Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ②] Checklist for the Organizations to Comply with the GDPR

May 25, 2018, the deadline for GDPR compliance is approaching, and organizations around the world are gearing up to identify what to do and where to begin. More comprehensive and ambiguous than its predecessor, European Data Protection Directive, the GDPR promises to be difficult to comply with. Through its requirements, the GDPR not only places more obligations on the organizations but also gives more power to the EU citizens. If your organization falls within the GDPR’s territorial scope, it is responsible for organizational, operational, and technological requirements to ensure that personal data of the EU citizens are protected.

Some organizations might have a long way to go to meet the GDPR requirements, whereas others might be closer. However, for any organization, meeting these requirements will be unquestionably difficult. To help you prepare to comply with the GDPR, we have drawn up a checklist for you to follow, and ultimately identify what you need to do and where to begin.

Assess the Current Situation. The GDPR and its potential impact on data security and day-to-day operations must be acknowledged on an organization-wide basis, starting with the key decision makers. Initially, it is critical to identify the gaps that may cause non-compliance issues under the GDPR, and arrange the ways to make up those gaps. The next step is to know what the organizations are and will be dealing with, by asking the question “which data can be defined as personal data?” According to the Article 4 of the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person… directly or indirectly.” Forms of personal data for identification of natural person ranges from common forms like name and identification number, to more specific forms like physiological, economic, and social information. Then, how about when collecting new personal data? Since the Article 13 requires the organizations to communicate how and why the personal data is collected and used, and Article 12 requires the communications to be transparent, organizations must first review their current privacy notice or consent, and make necessary revisions to be GDPR-compliant.

Know the Rights of the Data Subjects. The GDPR gives more rights to the EU citizens; therefore, organizations must examine whether their procedures cover all these rights as declared. Considering these rights, organizations can potentially revise existing procedures and go further, by evaluating their capabilities when the data subjects exercise their rights as manifested in the Articles from 13 to 22.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Data Protection by Design and by Default. The Article 25 explicitly articulates that organizations have a general obligation to implement technical and organizational measures to demonstrate that they have integrated data protection into everyday processing activities. This requirement can be considered as one of the key GDPR principles, as the legislators have recognized that privacy cannot be completely guaranteed only by laws, but that it must become a backbone in the design and maintenance of information systems and processing for each organization. In simpler terms, this requirement aims to guide the organizations to meet the GDPR requirements and protect the rights of data subjects through the means of technical and organizational measures. This requirement serves an equal purpose, but there is no one right answer; every organization must approach it differently by adhering to various data security principles and technologies. Specifically, where personal data processing could pose a risk to individuals, the Article 35 declares Data Protection Impact Assessments (DPIA) as mandatory in the situations. For example, if an organization is deploying new technology, such as artificial intelligence and profiling systems, or is processing personal data on a large scale, such as patient and medical data in health institutions, DPIA must be conducted.

Notify Data Breaches. According to the Article 33 and 34, organizations must ensure that appropriate procedures are in place to detect and investigate personal data breaches, and to notify the details to both supervising authorities and affected data subjects. Even though not all personal data breaches are subject to reporting, breaches that carry a risk to the rights and freedom of the affected data subjects, such as discrimination, damage to reputation, financial loss, loss of confidentiality, or other serious economic or social disadvantage, must be reported. However, the GDPR also provides exceptions to this requirement, if an organization has

  • implemented appropriate technical and organizational protection measures that render the personal data unintelligible to those without authorization for access;
  • taken actions to ensure that personal data breaches do not risk the rights and freedom of the affected data subjects; and
  • determined that notification to each affected data subject would “involve a disproportionate effort.”

Appoint A Data Protection Officer. As a core part of organizational requirements by the GDPR, organizations must appoint a data protection officer (DPO) in some cases. The Article 37 and 38 reveal the legal details on the designation and position of the DPOs. If your organization falls under the GDPR scope and satisfy the three conditions as below, you must appoint one or more DPOs.

