Tag: permission control

Fasoo encryption and permission control can eliminate business risk by stopping a data breachOne harrowing statistic from our recent Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” is that 56 percent of the respondents said they do not educate their employees on the protection of files containing confidential information.  Reporter Karen Epper Hoffman referenced this statistic in her SC Magazine eBook contribution, “Locking it down,” and included insight on encryption from Fasoo customer Jay Rudd, IT manager, General Plastics and Composites LP. With organizations not taking the proper precautions through education, they are not doing themselves any favors in preventing the leakage of high-value information.

As Jay Rudd noted, “The persistent, file-based encryption approach is becoming more popular in the wake of recent attacks where the malicious attacker was able to bypass traditional security measures and access confidential information.”

Where traditional security systems are failing, encryption and other additional security measures can fill the gap to further protect sensitive data from ending up in the wrong hands and resulting in a potentially catastrophic outcome. We live in a time where breaches happen so often they almost seem to be inevitable, making the “all hands on deck” approach crucial to minimizing risk.

Encryption in particular protects data whether it is accessed internally or externally. If a malicious attacker were to gain access to the data—whether customer data, trade secrets, financial information, or personal information—it would be rendered useless because of the added layer of security encryption offers.

Adding permission controls to encryption ensures that you not only protect the data at rest and in motion, but you can limit user actions as they use data.  If you can prevent a user from editing, printing or take a screen shot of sensitive information, you have closed the gap of traditional security by really controlling its access.

As we’ve seen in the past year, no industry escapes from targeted attackers. From healthcare to Hollywood, every organization must consider this next level of protection against those who wish to do harm.

Fix a broken chain of custody of your confidential dataCompanies share a lot of confidential data with third parties.  Who is responsible for keeping that data secure?  Is it the originating company or the third party?  Or both?

This week American Express sent letters to card holders about a possible data breach.  According to reports “an unauthorized person or group accessed the system of a third-party service provider prompting American Express to warn customers that card member information may have been compromised.” The company said, “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.”  So is American Express to blame for this incident or is the service provider to blame?

This breach is another example of a broken chain of custody with confidential data.  American Express may have strong protections for its confidential data, but when it relinquishes control to another party that has weak controls, hackers know how to exploit the situation.  This is the same issue I talked about last year on the weakest link in the supply chain.

Think about the vulnerability of your data within your supply chain.  You may have the best security that money can buy, but once it leaves the confines of your environment, the information is out of your control.  You have to rely on the security systems of your partners to protect your information.  Unless you’ve done a security audit on those partners and are satisfied they will maintain your confidential data safely, you are vulnerable.  Hackers prefer to target the weakest link in the chain and they know smaller providers of large companies are easier targets.

This is where persistent security comes into play.  If you have strong encryption and permission controls on your confidential data, you can limit access to it regardless of where it is.  One of our customers uses our applications to exchange PCI with a third party.  The file can only be accessed a limited number of times on specific computers.  After that, the file is useless.  If someone tried to steal the file, they can’t read the data inside.  The result is no data breach.

Ultimately American Express is responsible for its card holders data, regardless of where it is.  You can best protect your confidential data throughout your supply chain by encrypting it and controlling its access at all times.  That’s better than welding your broken chain.


Photo credit Brian Smithson

What Are Privileged Users Doing With Your Data?Data breaches caused by internal users resulted in 43 percent of the data loss in organizations, with half of those breaches intentional, according to a new study on data exfiltration from Intel Security.  Internal users include employees, contractors, and third-party suppliers.  Many of these people are privileged users who have legitimate access to sensitive information.

Customer information, employee information and intellectual property were the top targets for internal users; they were also the top targets for external hackers.  Microsoft Office, text and PDF documents were the most common format of data stolen by internal users, probably because these documents are stored on employee devices and easily accessible file shares, and many organizations place few controls on the data once it is no longer in a database.  Since 80% of an organization’s data is unstructured content, it makes sense that insiders would target these types of documents.

Perhaps the most interesting part of the survey is how data was taken.  60 percent of information was stolen using electronic means, like file transfer and email, but 40 percent was stolen using physical media.  The most common approach was on laptops, tablets or USB drives.  Mobile phones were involved in 15 percent of physical thefts, but printed copies, CDs, DVDs, and faxes are still being used to extract data from companies.

While perimeter-based security still seems to be the focus for stopping this type of data exfiltration, it is obviously not getting the job done.  DLP and intrusion detection and prevention technologies are valuable for focusing on data and its movement through a network, but it doesn’t help when a privileged user has access to sensitive data.  If I need to access PII or PHI as part of my job, these technologies will not stop me from accessing the information.

So how do you stop this problem?

Determine who should have access to sensitive data and apply strong encryption and permission controls to the documents containing that sensitive data.  Once implemented you need to monitor access to those documents to determine a baseline of normal behavior so you can understand when someone deviates from the norm.  You should monitor who is viewing, editing and printing documents and if they are doing something that isn’t typical for them.

Privileged users need access to sensitive documents, but you need to control who can access them and what they can do with them.  Applying access and permission controls ensures that if someone exfiltrates sensitive data, it is rendered useless to external parties.  Applying these controls and monitoring document usage helps you predict and deter insider threats before they cause harm.

How do you stop privileged users from exfiltrating sensitive data?


Photo credit GotCredit

Book a meeting