result, credit unions, investment banks, and mortgage lenders, and their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm TrendMicro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There’s a direct and significant connection. New ransomware variants don’t merely encrypt the victim’s business-critical data and demand a ransom for unlocking it. The latest exploit kits are also optimized for data exfiltration.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI sent out this Private Industry Notification [PDF]. It describes how perpetrators specifically target confidential documents about planned mergers and acquisitions, to release them on the internet if the victim doesn’t pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control  – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Bank CISOs recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP), firewalls, endpoint protection – cannot ensure adequate protection anymore.

Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee the access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.

The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which is limited to tagging such information for protection within the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.

 

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

 

    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.

 

Boost for remote work security and productivity in banking

This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, enable organizations to apply print protection and watermarks for plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to applications and URLs to block screen capture attempts of sensitive data and monitors all screen capture attempts.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

 

DLP (the traffic cop) vs. DRM (the armored truck)Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?

For starters, it risks missing one crucial difference between these two approaches to document protection. Other than DRM, DLP isn’t designed to protect information once it makes it outside an organization’s IT perimeter.

By definition, that’s precisely the scenario DLP purports to prevent in the first place. So this wouldn’t be a problem if DLP worked reliably 100 % of the time. But it doesn’t. Why? 

One answer is that DLP still requires a high degree of human intervention or supervision. This fact doesn’t take away from the advantages of document security automation. I’ll get into the details below. But first, let’s back up a moment and look at the definition of DRM vs. DLP.  

 

What’s the main difference between DRM and DLP?

DRM (a.k.a. IRM, for Information Rights Management) automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. 

DLP analyzes document content and user behavior patterns and can restrict movement of information based on preset criteria.

I’ve written about DRM vs. DLP on this blog before, in 2014. While little has changed about the definitions, cloud services and remote work have become ubiquitous since – and IT perimeters more blurred.

Add to that the dramatic rise of (AWS) data leaks, insider threats (such as IP theft), and double-extortion ransomware attacks. Taken together, these trends explain why the main difference between DRM and DLP has become more pronounced recently.

In a nutshell, it’s the difference between a traffic cop and an armored truck. As for the cop part, I’m not the first to draw this analogy; DLP has been compared to an officer posted at an exit ramp before.

In this analogy, only traffic identified as legitimate is waved through and allowed to leave the main drag (i.e., your network) and race off into uncontrolled territory. A police officer may check a car’s license plates, ask for ID, and scan the vehicle’s interior before giving someone permission to pass through.

Image for DRM / DLP comparison: DLP works like a police checkpoint

Traditional DLP works in a similar way. It scans files, detects data patterns, and automatically enforces appropriate actions using contextual awareness to avoid data loss. However, the similarities don’t end here.

 

DLP’s biggest weakness

DLP also faces three significant challenges similar to those of a roadblock cop:

 

    • How can you accurately establish which traffic to allow through and handle the task effectively and expediently, before the exit point becomes a bottleneck?
       
    • What about all the exits not covered? With DLP, those would be USB drives, SaaS file sharing applications, such as Google Drive or Dropbox, or enterprise messaging apps, such as Slack or Microsoft Teams.  Think of them as equivalents of the service road turnoff some locals (i.e., insiders) know and use to avoid a roadblock.  
    • And, last but not least, what happens with the traffic that should never have made it past the checkpoint, but somehow did so anyway? Most companies need to share sensitive data with external contacts, like vendors or customers. A common occurrence is that a confidential document is mistakenly sent to the “wrong” person in a company whose email domain is safelisted as a recipient.

     

    “Not my problem anymore,” says the (DLP) cop. What’s gone is gone, even if it ends up in the wrong hands.  With the first two issues on this shortlist, data loss prevention products have been struggling from the beginning. As for the third item, it exposes DLP’s biggest weakness.

    Here’s what I mean: By promoting a solipsistic focus on internal file downloads and sharing, DLP creates a false sense of security. In reality, once sensitive information moves beyond the point of egress, an organization loses all visibility and control over what happens with its sensitive data.

     

    Has DLP been a failure? 

    I wouldn’t go that far. If that were the case, why did Gartner analysts expect about 90 % of organizations to have “at least one form of integrated DLP” in place by this year? That’s an increase from 50% in 2017. 

    While DLP wasn’t the panacea that marketers made it out to be, it still has its place. In the enterprise, DLP has helped establish a baseline for document protection. One example is tagging documents that contain personally identifiable information (PII) to ensure compliance with GDPR [PDF], the General Data Protection Regulation of the European Union.