  • Your organization is of public authority
  • Your organization conducts monitoring of individuals on a large scale
  • Your organization conducts processing of specific types of data such as criminal records

The Article 39 explains the minimum tasks of the DPOs as below:

  • inform and advise the organization and its employees for the purpose of GDPR compliance
  • monitor the processing of data to maintain GDPR compliance; and
  • act as the first point of contact for the supervisory authorities and for individuals whose data is processed.

However, who do they need to appoint as the DPOs? Not everyone can perform as a DPO, after all. While the GDPR does not specify the definite qualifications which the DPOs are expected to have, it requires that DPOs must be experienced and educated in the field of data protection law.

With organizational, operational, and technological requirements, this checklist may seem overwhelming. It is no doubt that getting started is the most difficult, yet the most significant step to take. However, how can we really get started for GDPR compliance? Among the requirements, we believe the organizations can start technologically. Head to our next blog and find out what the key technological requirements are for GDPR compliance.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
→ Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ①] The GDPR Summary: The 5 Key Points

After four years of discussion and preparation by the European Parliament, the Council of the European Union, and the European Commission, the General Data Protection Regulation (GDPR) is now ready to become effective on May 25, 2018 to achieve more comprehensive enforcement of personal data protection laws for all EU citizens. The importance of protecting personal data with legitimacy has been a major talking point in the recent times, and the EU is taking its bold step to set the bar for the rest of the world to follow.

Leading up to the GDPR

Let’s roll back the years to 1995, when the European Data Protection Directive was imposed to regulate the processing of personal data in the EU. Back then, personal data was simply a component of vast information database in the private scope, and was protected solely under the notion of ‘right to confidentiality.’ Fast forward to now, personal data plays a key role in achieving prolonged growth and greater success for global enterprises, as collecting, processing, and exchanging personal data has become the cornerstone of any business activity. This transition has been apparent and rapid with the various technological and business innovations like social media, complex data analytics, and data storage to achieve superior customer relationships. To keep pace with this unstoppable transition, global enterprises required, and have been obtaining a much wider range of personal data from more people around the globe. Consequently, personal data protection laws had to be reformed to acknowledge the notion of ‘right to protection,’ rather than that of ‘right to confidentiality.’

Understanding the GDPR

Come May 25, 2018, all organizations, even outside the EU, that are currently processing or planning to process personal data of the EU citizens must be prepared to comply with the GDPR. Unfortunately, it does not seem to be an easy task; therefore, we have summarized the GDPR into five key points.

One Law for 28 EU Members. Superseding the former European Data Protection Directive, the GDPR is unified legislation that applies to all 28 member states of the EU. Under one set of laws, each EU member state will establish independent Supervisory Authorities (SA) that will receive and investigate complaints or data breaches, issue warnings or fines, and cooperate with other SAs if required. This change can be considered as welcoming, as the organizations are only required to comply with one set of laws, even if their activities are widespread across multiple EU member states.

More Power to the Data Subjects. The GDPR promises increased power for the data subjects. Data subjects are the natural persons whose personal data is processed by an organization. First and foremost, the organizations must provide clear and concise consent to the data subjects before collecting their personal data, signifying the end of long, illegible terms and conditions that are full of legalese. Furthermore, data subjects can lawfully request the organizations for the access, rectification, erasure, restriction of processing, portability, and objection of their personal data. Accordingly, the organizations must provide documentation that proves the completion of the data subjects’ request(s). Also, the GDPR provides the data subjects with the explicit right to lodge a complaint with the SAs, if any processing of their personal data infringes the GDPR requirements.

Strengthened Authority and Heavier Sanctions. The GDPR declares strengthened authority and heavier sanctions for non-compliance. Through the SAs, written warnings or periodic data protection audits will be imposed in cases of the first and unintentional infringement. Severe infringements may be punishable by a fine up to 20 million Euros or 4% of the annual worldwide turnover. Stricter sanctions dictated by the GDPR certainly put pressure on enterprises and organizations to invest substantial capital and resources to ensure that personal data remains protected and data subjects’ right and freedom are not harmed by non-compliance.

