Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

How to Prevent Potential Data Leaks before and after Employees Depart

Four Secudrive data security solutions to help prevent potential data leaks before and after employees depart

When employees join and leave enterprises, the primary concern is to find replacements or re-shuffle the organization structure. However, one crucial, or the riskiest concern that enterprises may overlook is that the departing employees can accidentally or intentionally leak confidential data on their way out, or even after their departure.

Acknowledging that confidential data leakage upon employee departure is more than plausible and that consequences can be damaging, Secudrive recommends its four solutions – Secudrive File Server, Device Control, USB Office, and Sanitizer – that synergize to stop employees from accidentally or intentionally leaking confidential data, before and after their departure.

1) Secudrive File Server helps enterprises to set up a secure file sharing environment where confidential files can be consolidated and protected in a centralized system of file servers. Firstly, Secudrive File Server ensures that consolidated files are isolated from the employee PCs’ local environment, making them only accessible and usable directly on shared folders. Then digital rights management (DRM) is enforced for each folder to stop employees from leaking confidential data.
Digital rights management is the key to Secudrive File Server, restricting specific functions of files and data. With DRM in place, employees can use enterprise files as normally; however, they will be strictly restricted from specific actions that potentially lead to file leakages, like file copying, screen-capturing, printing, and more. With data leakage blocked by DRM, employees will not be able to export confidential data to their PCs’ local environment or outside environment via offline (storage devices) or online (e-mail or messaging apps) methods.

2) Secudrive USB Office and USB Management Server is a solution suite that provides enterprises a secure media to safely store and transport confidential data outside the office environment. Secudrive USB Office is a hardware encrypted USB with DRM, ensuring data security when employees need to take out confidential files for certain situations like business trips, which may seem to be opportune for data leaks. It brings hardware-encryption with AES-256 crypto chip and DRM (identical to that in Secudrive File Server) to ensure that data stored in Secudrive USB Office are safe from not only outsiders’ unauthorized access but also potential leakage that may occur ‘after encryption.’
In addition to the security measures integrated with the USB drives, Secudrive provides a supplementary Secudrive USB Management Server (UMS) that establishes a remote, centralized platform to manage multiple USB drives and their security policies at once. The more USB drives enterprises use, the harder it is to control, and UMS was developed to eliminate such difficulty by allowing enterprises to keep track and change security policies of multiple USB drives at once, real-time. One critical advantage of real-time management is the ability to instantly respond to unexpected events like USB drive thefts or losses. As enterprises ordinarily use regular USB drives with no security measures implemented, and the data stored is exposed to leakage risks by both outsiders and insiders. Therefore, Secudrive’s USB drive security and management solution will prevent data leakage threats by not only outsiders but also insiders.
Even though the enterprises have secure USB drives, backed by a robust management tool at their disposal, they must make sure that only those USB drives are used by employees. Simply encouraging employees or enforcing some policies is not safe enough, since departing employees willing to steal confidential data can easily use their USB drives. Then how can enterprises limit their employees to use only the safe, security-equipped USB drives?

3) Secudrive Device Control regulates and monitors all or specific devices that are used on the endpoint PCs, through ports like USB, Wi-Fi, LAN, and IEEE 1394. As removable storage devices have become IT commodity for everyone, they have naturally become an integral part of enterprises as well. However, enterprises must first control the use of USB drives to eliminate any possibility of data leaving the enterprise premises.
Secudrive Device Control helps enterprises establish and implement various security policies on multiple groups effectively, by initially drawing the information on how all the PCs and employees (users) are structured together from Windows Active Directory (AD). Moreover, when an employee needs to use certain devices for specific tasks, Secudrive Device Control can temporarily ‘unblock’ specific ports, keeping the work productivity flowing. In this case, it is imperative that USB drives be integrated with reliable security measures.

4) Secudrive Drive Eraser is a disk wiping solution that stops potential data leaks from old PCs used by departing employees. When employees leave, their PCs either change ownership or are destroyed, and before doing so, enterprises often format the PCs. However, PC formatting is never enough as it merely removes the path to the data, not the data itself, which actually can be recovered and even worse, be leaked out.
By using Secudrive Sanitizer can the enterprises completely ‘wipe’ multiple PCs simultaneously, and even execute multiple wiping processes remotely from a centralized console. It ensures that PCs are free of remnant data after being wiped with internationally recognized wiping algorithms. Then the enterprises can re-assign or destroy the old PCs used by departing employees, knowing that all data has been rendered unrecoverable. Moreover, remote PC wiping allows bigger enterprises with multiple locations to wipe their PCs with just a few clicks and to monitor the process from start to finish.