    DLP deployments require IT and other stakeholders (compliance teams, data owners) to take stock of sensitive information across the board and categorize it. The downside is that it also demands constant tweaking and fine-tuning of filters and policies. 

    If your business deploys DLP, you learned the hard way that most of this burden falls on IT. DLP filters are notorious for generating “false positives”. They are known to cause workflow breakdowns because of mistakenly flagged files. The DLP filter may, for example, identify a 16-digit internal reference number in a document as a credit card number and prevent the file from getting shared. 

    In 2021, DLP describes more a mindset than a unified approach or one specific method to stop data leakage or exfiltration. But DLP modules and add-ons have become part of the point solutions mix. They complement particular applications or tools, such as cloud security services or Microsoft AIP

    And like with many point solutions, blindspots and coverage gaps remain* that you can drive a truck through. Which brings us back to the armored truck. 

     

    Armored truck for confidential data

    If we understand DLP as the cop who creates a bottleneck sorting out which traffic can pass, we can think of enterprise DRM as the equivalent of an armored truck.  Tethered to a C3 (command, control, and communication) center, it can only be unlocked by dispatchers at a remote location.

    In other words, whatever neighborhood the vehicle ends up in once it’s past the exit point, the load remains secure. The owner maintains control over the cargo and who can access it. 

    With Fasoo Enterprise DRM, the C3 center would be the Fasoo server. The cargo is your sensitive data locked down with Fasoo encryption. And the dispatcher would be Enterprise DRM’s centrally managed policy settings.

    So what happens to DLP in this picture? My main point here is that you don’t have to bother with interrogating file content once it is encrypted by Enterprise DRM. That doesn’t mean your existing DLP deployment becomes irrelevant. 

     

    DRM + DLP for the win

    Case in point: sensitive emails. DRM doesn’t automatically encrypt any outgoing email, for example. DLP, on the other hand, can flag content inside of emails for extra protection, or to prevent a message from leaving the organization altogether. 

    Another advantage of DLP is that it helps IT teams gain and maintain a baseline understanding of how sensitive data moves through their network. With adequate calibration, it serves as a low-investment, yet efficient tool for data risk discovery.

    From a pure document security perspective, DRM fills in the remaining blanks. It gives us peace of mind that confidentiality and compliance remain ensured for any file that finds its way past the egress point. Or, to put it differently – if you ran a bank, would you feel comfortable having a bicycle courier handle the money transports?

    Nope, you’d leave it to the pros with proper equipment.

    So, the armored van it is. In summary, deploying an enterprise-scale DRM solution enables your organization to protect its existing DLP investments. It helps you tie up loose ends in a global, multi-cloud, work-from-anywhere IT environment.  

    By combining both methods, you can play to DLP’s actual strengths. Examples include spotting suspicious activities and patterns that indicate possible insider threats, or flagging files – including emails – for DRM protection before they can leave the organization. 

    That way, you don’t have to rely exclusively on the overwhelmed cop at the exit ramp anymore. 

    Would you like to learn more about how Fasoo Enterprise DRM and DLP work together for maximum protection of unstructured data? Connect with our experts!  

    ###

    *For a comprehensive overview, I recommend the post Insider Threat Management: Part 1 – 7 Reasons Not to Settle for DLP on the blog of cybersecurity company Proofpoint.

     

 

Photo: Federal Courthouse in Portland, OR

Global manufacturers in innovation-driven industries are ramping up their document protection against intellectual property theft.

Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.

But first, a quick look at the court dockets. Did you hear about that lawsuit filed by Intel in February against a former employee who joined Microsoft?

Talk about an IP theft textbook case. Intel accuses [PDF] a former product marketing engineer of exfiltrating “highly confidential, proprietary, and trade secret information” on his way out the door – to Microsoft.

So far, so common. That’s true even in the most security-conscious companies, as this most recent example shows. It highlights how a combination of three factors poses mounting risks to the IP of many tech and manufacturing companies: 

  • blurred IT and security perimeters with a plethora of unmanaged (storage) devices,
  • increasing competition, coopetition, and fluctuation of engineers and other key personnel with access to trade secrets between competitors,
  • the inability to centrally monitor, control, and police how employees access sensitive documents, especially when they leave the company.

It’s at that point where the IP protection capability mentioned in the title of this post can make all the difference; we’ll get to that in a minute. But first, let’s look at what allegedly happened when the Intel engineer left the company after ten years in January 2020.