Data Protection by Design and by Default. It is the organizations’ legal responsibility to establish appropriate organizational and technological measures to meet the requirements of the GDPR and protect the rights of data subjects. Organizational measures pertain to appointing appropriate personnel, who can dedicate their expertise and responsibility for the GDPR compliance, while technological measures are associated with the integration of necessary security into the processing of personal data to ensure that rights of the data subjects are protected. This responsibility alludes to the GDPR’s new obligation of appointing Data Protection Officers (DPO) and establishing organization-wide data security.

Data Breach Notification. Unfortunately, data breaches can always occur. In this case, DPOs must take it seriously and notify it to the SAs immediately, or within 72 hours of discovery, by specifying the details such as the number of affected individuals. Furthermore, the affected individuals must be notified of the data breaches as soon as possible. Failure or refusal to notifying such data breaches to the SAs can result in sanctions.

Due to comprehensive and strengthened enforcement, complying with the GDPR will neither be an easy nor avoidable task for many organizations that wish to operate in the EU. As our commitment to data security stays true, we felt obliged to seriously approach and understand the GDPR, and share its implications to data security. The deadline to compliance, May 25, 2018 is approaching rapidly, and we hope that your journey to GDPR compliance will start off positively with Secudrive.

Blog Posts in this Series:
→ The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog File Server Security

Secudrive File Server: A File Server Data Loss Prevention with Digital Rights Management

Most organizations have file servers: Even small ones usually have at least one file server. However, larger ones have multiple file servers for teams or task-forces. File servers are storing sensitive files such as customers’ privacy, proposals for bids, drawings for new product development, and, etc. multiple users such as employees, consultants, contractors, partners share the information. Therefore, it is imperative to establish and manage an intricate and assured security system to prevent both accidental and intentional data leaks.

Secudrive File Server manages user rights by using Data Rights Management (DRM) technology to prevent data loss from the Windows file server. Even though a user has permission to access a file server, Secudrive File Server makes it possible to prohibit the user from copying or transferring a file from the server to anywhere out of the server. It whitelists applications to use specific applications and not to use an unknown one on the file server so that it can protect file server data from a ransomware attack. It filters file activity logs by users so that it can enable an administrator to monitor user activities at a glance and to use them for post-audit. It can be installed on an existing file server keeping existing Windows Active Directory(AD) environment so that existing shared folder, user, group, and permission can be utilized without any additional operation. Finally, it supports Microsoft Distributed File System(DFS) to manage remotely and collectively scattered multiple file servers in an organization.

Data loss prevention using DRM. Secudrive File Server can restrict user rights for copy, print, screen-capture, and network-transfer which cause data leakage from a file server. It can block all ways relating to copy such as ‘copy and paste,’ ‘save as,’ ‘clipboard copy’ as well as general ‘copy.’ Clipboard copy on a file server can be exceptionally allowed for productivity. Print can be prohibited, or only water-mark printing can be allowed for post-audit. If screen-capture is blocked, not only ‘print screen’ as a basic function of Windows but also screen capture trial by using a third-party sniffing tool does not work. Finally, it can also prohibit network-transfer by using ‘copy to web’ which can copy to the public cloud like ‘OneDrive.’

Ransomware attack prevention using application whitelisting. Prohibiting user rights using DRM technology works only if a user uses specific applications which are supported by Secudrive File Server. Secudrive File Server offers supportive applications including computer-aided design(CAD) files as well as various Office files, and then an administrator can whitelist apps among the list. By doing so, other applications including ransomware except the whitelisted are blocked from being installed and run on the file server so that the file server can be protected from ransomware attacks. An administrator also whitelists domains, IPs, and ports for network-transfer, if he/she enables a user to save a file onto groupware in the intranet.

User and file activity log monitoring. An administrator can monitor detailed file activity logs on when a user creates, modifies, deletes, copies, prints, screen-captures, and network-transfers a file as well as user activity logs on when and where a user accesses a file server. If file transfer out of the file server is allowed, the transferred file can be automatically backed up, and the log can be left for post-audit.

