Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Against Trusted Insiders

Post on 02-Jun-2015



description

Malicious or accidental disclosure of confidential information by trusted insiders is a threat to any organization. Insiders include employees, contractors, consultants and business partners that have access to your sensitive information. Since relationships don't last forever, a trusted person today may be a competitor tomorrow. See how Fasoo customers protect sensitive information by controlling access and use at the data level through continuous encryption and persistent security policies.

transcript

Data and Software Security

Defending the Enterprise against Trusted Insiders

June 2014

Ron Arden, Vice President, Fasoo USA

Bill Blake, President, Fasoo USA

Agenda

• Current environment
• Costs of data loss
• Current technology gaps
• EDRM at a glance
• Solution case studies
• Q&A

About Fasoo

• Incorporated in June 2000
• 270 employees
• Specializes in Enterprise DRM (EDRM) solutions and services
• Largest EDRM vendor with the most EDRM developers
• Deployed to over 1,100 major organizations
• Protecting data for over 2 million users globally:

One company - 170,000 internal users in 32 major affiliates

“The ongoing theft of Intellectual Property represents the greatest transfer of wealth in human history!” General Keith Alexander

The IP Commission Report 2013

Did you know?

“About 65 percent of employees who commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft.”

“More than half steal data within a month of leaving.”

“About 20 percent were recruited by an outsider who targeted the data.”

Behavioral Risk Indicators of Malicious Insider IP Theft: Misreading the Writing on the Wall

Relationships don’t last forever

Content is everywhere

Shadow images of confidential data can be left on unprotected systems. Most organizations do not have the knowledge and experience to identify all of the blind spots in their infrastructure!

Content is in constant motion

Constant risk of data loss

Boston Globe – May 5, 2014

529 plan PII (60K people) on partner staging server

WBTV – April 18, 2014

Former hospital employee steals patient information to open bank accounts

SC Magazine – May 7, 2014

SSNs on postcards sent to 5,000 former Molina Healthcare members

Long Island radiology practice informs 97,000 patients of data breach

Newsday – June 24, 2014

CYBER ATTACKS ON TRADE SECRETS

Chinese PLA hackers indicted for stealing US secrets

Washington Post – May 22, 2014

Types of insider threats

Human or system error causes almost 60% of data breaches.*

*Ponemon Institute 2014 Data Breach Report

Chart: data breaches by cause – Careless, Accidental/System Failure, Malicious.

The gap that’s allowed cyber-criminals to breach these and other organizations is why Forrester Consulting described the situation in simple, blunt terms:

“Basically, the enterprise is a sitting duck.”

Careless: 15,000 employees affected

Careless: $22,000,000,000 loss in stock value

Accidental: Did you really want to send that email to the boss?

US breach notification laws

Regulations

Types of data

• Personally Identifiable Information
• Confidential/Sensitive business data
• Military & Government data
• Financial data
• Intellectual Property
• Protected Health Information

Outside Staffing                 $54,131.56
Forms/Printing                   $15,817.91
Advertising                      $73,132.98
Kroll (forensics)             $3,701,398.25
Call Center                     $186,740.52
Allied Vaughn                     $1,949.76
Private investigator              $3,202.37
Database license                  $8,800.00
Oregon Monitor                    $1,787.50
LexisNexis                       $13,381.50
Translation Services              $3,079.95
Cascade Direct                   $34,485.35
Postage                         $125,282.87
Laptop encryption               $700,000.00
EDS                             $773,205.66
Data Transport., Storage          $6,998.46
Legal                         $1,029,440.31
Total External Expenses       $6,732,834.95
Internal Expenses               $179,113.63
Total Expenses                $6,911,948.58

Cost of data breach

Cost calculator

http://www.hubinternational.com/data-breach-cost-calculator/

Per record: $1,115

Security technologies and policies

• Secure FTP
• VPN
• Host/Net DLP
• Web Protection
• Device Control
• Encryption
• Email Protection
• MDM/Device Security

Today’s Solutions Result in:

• Never enough security
• False sense of data protection
• Vulnerable to authorized user threat
• No control over data outside domain

The end result!

Diagram: Enterprise DRM, Enterprise Content Management and Full Disk Encryption compared on two axes – controlled perimeter (narrow to wide, internal use to external use) and controlled phase (data at rest, data in transit, data in use).

EDRM vs. other security solutions

• VPN
• Network Transport Encryption
• Data Loss Prevention

What is Fasoo Enterprise DRM?

Prevent unintended information disclosure or exposure

1. File encryption – persistent document security
2. Permission control – prevent unauthorized use of digital files
3. Audit trail – consistent protection and verification

Regardless of its location!

Controlling your content

Benefits of Fasoo EDRM

• Restrict document access
  How: view, edit, print, screen capture, VM, copy
  When: validity period, how many times
  Where: device, network address
• Supports a wide range of documents and files
• Integrates with existing third-party applications
• Can revoke sensitive documents by making them inaccessible
• Supports mobile devices (Android, iOS)

Diagram: a document moves from the Author through Review to the Content Server; the EDRM Policy Server governs access for a Partner (reaching it over the Partner Network and Corporate VPN, with VIEW permission) and for an Unauthorized User.

Protecting and controlling your information

Case Studies

Novant Health

Challenges

• Enable access from anywhere
• Streamline existing process
• Secure confidential data
• Comply with JCAHO regulations

Solution

Diagram: credentialing workflow in the Credentialing System – Create and View for the CVO and Co-chair, Edit for the Chair, View for the Doctor.

Results

• Permission management through document classification
• Automatically encrypt document upon download or access
• Access from any device or location through Citrix

Groups            Document         Permissions
CVO               All              View, Edit, Print, Decrypt
Chair, Co-chair   PII              View
Chair, Co-chair   Recommendation   Edit
Default           All              No access

Benefits

• Guarantee no data leaks of PII
• Audit trail for all document activities
• Streamline process and reduce risk
• Information accessible from any device
• Comply with regulations

CJ Group


Challenges


• Minimize change to user productivity
• Integrate with existing authentication system
• Inter-organizational communications
• Restrict external user access
• Secure confidential data

SECURE & RELIABLE

Solution

Diagram: Finance, Legal and Marketing users Create, Edit, View and Print protected documents; a Decryption server and a VP are shown with Decrypt; the Partner receives Edit for 30 days, and the grant can be revoked. The watermark examples read “Chris Peters 9:37 3/26/13 172.16.125.21” and “Joe Peters 9:37 6/24/14 172.16.125.21” (user, time, date, IP address).

Results

• Permission management through document classification
• Some users automatically encrypt document upon save
• Documents scanned and encrypted/reclassified if PII is detected
• Email-based authentication for external users

Class          Users & Groups            Permissions
Internal       All users                 View, Edit, Print
Proprietary    All users                 View
Proprietary    Specific users & groups   Edit, Print, Watermark
Confidential   Specific users & groups   View
Default        Owner                     Full access
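The two case-study tables above, together with the “Restrict document access” slide (how, when and where a file may be used), describe one access model: a document carries a classification, a policy server maps user groups to permitted actions per class, grants can be limited by validity period, use count and network address, files can be revoked, and every decision is logged. The following is an added example of such a policy server written for this page; it is not Fasoo’s product, API or policy format. It encodes the Novant Health and CJ Group tables as rules, and the names it assumes (group names such as Finance, Legal and Marketing for “specific users & groups”, the partner’s 30-day expiry date, use cap and network range, and all user and document ids) are constructed, not taken from the deck.

```python
"""Toy EDRM policy evaluation: classification-based permissions with validity period,
use count and network restriction, plus revocation and an audit trail.
Constructed example; not Fasoo's product, API or policy format."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "*"

@dataclass(frozen=True)
class Rule:
    doc_class: str                          # classification label, or ANY
    groups: frozenset                       # groups the rule applies to, or {ANY}
    actions: frozenset                      # permitted actions (view, edit, print, ...)
    valid_until: Optional[datetime] = None  # "When": validity period (None = no expiry)
    max_uses: Optional[int] = None          # "When": how many times (None = unlimited)
    networks: tuple = ()                    # "Where": allowed CIDR ranges (empty = anywhere)

# An access request: who (user, groups), what (document, class, owner, action), when, from where.
Request = namedtuple("Request", "user groups doc_id doc_class doc_owner action at source_ip")

@dataclass
class PolicyServer:
    rules: list
    revoked: set = field(default_factory=set)       # document ids made inaccessible
    use_counts: dict = field(default_factory=dict)  # (user, doc_id, action) -> uses so far
    audit: list = field(default_factory=list)       # one record per decision, allowed or not

    def decide(self, req):
        allowed, reason = self._evaluate(req)
        self.audit.append({"user": req.user, "doc": req.doc_id, "action": req.action,
                           "at": req.at.isoformat(), "ip": req.source_ip, "allowed": allowed, "reason": reason})
        return allowed

    def _evaluate(self, req):
        if req.doc_id in self.revoked:          # revocation wins over every rule
            return False, "document revoked"
        if req.user == req.doc_owner:           # "Default: Owner: Full access"
            return True, "owner has full access"
        for rule in self.rules:
            if rule.doc_class not in (ANY, req.doc_class):
                continue
            if ANY not in rule.groups and not (rule.groups & req.groups):
                continue
            if req.action not in rule.actions:
                continue
            # First rule granting the action is authoritative: its When/Where constraints
            # decide, so a lapsed grant is not rescued by a broader rule further down.
            if rule.valid_until is not None and req.at > rule.valid_until:
                return False, "validity period expired"
            if rule.networks and not any(ip_address(req.source_ip) in ip_network(n) for n in rule.networks):
                return False, "source network not permitted"
            key = (req.user, req.doc_id, req.action)
            used = self.use_counts.get(key, 0)
            if rule.max_uses is not None and used >= rule.max_uses:
                return False, "use count exhausted"
            self.use_counts[key] = used + 1
            return True, "rule %s/%s" % (rule.doc_class, "+".join(sorted(rule.groups)))
        return False, "no matching rule (default deny)"

# Novant Health table (Groups / Document / Permissions); "Default: No access" is the deny above.
NOVANT = [
    Rule(ANY, frozenset({"CVO"}), frozenset({"view", "edit", "print", "decrypt"})),
    Rule("PII", frozenset({"Chair", "Co-chair"}), frozenset({"view"})),
    Rule("Recommendation", frozenset({"Chair", "Co-chair"}), frozenset({"edit"})),
]

# CJ Group table. Assumed: "specific users & groups" = Finance, Legal, Marketing; the partner
# rule models "Partner: Edit 30 days" with a constructed expiry, use cap and network range.
CJ = [
    Rule("Internal", frozenset({ANY}), frozenset({"view", "edit", "print"})),
    Rule("Proprietary", frozenset({ANY}), frozenset({"view"})),
    Rule("Proprietary", frozenset({"Finance", "Legal", "Marketing"}), frozenset({"edit", "print", "watermark"})),
    Rule("Confidential", frozenset({"Finance", "Legal"}), frozenset({"view"})),
    Rule("Proprietary", frozenset({"Partner"}), frozenset({"edit"}),
         valid_until=datetime(2014, 7, 24), max_uses=3, networks=("172.16.0.0/16",)),
]

def demo():
    """Evaluate constructed requests against both policies; returns (decisions, CJ audit log)."""
    novant, cj = PolicyServer(NOVANT), PolicyServer(CJ)
    t = datetime(2014, 6, 24, 9, 37)
    def ask(srv, user, groups, doc, cls, action, at=t, ip="172.16.125.21", owner="author"):
        return srv.decide(Request(user, frozenset(groups), doc, cls, owner, action, at, ip))
    d = {}
    d["cvo_decrypt"] = ask(novant, "cvo1", ["CVO"], "cred-1", "PII", "decrypt")
    d["chair_view_pii"] = ask(novant, "chair1", ["Chair"], "cred-1", "PII", "view")
    d["chair_edit_pii"] = ask(novant, "chair1", ["Chair"], "cred-1", "PII", "edit")
    d["fin_edit_prop"] = ask(cj, "fin1", ["Finance"], "plan.docx", "Proprietary", "edit")
    d["mkt_view_conf"] = ask(cj, "mkt1", ["Marketing"], "deal.docx", "Confidential", "view")
    d["partner_edit"] = ask(cj, "joe", ["Partner"], "plan.docx", "Proprietary", "edit")
    d["partner_offnet"] = ask(cj, "joe", ["Partner"], "plan.docx", "Proprietary", "edit", ip="203.0.113.9")
    d["partner_expired"] = ask(cj, "joe", ["Partner"], "plan.docx", "Proprietary", "edit", at=datetime(2014, 8, 1))
    d["partner_uses"] = [ask(cj, "joe", ["Partner"], "plan.docx", "Proprietary", "edit") for _ in range(3)]
    d["owner_edit_conf"] = ask(cj, "author", [], "deal.docx", "Confidential", "edit")
    cj.revoked.add("plan.docx")                 # revoke the file: it becomes inaccessible to all
    d["fin_after_revoke"] = ask(cj, "fin1", ["Finance"], "plan.docx", "Proprietary", "view")
    return d, cj.audit
```

Two design points worth noticing. Denial is the fall-through: a user with no matching rule gets nothing, which is what both tables mean by “Default: No access”. And revocation is checked before the owner short-cut and before any rule, so once a file is revoked not even its owner can open it, matching the benefit slide’s “revoke sensitive documents by making them inaccessible”. The audit list records denied attempts as well as allowed ones, which is what makes the trail useful for detecting a departing employee’s unusual access pattern rather than only documenting successful reads.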

Benefits

• Different permissions based on role and group
• Audit trail for all document activities
• Captured document for all Decrypt activities
• Not managing external user credentials
• Minimal impact to user productivity

Classify, Prioritize and Protect

When should you protect confidential files?

Timeline from Beginning to End:
• At creation – Automatically?
• Collaboration – Manually or Automatically?
• At destruction – Automatically

Persistent Rights Management – highest level of protection against insider threats
Data Loss Prevention – no protection with legitimate third party sharing
After-the-fact protection – delete files or destroy media

Thank you