What did he allegedly do, and how? The company alleges that on his last day on the job, the employee downloaded roughly 3,900 files from a company computer “to a personal Seagate FreeAgent GoFlex USB drive.”

Bar chart image with IT Security Alert Fatigue research results
Insider threats: How can almost 4,000 sensitive files get downloaded from a company-issued computer to an unmanaged device without anyone noticing? One possible – and common – explanation is alert fatigue. Data Source: Cloud Security Alliance

 

3,900 confidential files walk out the door at Intel

Hm, what? And he walked out the door with it where, and why? Fast forward to February 2021:

In the federal court filing [PDF], the plaintiff claims that the defendant – now Principal of Strategic Planning in Microsoft’s Cloud and Artificial Intelligence department – “used the confidential information and trade secrets he misappropriated […] in head-to-head negotiations with Intel concerning customized product design and pricing for significant volumes of Xeon processors.”

Ouch. Yes, these are only allegations so far. They yet have to be proven in court. 

But however the jury finds in the end, the court filing is remarkable for what it reveals between the lines. Intel’s lawyers credit Microsoft and its forensic investigators for helping to unearth the “full breadth” of the alleged deeds.

Which gets us to the main point of this post: 

 

Was this IP protection failure preventable?

Granted, hindsight is 20/20. Yet from an IP protection perspective,  one could argue that all of this would have been entirely preventable. 

How do we know, you ask? Coming right up, it’s all laid out right there in the court filing. Intel, if we believe the lawyers, had insufficient visibility into and no control over an (ex-) employee’s access and use of sensitive proprietary files. And indirectly, the company admits as much. 

For example, the lawsuit alleges that once at Microsoft, the former Intel employee “accessed, viewed, opened or otherwise interacted with more than one-hundred documents taken from Intel […] at least 114 times” from his company-issued Microsoft Surface laptop.

Mind you, Microsoft’s helpful forensic investigators unearthed these (incomplete) insights only after the fact, according to Intel’s grateful lawyers.

Had the individual files been encrypted and their use governed by centralized policy management from the get-go, the engineer’s access would have ended with his tenure at Intel.

 

The case for DRM with centralized policy management

Cases like this should not come as a surprise. We’ve seen a rising wave of similar insider-related incidents over the past three years. The tech and mobility industries are bearing the brunt of the attacks.

The threat has caused more IT leaders to deploy enterprise DRM (also known as Information Rights Management, IRM). This file-centric, people-centric, and platform-agnostic approach enables organizations to protect unstructured data at rest, in transit, and in use.

Think MS Office documents, PDF files, images, or CAD designs, for instance. They are encrypted at the point of creation. The protection applies wherever a file is stored or moves to, inside or outside the organization’s perimeter.

File use can be monitored, access policies and permission levels centrally managed by IT, risk officers, and HR, and flexibly adjusted on a granular level by the data owner.

Let’s take a product design file protected by Fasoo Enterprise DRM, for example. It will check back in the background with a central Fasoo server when someone tries to access it. Does this user still have the proper authorization to open, copy, download, or print the document?

If not, it doesn’t matter if a former employee took it home on a portable hard drive or USB stick – IP protection is ensured. The document is worthless for whatever that person wants to do with it, locked with FIPS 140-2 level encryption that meets the requirements of the Cryptographic Module Validation Program (CMVP) of the US government. 

 

Nothing to see here after HR and IT flip the switch

In summary, file-centric document protection makes IP “misappropriation,” as alleged in the case brought by Intel, impossible.

Overview image: File-centric encryption and control with Fasoo Enterprise DRM

Centralized yet flexible and painless policy and exception management are among the top priorities for document protection program leaders when choosing an enterprise DRM solution, they tell us. Fasoo Enterprise DRM empowers IT, in coordination with HR, to set and change document use policies in sync with users’ employment lifecycle, from onboarding to the last day at work.

One global technology manufacturer that is leveraging enterprise DRM to protect its IP is Fasoo customer ZF Group. This automotive industry supplier with 240 locations in 41 countries now deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, across its global tech centers.

“Before, we had a few incidents where engineers with years of insider knowledge and access to documents left and joined a competitor,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division in Livonia, Michigan.

“As a company, you spend years training engineers in the ways you do things, and they get access to your most intimate know-how and process knowledge,” he explained. “You cannot just block them; they need it. But you also need to be able to quickly adjust access privileges on a granular level, without delay.”

“It’s a fine line to walk,” Markus told us. “You have to find the right balance between maximum IP protection on one side, and productivity on the other. Fasoo helps us maintain this balance.”