Easy installation and operation while keeping the existing system. Secudrive File Server can be added to the existing file server(s) keeping existing settings relating to information on users, folders, groups, and permissions. Secudrive File Server shows existing shared folders and enables an administrator to choose one among them and change it to ‘a secure shared folder’ on which DRM policy for users can work. Secudrive File Server also provides an easy user interface to add, modify, and delete a user, a folder, a group, and permission in an administrator’s console.

Compatible with enterprise environment. Secudrive File Server is compatible with AD environment so that existing AD environment can be maintained without any modification. It supports Windows Distributed File System to remotely and collectively manage scattered multiple file servers at a glance in large organizations.

Secudrive File Server could be an easy and efficient data loss prevention solution for a file server(s) with DRM technology so that it can make file server(s) a secure cooperative workspace for enterprises by protecting data from insider threats as well as outside attacks. Secudrive provides more detailed information and 30-day free trial of Secudrive File Server from its website.

Categories
Blog File Server Security USB Copy Protection USB Sescurity

How to Prevent A Data Breach Risk by Contractors

Many security managers are worried about the possibility of a data breach by contractors when sensitive information is shared. As discussed in the previous blog, it is not easy to prevent data breaches by contractors, even though the breaches can cause crucial damage to a business. This blog describes a couple of typical examples where contractors could cause a data breach and suggests ways to prevent a data breach by using Secudrive solutions.

First, let’s imagine this situation: a company extracts customer information from their database and hands it over to contractors as a Microsoft Excel file. The contractors conduct a cold-call marketing campaign with the information, fill out the result of the calls in the files, and return the files to the company. Thousands of customers’ information is stored on every contractor’s PC, but the contractors’ PCs are separated from the company, so the company cannot control and monitor them. A contractor could accidentally send the Excel file as an attachment in an e-mail to the wrong person or deliver it into the wrong hands with malicious intent. In addition, if the company gave the contractors its marketing plan for the campaign, which the company has spent considerable money and time to create, the plan might be copied and delivered to a competitor too.

Second, imagine an industrial machinery company that hires hundreds or thousands of technicians as contractors to conduct a maintenance service for their customers, who are scattered all over the United States. The company should provide manuals related to all their products as well as a price list for all of the parts. The information might contain very important intellectual property and be very sensitive for the competition in the market so that it should not be handed over to the public or a competitor. Therefore, the company cannot help but worry about how the technicians handle the sensitive information in diverse environments. What if a technician loses his or her unencrypted laptop storing the sensitive data? What if the technician copies the files and places them into the wrong hands? What if the technician keeps files even after leaving this job, and hands them over to a competitor? The possibilities are endless.

Secudrive USB solutions could ensure data security in the above two cases.

First, Secudrive USB Office+ is suitable for use in telemarketing. Excel files can be placed onto a Secudrive USB Office+, a copy-protected USB flash drive that enables an administrator to restrict users’ rights for copy, print, screen capture, and network transfer. If all the users’ rights are restricted, users can simply open and edit the files on the USB flash drives. After the telemarketing campaign, contractors fill out the results and return the files to the administrator. If Secudrive USB Management Server is used together with Secudrive USB Office+, you can monitor all users’ activities with the USB flash drives. Even if a user loses a USB flash drive, the data would be secure because it is encrypted by an encryption chip. You can also destroy the data or lock the USB remotely when necessary for information security.

If you want to check the results of a campaign in real time, you can use Secudrive File Server instead. The customers’ information is stored in a file server that is separate from the company’s database, and Secudrive File Server is installed on the file server. Secudrive File Server makes it possible for an administrator to restrict users’ rights for copy, print, screen capture, and network transfer when users use files in a shared folder. Users only open the Excel files and fill out the results of the calls in the shared folder, and the administrator can check on this process in real time.