All in all, the four Secudrive solutions – Secudrive File Server, Device Control, USB Office, and Drive Eraser – form a holistic data security architecture that stops departing employees from leaking confidential data before and after their departure.

Categories
Blog Device Control USB Sescurity

How to Deploy and Use USB Drives Safely

As the standard media to share all kinds of files with multiple individuals, USB drives are frequently sought by enterprises to streamline their daily operations both in and out of office. However, enterprises sometimes hesitate to put USB drives into actual implementation because the potential risks that arise from not being able to authorize, protect, and manage USB drives easily can outweigh the various advantages that USB drives bring to enterprise work environments. Such risks can negatively impact the confidentiality of enterprise files head-on. Therefore, the decision to implement and use USB drives in enterprises hinges on the availability of USB drive security solutions that deliver enterprise file protection and comprehensive remote management of USB drives.

With Secudrive’s USB drive security solutions can the enterprises deploy USB drives on an enterprise-wide scale safely for employees both in and out of office. The solutions below will help enterprises with protection, authorization, and management of USB drives to ensure that enterprises files remain protected at all times.

  1. Secudrive USB Drives enforce robust protection against both external and internal threats

Implementing enterprise-wide usage of USB drives starts by using the secure USB drives with security measures that protect the stored files from being leaked or breached by not only the external individuals but also insiders. Secudrive USB Drivesprovide such security benefits with the most fundamental AES-256 hardware encryption and TMUSB Anti-Virus against external threats, as well as an innovative integration of digital rights management. Let’s find out how the three measures provide security for enterprises.

USB drives will perhaps spend most of the time outside the office, traveling with confidential data to different places. Thus naturally, USB drives are exposed to external threats like unauthorized access in case of loss or theft, and ransomware infections. Firstly, AES-256 hardware encryption prevents unauthorized file access by adding the primary security layer with keys, which must be set by the administrator. As for ransomware infections that could occur from repetitive USB drive usage on multiple external PCS, TMUSB Anti-Virus will detect, quarantine, and eliminate malware before it causes any harm to enterprise infrastructure after being recovered from usage.

While the two security measures prove to be effective against external threats, the insider threats to file confidentiality still looms large, as it is often overlooked by most of the secure USB drives. Secudrive’s understanding is that the most critical threats to file confidentiality lies ‘after’ the encryption; therefore, Secudrive USB drives go beyond encryption by integrating digital rights management (DRM), which is capable of restricting specific functions like file copy, screen-capturing, printing, and more. With DRM in place, enterprises no longer has to worry about insiders accidentally or maliciously risking the confidentiality of stored files after accessing the USB drives with credentials.

  1. Secudrive Device Control assures tightened control over authorized USB drives on endpoint PCs.

With USB drive security in check, the next step is to ensure that none of the unauthorized or personal USB drives can access the endpoint PCs. Secudrive Device Control is a solution that helps enterprises regulate and monitor the device access to endpoint ports, ensuring that only selected devices, Secudrive USB drives, in this case, are permitted. Enterprises can initially block all endpoint ports from access, and follow by allowing specific ports for access only by selected devices, under close surveillance from start to finish. In the case when an employee needs to access a blocked port for specific tasks, Secudrive Device Control is capable of temporarily ‘unblocking’ certain ports to ensure that work productivity remains uninterrupted.

  1. Secudrive USB Management Server monitors and manages multiple USB drives simultaneously.

If an enterprise is using USB drives in high numbers, negligence of ownership and responsibility that falls upon the users can cause chaos, which can further lead to costly losses and thefts of assets. To avoid such calamity, Secudrive USB Management Server (UMS) provides a centralized platform where multiple USB drives can be managed and monitored conveniently. Enterprises can remotely track, control, and see multiple USB drives real-time with a bird’s eye view for streamlined management and instant response to potentially catastrophic losses and thefts of USB drives. If such events occur, enterprises can lock or wipe the stored files to make sure that stored enterprise files are kept safe from being leaked. Hence, together with comprehensive remote management, UMS extends the degree of security even outside the office.