*

To learn more about how to prevent intellectual property theft and leakage in manufacturing and supply chain environments while maintaining a competitive edge, watch our Fireside Chat at Apex Assembly Tech Leaders Northeast Summit on March 30th, 2021 with GE Gas Power cybersecurity researchers Hillary Fehr and Christopher Babie.

Define a Practical Data Governance Plan for Unstructured DataThe phrase “It takes a Village to raise a child” is true.  But it is also true that it takes a team to develop a data governance and policy management strategy!

Teamwork is important when developing a data security strategy. As part of that process, data governance and policy management needs to be part of the equation. It’s becoming more and more clear that organizations struggle with policy management – particularly with unstructured data. The very nature of unstructured data leaves it vulnerable to exposure and loss. Insider threat is of particular concern because while hackers typically attack structured databases, your employees and other valued insiders are accessing those databases on a regular basis. The insiders can download sensitive information into spreadsheets and reports. They are accessing your intellectual property, such as product designs and roadmaps. It’s the insiders that will walk off with those designs and sell them to your competition or bring it to a competitor to jumpstart the next phase of their career. The loss of this information will not only cost you revenue, but can also result in a regulatory fine. Who can afford that?

It’s really important to work as a team to:

  • Define a Practical Data Governance Plan for Unstructured Data
  • Identify Use Cases & Conduct Workflow Reviews
  • Turn Use Cases Into Unified and Centralized Policies
  • Develop a Change Management Plan

In Fasoo’s next webinar, Why Leadership and Data Governance is Critical to Policy Management, Ron Arden and Deborah Kish will call out these steps and provide insights to what the best practices around the teamwork that will help you get to a better data governance and policy management strategy.  The last of our 3 part webinar will be September 18th at 2 pm.  You won’t want to miss it.

Photo credit Anna Samoylova

Work as a team for unstructured data securityLast week, Fasoo sponsored and participated in the ISMG Cybersecurity Summit in New York City.   It was a great event, well attended and in the Theater District and the ISMG folks were awesome to work with!

As part of our sponsorship, Fasoo had a 10 minute Tech Spotlight where, rather than providing a “death by powerpoint” tech dump, we thought it would be good to get everyone thinking about working together as a team with respect to their data security initiatives by following the example of geese. Below is the recap for the greater audience.

When geese fly south for the winter or are moving from one pond or lake to another, they do so in a V formation.  There is a bunch of science around this, but to make a long story short they:

  • Flap their wings to ensure better lift and a more efficient flight
  • They take turns leading the way to ensure each have had a break
  • They stick with each other in times of trouble

Geese are sensible in that they share the responsibility of working together as a “team” to help them get to their destination efficiently and meet the goal of the journey!  For the purposes of this post, we equate the journey to better data security across all businesses.

Many organizations’ stakeholders (C-Level, business unit leaders etc.) don’t talk to one another with respect to how they need to handle data security. Each has their own agenda, process, budget, ideas and such, but much more can be accomplished when working together.  Understanding each others’ goals and coming up with a plan on which to execute.  And so, think about the flock of geese and their relocation journey (to the south, from body of water to body of water) the way you should think about your data security projects and initiatives.  Work as a team.  Talk to one another and get on the same page. Talk about your data and make a plan with the goal toward protecting it and creating a stronger data security strategy that, as a company, you can achieve.  Understand each other’s goals and ensure that you reach them.

Now, some geese –  you may or may not know – get what is called “angel wings” – they are little tufts of feathers sticking out of the side of the wings.  It is usually caused by a poor diet (i.e. bread – please don’t feed geese bread – it is no good for them) – so for the purpose of this blog, an incomplete or non existent data security strategy – but it leaves them unable to fly and vulnerable to attack from a predator (much like data to a hacker or thief without a good strategy), and ultimately –  left behind.

Like the geese, work together and make sure that your journey toward stronger data security is attained. And keep in mind, things don’t happen overnight. There will be disagreements and things might feel as if they are going nowhere.  But don’t give up!

The upside?  There are many, but great things can come of working together as a team because, you will find that by talking to one another, you’ll discover commonalities across the organization about how data is collected, handled, and used making the journey simpler than you think.   And if you feel that your organization is NOT talking?  Be the thought leader or pioneer for your company or business unit.  Start the conversation.  I’ll help you!

Bring your ideas to the table and don’t let your business be the goose that wound up with angel wings, left behind and vulnerable to attack.