If users do not need to edit files after distribution, as in the second case, Secudrive USB Copy Protection is an excellent choice. You can restrict users’ rights for copy, print, screen capture, and network transfer when you distribute files with USB flash drives. If you need to update product information or a price list, you can upload the update files onto an update server, and then these files can be automatically updated when the distributed USB flash drives are connected to the Internet. Secudrive USB Copy Protection can utilize general USB flash drives that have serial numbers, making it more cost-effective, but this option is less secure because it is encrypted only by a software algorithm instead of an encryption chip. However, you can also destroy the data or lock the USB flash drives remotely.

In both cases, you can update files on the USB flash drives remotely through the Internet after distribution, without the need to deliver a physical CD/DVD every time you update files after distribution. Therefore, distributing the USB flash drives using Secudrive Solutions is much more efficient and cost-effective than distributing CD/DVDs using existing solutions.

Secudrive solutions are also very effective in preventing data breaches by contractors who work with sensitive corporate information but cannot be easily controlled under a regular corporate security regulation and system. With Secudrive, you do not need to open a corporate server system that is full of sensitive information. If you select the information that you have to open and deliver it to contractors using Secudrive, you do not need to worry about data breaches caused by contractor mistakes or malicious actions.

Categories
Blog File Server Security USB Sescurity

How to Protect CAD Files from Being Copied

Design drawings are manufacturers’ key intellectual properties. If a design drawing for a new product or core product technology were to be leaked to a competitor, it could severely damage the business; therefore, many high-tech manufacturers make an effort to keep their design drawing files secure.

However, manufacturers often design in tandem with business partners or big manufacturers like Apple, Samsung, or Dell, which usually design their own products and distribute the drawings to parts manufacturers. It is more difficult to keep drawing files secure in these cooperative environments. Big manufacturers pay serious attention to how securely their parts manufacturers manage drawing files, typically creating certain information security regulations for the small manufacturers and sometimes requiring them to retain it as a condition of cooperation. Secure drawing file management is an essential condition for manufacturers to grow as well as to survive.

Secudrive provides drawing file security for small- and medium-sized manufacturers.

Secudrive File Server CAD edition makes Windows file servers secure cooperative workspaces where in-house and remote coworkers can collaborate by sharing CAD files. Users can edit CAD files in a shared folder if they have permission to access it, while users’ rights for copy, print, screen capture, and network transfer of the files are prohibited. File activity logs, such as creator identity, opens, modifications, copies, prints, screen-captures, network transfers, and deletions can be monitored in real-time. A file can be prohibited from being saved in a different folder on the PC, a USB flash drive, an external hard drive, or the cloud. Copying a certain part of a drawing to a different folder by using the ”copy to clipboard” function can be also prohibited using the program. If there are many remote coworkers sharing CAD files, a file server can be located in the cloud using platforms such as AWS or Azure.

Secudrive USB CAD edition, which is compatible with Secudrive File Server CAD edition, is useful in situations where a user has to work with a CAD file outside of the office, such as a business trip where network connections are not available. With administrator approval, an encrypted copy of a CAD file can be saved in Secudrive USB CAD edition where the file cannot be copied, printed, screen captured, or network transferred from a USB flash drive because the administrator preset user rights in advance. All file activity logs can be monitored in real-time through the network or saved on a USB flash drive, allowing an administrator to see when the flash drive has returned to the office if not network connected. Before a file goes out from the file server to a USB flash drive, a copy of the file can be saved in the file server for ex post facto audit.

Secudrive USB CAD edition makes it possible to use all features of CAD programs with CAD files, meaning a user can rotate, view, and edit three-dimensional drawing files to come together with coworkers while the files are copy protected from the USB flash drive. It is different from existing general USB copy protection solutions, which convert three-dimensional drawing files to PDF-style, two-dimensional files. If you compare your view of a complicated original three-dimensional CATIA file with what you see in a converted two-dimensional image file, you can easily imagine how efficiently you can work with Secudrive USB CAD edition.

Most product design management solutions and product life cycle management solutions that focus on access rights management, file versioning management, and approval management are not enough to keep design drawing files secure. For design drawing files, there is a special focus on insider threats (e.g., a malicious employee attempting to hand files over to a competitor). Adopting multilayer security solutions like a big company, however, is not an easy job, especially for small- and medium-sized manufacturers. Secudrive File Server and USB CAD editions can be a necessary, simple, and easy security tool to prevent leakage of CAD files and to cooperate with business partners safely.