The three solutions, Secudrive USB Drives, Device Control, and USB Management Server form a perfect security architecture that provides holistic security to enterprises that wish to use USB drives for functional and streamlined daily operations. With three solutions working hand in hand, Secudrive USB Drive Security & Management will ensure granular security against both external and insider threats to file confidentiality, both in and out of office.

Categories
Blog USB Sescurity

How to Mitigate Security Risks of USB Drives in Enterprises

Portable, fast, and easy, USB drives have become the household gadget for file and data transfer for the last two decades or so. From USB 1.0 to the newest standard, 3.2, USB drives have undergone tremendous evolution, which provided great functionality and practicality for both personal and enterprise. Especially for the enterprises, USB drives are incredibly functional IT assets, but they involve some risks regarding the confidentiality and security of valuable enterprise data.

  1. Unauthorized USB drives can cause data leakage and management chaos in and out of office.

Employees may use personal USB drives, without permission, to take and use confidential enterprise files in external environments. Therefore, the safekeeping of confidential enterprise files like customer data spreadsheets, financial statements, and engineering blueprints, are under threat of leaving the safe office premises and exposed to unexpected file leakage or tempering. Simply put, confidential enterprise files may end up in wrong places at the wrong time, and the enterprises might not even know such catastrophe has occurred.

Unseen risks associated with corruption, loss, and theft of confidential enterprise files from using unauthorized USB drives in and out of office is one of the biggest reasons why enterprises ditch them, despite the high level of productivity they offer. Therefore, the essential procedure to use USB drives safely in the enterprise environment is to first designate specific, and secure USB drives and their users, in addition to understanding the purpose of using them.

  1. When using USB drives that are unprotected, despite the clear indication of purpose and designated users, safekeeping of confidential enterprise data can still be at risk due to the three big reasons as below.

Lost or stolen USB drives are easily exposed to data leaks if they are found by unauthorized users since they can connect the USB drives to PCs to browse and use, or even leak the stored confidential files. To eliminate the possibility of confidential file leakage from lost or stolen USB drives, enterprises must consider encryption as a fundamental necessity.

Trusted insiders with permission to use authorized USB drivers can be a critical risk factor, despite the enforcement of encryption. They can take the confidential files for personal interests, like monetary gains or corporate espionage, by simply copying or taking the files and contents out of the USB drives. Therefore, enterprises must implement a ‘layered’ USB drive security that protects stored files ‘before and after’ authorized access.

Furthermore, frequent traveling and connection to external, unauthorized PCs may cause USB drives to be infected by malware without warning. Malware can spread itself to enterprise IT infrastructures like servers and endpoint PCs from infected USB drives after being recovered and used in enterprise environment. To use USB drives with minimum hassle, enterprises must consider implementing a trusted anti-virus vaccine that will detect, quarantine, and eliminate malicious codes on USB drives.

  1. Due to the high number of USB drives, enterprises may feel lost in managing the USB drives and their information.

For enterprises, the number of USB drives used may reach up to hundreds or thousands. If so, enterprises will face a difficult task of asset management, which pertains to assignment of the USB drives (which team or group uses which USB). Even though the USB drives have been authorized to be used, negligence of the ownership and responsibility that falls upon the users will contribute to disorganization in enterprises. Furthermore, such information can change as enterprises undergo structural changes in terms of teams and employees. Therefore, for enterprises that wish to operate smoothly with multiple USB drives and minimize disorganization in and out of office, USB drives and their specific information must be managed and even updated on a centralized platform by a dedicated individual.

For personal uses, authorizing, protecting, and managing USB drives may not matter so much. However, for enterprises, it is a completely different story; they simply cannot put their valuable, confidential files at risk by using ordinary USB drives. However, as technologies evolve, so do the capabilities to make sure that enterprises can authorize, protect, and manage USB drives for safe usage in and out of office.

In our next blog, we will discuss the number of security principles and technical measures to implement for comprehensive USB drive usage and management for enterprises.