Photo credit Vivek Kumar

Granular access controls are important to protect unstructured dataIn our last post, we said “Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example. If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security.” And we meant it.

Now,  you might be asking yourself “What does it mean… granular access controls?” And the answer is simple.

Granular permissions or access controls means you grant specific permissions or enable actions when a user opens a file.  This means you can either allow or prevent a person from doing things in a file when it is open – or “in use” – and since data in use is really difficult to protect, wouldn’t it make sense to add this layer of protection?  By applying granular access controls, you can prevent someone from copying and pasting, taking a screen shot, or printing based on the classification of the file and security policy applied to it.  Users can be either granted or denied specific actions when a document is open.

Intellectual property is extremely valuable to your business, but it is really vulnerable to theft.  Think about your product design plans or maybe your trade secrets or product roadmaps.  Anyone could copy and paste that information into an email and send it to anyone, take a screen shot and text it to a friend or print it and walk out the door with a piece of paper.  If you’ve followed our first webinar “Overcoming Unstructured Data Security and Privacy Choke Points“, you will hopefully be thinking about getting your first line of defense, or your foundation built.  In our next webinar,  “How Granular Access Controls and User Behavior Analytics Close the Gap on Insider Threat” on Wednesday, August 7, 2019 at 11:30 am EST, we “get granular” about granular access controls.

 

Photo credit Kelli McClintock

Protect against insider threatsPicture it.  Your employees access sensitive and confidential customer information every day so they can do their jobs. Once the data leaves the protected confines of an information repository, file share or cloud-based service, your authorized users can share it with anyone, do anything with it and compromise your customer’s confidential information or your intellectual property.  As a result, you may be subject to regulatory fines, not to mention losing customers because they can’t trust you to maintain their confidentiality. And as for IP?  It could get in the hands of your competition, threatening your business.

What do you need to do?  You need to persistently protect confidential data so that customer information and your IP is protected regardless of where it goes and who has it.  Through a file-centric approach, you need to close the security gap that allows you to share sensitive data with unauthorized users by applying granular access controls to sensitive data.  Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example.  If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security. 

Picture it.  When you hire an employee, you are trusting them to always have the best interest of the company at heart. The employee trusts that the company will help them reach their goals in terms of career and advancement. Trust should be a two way street.  But in the former, it isn’t always black and white, because we know two things:

  1.  No one is infallible
  2.  Malice exists

To elaborate further… not so much on “No one is infallible” because we all know, mistakes happen.  Information can be accidentally sent to the wrong person through email either internal or external to the organization.   But for the sake of statistics and surveys, IBM recently published a study and cites that “…inadvertent breaches from human error and system glitches were still the cause for nearly half  (49%) of the data breaches in the report, costing companies over $3 million. 

But maliciousness, unfortunately is a reality.  Clear examples of why data may fall victim to exposure include:

  • The employee who gets let go   
  • The employee who leaves the organization because they feel they are being treated unfairly
  • The employee who decides they can advance their career by taking intellectual property or trade secrets to the competition 

As an organization, you can mitigate these risks by applying granular access controls and utilizing user behavior analytics.  This is the topic of my next webinar, “How Granular Access Controls and User Behavior Analytics Close the Gap on Insider Threat” on Wednesday, August 7, 2019 at 11:30 am EST.   If you have an interest in protecting your sensitive and private data, you should.

Photo credit Arlington Research 

Can You Stop Former Employees Taking Your Data?It’s a good question and one that many organizations don’t think about thoroughly.  You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job.  You may have a comprehensive provisioning system that grants access to all applications and data.

But how about when someone leaves?  It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks?  Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.

While an employee or contractor, many people create and use a lot of documents that contain intellectual property, financial data, employee and customer information.  Given the nature of work today, these documents are stored on laptops, mobile devices, in cloud services, and all over your organization.  In fact 70 percent of organizations do not know the location of confidential information, according to a study by the Ponemon Institute entitled “Risky Business: How Company Insiders Put High Value Information at Risk”.

A recent survey by OneLogin found that 47 percent of organizations admit that one in every 10 data breaches were tied directly to former employees.  We don’t want to stop employees from working where they want and when they want, but it’s important to control access to the documents they use, regardless of location.

The best way to control access to documents is to encrypt them and apply permission controls that limit what an authorized user can do with the document.  This applies to documents created at the desktop, reports run from databases and documents downloaded from information systems and document repositories.  The controls are persistent and even apply to all derivatives of the documents, so no matter how many copies are out there, they are controlled and managed.