Secudrive supports the following CAD programs, with the compatibility list continuously growing: AutoCAD 2004-2016, 3DS Max, Maya, CAM350, DraftSight, DWG TrueView 2008, DWGEditor, eDrawings, OrCAD, P-CAD, Solid Edge ST, PTC Creo Parametric 2.0, CATIA, Solidworks, Unigraphics NX, AutoCAD MAP 3D, ArcView GIS, EPANET, and more.

Categories
Blog File Server Security USB Sescurity

File Activity Monitoring in a File Server

In many businesses, a great deal of confidential information is stored in a file server or a Network Attached Storage(NAS) and shared by employees, contractors, consultants, and business associates. Although we easily share files in shared folders to work together, the management may often worry that a confidential file can be modified, deleted, or even copied by an unauthorized person because of somebody’s mistake or malicious actions.

We usually control users’ access rights first to prevent unauthorized access to a shared folder and then give read-only or read/write permission to users who have access rights to the folder. But users are sometimes given access rights and permissions in exceptional cases, and often, these are not taken back. If this happens repeatedly, things can get messed up. Ultimately, access control and permission management efforts are often given up.

Finally, we look for file activity log features. We try to monitor who creates, modifies, copies, and deletes files and when, because we believe we can detect unauthorized or suspicious activity when a user tries to do so. And users who recognize that their file activity is always monitored can also proactively protect themselves from unauthorized and suspicious actions. File activity log monitoring is more useful in small- and medium-sized businesses where there is no dedicated administrator for a file server.

Of course, there is a log management feature that is provided as a default option by Windows file servers. However, if you set up some options to generate file activity logs, you will find tons of logs, struggle to sort what you really want out of them, and finally end up in big trouble with storage capacity management for the huge logs. This is why some expensive third-party log management solutions for Windows file servers are successful in the market.

Secudrive File Server shows at a glance file activity logs on users who create, read, modify, copy, and delete a file. Customers say that Secudrive File Server’s file activity log feature is useful enough to monitor users’ file activity in a file server without opting for any expensive log management solutions.

Secudrive File Server is basically a data leakage prevention solution for Windows file servers. Secudrive File Server makes it possible to manage users’ rights for copying, printing, screen capture, and network transfers of files from shared folders, while keeping existing shared folders and users’ access rights and permissions in existing Windows file servers. If we block users’ rights to copy, print, screen capture, and network transfer in shared folders and keep all confidential files in the shared folders through their life cycles from creation to deletion, we can completely prevent data breach from the folders.

Secudrive File Server can be utilized differently according to customers’ situations: 1) if users’ rights do not need to be changed often, their rights to copy, print, screen capture, and network transfer are all blocked, and all file activity logs are monitored. This is the most secure option. 2) If users’ rights need to be changed often and there is no dedicated system administrator, we can utilize the file activity monitoring feature for audit as a minimum safeguard to prevent data leakage from a file server instead of blocking all of the users’ rights.

When a user transfers a file from a file server to outside, the Secudrive File Server can back up the file in a certain storage area for audit, encrypt the transferring file, and let it be decrypted only in a copy-protected device such as another file server that has installed Secudrive File Server or a Secudrive USB flash drive.

Categories
Blog File Server Security Insider threats

The final step of file server security: prevention of copying a file from a file server

Important unstructured data concerning accounting, product development, and marketing are stored in file servers in organizations. Users share the data using shared folders on file servers. File server security is crucial because organizations could lose intellectual property and be damaged in terms of business continuity and reputation if the data is lost or leaked from a file server due to disaster, error, or external attack.

