I meet a lot of managers and executives at organizations around the world who aren’t sure if their organization’s data is really secure or not. Many of them know their employees are using consumer-grade file sharing platforms every single day and sending unencrypted email attachments, but they often assume that the developers of the consumer-grade products – Dropbox, Google, etc. – are somehow protecting their data from breaches and leaks. They’re in essence setting their organization up for a big, expensive mess.
It’s easy to believe that as we work in today’s always on, always connected world, we are for the most part safe from cybersecurity threats that we read about in the news. But the truth is that we and the companies that we work at are not. Data leaks, breaches and thefts are, frankly, inevitable if proper precautions are not taken. And they often come as results not of malicious hackers bypassing network security but of mistakes made by employees in dispersing or sharing sensitive information or of intentional leakage and theft by disgruntled workers.
I can’t emphasize enough to these managers and executives how important it is to proactively secure your enterprise’s documents, files and data in a comprehensive way as soon as possible. And when I say comprehensive, I mean protection against exterior malicious threats and inside mistakes and theft.
One good way to tell if you’re in need of a new approach to your enterprise’s file security is to compare your current situation against the hypothetical case described further down in this post. If you find yourself nodding along or thinking, “that sounds familiar,” it’s time to get help before you find yourself the victim of an expensive and embarrassing data leak.
Here's the hypothetical (but all too likely) scenario:
AcmeFin is a made-up financial services company with offices and employees across the globe. Being an enterprise and also a MNC, AcmeFin interacts and shares information with many individuals who are not their employees. This is part of their daily routine and they simply cannot do without it. These external parties include:
- Law firms who handle a lot of their legal and para-legal work
- Accounting firms who handle audits, financial reports, etc.
- Vendors who supply hardware, office supplies, etc.
- IT firms that manage various parts of AcmeFin’s IT infrastructure
- Customers
Dave, AcmeFin’s CISO, understands that any information leaving the confines of his company's protected network is vulnerable to accidental or malicious data leaks, especially when dealing with external parties like those listed above. He also realizes that such data leakage could lead to nonconformity with policies, regulations or even laws and result in exorbitant legal costs and devastating loss of reputation. These risks escalate significantly when his employees resort to consumer-grade file sharing and cloud storage solutions that his IT team cannot monitor or control. Dave knows that once the data goes outside his organization's network perimeter, it is almost impossible to control because unlike devices and endpoints, data cannot “phone home” to tell him how it's doing.
In other words, Dave “gets” the problem with today’s BYOD business world where half of everyone is remote half the time. He understands his enterprise’s weak points and risks. It's good that he understands the problem, but like many CISO’s, Dave is continuing to allow his employees to use consumer-grade platforms and share data “in the wild” without protection. Reasons why executives would allow this kind of exposure to risk stand for long periods of time or until it’s too late is perhaps the subject for another post, but needless to say it’s playing with fire, especially now when methods of stealing and leaking data are becoming more sophisticated by the day.
So let’s say Dave decides to make the right decision. To safeguard the interests of his company and its users, Dave chooses to go with an end-to-end information security solution.
Better yet, he chooses Vaultize, which is simply the most comprehensive option for total control and security of enterprise data on the market today. Vaultize secures and protects enterprise data wherever it goes and wherever it is—cradle to grave and source to destination.
It helps Dave achieve following security and protection goals (these should be on your list if they aren’t already):
1. Secure file sharing: share anything and everything without worry
Vaultize allows Dave’s employees to securely share files and folders via email or chat as simple, secure web links. The data or document on the other end of the link is wrapped in encryption, and if the recipient has the right password or credentials, they can access it.
Senders can simply right-click the files/folders or drag-and-drop them to the Vaultize application to generate the link. Files of any size and in any number can be uploaded quickly, easily and securely to the Vaultize servers (in-house or in the cloud) and sent to recipients as links. If you’re used to consumer-grade solutions like Dropbox, then this process should sound familiar. The key difference is the encryption and security around the original and duplicate files that Vaultize automatically puts in place. Consumer-grade solutions don’t have those mechanisms.
While employees are sharing secure links with each other and outside parties, Dave’s team (IT) can track and control the shared files using Vaultize’s link sharing and enterprise digital rights management (EDRM) policies (transparent to the end-users). They can do things like:
a. Control the countries from where the shared files can be accessed
b. Control the IP addresses from where the shared files can be accessed (blacklist or whitelist)
c. Control the days and time during which the shared files can be accessed
d. Protect the files with passwords and/or one-time-passwords (sent via text/SMS or email)
e. Set expiry on the files (time based expiry or violation based expiry)
f. Set default permissions associated with the shared files
g. Set DRM rights associated with the files for online as well as offline access.
In addition to controlling and tracking the link, Vaultize DRM (vDRM) allows Dave to control and track the files even after they are downloaded on a device. Each vDRM-protected file is an encrypted version of the original plain file with keys and rights maintained only on the server. So if someone wants to open the vDRM-protected file, the file has to “phone home,” making it possible for the Vaultize server to control and track the file.