When an employee leaves the organization, you only need to remove their access in one place and all sensitive documents are inaccessible.  That person now becomes an unauthorized user.  It doesn’t matter if the document is in a cloud service, on their home PC, in email or on a thumb drive.  You don’t have to go looking for them, because once you de-provision the employee, their access is gone for all documents.  If they try to open them, they see a bunch of random characters.

While controlling system access is important, controlling access to the documents that contain your sensitive data is more important.  Applying controls on the documents themselves ensures you can turn off that access with a click of a mouse the moment an employee becomes a former employee.

 

 

Photo credit ThoroughlyReviewed

Fasoo Hits Nerve with Message of Security, Governance and Productivity at RSA 2017After two days at the 2017 RSA Conference in San Francisco, it looks like Fasoo’s message of Security, Governance and Productivity is hitting a nerve with security professionals, analysts, executives and other attendees.  As the regulatory and business climate change to overcome constant threats to businesses and the data they use to drive profitability, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

An interesting theme at this year’s show is Business Driven Security.  I think the convergence of business and security is finally coming to a head as boards and executives realize they must think of security solutions as a business driver that helps mitigate business risk so they can propel their businesses forward.

One main focus this year is helping financial organizations comply with the New York State Department of Financial Services (NYS DFS) cybersecurity regulations.  Fasoo employees spoke to numerous banks and mortgage companies at the booth that are affected by this new regulation to encrypt nonpublic data and provide clear access control and audit trails.  The Fasoo Data Security Framework can help protect sensitive data from getting into the wrong hands and help meet this comprehensive regulation.

Other attendees were very interested in providing a more secure way of collaborating with documents.  It’s clear that organizations need to secure their data and protect against cyber attacks, but if employees and partners aren’t productive, business comes to a halt.  Productivity drives innovation and Wrapsody is a great way to let people share ideas securely as they drive their businesses.

Of course what would RSA be without some fun?  Our hourly presentations are very lively and attendees are entered into a drawing for an Amazon Echo.  We gave one away on Tuesday and will at the end of each day.  Aside from the prize, a lot of people were very interested in how Fasoo can really protect sensitive information from getting outside their companies and either cause them to go afoul of regulators or hurt their bottom line.  Encrypting and always controlling information is the best way to meet regukatory requirements and protect your intellectual property.

If you haven’t already, stop by booth S1239 on the show floor to see how we can help your business.

US House Recommends 'Zero-Trust' Model for Insider Data AccessData from our Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” was recently cited in Tara Seal’s Infosecurity Magazine article, “US House Recommends ‘Zero-Trust’ Model for Insider Data Access.” The article referenced the statistic that 72 percent of surveyed organizations are not confident in their ability to manage or control employee access to confidential documents and files. This leads to the actions of careless employees being the primary cause of data breaches, rather than malicious attackers.

The US House has recommended that federal agencies invoke a “zero-trust” system to keep personal, confidential data out of the hands of foreign attackers . The House views government employees as just as big a risk to their organizations as they do malicious attackers — a consideration that all organizations would benefit from adopting. While “zero-trust” sounds a bit harsh, there are multiple ways that these federal agencies can implement security measures to reduce the employee risk they fear so much.

Bill Blake, president of Fasoo, Inc., was quoted in the article saying “What should be concerning to C-level executives and corporate boards is that most organizations have no idea where mission-critical information is located on the corporate network, who has access and what they are doing with that information.  Deploying DRM solutions is a first step. Beyond that, organizations must be vigilant in applying and enforcing security policies as well as knowing where the organization’s most valuable information is located at all times.”

The first step to reducing the risk is to take control over all employee access and permissions. The second step is to consistently monitor and follow up on these protocols. How many employees really need access to sensitive data? For the employees who do access it, what are they doing with it? Who are they sharing it with? An organization that places security as a top priority should be able to easily answer these questions.

Deploying technology to help discover, protect and control confidential data at all times would be the next logical step once the organization can answer these questions.  Limiting access to select groups is important, but having a way to dynamically change that access and even revoke it on information already shared provides a more robust approach to protection.  Auditing and monitoring is key to understanding changing business requirements, since roles and responsibilities are always changing.  Coupling policy changes with technology that can enforce those policies provides the best way to invoke a “zero-trust” system.

Think of sensitive data as a toddler at the park…you must always keep an eye on it, even if from afar.

Categories
fasoo_logo
Contact Us
Your data security journey starts from here!
See how Fasoo can help your data privacy and security.