The following should be done to secure file servers: 1) keep file servers in a secure place to prevent theft, 2) separate file servers from the Internet to prevent cyber-attack, 3) encrypt file servers using Bit Locker to prevent data leakage in case of theft or loss, 4) keep Windows file server software updated to maintain up-to-date security patches, 5) install anti-virus software to prevent malware, 6) control access and privileges of users, 7) regularly back up file servers, 8) whitelist applications in a file server to prevent ransomware, and 9) audit the file logs of users.

However, existing file server security solutions have mostly concentrated on preventing attacks from the outside and lack focus on preventing insider threats to file servers.

Theoretically, we can audit files a user copies or transfers outside the server through logs provided by the Windows file server; however, in reality, if the options are set to create logs, tons of logs can be created. Accordingly, it is very hard to figure out which log is useful, and log data management can be another bothersome job, which is why many expensive third-party file server audit software applications for sorting, managing, and monitoring logs are needed.

We can manage users’ permission as ‘read only,’ ‘write,’ ‘modify,’ etc. However, we cannot prevent a user from copying a file to the outside, even by assigning the ‘read only’ permission to a user. As a user’s permission provided by Windows, ‘read only,’ only makes it impossible to modify the original file with the same file name. If we rename it, we can modify and copy it as well. However, when it comes to file servers, as an important collaborative workspace in organizations, more features relating to insider threat prevention are needed for more than permission management. It should be possible to prevent users from copying, printing, screen-capturing, and network-transferring files, even when they can edit the files.

Secudrive File Server prevents users from copying, printing, screen-capturing, and network-transferring a file in a shared folder of a file server, even when users can edit the file. Moreover, it makes it possible to filter and sort when and where a user can create, modify, copy, transfer, and delete a file, making it very useful for auditing as well as real-time monitoring. Secudrive File Server can keep file servers secure as a collaborative workspace from insider threats and can be considered the final step in file server security.

Categories
Blog Device Control File Server Security Insider threats USB Sescurity

How to Prevent HIPAA Data Breach by Insiders

The most frequent cause of health data breach accidents is an insider. About half of these accidents are a result of an error by insiders while the other half are a result of wrongdoing. Obviously, we should prevent accidents by both causes. (Read: Insiders: the Most Frequent Reason for HIPAA Data Breach)

First, health data should not be stored in scattered PCs, but should be stored separately from other data in a securely reinforced storage computer. This has a decided advantage to keep not only confidentiality but also integrity and availability, which are required in the security rules of HIPAA.

A file server could be a good option, after it is reinforced with some actions, as follows. Access to and permission to edit the data should be controlled. File versioning is needed to keep data integrity against intentional alteration or deletion of the data. The data should be backed up in real time or regularly to keep data availability. And finally, the network for storage should be separated physically/logically and encrypted to protect against attack from outsiders.

Secudrive File Server makes it possible to manage users’ rights of copying, printing, screen capturing and network transferring to use files in the file server. File activity logs are monitored at a glance and stored in real time so that they could be very helpful for audits. When data is transmitted to the outside, it provides encrypted data transfer under approval by the authority. In addition, whitelisting to enable specific applications to be used in the server can protect the data against attack by ransomware.

When data needs to be taken outside using a USB flash drive, Secudrive USB could be used to prevent users from unauthorized copying, printing, screen capture or network transfer of data on the USB flash drive to others, even in an ‘out of sight’ environment. Usage logs are gathered and monitored in real time through the network. When offline, the logs are gathered in the secure zone of the USB flash drive. When it comes back to the office, an administrator can view what the user had done with the USB flash drive. If the USB flash drive is stolen or lost, the data on it can be destroyed remotely. Of course, the USB flash drive is hardware encrypted, requiring a password to see the data. Secudrive USB Management Server provides a central management environment to manage the security policy of scattered USB flash drives and to monitor their real-time usage.

Because external hard drives, USB flash drives, and smartphones can be connected to PCs through USB ports, they could be used to take data from a PC. Secudrive Device Control can block the USB ports, ensuring that only secure USB Flash drives like the Secudrive USB flash drive can be used. For a coworker off site, an access-controlled account can be made for him/her in the file server to share files. This is much more secure than using email or public cloud service to share data.

