
Tag: PII

DLP (the traffic cop) vs. DRM (the armored truck)

Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?

For starters, it risks missing one crucial difference between these two approaches to document protection. Unlike DRM, DLP isn’t designed to protect information once it makes it outside an organization’s IT perimeter.

By definition, that’s precisely the scenario DLP purports to prevent in the first place. So this wouldn’t be a problem if DLP worked reliably 100 % of the time. But it doesn’t. Why? 

One answer is that DLP still requires a high degree of human intervention or supervision. This fact doesn’t take away from the advantages of document security automation. I’ll get into the details below. But first, let’s back up a moment and look at the definition of DRM vs. DLP.  

 

What’s the main difference between DRM and DLP?

DRM (a.k.a. IRM, for Information Rights Management) automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. 

DLP analyzes document content and user behavior patterns and can restrict movement of information based on preset criteria.

I’ve written about DRM vs. DLP on this blog before, in 2014. While little has changed about the definitions, cloud services and remote work have become ubiquitous since – and IT perimeters more blurred.

Add to that the dramatic rise of (AWS) data leaks, insider threats (such as IP theft), and double-extortion ransomware attacks. Taken together, these trends explain why the main difference between DRM and DLP has become more pronounced recently.

In a nutshell, it’s the difference between a traffic cop and an armored truck. As for the cop part, I’m not the first to draw this analogy; DLP has been compared to an officer posted at an exit ramp before.

In this analogy, only traffic identified as legitimate is waved through and allowed to leave the main drag (i.e., your network) and race off into uncontrolled territory. A police officer may check a car’s license plates, ask for ID, and scan the vehicle’s interior before giving someone permission to pass through.

[Image: DLP works like a police checkpoint]

Traditional DLP works in a similar way. It scans files, detects data patterns, and automatically enforces appropriate actions using contextual awareness to avoid data loss. However, the similarities don’t end here.

DLP’s biggest weakness

DLP also faces three significant challenges similar to those of a roadblock cop:

    • How can you accurately establish which traffic to allow through and handle the task effectively and expediently, before the exit point becomes a bottleneck?
    • What about all the exits not covered? With DLP, those would be USB drives, SaaS file sharing applications, such as Google Drive or Dropbox, or enterprise messaging apps, such as Slack or Microsoft Teams. Think of them as equivalents of the service road turnoff some locals (i.e., insiders) know and use to avoid a roadblock.
    • And, last but not least, what happens with the traffic that should never have made it past the checkpoint, but somehow did so anyway? Most companies need to share sensitive data with external contacts, like vendors or customers. A common occurrence is that a confidential document is mistakenly sent to the “wrong” person in a company whose email domain is safelisted as a recipient.

“Not my problem anymore,” says the (DLP) cop. What’s gone is gone, even if it ends up in the wrong hands. With the first two issues on this shortlist, data loss prevention products have been struggling from the beginning. As for the third item, it exposes DLP’s biggest weakness.

Here’s what I mean: By promoting a solipsistic focus on internal file downloads and sharing, DLP creates a false sense of security. In reality, once sensitive information moves beyond the point of egress, an organization loses all visibility and control over what happens with its sensitive data.

Has DLP been a failure?

I wouldn’t go that far. If that were the case, why did Gartner analysts expect about 90 % of organizations to have “at least one form of integrated DLP” in place by this year? That’s an increase from 50% in 2017.

While DLP wasn’t the panacea that marketers made it out to be, it still has its place. In the enterprise, DLP has helped establish a baseline for document protection. One example is tagging documents that contain personally identifiable information (PII) to ensure compliance with GDPR, the General Data Protection Regulation of the European Union.

DLP deployments require IT and other stakeholders (compliance teams, data owners) to take stock of sensitive information across the board and categorize it. The downside is that it also demands constant tweaking and fine-tuning of filters and policies.

If your business deploys DLP, you’ve probably learned the hard way that most of this burden falls on IT. DLP filters are notorious for generating “false positives” and for the workflow breakdowns that mistakenly flagged files cause. The DLP filter may, for example, identify a 16-digit internal reference number in a document as a credit card number and prevent the file from getting shared.
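To make that false positive concrete, here is an added example (not code from the original post or from any DLP product) that puts a naive 16-digit pattern match beside a refined check. The refined scanner only flags a number that passes the Luhn checksum payment cards carry and that has a card-related word nearby; the sample document text and the internal reference number are constructed, and the card number is the well-known “4111 1111 1111 1111” test value, not a real account.

```python
import re

# Constructed sample documents (not real data). The card number is the
# well-known "4111 1111 1111 1111" test value; the other number is an
# invented 16-digit internal reference number of the kind the post mentions.
SAMPLE_DOCS = {
    "expense_report.txt": "Paid with corporate card 4111 1111 1111 1111 on 2021-03-04.",
    "shipping_note.txt": "Internal reference number: 1234567890123456 (warehouse ticket).",
}

# 16 digits, optionally separated by single spaces or hyphens.
SIXTEEN_DIGITS = re.compile(r"\b(?:\d[ -]?){15}\d\b")

# Words that typically appear near a genuine card number; used as a second signal.
CARD_CONTEXT = re.compile(r"\b(card|visa|mastercard|amex|payment|cvv)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum that payment
    card numbers carry. A random 16-digit number passes only about 1 in 10 times,
    so this alone removes most reference-number false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def naive_scan(text: str) -> list:
    """Flag every 16-digit run: the behaviour that blocks the shipping note."""
    return [m.group(0) for m in SIXTEEN_DIGITS.finditer(text)]


def refined_scan(text: str, context_window: int = 40) -> list:
    """Flag a 16-digit run only if it passes Luhn AND a card-related word
    appears within `context_window` characters before it."""
    hits = []
    for m in SIXTEEN_DIGITS.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        before = text[max(0, m.start() - context_window):m.start()]
        if luhn_ok(digits) and CARD_CONTEXT.search(before):
            hits.append(m.group(0))
    return hits


def flagged_files(docs: dict, scanner) -> list:
    """Return the sorted names of documents the given scanner would block."""
    return sorted(name for name, text in docs.items() if scanner(text))


if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        print(name, "naive:", naive_scan(text), "refined:", refined_scan(text))
```

The naive scanner blocks both files; the refined one blocks only the expense report. The Luhn test is cheap, but it is a filter, not proof: a reference-numbering scheme that happens to produce Luhn-valid values still needs the context check or an explicit allow-list, which is the “constant tweaking” the post describes.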

In 2021, DLP describes a mindset more than a unified approach or one specific method to stop data leakage or exfiltration. But DLP modules and add-ons have become part of the point-solution mix. They complement particular applications or tools, such as cloud security services or Microsoft AIP.

And like with many point solutions, blindspots and coverage gaps remain* that you can drive a truck through. Which brings us back to the armored truck.

Armored truck for confidential data

If we understand DLP as the cop who creates a bottleneck sorting out which traffic can pass, we can think of enterprise DRM as the equivalent of an armored truck. Tethered to a C3 (command, control, and communication) center, it can only be unlocked by dispatchers at a remote location.

In other words, whatever neighborhood the vehicle ends up in once it’s past the exit point, the load remains secure. The owner maintains control over the cargo and who can access it.

With Fasoo Enterprise DRM, the C3 center would be the Fasoo server. The cargo is your sensitive data locked down with Fasoo encryption. And the dispatcher would be Enterprise DRM’s centrally managed policy settings.

So what happens to DLP in this picture? My main point here is that you don’t have to bother with interrogating file content once it is encrypted by Enterprise DRM. That doesn’t mean your existing DLP deployment becomes irrelevant.

     

DRM + DLP for the win

Case in point: sensitive emails. DRM doesn’t automatically encrypt any outgoing email, for example. DLP, on the other hand, can flag content inside of emails for extra protection, or to prevent a message from leaving the organization altogether.

Another advantage of DLP is that it helps IT teams gain and maintain a baseline understanding of how sensitive data moves through their network. With adequate calibration, it serves as a low-investment, yet efficient tool for data risk discovery.

From a pure document security perspective, DRM fills in the remaining blanks. It gives us peace of mind that confidentiality and compliance remain ensured for any file that finds its way past the egress point. Or, to put it differently – if you ran a bank, would you feel comfortable having a bicycle courier handle the money transports?

Nope, you’d leave it to the pros with proper equipment.

So, the armored van it is. In summary, deploying an enterprise-scale DRM solution enables your organization to protect its existing DLP investments. It helps you tie up loose ends in a global, multi-cloud, work-from-anywhere IT environment.

By combining both methods, you can play to DLP’s actual strengths. Examples include spotting suspicious activities and patterns that indicate possible insider threats, or flagging files – including emails – for DRM protection before they can leave the organization.

That way, you don’t have to rely exclusively on the overwhelmed cop at the exit ramp anymore.

Would you like to learn more about how Fasoo Enterprise DRM and DLP work together for maximum protection of unstructured data? Connect with our experts!

###

*For a comprehensive overview, I recommend the post Insider Threat Management: Part 1 – 7 Reasons Not to Settle for DLP on the blog of cybersecurity company Proofpoint.

Digital Rights Management Helps the FDIC Proactively Address Cyber Security

The Federal Deposit Insurance Corporation (FDIC) will implement Digital Rights Management (DRM) software to prevent unauthorized redistribution of digital information.  This is in reaction to security incidents where departing employees accidentally took sensitive files on portable media.  According to numerous studies, trusted insiders pose a greater risk to sensitive information than hackers and cybercriminals.

I applaud the FDIC for taking this key initiative to proactively protect and control its most sensitive information.  DRM will help prevent unauthorized access and distribution of sensitive files regardless of location or device.  It can limit a user’s ability to view, edit and print and can even limit the validity time for accessing sensitive information.  This applies to both internal and external users.

As a bit of background, Lawrence Gross, Chief Information Officer and Chief Privacy Officer of the FDIC, recently spoke to a congressional subcommittee on its program to identify, analyze, report, and remediate security incidents.  The criteria used to determine the severity of an incident are based on the risk of harm it poses to individuals or entities supervised by the FDIC.  The agency uses guidelines from the Office of Management and Budget (OMB), which recently changed its definition of what is a major incident.

As a result, the FDIC upgraded the severity of the incidents in which departing employees inadvertently downloaded personally identifiable information (PII) to thumb drives and other portable media.  The CIO’s initial judgment was that these were inadvertent and posed minimal risk.  The new guidelines changed that, hence the reevaluation.

As part of its remediation efforts, the FDIC is conducting an end-to-end assessment of the FDIC IT Security and Privacy Programs in addition to implementing the Digital Rights Management software.  The agency will also eliminate the ability of employees or contractors to download to portable media, but there are cases when certain employees still need to do that as part of their job.  The CIO said the FDIC is working to identify and implement alternative means to securely exchange data with outside organizations, like state banking departments, by the end of 2016.

The CIO is planning to implement technology that also can help securely share information with external organizations.  DRM can protect information shared with third parties and provide the same level of protection the agency needs for its internal employees.  Rather than using two systems, the FDIC should leverage the same system for both purposes.

Implementing DRM also provides a proactive approach to data security, rather than relying on reactive technologies that identify issues after they have happened.  By protecting the data as it’s created, it helps mitigate the risk of data exfiltration, which is becoming more common as both hackers and insider threats target valuable information in government and the private sector.

Photo credit Josh Bancroft

Home Depot to Pay Big for Data Breach

Data breaches are beginning to cost companies a lot of money.  This isn’t potentially lost revenue or brand damage, which may be hard to measure.  This is cold, hard cash.

Home Depot has agreed to pay as much as $19.5 million to compensate consumers for the data breach it suffered in 2014 that affected more than 50 million cardholders.  That figure includes $13 million to reimburse customers for losses and $6.5 million for a year and a half of identity protection services.  They have also paid out or plan to pay $161 million in total for costs related to the breach.

As part of the settlement, the company agreed to improve data security and hire a chief information security officer (CISO).  That’s good.  As is common in these cases, the company did not have to admit it did anything wrong.  Not good.  I understand this is common in these settlements, but I find it unfortunate, since the customers are affected by the negligence of the company.  To me this is like saying that if I left my front door open and somebody came in and robbed me, it isn’t my fault.  Companies must take data security seriously, but many of them do not even do the basics of locking the front door.

The standard approach to help those affected in these breaches is to offer identity protection services to the victims for a period of time.  That sounds great, but what happens after that?  Cyber criminals are smart enough to know they can hold on to personally identifiable information (PII) for just a little longer and then use it.  Of course I can change my credit card number, but I’m not going to change my name and address.

A very common cyber attack today is phishing, which tricks someone into clicking an email link or going to a fictitious website.  The goal is to steal information the criminal can use to get money, defraud someone or get something else of value.  Having identity protection services may help monitor your credit cards or bank accounts, but does little if someone tries to pose as you to get healthcare, uses your name to defraud a relative or makes small purchases that fly under the radar.

If you handle regulated or any sensitive data, you need to encrypt it and control its access.  That doesn’t mean only control access while sitting on a file server or in a database.  These breaches prove that hackers can get past those security layers.  You need to provide strong encryption on the data itself that requires multiple authentication factors before allowing someone to access it.

I think these large settlements may finally be a wakeup call for organizations that handle PCI regulated data and any PII or PHI.  Hopefully Home Depot and other organizations will heed the advice from security experts and the FTC and improve their data security practices to prevent data breaches in the future.  Nothing spurs action like a hit to the bottom line.

 

Photo credit Mike Mozart

5 Steps to protect your HR data

I recently wrote an article about the security of sensitive information in the HR department.  While everyone interacts with the people in human resources, most of us don’t think about all the sensitive information they have.

Most of us think about benefits and our 401K when we think about dealings with HR, but there is a lot more sensitive data that is under their control.  They also deal with your healthcare information, information about your spouse and family, customer financial information, employee resumes and salaries.  They also know when you have given notice to leave the company or when you change jobs in your current company.  Add to this the responsibility of developing and circulating company policies and a wide variety of interoffice communications.

Sharing company, employee and customer information with authorized internal and external users poses a unique security challenge for any organization, since HR needs to limit access to sensitive information.  While HR may be the first line of entrée into a company, they are also the first line of defense to protect some of the most confidential information in your company.

You need to encrypt sensitive data and apply security policies to it that ensure only authorized users have access to the information, regardless of where they are or the format of the information.  Here are 5 steps to help protect your HR data.

1. Encrypt received resumes

Since resumes from qualified candidates are intellectual property and highly valuable to a company, you should encrypt them and apply a security policy automatically as soon as you receive them.  This also includes information on criminal background checks and drug testing.  This limits access to specific internal users.

2. Lock down files when an employee gives notice

When someone changes jobs within a company or gives notice to leave, you should change the security policy on sensitive company information.  You can remove them from a group that has access to information from their old job, so they only have access to information that pertains to them.

3. Maintain Client Confidentiality

You should apply security policies to customer contracts and financial information so that only those customers, appropriate outside agencies and internal employees have access.

4. Protect Intellectual Property

HR knows the people and contractors assigned to different departments and projects, so it’s important to work with them to restrict intellectual property (IP) to those that need access to it.  When a contractor leaves, access should be revoked, rendering IP useless to them.

5. Circulate Policy Manuals In-House Only

Company policy can encompass everything from sexual harassment policy to paid time off.  This information is as important as anything in your business, but should be available to every employee and contractor.  Security policies need to be flexible to allow access by all authorized parties.

 

Your HR department is the front door to your organization, so you need to implement and enforce security policies to protect the most important information in your business.  This is the best way to restrict access to employee PII and ensure that your organization’s important data is secure.

“Clerical Error” in Georgia Results in Data Breach of 6 Million Voters


A class action lawsuit was filed by two Georgia women alleging a massive data breach when Secretary of State Brian Kemp’s office released personally identifiable information (PII) of voters, including Social Security numbers, to the media, political parties and other paying subscribers.

Allegations include that the voter lists released in October also contained dates of birth and drivers’ license numbers.  Kemp’s office responded that this was due to a clerical error in which information was put in the wrong file and sent to 12 recipients on a disk.  It is unclear whether an internal error or the fault of an outside contractor caused the private information to be included in the file.


Challenge

Once private and confidential information leaves the protected confines of an information repository, file share or cloud-based service, authorized users can share it with anyone, do anything with it and compromise confidential information. Persistent data-centric security protects confidential data so that private information is protected regardless of where it goes or who has it.


Fasoo Solution

Fasoo Enterprise DRM (EDRM) protects sensitive information through strong encryption and applies persistent security policies to protect it regardless of where it is or its format.  Once the data is protected, you can safely share it through email, USB drive, CD, external portal or any file sharing site.  File access is tracked in real time for precise auditing and access can be revoked instantly.  If there is an assumption that unauthorized people have access to sensitive information, the person who shared the information or an administrator can immediately revoke access to those unauthorized users.

That protects against an “oops” moment when a “clerical error” causes a data breach and affects millions of people.  Fasoo EDRM truly protects and controls sensitive information while at rest, in motion and in use.

Advantages

  • Securely share sensitive files internally or externally
  • Revoke access to shared files containing private information immediately regardless of location
  • Control who can View, Edit, Print and take a Screen Capture
  • Limit access time and number of devices
  • Trace and control user and file activities in real-time
  • Apply or modify existing security policies using content aware protection

Data protection in Human Resources

I recently wrote an article about protecting confidential data that flows through the HR department.  This is an area that many people forget when thinking about the most sensitive information in an organization.

Everyone thinks about the obvious, like maintaining information about current employees.  But there are many other pieces of sensitive data flowing through HR.

Resumes and personal information about potential employees come into the HR department as managers post job requisitions.  In today’s world, candidates require criminal background checks and drug tests that need to be kept confidential.  As a company hires people, references, existing health information, 401K data and salary details are maintained by Human Resources personnel and inside information systems they access.

The information on potential employees is just as sensitive as information on existing and former employees.  My company keeps my social security number so it can pay me.  It has my name, address, telephone number and bank account information.  It may have pension and retirement plan information.  It knows about my healthcare coverage and my health status.  It also has this information on those people that have left the company through retirement, layoffs or changing jobs.

That’s a lot of personally identifiable information (PII).  If my company was hacked or someone on the inside decided to steal some of that information, I and my colleagues could be the victims of privacy violations and fraud.  Given the sensitivity of this information, how can an organization restrict access to only those people that need to have it?

HR must categorize or classify the data by its sensitivity.  PII is of the highest value and should be limited to HR management and those in HR who need to use it for their jobs.  Once classified, that information should be encrypted and assigned a security policy that limits its access to those people, regardless of where the information exists.  If this information accidentally or deliberately got into the wrong hands, it would be inaccessible and useless.

Federal and state laws require that PII be retained for a certain amount of time once an employee leaves the company.  After that, the information should be destroyed automatically.  If it’s stored in an information repository, retention rules can delete it.  If it’s stored in files on file shares or locally, access can be revoked after an expiration date is hit.
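The model described here and in the armored-truck section earlier on this page (document keys held by a central server, the policy checked on every access, expiry and revocation enforced no matter where the file has travelled) is sketched below as an added example. It is not Fasoo’s code or API: the PolicyServer, Policy and try_open names are hypothetical, the HR record is constructed, and a standard-library HMAC keystream stands in for the real encryption a product would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample HR record (no real person or number).
RECORD = b"Employee: Jane Doe; SSN: 000-00-0000; salary band: B3 (constructed sample)"


@dataclass
class Policy:
    """Who may do what to one document, and until when (hypothetical structure)."""
    permissions: dict          # user -> set of actions, e.g. {"hr_manager": {"view", "edit"}}
    expires_at: datetime       # access ends here automatically (retention/expiry)
    revoked: bool = False      # set by revoke(); takes effect on the next key request


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode as a keystream, so the
    example runs on the standard library alone. A product would use an
    authenticated cipher (e.g. AES-GCM) from a crypto library instead."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PolicyServer:
    """The 'C3 center': holds every document key and releases it only after the
    policy check passes. The client never keeps a key, so a copied file is inert."""

    def __init__(self):
        self._keys = {}
        self._policies = {}
        self.audit = []        # (doc_id, user, action, outcome), written on every request

    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> bytes:
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[doc_id] = key
        self._policies[doc_id] = policy
        return nonce + keystream_xor(key, nonce, plaintext)   # the shareable blob

    def request_key(self, doc_id: str, user: str, action: str, now: datetime) -> bytes:
        pol = self._policies[doc_id]
        if pol.revoked:
            reason = "revoked"
        elif now >= pol.expires_at:
            reason = "expired"
        elif action not in pol.permissions.get(user, set()):
            reason = "not permitted"
        else:
            reason = None
        self.audit.append((doc_id, user, action, reason or "allow"))
        if reason:
            raise PermissionError(reason)
        return self._keys[doc_id]

    def revoke(self, doc_id: str) -> None:
        self._policies[doc_id].revoked = True


def try_open(server, doc_id: str, blob: bytes, user: str, action: str, now: datetime):
    """Client side: ask the server for the key, then decrypt locally.
    Returns ("allow", plaintext) or ("deny", reason)."""
    try:
        key = server.request_key(doc_id, user, action, now)
    except PermissionError as e:
        return ("deny", str(e))
    return ("allow", keystream_xor(key, blob[:16], blob[16:]))


def demo() -> dict:
    """Walk one HR record through sharing, a wrong recipient, expiry and revocation."""
    server = PolicyServer()
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    policy = Policy(permissions={"hr_manager": {"view", "edit"}, "payroll": {"view"}},
                    expires_at=t0 + timedelta(days=30))
    blob = server.protect("hr-record-1", RECORD, policy)
    results = {"ciphertext_hides_record": RECORD not in blob}
    results["hr_manager_view"] = try_open(server, "hr-record-1", blob, "hr_manager", "view", t0)
    results["payroll_edit"] = try_open(server, "hr-record-1", blob, "payroll", "edit", t0)
    results["contractor_view"] = try_open(server, "hr-record-1", blob, "contractor", "view", t0)  # wrong recipient
    results["after_expiry"] = try_open(server, "hr-record-1", blob, "hr_manager", "view", t0 + timedelta(days=31))
    server.revoke("hr-record-1")                                   # the "oops" response
    results["after_revoke"] = try_open(server, "hr-record-1", blob, "hr_manager", "view", t0)
    results["audit_entries"] = len(server.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the analogy makes shows up in the last two results: the blob that was e-mailed, copied to a disk or left on a file share does not change, yet once the policy expires or is revoked, nobody, including the original recipient, can open it, and every attempt lands in the audit trail.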

In a role that requires protecting and sharing sensitive and valuable information, the human resources department has arguably one of the more challenging data-handling responsibilities. Encryption and permission control policies can help streamline these tasks after the data is classified.  This is the best way to restrict access to employee PII and ensure that the organization’s important data is secure.

Data Breaches on Record Pace for 2015?

Earlier this month, an article reported that data breaches in 2015 are on pace to break records both in the number of breaches and in records exposed. In 2014, the number of US data breaches tracked by the Identity Theft Resource Center hit a record high of 783, with about 86 million confirmed records exposed. So far this year, as of June 30, the number of breaches has reached 400, and about 118 million records have been confirmed to be at risk.

We all have heard about the government data breaches that have reached the headlines, but in addition to those, three separate organizations in very different industries recently acknowledged data breaches that together exposed more than 92,000 people’s personal information: Florida’s Orlando Health, California’s Cuesta College and Michigan’s Firekeepers Casino.

Orlando Health announced on July 2, 2015 that approximately 3,200 patients’ personal records were exposed by a former employee. The data included names, birthdates, addresses, medications, medical tests, test results and other clinical data. This wasn’t the first incident: in January 2014 a misplaced flash drive exposed 586 children’s data, and in February 2013 a former medical assistant stole patient records.

Cuesta College announced on May 31, that a college human resources analyst on medical leave allegedly downloaded reports containing approximately 4,000 current and previous employees’ personal information, then emailed the reports to a personal email address.

Lastly, Michigan’s Firekeepers Casino announced on July 3, 2015 a breach affecting approximately 85,000 credit and debit cards used between September 7, 2014 and April 25, 2015. They also discovered that there may have been unauthorized access to a file storage server, which holds customers’ social security numbers and/or driver license numbers, as well as current and former employees’ social security numbers, health benefit selections and medical billing information.

The stories are the same, and what we continue to see is that none of the information had been encrypted. This is despite all the articles and advice from security companies, and from reporters covering this area, that data needs to be protected. Now governments, especially state governments, are taking the stance that organizations which hold or store customers’ personally identifiable information are required to secure it by “encrypting them or by any other method or technology that renders the personal information unreadable or unusable.”

By encrypting this data and applying granular permissions to it automatically, personally identifiable information, intellectual property and other sensitive information can remain protected. With data-centric security, whether it is a malicious or unintentional insider, such as a current or former employee, or an outside hacker who has gained access to your file storage server, your data is protected no matter where it goes.

 

Photo credit by: Jbosarl

Data Encryption is Now Mandatory, Are You Prepared?

On July 1, Connecticut’s Governor Dannel Malloy signed legislation that expands the current definition of personal information and now requires new data breach security terms and conditions in every state contract dealing with confidential information. As reported in this article, the bill also states, “Not later than October 1, 2017, each company shall implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company,” adding that the security program will need to be in writing and contain appropriate administrative, technical and physical safeguards.

This bill also addresses the issue of data encryption, and explains that all personal information that is being transmitted wirelessly or on a public internet connection must be encrypted. Sensitive personal data must also be encrypted on laptops and other portable devices.

With all the recent major data breaches, which have also affected many people and organizations in Connecticut, it is clear that the state is taking the stance of demanding encryption of customer data.

Encryption technology can be used to protect confidential information. If information is encrypted with sufficient strength, it can remain safe even when stolen or lost on any media. Encryption also protects information in transit, but it does not prevent a leak after decryption by authorized recipients. Considering that most data leaks originate from insiders who have or had access to documents, organizations must complement and empower existing security infrastructure with a solution that can protect data in use persistently.

Enterprise Digital Rights Management (DRM) is the only systematic solution to protect your information persistently from insiders as well as outside threats. Enterprise DRM controls the usage of DRM-enabled documents depending on the permissions given to the user. The DRM-enabled documents can be protected at rest in storage, in transit and also in use persistently.

Enterprise DRM enables the circulation of confidential information without the fear of leaks, handling customer information for better support without the slightest risk of PII (Personally Identifiable Information) exposure, and sharing trade secrets or technical details with your trusted partners.

In the time of all of these data breaches, it is important to determine which encryption will protect your data against these hacks. From malicious and careless insiders to external threats, Enterprise DRM will provide the protection your data needs throughout its entire lifecycle.

 

Photo credit by: EFF Photos

IT Business Edge shows how Fasoo protects HR data

HR departments have a unique set of security challenges to maintain the confidentiality and integrity of internal staff and external clients.  While maintaining the confidentiality of personally identifiable information (PII), they also develop and share information that needs wide distribution.

Managing these somewhat contradictory requirements requires an approach that is flexible enough to protect against insider threats, while enabling secure sharing.

IT Business Edge has published the slideshow, “Data Protection: Five Challenges Facing the Enterprise HR Department”, that highlights five functions of an enterprise HR department and how Fasoo can help meet the specific access and permission requirements for different tiers of information.

Most companies think about employee PII and information that is generally under the control of HR, but how about when someone leaves the organization?  HR is one of the first to know and can inform the organization of a pending departure.  This helps ensure the organization can immediately disable access to sensitive materials, if there is a concern of theft.

View the slideshow and see some of the ways you can protect your most sensitive information.