Categories
Blog File Server Security Insider threats USB Sescurity

An Economical and Effective Data Protection Tailored to Small and Medium-sized Businesses (SMBs)

Data breach threats are growing exponentially; even the small and medium-sized businesses (SMBs) are now in danger, and are most likely to suffer more than the big enterprises. According to UPS Capital, “60% of smaller businesses are out of business within six months of suffering a cyberattack.” Despite the potential catastrophe due to data breaches, preventing it is challenging for the SMBs. First of all, SMBs have relatively less budget and resources for investment. Second, they do not consider themselves as the targets of data breaches, despite the tendency that cybercriminals tend to take the path of least resistance. Simply put, SMBs are left unaware of and vulnerable to data breach threats that can sink businesses outright in extreme cases.

Due to the ever-growing number of data breach threats, we see a variety of enterprise-targeted, complex solutions like data loss prevention (DLP), enterprise digital rights management (EDRM), user and entity behavior analysis (UEBA), and virtual desktop infrastructure (VDI). Unfortunately, it is extremely difficult for SMBs to implement these types of solutions due to high cost and resource requirements for purchase, deployment, and operation. Having found the demand for solutions tailored for SMBs, some solutions vendors provide similar solutions that are less expensive. However, these solutions are still complex to operate and requires dedicated personnel to manage them effectively. Therefore, SMBs need a new concept of data protection with appropriate practices, which will suit their limited budget and resources.

Practice 1) Treating all relevant data and files as one entity, rather than classifying them by the degree of importance or confidentiality
Understanding this practice is the primary goal to set up cost-effective data protection for the SMBs, as all relevant data, whether confidential or not, is unstructured. This means that all relevant data resides anywhere in the files that are being used daily at multiple endpoints. Therefore, SMBs must first consolidate all its data into a system of data repositories, which require physical and network isolation to prevent physical harm and Internet-based threats, respectively. It is all about reducing the number of exit points from which confidential data can be leaked since SMBs will only have to protect data repositories, rather than tens and hundreds of endpoint PCs.

Practice 2) Protecting consolidated data with solutions that provide not only simple operation but also continued productivity for both administrators and employees
Limited resources for SMBs mean that they have less leeway in hiring or assigning time and personnel to implement and manage solutions on a regular basis. Therefore, quick and easy implementation, along with thorough training for operation is important for the administrator. For employees, the solutions must not interfere them from sharing and working with the protected data and files. If the data protection solution goes as far as hindering business productivity of the employees, it may cause more discomfort than the sense of relief.

Practice 3) Acknowledging that data breach threats arise from both inside and out
Data breach threats are no longer about outside-in; according to IBM, 60% of attacks are carried out by those who have insider access. Effective data protection is all about considering both inside and out; threats like hackers, phishing, and ransomware are from outside, while inside threats include malicious and accidental data leaks by the employees. It is crucial that all relevant data is protected while in use, and in motion by regulating what each employee can do and by monitoring what is happening at file and user level.

Naturally, SMBs have less freedom of budget and resources to run their businesses efficiently, and this constraint makes it difficult to find the right ways to protect their data from being breached by ever-growing threats from both inside and out. Blending data consolidation and protection helps SMBs to achieve the primary stage of complete data protection effectively and efficiently. With added protection against data breach from inside and out, SMBs can cap off the implementation and operation of data protection that delivers cost-efficiency and effectiveness to suit their limited budget and resources.

To learn how Secudrive solutions help SMBs protect their important data from being breached from internal and external threats, please read our next blog!

Categories
Blog File Server Security Insider threats USB Sescurity

3 Reasons Why Data Breach is a Difficult Challenge for Most Small and Medium-sized Businesses (SMBs)

Data breach is causing a lot of headaches among global businesses, and it does not seem to slow down anytime soon. In the US alone, businesses and customers suffered 1,120 total breaches and more than 171 million record exposures during the first 10 months of 2017, according to Identity Theft Resource Center (ITRC). Furthermore, its impact is growing as the average cost of a data breach in 2017 has been reported to be $3.62M globally and $7.35M in the US, according to 2017 Ponemon Cost of Data Breach Study.

These numbers may reflect only the reality that big enterprises face; however, to small and medium-sized businesses (SMBs), data breach is a threat that is just as clear and present. In 2016, Symantec’s Internet Security Threat Report reported that43% of data breaches were targeted at SMBs.