Finally, educating insiders about security should be a top priority to prevent health data breaches by insiders. Data should be classified to be kept secure and access and rights to classified data should be allocated to the right persons. Administrative works should be done and updated regularly. In the ongoing administrative process, Secudrive could be an easy and cost-effective solution for small and medium healthcare organizations to mitigate the risk of a data breach by insiders in accordance with the technical safeguards of the security rules of HIPAA.

Blogs relating to HIPAA

Data Destruction for HIPAA Compliance
Insiders: the Most Frequent Reason for HIPAA Data Breach
the Costs of Data Breaches and Violation against HIPAA
The Primary Threats to Data Breaches of Protected Healthcare Information(PHI)
The Three Safeguards of the HIPAA Security Rule Summarized

Categories
Blog Device Control File Server Security Insider threats

Insider Threat Prevention Using a File Server in an SMB (Small & Medium Business)

One possible alternative for resolving data security and management issues in a distributed data environment is the VDI (Virtual Desktop Infrastructure). In a VDI environment, the insiders’ PC functions as a terminal with which to work with data stored on servers. Insiders’ PCs don’t have any data stored on them, thus providing a significantly enhanced level of information security for enterprises. System administrators can focus on server management, while insiders are responsible for managing what happens on their own PCs.

However, the VDI environment is quite unlike the typical PC environment, and being so unfamiliar to most of us, we would likely need the help of VDI specialists to introduce and manage it. Furthermore, a VDI environment costs about twice as much as a standard PC environment because the software licenses for servers which are not required in PC environments can be quite pricey. Consequently, many companies, especially SMBs, are often reluctant to introduce VDIs despite their obvious advantages in terms of information security and management.

A file server solution represents a reasonable alternative to a VDI. In this solution, all corporate data is stored on a file server, and an administrator focuses on the server to enhance the level of security and to facilitate asset and data management. With all corporate data now stored on the file server, all activity log files from creation to deletion can be gathered quickly, and individual access authority can be managed collectively. Moreover, if the file server has a backup system, data loss due to inadvertent or malicious deletion by insiders can be prevented. Ransomware attacks can also be prevented through the use of whitelisted corporate applications. Of course, the file server should be encrypted and equipped with antivirus to prevent attacks from outside, too.

All file activities should be executed on the server, and all users should be restricted from copying and network transferring a file to outside the file server, thus preventing data leakage. A watermark or print prohibition feature could be useful in preventing data leaks through printing. If a file server is equipped with such DRM features, it can effectively prevent insider threats. In sum, there is a range of data and network security features available with a file server solution, thus negating the need for a VDI.

Categories
Blog File Server Security

4 Actions to Prevent Ransomware Using a File Server in SMBs

Small and medium businesses (SMBs) cannot be exempt from ransomware attacks. However, they cannot afford to follow the general recommendations to prevent ransomware attack due to lack of budget and human resources. While big enterprises have their own dedicated IT security teams, SMBs are mostly defenseless to ransomware attacks. However, we suggest the following four actions to easily prevent ransomware using a file server in SMB.

First, corporate data should be isolated from employees’ PCs and consolidated into a file server. The file server should be utilized as a corporate secure work space in which all files are created, edited, shared and deleted. Ideally, there should be no corporate files in employees’ PCs. It will be much easier for an administrator to focus on managing one file server than hundreds of PCs. Then business continuity can be maintained even if a PC is affected by ransomware.

Second, the file server should be carefully managed under the recommendations for file sever security such as physical separation, encryption, vaccination and log monitoring. In addition, it would be safer if there is file versioning and rights management for copy to prevent insiders from inadvertently or maliciously deleting and copying.

Third, the file server should be a high availability system or backed up to maintain business continuity. It is apparently more effective than backing up individual PCs in terms of cost, traffic and management.

Fourth, available applications in the file server should be whitelisted because sometimes a file server can be consequently infected after ransomware is installed in a shared folder.

Secudrive File Server is an easily applicable solution for SMBs to consolidate corporate data and protect against ransomware as well as insider threats.