
Tag: zero-trust

Enhance your data security with the Fasoo Zero Trust Data Security platform

Are you struggling to implement Zero Trust across siloed data-centric tool sets? You’re not alone. Analysts say this is one of the major roadblocks to Zero Trust uptake.

The hybrid workplace left security teams scrambling to deploy new point solutions, adding to an existing array of data protection tools. These disparate solutions sit at ingress/egress points (DLP/CASB/EPP) applying rules and analytics where sensitive data intersects with users, applications, and devices.

The real problems for Zero Trust arise where data crosses between these siloed solutions: the continuity of the data flow is interrupted, visibility is lost, and policy misconfigurations creep in.


Zero Trust relies on context about users, applications, data, and devices that is available everywhere, all the time

Vital to Zero Trust is continuous monitoring of context to detect anomalous events. It’s the basis for the adaptive risk assessments that decide whether, and how much, access a user merits. It won’t work if you lose sight of sensitive files and how they are used.

But that’s the world of the hybrid workplace. Users extract data from corporate databases, insert it into ad-hoc documents on endpoints anywhere, move it to the cloud, and share it with external partners. Sensitive files easily find their way to unmanaged devices and unsanctioned cloud services, out of the purview of corporate control.

It’s clear security and operations teams need new approaches and methods to move forward with Zero Trust initiatives.


Consolidate siloed data-centric processes in conjunction with implementing Zero Trust principles

Consolidation of data-centric processes into Data Security Platforms (DSP) is underway and teams can leverage this trend to accelerate Zero Trust initiatives. Gartner projects that by 2024, 30% of enterprises will adopt Data Security Platforms, up from less than 5% in 2019.

A platform implements control and security policies better by using a centralized policy engine that spans all data-centric processes. Integrating the processes removes silos, enhances data visibility, and makes tracking more consistent. That in turn lets you apply automation across the platform, making security transparent to users and operations less complex.

Forrester Research recommends that a platform first establish a data control foundation of core processes: unified data discovery, classification, and control, plus some form of data loss prevention and obfuscation such as encryption. Deploying this initial core gives your team key insights into where sensitive data originates, where it travels, and who accesses it.

A DSP delivers an infrastructure that makes it easier for security teams to implement Zero Trust across your organization’s hybrid workplace.


Recognize Zero Trust principles set higher standards for sensitive data control and protection

Many modern DSPs emerged during the move to a hybrid workplace, formed by traditional vendors adding adjacent technologies: DLP vendors integrating classification, for example, or classification vendors adding protection. While all of these are steps forward, today’s DSP capabilities vary widely and can leave Zero Trust initiatives at risk.

Zero Trust principles set a higher bar for sensitive data. They require enhanced control, visibility, and monitoring of data that today’s traditional solutions struggle to deliver.

It’s no longer enough to keep layering MFA techniques onto user access. It’s just as critical to control how the data is used once users gain authorized access. With today’s solutions, the user has a free pass to copy, cut, paste, share, and store sensitive files as they wish.

Explicit verification requires that data is never left unprotected. DLP and behavior analytics inspect files to enforce rules or flag anomalous events, but they don’t usually protect the data itself. Once exposed, data can be exfiltrated and go undetected for weeks, if not months.

Security teams need to pull back the covers on DSP and understand the underlying technology. While all deliver platform advantages from tool consolidation, capabilities to achieve Zero Trust standards can be limited.


A true Zero Trust Data Security Platform to make security stronger and easier

For over 20 years, Fasoo has developed and consolidated data-centric capabilities to meet customer demand for lifecycle management of sensitive data. Fasoo now leads the industry in converging Zero Trust with an advanced Data Security Platform.

Fasoo consolidates core data-centric processes to deliver the benefits of a DSP. Centralized policies, deeper data visibility, and automation all contribute to more effective and less complex operations. And within this infrastructure, Fasoo has built the most advanced control and security methods to comprehensively implement Zero Trust standards.

Our methods differ from traditional solutions. We push controls and security closest to what you need to protect, the file itself, so safeguards travel with the sensitive data. Binding controls and protection to the file provides deep visibility: data is never out of sight, and policies are consistent across the hybrid workplace.

The file is the new micro perimeter where we not only control access but control how you use the data. If I simply need to view a document, why let me extract or share the data? Granular rights enforce document controls that explicitly protect data and enable least privilege Zero Trust principles.

Protection of the data itself needs to be present always. Encryption is an obvious need for an explicit-verification model. The platform automatically encrypts a sensitive file when a user creates or modifies it, which is true adherence to the never trust, always verify principle. Don’t ask the new hire to decide.

Fasoo’s Platform delivers this and a complete suite of advanced methods that implement Zero Trust standards. Fasoo’s approach is superior and it’s why security teams select our Platform as their path to Zero Trust.


Learn more about Fasoo’s Zero Trust Data Security Platform

Learn more about the full suite of advanced data-centric methods Fasoo employs to truly achieve Zero Trust for data security.

Understand the core data-centric processes Fasoo’s Platform consolidates and the benefits of a Data Security Platform.

Read how one CISO used a quick-take playbook to prioritize and down-select 2023 Zero Trust Initiatives and accelerate the security team’s journey to Zero Trust.

EDRM deployments on the rise

A resurgence of interest in Enterprise Digital Rights Management (EDRM) is trending as cloud, mobile, work-from-home (WFH), personal devices (BYOD) and collaboration platforms create new coverage gaps in traditional data protection approaches.

Gartner reports that EDRM technology, a core solution of Fasoo’s Zero Trust Data Security Platform, entered the “Plateau of Productivity” stage across three of its Hype Cycle Reports. In this Hype Cycle stage:

“the innovation has demonstrated real-world productivity and benefits, and more organizations feel comfortable with the greatly reduced level of risk.”

Quick Glance Back

Many security veterans recall that EDRM was one of the first data-centric tools to run the gauntlet of operational deployments. IT professionals familiar with network tools were unprepared for the more involved engagement required with business units and end users to protect sensitive data.

EDRM was too often deployed in a decentralized manner, forcing users to decide how to apply its wide-ranging capabilities. Improper policy decisions set restrictive enforcement measures that overwhelmed business processes and hurt worker productivity.

Today, most organizations better understand the unique challenges of securing and controlling sensitive data and have overcome these earlier missteps. Modern EDRM uses centralized policies, applies protection without user interaction, enforces adaptive security, and does not interrupt workflows.

Moving Forward

The ease of EDRM deployments isn’t the only reason for its resurgence. Industry experts also note:

1. EDRM closes DLP coverage gaps triggered by the hybrid workplace

2. EDRM capabilities are essential to Zero Trust Data Security


EDRM and DLP

The findings of the Gartner Hype Cycle for Cloud Security are a good example of where DLP falls short in today’s hybrid and multi-cloud environments. DLP can’t enforce rules at every location data may travel to, and many of those locations, such as home offices or files shared with supply chain partners, sit outside enterprise controls. And here’s another wake-up call from the Gartner report:

“Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.”

With EDRM, you stay in control of your data no matter where it travels or who accesses it, because the EDRM safeguards (encryption, user access, and data-in-use controls) travel with the file itself. Safeguards are persistently enforced regardless of location, so a misconfigured share or an end-user mistake exposes only ciphertext rather than the data.

Learn more about “Why DLP Needs EDRM”


EDRM and Zero Trust

Zero Trust is all about explicit risk assessments. It’s an approach that requires thorough verification of all users, data, and devices, and allows only minimal privileges.

Analysts and many organizations recognize that EDRM is now foundational to Zero Trust Data Security. Its core functionality enables the assignment of minimal privileges to sensitive data and the ability to dynamically grant increasing levels of explicit access. It encrypts, restricts user access, controls the use of data, monitors data, and employs adaptive measures based on context-aware user and device behavior.

Learn more about “How EDRM and Fasoo Enable Zero Trust Data Security”


A New Perspective on EDRM

EDRM has come a long way since those first projects, and you can feel comfortable deploying this robust technology to protect and control your sensitive data. EDRM also sets you on a path to fortify your existing DLP infrastructure and move to a true Zero Trust Data Security capability.

Fasoo, an EDRM pioneer for the past 20 years with over 2,000 customers and millions of users, has been at the forefront of simplifying EDRM deployments and operational demands. Today, these EDRM capabilities are one of many data-centric tools consolidated into Fasoo’s industry-leading Zero Trust Data Security Platform. This purpose-built, highly automated, centrally managed, data-centric platform lets organizations secure their data better and more easily.

Learn more about “Fasoo’s Data Security Platform”


Organizations are working to bring existing security capabilities up to date with Zero Trust standards. An organization’s path to Zero Trust Data Security often starts with an existing DLP solution set.

Zero Trust is all about explicit risk assessments, monitoring, and control: an approach that extends beyond managing access to data to controlling how the data is used, and that uses continuous monitoring to make dynamic, explicit decisions each time a user accesses sensitive files.

Traditional DLP falls short of these standards.

Here are three essential capabilities to bring your existing data security up to Zero Trust standards.

1. Centrally Apply File Encryption

DLP solutions monitor data – Allow/Block – but the sensitive data itself is left unprotected.

Zero Trust principles dictate stronger measures like file encryption. This eliminates implicit access to files and sets a clear reference point to make Zero Trust explicit access decisions.

Zero Trust Data Security also cares about “who” encrypts the file. Many solutions rely on the user to encrypt sensitive files and in some cases, a user sets a password. This can lead to errors in protecting data and requires the encryptor – your employees – to grant access to your own critical data.

A centralized policy platform is foundational to Zero Trust Data Security. With centrally enforced policies, a file with sensitive data can be automatically encrypted when created or modified, all transparent to the user. It lifts the burden from the user, eliminates errors, and keeps workflows moving.

This also gives you control over the encryption keys, rather than the user, the cloud provider, or any other third party. This matters more and more in hybrid and multi-cloud workplaces as privacy regulations become more prescriptive about data residency and access rights.

Consistently and proactively applying file encryption from a central policy is a big step toward achieving Zero Trust Data Security.


2. Control Data-In-Use

Insider threats expose a major gap in DLP solutions. It’s the poster child example for implicit trust that Zero Trust looks to eliminate.

With DLP, once a verified user gains access to the file, it’s a free pass to use corporate sensitive data. Users can copy, cut, and paste sensitive data into new file formats; share the data across multiple collaboration applications; and store and print sensitive files on personal (BYOD) devices.

DLP binary actions, full or no access, are no longer enough. Zero Trust principles are based on a continuous, explicit risk assessment that takes a least-privilege approach to access and use. It considers the sensitivity of the data and the context in which it’s being used.

Zero Trust Data Security requires the availability of a broader range of file permissions to control data-in-use. For example, a user that only needs to read a document should be restricted from extracting or sharing the data. Allowing a user to edit a file, but restricting copy or print, are other examples of granular document controls. Disabling screen sharing when displaying sensitive data, and print watermarking are other necessary capabilities in a Zero Trust world.

Upgrading DLP with granular document rights controls provides the data-in-use options that enable Zero Trust Data Security.


3. Monitoring Depends on Visibility

The ability to continuously monitor data activities so you can make explicit decisions each time someone tries to access sensitive files is central to a Zero Trust approach. How you use data, how it moves about, and what users do with it is an essential input to an explicit model.

However, traditional DLP and network tools create a patchwork approach to data visibility with some organizations employing over 40 IT and security tools to trace data. Visibility is also thwarted in today’s hybrid workplace by cloud and work-from-home environments where data can be stored in unauthorized locations and devices.

To move toward Zero Trust Data Security, you should upgrade your DLP solutions with a file-centric approach, making the file itself the source of reporting. A unique ID embedded in each file logs every access (network/application/individual), what was done with the file, and other context-aware information like device and geographical location.

Implement a file-centric approach to achieve the visibility necessary to enable Zero Trust Data Security.
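As an added illustration of the file-centric visibility described above (this is not code from the original post or from Fasoo), here is a short Python script that parses constructed EDRM-style audit events keyed by each file’s unique ID and flags what a Zero Trust decision engine would want to know: a right exercised that policy never granted, opens from unmanaged devices or disallowed regions, and a burst of distinct files by one user even when every single open was permitted. The log format, field names, policy table and sample lines are assumptions made for the example.

```python
"""File-centric audit analysis over constructed EDRM-style access events.

Every event is keyed by the unique ID embedded in the protected file, so the
file itself is the unit of reporting no matter where it was opened. The log
format, field names, policy table and sample lines below are assumptions made
for this example, not a real product's log schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <iso-time> file=<file-id> user=<user> action=<right used> device=<managed|unmanaged> geo=<country>
SAMPLE_LOG = """\
2024-03-04T09:01:00 file=f-7a31 user=alice action=view device=managed geo=US
2024-03-04T09:02:10 file=f-7a31 user=alice action=edit device=managed geo=US
2024-03-04T09:05:00 file=f-9c02 user=bob action=view device=unmanaged geo=US
2024-03-04T09:06:30 file=f-9c02 user=bob action=print device=unmanaged geo=US
2024-03-04T11:40:00 file=f-7a31 user=carol action=view device=managed geo=BR
2024-03-04T11:41:00 file=f-1111 user=carol action=view device=managed geo=BR
2024-03-04T11:42:00 file=f-2222 user=carol action=view device=managed geo=BR
2024-03-04T11:43:00 file=f-3333 user=carol action=view device=managed geo=BR
2024-03-04T11:44:00 file=f-4444 user=carol action=view device=managed geo=BR
2024-03-04T11:45:00 file=f-5555 user=carol action=view device=managed geo=BR
2024-03-04T13:00:00 file=f-7a31 user=alice action=view device=managed geo=CN
2024-03-05T08:00:00 file=f-7a31 user=alice action=view device=managed geo=US
"""

# Rights granted by the central policy per (file, user); absent means denied.
GRANTS = {
    ("f-7a31", "alice"): {"view", "edit"},
    ("f-7a31", "carol"): {"view"},
    ("f-9c02", "bob"): {"view"},
    **{(f, "carol"): {"view"} for f in ("f-1111", "f-2222", "f-3333", "f-4444", "f-5555")},
}
ALLOWED_GEOS = {"US", "GB", "BR"}
MASS_ACCESS_WINDOW = timedelta(minutes=10)
MASS_ACCESS_THRESHOLD = 5   # distinct files touched by one user inside the window


def parse_event(line):
    """Parse one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_anomalies(events):
    """Return findings as dicts whose 'reason' is one of four fixed categories."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        base = {"ts": ev["ts"], "file": ev["file"], "user": ev["user"]}
        granted = GRANTS.get((ev["file"], ev["user"]), set())
        # The right actually exercised must be one the central policy granted.
        if ev["action"] not in granted:
            findings.append({**base, "reason": "right_not_granted",
                             "detail": f"{ev['action']} not in {sorted(granted)}"})
        if ev["device"] != "managed":
            findings.append({**base, "reason": "unmanaged_device", "detail": ev["device"]})
        if ev["geo"] not in ALLOWED_GEOS:
            findings.append({**base, "reason": "disallowed_geo", "detail": ev["geo"]})
        by_user[ev["user"]].append(ev)
    # Volume anomaly: many distinct files by one user in a short window, flagged
    # even when every individual open was within granted rights.
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= MASS_ACCESS_WINDOW]
            files = {e["file"] for e in window}
            if len(files) >= MASS_ACCESS_THRESHOLD:
                findings.append({"ts": start["ts"], "file": "*", "user": user,
                                 "reason": "mass_access",
                                 "detail": f"{len(files)} files in {MASS_ACCESS_WINDOW}"})
                break
    return findings


def count_by_reason(findings):
    return Counter(f["reason"] for f in findings)


def file_timeline(events, file_id):
    """Everything that happened to one file, wherever it travelled."""
    return [(e["ts"].isoformat(), e["user"], e["action"], e["device"], e["geo"])
            for e in events if e["file"] == file_id]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_anomalies(evs):
        print(f["ts"].isoformat(), f["file"], f["user"], f["reason"], f["detail"])
    print(file_timeline(evs, "f-7a31"))
```

Because every record carries the file ID, file_timeline() reconstructs what happened to one document across users, devices and locations, which is the view a patchwork of network and endpoint tools cannot assemble on its own. On the sample, bob’s print on f-9c02 is flagged twice (no print right, unmanaged device), alice’s open from CN once, and carol’s six files in five minutes once, even though each of carol’s opens was individually permitted.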


Update DLP to Zero Trust Data Security

Implementing a Zero Trust approach on top of an existing security model is gradual. The Fasoo Data Security Platform helps you get there without ripping out your current DLP infrastructure. This protects your existing investment while giving you true Zero Trust Data Security to meet your governance and regulatory requirements.

Extend your DLP with zero trust data protection

The term data loss prevention, or DLP, is used throughout the information security industry to mean any technology that can stop users from sending sensitive information outside the corporate network. It can take many forms, including locking down USB ports on PCs, stopping emails from leaving the company, and preventing documents from moving outside of your firewall. DLP can mean many things to different people.

While DLP can enhance your information security by changing employee behavior, it does so by limiting activities, and it depends on adequate policies being written. It acts to restrict data use, not enable it. Business users need to share and use information legitimately, and preventing that causes problems.

DLP has two main functions: monitoring and blocking. Many organizations only monitor activity to understand usage patterns. Once they start blocking the movement of information, there are typically a lot of exceptions because people need to get their jobs done. If you are only monitoring data access and movement, you are not protecting the data; you become aware of a problem only after the data has left your organization and already gotten into the wrong hands. If you throttle blocking back to the point where it is primarily monitoring, you have the same situation.

What are some of DLP’s challenges?

DLP’s ability to scan, detect data patterns, and enforce appropriate actions using contextual awareness reduces the risk of losing sensitive data. It depends on policies to govern the movement of information, and those policies can become complex to manage. A lot of companies will monitor and potentially block personally identifiable information (PII), protected health information (PHI), social security numbers, PCI data, and any data governed by regulations. You can easily write policies to block this information, but what about all the trade secrets and intellectual property (IP) that really drive your business?

The problem is that most businesses need to share sensitive data with outside people. DLP provides no protection when users legitimately send confidential information to a business partner or customer: it cannot protect information once it is outside the organization’s perimeter. This has become more of an issue with remote work becoming the norm for many businesses.

Considering most data leaks originate from trusted insiders who have or had access to sensitive documents, organizations must complement and empower the existing security infrastructure with a zero trust data security solution that protects data in use persistently.

Add zero trust data security

By adding context-aware data protection to DLP, you ensure that only authorized people can access sensitive information no matter where it is. The three key areas to consider are:

    • Encryption – by encrypting the data under centralized security policies, you extend the reach of DLP’s monitoring. If the information does leave your network, it is still protected and under your control. If an unauthorized person tries to access it, the protected data appears as useless bits. The same policy can deny access even to an authorized person who is on the wrong device or in the wrong place.
    • Control use of the data – apply a persistent security policy that travels with the data and controls what a user can do with it when they open a file. By limiting editing, copy & paste, or printing, you close off the common paths for passing data to the wrong people. This extends to immediately revoking access to files already shared, regardless of location or device.
    • Monitor and validate use – continuously validating user access to sensitive data is critical, since people’s roles change and the data may no longer be relevant when a person changes jobs or leaves your organization. This ensures you grant access to sensitive data only if and when a user needs it.
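The three areas above, and the same three capabilities (centrally applied encryption, data-in-use control, continuous validation) in the “Update DLP to Zero Trust Data Security” post earlier on this page, can be put together in one small runnable model. The Python below is an added example, not Fasoo’s code or API: a central policy service holds the content keys, the file carries only an ID, a nonce, ciphertext and an integrity tag, and every open is an explicit decision on grant plus context that can narrow rights (view-only on an unmanaged device), deny outright (wrong region), or refuse a copy the user still holds after revocation. The class and method names are assumptions; the HMAC-based cipher stands in for AES-GCM so the example runs on the standard library alone.

```python
"""Policy-mediated file protection as a runnable model (added example, not a product API).

The content key lives only at the central policy service; the file carries a
unique ID, a nonce, ciphertext and an integrity tag, never a key. Every open
goes back to policy with the caller's context, so rights can be narrowed or
revoked after the file has been shared. The cipher (HMAC-SHA256 in counter
mode plus an HMAC tag) is a standard-library stand-in for AES-GCM; use a real
AEAD in production.
"""
import hashlib, hmac, secrets
from collections import namedtuple

ALL_RIGHTS = {"view", "edit", "copy", "print"}

# What travels with the document: the file_id keys every audit record about it.
ProtectedFile = namedtuple("ProtectedFile", "file_id nonce ciphertext tag")

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _seal(key, nonce, plaintext):
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def _unseal(key, nonce, ct, tag):
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")   # tampered bytes never yield plaintext
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class PolicyServer:
    def __init__(self, allowed_geos):
        self.keys = {}             # file_id -> content key, never released to clients
        self.grants = {}           # (file_id, user) -> set of rights
        self.allowed_geos = set(allowed_geos)
        self.audit = []            # (file_id, user, outcome, detail)

    def protect(self, plaintext, owner):
        """Run on create/modify by policy, not at the user's discretion."""
        file_id, key, nonce = "f-" + secrets.token_hex(4), secrets.token_bytes(32), secrets.token_bytes(16)
        self.keys[file_id], self.grants[(file_id, owner)] = key, set(ALL_RIGHTS)
        ct, tag = _seal(key, nonce, plaintext)
        self.audit.append((file_id, owner, "protect", "auto"))
        return ProtectedFile(file_id, nonce, ct, tag)

    def grant(self, file_id, user, rights):
        self.grants[(file_id, user)] = set(rights) & ALL_RIGHTS

    def revoke(self, file_id, user):
        self.grants.pop((file_id, user), None)   # bites at the next open, shared copies included

    def decide(self, file_id, user, ctx):
        """Explicit per-open decision: grant first, then context, then adaptive narrowing."""
        rights = set(self.grants.get((file_id, user), ()))
        if not rights:
            return set(), "no grant"
        if ctx.get("geo") not in self.allowed_geos:
            return set(), f"geo {ctx.get('geo')} not allowed"
        if not ctx.get("managed_device", False):
            rights &= {"view"}     # unmanaged device: read-only, no edit/copy/print
        return rights, "ok"

    def open(self, pf, user, ctx):
        rights, why = self.decide(pf.file_id, user, ctx)
        if not rights:
            self.audit.append((pf.file_id, user, "deny", why))
            raise PermissionError(why)
        try:
            plaintext = _unseal(self.keys[pf.file_id], pf.nonce, pf.ciphertext, pf.tag)
        except ValueError as err:
            self.audit.append((pf.file_id, user, "deny", str(err)))
            raise
        self.audit.append((pf.file_id, user, "open", ",".join(sorted(rights))))
        return plaintext, rights

def run_demo():
    """One file through grant, adaptive downgrade, geo denial, revocation and tampering."""
    server = PolicyServer(allowed_geos={"US", "GB"})
    secret = b"Q3 acquisition target list"          # constructed sample content
    pf = server.protect(secret, owner="alice")
    server.grant(pf.file_id, "bob", {"view", "edit", "print"})
    out = {}
    pt, out["bob_managed"] = server.open(pf, "bob", {"managed_device": True, "geo": "US"})
    out["roundtrip"] = pt == secret
    _, out["bob_byod"] = server.open(pf, "bob", {"managed_device": False, "geo": "US"})
    try:
        server.open(pf, "bob", {"managed_device": True, "geo": "RU"})
    except PermissionError as err:
        out["bob_geo"] = str(err)
    server.revoke(pf.file_id, "bob")                 # bob still holds the bytes, not the key
    try:
        server.open(pf, "bob", {"managed_device": True, "geo": "US"})
    except PermissionError as err:
        out["bob_after_revoke"] = str(err)
    flipped = pf._replace(ciphertext=bytes([pf.ciphertext[0] ^ 1]) + pf.ciphertext[1:])
    try:
        server.open(flipped, "alice", {"managed_device": True, "geo": "US"})
    except ValueError as err:
        out["tampered"] = str(err)
    out["audit_events"] = len(server.audit)
    return out
```

run_demo() returns the outcome of each step: on a managed device bob gets the rights he was granted, on an unmanaged device the same grant is narrowed to view only, from a disallowed region he gets nothing, after revocation he is told “no grant” even though he still holds the file bytes, and a single flipped bit in the ciphertext fails the integrity check before any plaintext is released. Every decision, allowed or denied, lands in the audit list keyed by the file ID.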


Today data is everywhere and continues to grow. I could access a file on my mobile device, move it to the cloud, copy it onto my PC, and then move it into a document repository. Keeping up by managing and monitoring every location and every device is almost impossible. It’s like playing whack-a-mole: you plug one hole and another appears.

You need to expand your thinking on how you protect your data, by locking it at the moment you create it and continuously validating user access.  This gives you visibility and control through its entire lifecycle.


US House Recommends 'Zero-Trust' Model for Insider Data Access

Data from our Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” was recently cited in Tara Seals’ Infosecurity Magazine article, “US House Recommends ‘Zero-Trust’ Model for Insider Data Access.” The article referenced the statistic that 72 percent of surveyed organizations are not confident in their ability to manage or control employee access to confidential documents and files. The result is that careless employees, rather than malicious attackers, are the primary cause of data breaches.

The US House has recommended that federal agencies adopt a “zero-trust” system to keep personal, confidential data out of the hands of foreign attackers. The House views government employees as just as big a risk to their organizations as malicious attackers, a consideration that all organizations would benefit from adopting. While “zero-trust” sounds a bit harsh, there are multiple ways that these federal agencies can implement security measures to reduce the employee risk they fear so much.

Bill Blake, president of Fasoo, Inc., was quoted in the article saying “What should be concerning to C-level executives and corporate boards is that most organizations have no idea where mission-critical information is located on the corporate network, who has access and what they are doing with that information. Deploying DRM solutions is a first step. Beyond that, organizations must be vigilant in applying and enforcing security policies as well as knowing where the organization’s most valuable information is located at all times.”

The first step to reducing the risk is to take control over all employee access and permissions. The second step is to consistently monitor and follow up on these protocols. How many employees really need access to sensitive data? For the employees who do access it, what are they doing with it? Who are they sharing it with? An organization that places security as a top priority should be able to easily answer these questions.

Deploying technology to help discover, protect and control confidential data at all times would be the next logical step once the organization can answer these questions. Limiting access to select groups is important, but having a way to dynamically change that access and even revoke it on information already shared provides a more robust approach to protection. Auditing and monitoring is key to understanding changing business requirements, since roles and responsibilities are always changing. Coupling policy changes with technology that can enforce those policies provides the best way to invoke a “zero-trust” system.

Think of sensitive data as a toddler at the park…you must always keep an eye on it, even if from afar.
