Protect-First Approach To Data-Centric Security
Sensitive Unstructured Data

Three predominant data-centric security methods

There are three predominant methods in the market today for preventing loss of, and unauthorized access to, sensitive unstructured data. Each is different, and the best way to compare and contrast them is to look at what a vendor's solution is built to defend and the primary data-centric tools it uses.

METHOD              DEFENDS                                          TOOLS
Data Flow-Centric   Data at ingress/egress points                    Data Loss Prevention
Location-Centric    Folders, file shares, disks, cloud files         Identity & Access Management, Behavior Analytics
File-Centric        The files themselves (Office documents,          Persistent Encryption, Identity & Access Management
                    CAD/CAE, PDF, plain text, other media)

Today, with increasing threats and the consequential impacts of a data breach, more organizations are adopting a file-centric method as the foundation of their data-centric architectures. It is the only one of the three that denies unauthorized access to the sensitive data itself, no matter how the data flows or where it resides. This protect-first foundation recognizes that if the data isn't properly protected, the rest of the house crumbles.

A file-centric method works as a frontline defense and can be deployed in combination with the other methods to achieve a fortified, cohesive data-centric security architecture. Understanding the key distinctions between the methods helps you navigate vendor engagements and build a protect-first architecture that best fits your needs.

Data Flow-Centric

These solutions defend sensitive data at corporate infrastructure ingress and egress points and use data loss prevention (DLP) tools to stop data leakage. Ingress and egress points include servers, networks, endpoints, and cloud services.

Today, the majority of businesses have deployed DLP as point solutions, known as integrated DLP (e.g., network DLP, email-server DLP, or endpoint DLP), while few have scaled to a full enterprise DLP deployment (a single solution suite covering all points).

Data flow-centric characteristics:

DEFENDS:

Prevents data from leaking by intervening with the use or movement of data.

TOOLS:

Content matching that actively looks for regular expressions, defined strings, keywords, patterns or data dictionaries.

Additional tools that can be used include fingerprinting (indexing) and image recognition.

DLP solutions set up rules that specify conditions, actions and exceptions. The tools filter messages and files based on their content and prompt corrective measures. They can simply alert a user that an action may be risky or completely block the action. Examples include alerting when sharing sensitive data through email and restricting the copying of sensitive files onto a USB drive.

Many organizations have implemented email DLP since this is the most obvious ingress/egress point prone to unauthorized exchanges of sensitive data. While there are measurable improvements, security and IT administrators still face challenges when implementing and operating DLP solutions, such as:

  • Rules are complex and create thousands of initial false alerts.
  • Concerns over disrupting user workflows causes administrators to loosen controls and implement few blocking mechanisms.
  • Alerts burden administrators and backlogs might take weeks or months to address.

Too often businesses have inappropriate expectations for DLP. It works, but many underestimate the complexity and resources needed to build, tune, and manage policies that fit their environment. Anticipate iterative refinement of rules and ongoing alert resolution.
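The rule structure described above (conditions, actions and exceptions) and the false-positive problem are easiest to see in code. The following is an added example, not code from the original page or from any DLP product: a minimal content-matching engine run over a few constructed messages. The corp.example domain, the rule names and the message bodies are assumptions for illustration. The second-stage Luhn check is the kind of validator that cuts the "thousands of initial false alerts" by rejecting digit runs (order numbers, timestamps) that match the card-number pattern but are not card numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Message is a constructed stand-in for an outbound email or file transfer.
type Message struct {
	Sender, Recipient, Body string
}

// Rule mirrors the condition / action / exception structure of a DLP policy.
type Rule struct {
	Name      string
	Pattern   *regexp.Regexp          // content condition: regular expression
	Validate  func(match string) bool // second-stage check that discards look-alike matches
	Keywords  []string                // content condition: data-dictionary terms (any one matches)
	Exception func(Message) bool      // when true the rule is skipped for this message
	Action    string                  // "alert" lets the action proceed, "block" stops it
}

// luhnValid rejects digit runs that merely look like a payment card number.
// Separators are skipped so "4111 1111 1111 1111" and "4111-1111-1111-1111" both pass.
func luhnValid(s string) bool {
	sum, n, double := 0, 0, false
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			continue
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		n++
		double = !double
	}
	return n >= 13 && n <= 19 && sum%10 == 0
}

// internalRecipient is the exception used below: mail that stays inside the
// (hypothetical) corp.example domain is not treated as a leak.
func internalRecipient(m Message) bool {
	return strings.HasSuffix(strings.ToLower(m.Recipient), "@corp.example")
}

var rules = []Rule{
	{Name: "PAN", Pattern: regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`), Validate: luhnValid, Exception: internalRecipient, Action: "block"},
	{Name: "Confidential marker", Keywords: []string{"confidential", "internal only"}, Exception: internalRecipient, Action: "alert"},
}

// Evaluate returns one "action:rule" verdict per rule that fires on the message.
func Evaluate(m Message) []string {
	var verdicts []string
	body := strings.ToLower(m.Body)
	for _, r := range rules {
		if r.Exception != nil && r.Exception(m) {
			continue
		}
		hit := false
		if r.Pattern != nil {
			for _, match := range r.Pattern.FindAllString(m.Body, -1) {
				hit = hit || r.Validate == nil || r.Validate(match)
			}
		}
		for _, k := range r.Keywords {
			hit = hit || strings.Contains(body, k)
		}
		if hit {
			verdicts = append(verdicts, r.Action+":"+r.Name)
		}
	}
	return verdicts
}

func main() {
	// Constructed sample traffic, not captured data.
	samples := []Message{
		{"alice@corp.example", "bob@mail.example", "Card 4111 1111 1111 1111 exp 12/26"},   // valid PAN: blocked
		{"alice@corp.example", "bob@mail.example", "Order 1234 5678 9012 3456 shipped"},    // fails Luhn: silent
		{"alice@corp.example", "bob@mail.example", "CONFIDENTIAL: Q3 forecast attached"},   // dictionary hit: alert
		{"alice@corp.example", "carol@corp.example", "Card 4111 1111 1111 1111 exp 12/26"}, // internal: exception
	}
	for _, m := range samples {
		fmt.Printf("%-20s %v\n", m.Recipient, Evaluate(m))
	}
}
```

Run it and the order-number message produces no verdict even though the regular expression matched, while the same card number sent to an internal recipient is silenced by the exception rather than by the pattern. Each of those decisions (pattern width, validator, exception scope, alert versus block) is a tunable, which is why the text warns that rule refinement is iterative.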

KEY INSIGHT:

Data flow-centric solutions are good at reducing risk but not a strong, protect-first approach. They don’t defend the data itself, but only how it flows in your organization. Any leakage exposes the data to unauthorized disclosure.

Location-Centric

These solutions defend sensitive data storage locations. They look for gaps and inconsistencies in identity and access management (IAM) and apply user behavior analytics (UBA) to reduce the risk of unauthorized disclosure of sensitive data. Locations include folders, file-shares, disks, and cloud services.

Location-centric characteristics:

DEFENDS:

Folder, file-share or disk from unauthorized access and suspicious usage.

TOOLS:

Analysis of IAM settings and policies to find discrepancies and obsolete controls.

UBA to monitor and detect anomalous events.

Unlike DLP solutions that query and assess content repetitively, location-centric solutions pre-process, classify, and tag sensitive data. These tags flag where sensitive content is located within your IT data architecture and use:

  • IAM tools: Find excessive, outdated, or inconsistent user permissions and accounts without passwords, evaluate access controls and authorization processes, and search Active Directory structures to discover discrepancies.
  • UBA tools: Monitor privileged and end-user access to detect anomalous behavior (unusual mailbox activity, a large number of failed attempts to access a folder, or excessive downloads of files to a portable storage device).

Location-centric solutions are easier to implement than rules-based data flow-centric solutions because the tools are non-intrusive and work from system logs and UBA. Location-centric solutions place priority on data visibility and are superior to many approaches when it comes to privacy compliance, audit and reporting requirements.
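As an added example (not from the page or from any vendor product) of what the two location-centric tool families actually compute, the Go program below audits a constructed ACL export against directory state and then runs two UBA-style thresholds over constructed audit-log events. The folder path, account names, the 90-day dormancy window and the alert thresholds are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ACE is one access-control entry on a folder (constructed data, not a real export).
type ACE struct{ Folder, Principal, Right string }

// Account is the directory state behind a principal.
type Account struct {
	Disabled  bool
	LastLogon time.Time
}

// Event is one parsed line of a file-access audit log.
type Event struct {
	When                  time.Time
	User, Folder, Outcome string // Outcome is "ok" or "denied"
	Bytes                 int64  // bytes read on a successful access
}

// Accounts with no logon for this long are treated as dormant.
const dormantAfter = 90 * 24 * time.Hour

// AuditACL lists the IAM discrepancies a location-centric tool looks for: disabled, dormant or
// unknown accounts that still hold rights, and broad groups with more than read access.
func AuditACL(acl []ACE, dir map[string]Account, now time.Time) []string {
	var findings []string
	for _, e := range acl {
		if e.Principal == "Everyone" || e.Principal == "Domain Users" {
			if e.Right != "read" {
				findings = append(findings, fmt.Sprintf("%s: broad group %q has %s", e.Folder, e.Principal, e.Right))
			}
			continue
		}
		a, known := dir[e.Principal]
		switch {
		case !known:
			findings = append(findings, fmt.Sprintf("%s: orphaned entry for %s", e.Folder, e.Principal))
		case a.Disabled:
			findings = append(findings, fmt.Sprintf("%s: disabled account %s still has %s", e.Folder, e.Principal, e.Right))
		case now.Sub(a.LastLogon) > dormantAfter:
			findings = append(findings, fmt.Sprintf("%s: dormant account %s still has %s", e.Folder, e.Principal, e.Right))
		}
	}
	return findings
}

// DetectAnomalies applies two UBA-style thresholds to an audit log: a burst of denied accesses by one
// user inside a sliding window, and one user's cumulative read volume passing a limit. Each user is
// reported at most once per condition, so a single incident does not become hundreds of alerts.
func DetectAnomalies(events []Event, window time.Duration, maxDenied int, maxBytes int64) []string {
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	denied := map[string][]time.Time{}
	volume := map[string]int64{}
	flagged := map[string]bool{}
	var findings []string
	for _, ev := range events {
		switch ev.Outcome {
		case "denied":
			q := append(denied[ev.User], ev.When)
			for len(q) > 0 && ev.When.Sub(q[0]) > window { // expire failures outside the window
				q = q[1:]
			}
			denied[ev.User] = q
			if len(q) >= maxDenied && !flagged[ev.User+"/denied"] {
				flagged[ev.User+"/denied"] = true
				findings = append(findings, fmt.Sprintf("%s: %d denied accesses within %s", ev.User, len(q), window))
			}
		case "ok":
			volume[ev.User] += ev.Bytes
			if volume[ev.User] > maxBytes && !flagged[ev.User+"/bulk"] {
				flagged[ev.User+"/bulk"] = true
				findings = append(findings, fmt.Sprintf("%s: read %d bytes, above the %d limit", ev.User, volume[ev.User], maxBytes))
			}
		}
	}
	return findings
}

func main() {
	now := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	dir := map[string]Account{"alice": {LastLogon: now.Add(-24 * time.Hour)}, "bob": {Disabled: true}}
	acl := []ACE{{`\\fs1\finance`, "alice", "modify"}, {`\\fs1\finance`, "bob", "read"}, {`\\fs1\finance`, "Domain Users", "modify"}}
	for _, f := range AuditACL(acl, dir, now) {
		fmt.Println("IAM:", f)
	}
	var events []Event
	for i := 0; i < 5; i++ { // five denials in twenty seconds
		events = append(events, Event{now.Add(time.Duration(i) * 5 * time.Second), "mallory", `\\fs1\finance`, "denied", 0})
	}
	for _, f := range DetectAnomalies(events, time.Minute, 5, 500<<20) {
		fmt.Println("UBA:", f)
	}
}
```

Both functions only ever see the folder: once a copy of a file leaves `\\fs1\finance` for a laptop, no further events arrive and neither check can say anything about it, which is the location-specific limitation the drawbacks below describe.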

However, drawbacks with location-centric solutions include:

  • IAM and UBA tools are location-specific. Once a file is removed from the location and downloaded to laptops or endpoints, you lose visibility of the data.
  • Folder management becomes a challenge at scale as a single terabyte can spread to over 50,000 folders. Keeping access lists current and monitoring user activity across millions of folders is burdensome.
  • Like data flow-centric solutions, the alerts place significant demands on administrators’ workloads and their ability to respond in a timely manner.

While obfuscation tools are not native to these solutions, some do encrypt data while it resides and is used within a particular location. However, when files are downloaded to endpoints, stored in personal cloud accounts, or shared outside the location, protection, visibility and control are lost.

KEY INSIGHT:

Location-centric solutions use a “least privilege” approach as the foundation for their data protection method – not a “protect-first” approach. Critical gaps arise when data is moved from its original location, and lacking persistent encryption, expose your sensitive unstructured data to a breach.

File-Centric

In contrast to the other methods, persistent encryption and IAM are tied to the file and travel with it, independent of networks, servers, locations and devices.

File-centric characteristics:

DEFENDS:

Office documents, CAD/CAE files, PDF, plain text, other digital media file types.

TOOLS:

Encryption is persistent, centrally managed and enforced at the file level.

IAM is assigned and enforced at the file level.

The method uses data classification tags to:

  • Encrypt the file contents: if exfiltrated, the sensitive data is unreadable without the key and of no value to threat actors.
  • Restrict file access to only authorized users: Users can be an individual, departments, business unit or defined by role or title.

File-centric solutions were historically used for very specific use cases but today are experiencing a market resurgence. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policies ensure access and protection are consistently applied across all networks, file-shares, devices, end-points and cloud services.

And when it comes to denying access to sensitive content, the file-centric method is by far the best "protect-first" approach. Here's how leading analysts are advising clients:

  • Despite extensive DLP coverage there are “gaps in data flows where data can leak” and “the better answer is a strategy focused on securing the data itself.”
  • Encryption is entering a “Golden Age.” Due to the growing concerns of data theft, privacy and government surveillance, security pros are increasingly using all forms of encryption throughout their digital businesses.
  • “Identity” is the new perimeter in a world of distributed Software as a Service (SaaS) and other cloud-based services. Centralized administration and control of access to data must be maintained by the business, not service providers.

Look for file-centric solutions that automate discovery, classification and encryption in a single instantaneous step without user intervention. This improves productivity and consistency in application of policies.
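The mechanism this section describes, encryption and an access list tied to the file with a central point of enforcement, is shown in the following added example; it is not code from the page or from any vendor, and the KeyService is a hypothetical stand-in for a central policy/key server. It uses AES-256-GCM from the Go standard library and binds the policy (classification tag and authorized principals) into the key wrap as associated data, so a copy of the file whose access list has been edited cannot be opened even by the principal who added themselves. It also covers the revocation point made later under Third-Party Collaboration: because the key-encryption key never leaves the service, revoking a principal takes effect on every copy wherever it has travelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is the classification tag and access list that travels with the file.
type Policy struct {
	FileID         string   `json:"id"`
	Classification string   `json:"class"`
	Principals     []string `json:"principals"`
}

// ProtectedFile is what gets copied, mailed or synced. The policy is in clear, but the file key is
// sealed under the service KEK with the policy as associated data, so an edited policy no longer unwraps it.
type ProtectedFile struct {
	Policy     Policy
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=policy)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, content, aad=policy)
}

// KeyService stands in for the central policy/key server (hypothetical, not a vendor API); the KEK never leaves it.
type KeyService struct {
	kek     []byte
	revoked map[string]bool
}

func NewKeyService() *KeyService {
	return &KeyService{kek: random(32), revoked: map[string]bool{}}
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // nothing sensible to do without entropy
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 random bytes, so an error is a bug
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// gcmSeal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := newGCM(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Protect is the single step the text describes: tag, encrypt and attach the access list.
func (ks *KeyService) Protect(id, class string, principals []string, content []byte) *ProtectedFile {
	pol := Policy{FileID: id, Classification: class, Principals: principals}
	aad, _ := json.Marshal(pol)
	dek := random(32) // fresh key per file, never stored in clear
	return &ProtectedFile{Policy: pol, WrappedDEK: gcmSeal(ks.kek, dek, aad), Ciphertext: gcmSeal(dek, content, aad)}
}

// Open releases the file key only to a listed, non-revoked principal, and only if the policy still
// matches the one the key was wrapped under; where the copy lives is irrelevant.
func (ks *KeyService) Open(pf *ProtectedFile, principal string) ([]byte, error) {
	if ks.revoked[principal] {
		return nil, fmt.Errorf("%s: access revoked", principal)
	}
	authorized := false
	for _, p := range pf.Policy.Principals {
		authorized = authorized || p == principal
	}
	if !authorized {
		return nil, fmt.Errorf("%s: not in the file's access list", principal)
	}
	aad, _ := json.Marshal(pf.Policy)
	dek, err := gcmOpen(ks.kek, pf.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("policy does not match the wrapped key: tampered or corrupted")
	}
	return gcmOpen(dek, pf.Ciphertext, aad)
}

// Revoke takes effect on every copy of every file, wherever it has travelled.
func (ks *KeyService) Revoke(principal string) { ks.revoked[principal] = true }
```

Protect and Open are the two operations a transparent agent would perform on save and on open. Everything an endpoint or a third party ever holds is the ProtectedFile, and a second KeyService with a different KEK cannot open it at all, which is the practical meaning of keeping centralized control of access with the business rather than with a service provider.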

KEY INSIGHT:

File-centric solutions use a "protect-first" approach as the foundation of their data protection method. Persistent access control and encryption remain with the file throughout its life-cycle. Many privacy regulations exempt the loss of properly encrypted files from breach notification, or impose significantly reduced penalties, provided the encryption keys were not compromised along with the files.


Protect-First, File-Centric Approach

Organizations struggle to distinguish between data-centric solutions from different vendors as they search for the best way to safeguard their sensitive unstructured data. Data-centric security encompasses a wide range of processes and tools, many with overlapping functions and focused on different end goals. Adding to this confusion has been a flurry of gap-filling point solutions (e.g., CASB, endpoint protection) launched to address today's cloud and mobility adoption.

And despite significant investments in traditional data flow-centric and location-centric methods, data breaches today are at all-time highs.

Adopt a protect-first, file-centric method for your data security architecture. Establish this strong frontline defense to deny any unauthorized access to sensitive unstructured data, no matter how it is used, with whom it is shared, or where it is located. Then, use this foundation to integrate other data-centric methods and tools to architect a data security infrastructure that meets your organization's governance, risk and compliance mandates.

Fasoo products span the life-cycle of sensitive unstructured data to discover, classify, protect, monitor, control, track and expire access to content wherever it travels or resides. Our unified solution enables users to securely collaborate internally and externally with sensitive information while consistently meeting corporate governance and regulatory requirements. Our file-centric approach, using encryption with a unique identifier, allows organizations to have more visibility and control over unstructured data without interrupting workflows. We've engaged in this journey with over 1,500 enterprises to field data-centric solutions that proactively protect corporate brand and competitive position and meet increasing regulatory demands.

Six Vulnerable Points In Your Data Security Architecture and How You Can Protect Them
Sensitive Unstructured Data

Do you know where you are most vulnerable? Now is the time to check these key trends:


1. Hybrid and Multi-Cloud
2. Privacy
3. Insider Threat
4. Security Gaps
5. Remote Workforce
6. Third-Party Collaboration

1. Hybrid and Multi-Cloud Environment

According to Flexera’s “State of the Cloud, 2020 Report”, organizations use an average of 2.2 public and private cloud providers. This exposes your data to the following risks:

Identity and Access Management (IAM): You may have heard the phrase, "identity is the new perimeter". This "new perimeter" is the intersection of users, devices, and cloud services. Due to the COVID-19 pandemic and increasing regulations, many companies across the globe have had to reconsider how much access their employees have to their systems, applications, and data.

Security: Educate your Governance, Risk and Compliance (GRC), IT security, and Human Resources (HR) teams on the latest risks and make sure they have the data-centric tools they need to combat them. Ultimately, a breach will significantly impact your organization's reputation and finances.

Data Residency: Cloud environments are boundless and can be located anywhere in the world. Legal and regulatory requirements are imposed on data in the country or region where it resides. Review where your sensitive unstructured data is stored (on or off-premise) and make updates accordingly.

SOLUTION CONSIDERATION:

A data-centric approach identifies files and secures them under a centralized management system to provide consistency across all channels. Discovery tools locate your data and classify it with specific tags, which can also govern the cloud locations in which it is allowed to reside.

 

2. Privacy

Today’s privacy regulations demand greater visibility and control over an individual’s data.

Regulation types include:

  • Responding to the Rights of Individuals: Regulations such as General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) give individuals greater rights to their personal data. Data subject and consent rights must be associated with all information collected on an individual.
  • Access and Revoke: Every file access (by systems and users) must be traceable for the data collected. Individuals can elect how and when their data is used. The "right to be forgotten" requires removal of all data and most transaction records. Your organization must respond promptly to individual privacy and audit requests. Breach notification timelines are tightened (GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach).

SOLUTION CONSIDERATION:

Deep visibility tools accumulate access information during the entire lifecycle of the sensitive unstructured data. You should avoid traditional tools that provide limited visibility and require forensic action to correlate and search across multiple log files.

 

3. Insider Threat

While external threats from hackers and cybercriminals make the headlines, trusted insiders can pose a greater threat to your sensitive unstructured data. A traditional security infrastructure focuses on external threats using firewalls, anti-malware, intrusion detection, and other security solutions. These solutions may not prevent an employee, contractor or third-party vendor with legitimate access from sharing data with unauthorized users.

There are three types of insider threats that require your attention:

1. Accidental: An employee or contractor may accidentally share a document with the wrong person, exposing sensitive data. Once out of the person's control, the information could go anywhere, violating privacy regulations and compromising your competitive position.

2. Negligence: An IT or security administrator forgets to apply a security patch or update a firewall rule, exposing your sensitive unstructured data to theft. This is most likely an oversight, since many IT and security groups are overworked and understaffed. Another example is a user who deliberately circumvents security policies.

3. Malicious: Employees, contractors or partners who want to harm your organization or make money selling valuable information to competitors. This type of insider threat is difficult to stop because many have a legitimate need to access sensitive unstructured data.

SOLUTION CONSIDERATION:

Encrypt files and apply rights management to decrease the likelihood of unauthorized users accessing your sensitive unstructured data. If hackers and cybercriminals exfiltrate protected sensitive data, it is useless to them as long as the encryption keys remain under your control. The same goes for employees or contractors who want to take sensitive data with them.

 

4. Security Gaps

Despite significant investments in security infrastructure and the deployment of data loss prevention capabilities, breaches are at all-time highs. Threat actors have greater success exfiltrating information on endpoints and servers where sensitive unstructured data is common.

What you need to acknowledge and have teams address:

  • Beyond prevention: Data Loss Prevention (DLP) blocks and prevents sensitive data activities but doesn't protect the data itself. Data breaches continue. Organizations and regulators are recommending increased use of encryption to address the challenge.
  • Not a breach: Many regulations treat the loss of properly encrypted data differently from the loss of clear data, and fines can be significantly reduced depending on that status.
  • Ransomware: While companies may still be subject to disruption, often the most significant risk is sensitive data being exposed to the public or sold to others for financial gain. Data that is already encrypted under keys the attacker does not hold greatly reduces this risk. Encryption is explicitly referenced in modern regulations such as GDPR, CCPA, and the New York State Department of Financial Services cybersecurity regulation (23 NYCRR 500).

SOLUTION CONSIDERATION:

Enhance existing DLP investments by encrypting files with sensitive data. Use centralized encryption key management to maintain protection and control wherever the file travels.

 

5. Remote Workforce

This is a significant trend that’s been recently accelerated by COVID-19. Security and privacy implemented in corporate offices can’t be replicated at each home. Review your current policies to see if they address:

Home office/Virtual Workspaces: Work is more likely to happen on unmanaged and shared devices, over insecure networks, and in unauthorized or non-compliant apps.

Increased downloads: Slow networks and the convenience of working on and sharing local copies both result in increased volumes of sensitive unstructured data on endpoints.

Insider threat: Unintentional disclosure of sensitive content increases without safety precautions. Malicious intent from at-risk employees with access to home-based, non-sanctioned portable drives and printers is particularly concerning.

SOLUTION CONSIDERATION:

Use strong data-in-use tools like rights management capabilities that restrict printing and storing content on removable media.

 

6. Secure Third-Party Collaboration

Customer information shared with others remains your responsibility, regardless of who leaks the data. The challenges here are:

Loss of control: Once outside your organization, highly sensitive information can be shared either unknowingly or for improper business advantage that hurts your competitiveness.

Screen sharing: Zoom, Skype, WebEx, Google Chat and Google Meet, Microsoft Teams, Free Conference Call, and similar applications expose sensitive information to screen capture by others.

End of project: Sensitive information often remains with third parties long after the project or relationship ends, often unprotected.

SOLUTION CONSIDERATION:

Deploy agentless browser collaboration with file tracking and protection. Screen blocking of sensitive information during collaboration sessions prevents losing sensitive data. Revoke access of sensitive files if shared with third parties once no longer needed.

 

Proactive organizations stay ahead of these vulnerabilities by acting early to evaluate and safeguard their sensitive unstructured data.

Recommended best practices include:

1. Update GRC policies to reflect new guidance
2. Perform a security gap analysis of the current infrastructure
3. Implement employee awareness training as new risks and threat vectors emerge

Educate and empower your organization to stay one step ahead of hackers, cybercriminals, threat actors, and those with malicious intent.

 