Here are some screenshots showing just some of the sharing permissions and DRM rights settings on Vaultize’s platform:
2. Secure email attachments – It’s still the no. 1 unsecured sharing method
The most common and popular way of sharing information at any business or enterprise is email. So obviously Dave would like to secure and protect this channel as well. When his employees attach files to emails via email clients like Microsoft Outlook or Lotus Notes, the Vaultize email client plugin uploads the attached files to Dave’s Vaultize server and replaces the attachments with a hyperlink that is subjected to all the controls described in section 1 above and all the tracking in section 3 below, including DRM.
For more information, please read our blog posts about Vaultize’s email plugin for Office 365 and Lotus Notes.
3. Tracking – your safety net in case something does go wrong
For Dave, just controlling files is not enough; he also wants to know what is happening with his data and get a periodic view into the happenings. In case of litigation or in any electronic discovery process (e-discovery), it is his job to dig out the evidence. Vaultize maintains detailed tracking information related to files, shared links and users. All of it is available to IT administrators in the form of reports as well as an interactive history UI.
4. Maintaining an audit log – who watches the watchmen?
Dave also wants to make sure that when any event or action is happening inside the Vaultize server or clients (including the actions his IT team is taking), everything is recorded in an un-editable log for auditing purposes. Vaultize maintains detailed audit information of all the activities carried out by users and administrators, thus ensuring accountability and safety from tampering.
5. Analytics & integration with SIEM – making sense of it all
Dave would like to record all events generated via Vaultize like a file being shared, a shared file being downloaded, a shared file being opened and so on, and then perform analysis on them to determine possible correlations of these events to other events like users logging in and out, sending emails, chatting and so on. For this, Vaultize supports integration with “Security information and event management” (SIEM) solutions like (but not restricted to) Symantec’s SSIM, HP ArcSight, NetIQ, Splunk, IBM Qradar and syslog. This also enables Dave to use Vaultize along with his existing SIEM-integrated products for real-time analysis of security alerts, generating compliance reports, and so on.
6. Support for anti-virus & DLP – why reinvent the wheel?
Dave has to make sure that when data is coming in or going out via Vaultize (due to external sharing or collaboration), it does not bring in any malware / Trojans / viruses or result in any data leakage. Organizations like Dave’s usually already have an anti-virus or anti-malware service installed on their network to protect against threats. At the same time, they also have a data loss prevention (DLP) solution to prevent any sort of data leakage based on content-based classification of data. These are big investments for any enterprise and it makes sense to make use of them. So Vaultize supports integration with anti-virus as well as DLP from companies like McAfee, Symantec, WebSense / ForcePoint and CodeGreen / Palo Alto Networks.
This helps Dave’s team to enforce their existing security policies from anti-virus and DLP solutions in conjunction with Vaultize. There’s no need to rewrite rules or redeploy software. These integrations gel seamlessly with Vaultize’s file sharing and DRM capabilities for securing the organization’s data.
7. Vaultize Digital Rights Management (vDRM) – control beyond the perimeter
On an (almost) final note, I want to switch gears really quick to another made-up exec at this made-up (but representative) organization to illuminate another use for Vaultize in an enterprise setting.
Jane is a VP at AcmeFin. Her team is currently working on creating a financial model that, if successful, would generate very significant revenue for the company. Thus, documentation of the model is very sensitive intellectual property. Of course, Jane is interested in ensuring that any documents related to this project shared by her employees can only be used by the authorized people, in the prescribed manner and for the definite purpose.
vDRM helps Jane maintain the safety and security of this intellectual property. It ensures that MS Office files, PDF files, text and CSV files can be utilized only in permitted manners by the designated users of the file. Thus, if the file owner does not allow actions like printing or copying while sharing files, the vDRM will make these operations impossible for the end users. vDRM also disables copying of document contents via screen capture mechanisms like Print Screen and tools like “Snipping Tool”, “Snagit”, “Team Viewer” and “WebEx”. Vaultize can even watermark the documents with the accessor’s email, IP address and machine address (MAC).
To read more about Vaultize DRM, please check out our posts on the subject:
Introducing DRM in Vaultize's File Sharing Platform
Vaultize Is the First Company to Fully Secure Text and CSV files with end-to-end DRM
Vaultize data protection – proof of the matter
While all of the above is going on, Dave would like to track not just the meta-data of the files but also the data. It’s not enough to know where the data is going, it’s also important to know how it’s changing while it’s moving.
Unlike other EDRM solutions, Vaultize versions all the protected files (for any duration of time Dave desires) making sure that even the changes to data are captured (as versions) and are available in case of litigation, e-discovery, inquiry or any other “matter”. IT or users can access all the versions of their files and see all the changes made to them in full context (who, what, where, when). Also, if a user leaves the organization or her DRM keys are corrupted / lost, the original data is safe (fully encrypted) inside the Vaultize server and its ownership can be changed in a jiffy.
if you read Dave’s case and feel like you’re lacking any of Vaultize’s functionality and protection (and it’s all necessary in today’s risky business environment), I encourage you to reach out to one of our solutions managers ASAP. We can work with your current situation and figure out how to better secure your data against accidental leaks and intentional theft alike.
We’d love to hear from you about anything else as well. Please feel free to reach out via phone or email with questions, topic suggestions and so on.