Data Breaches Hit SMBs Harder!

Data breaches cause SMBs the financial, reputational, and other organizational damages. A report by Kaspersky Lab shows that average cost of a data breach for SMBs was measured at $117,000 per incident, while more potent and targeted breach cost SMBs $188,000 on average. Some of the key spendings on damage control were as below.

  1. Hiring professional experts and preparing employee training programs
  2. Lost customers or business
  3. Lowered credit rating and increased insurance premiums
  4. Software and infrastructure improvement
  5. Brand image reparation and customer compensation

Monetary loss or business setbacks like above may not be the end of what data breaches can inflict the SMBs; data breaches can lead to business bankruptcy as SMBs are most likely to be lacking in the capital and resources to handle such impact. To According to UPS Capital, “60% of smaller businesses are out of business within six months of suffering a cyberattack.”

Why Do SMBs Suffer More?

SMB owners already have more than enough responsibilities to drive their business forward with limited capital and resources, and this puts data security in a less prioritized position, where it gets either neglected or overlooked without any seriousness. SMB owners and employees are generally unaware of the current state and potential damage of data breach; therefore, they naturally become good, naïve targets of opportunity for the cyber criminals, whether they are inside or outside the organization. This lack of awareness ties closely into the nature of data breach, being not only malicious but also accidental, as most breaches are in fact, caused by mistakes like negligent employees mishandling security configurations or employees clicking wrong links online. Not only that, the limitation of capital and resources will lead to difficulty in covering the costs of implementation of technical measures and damage control. The absence of technical measures undoubtedly puts SMBs in a vulnerable position, which is exposed to data breach threats from various fronts.

Say that SMBs were familiar with and prepared for data breaches, the measures which they implemented can turn out to be insufficient as security gaps can unexpectedly emerge, opened to exploitation by data breach threats. This issue can be considered as a by-product of current trend of data security industry that is focusing on providing enterprise-grade security that demands high investment, dedicated IT resources, and complex configurations. Thus, SMBs are finding it difficult to find the right solutions that will meet their specific requirements, and they are left to settle for cost-effective alternatives that are less capable.

If you, as an SMB owner, have experienced or are worried about data breaches, the important thing is to start seriously considering the potential risks now, and not after the damage has been done. With lack of awareness, capital, and resources, SMBs can be left unsure on “how and what” to do to prevent data breaches. Head to our next blog to learn how SMBs can establish their data security against data breach threats from outsiders and insiders.

Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ④] How to Comply with GDPR

Secudrive recognizes the GDPR as a welcoming and progressive leap to protect the rights and freedom of all EU citizens with the new laws for comprehensive personal data protection, and an exciting opportunity for us to solidify our commitment to what we do best: providing reliable data security solutions for businesses and organizations.

The GDPR requires global organizations to comply with its organizational and technological requirements if or to process personal data of any EU citizen. Organizational requirements are considered as clear-cut, as they pertain to appointing the right people for the right positions, such as Data Protection Officers (DPO), and educating the employees and external personnel about the GDPR and the rights of the EU citizens. On the other hand, meeting technological requirements are rather obscure and difficult, as organizations are now flooded with numerous data security solutions in the market and simply unsure where to begin. To guide the organizations to an effective shortcut to comply with the GDPR, Secudrive provides a lineup of four data security solutions.

  1. Secudrive File Server
  2. Secudrive Device Control
  3. Secudrive USB drive solutions
  4. Secudrive Drive Eraser

It is critical to protect the confidential data in storage, and even while being processed by individuals. As mentioned in the previous blog, organizations can consider typical solutions like data loss prevention (DLP), enterprise digital rights management (EDRM), and virtual desktop infrastructure (VDI). These solutions promise to be effective in protecting your personal data, but are considerably challenging to implement and manage without professional consultants or qualified data security managers. Big, rich organizations may feel indifferent to these potential barriers, but SMBs with limited capital and human resources may look for other solutions that are as comprehensive and straightforward.

Secudrive File Server is a data loss prevention (DLP) solution for file servers, equipped with digital rights management (DRM) and application whitelisting to prevent internal data leaks and external cyber attacks, respectively. As file servers serve as a popular form of repository for confidential and unstructured data like personal data, organizations must consider some of the key security principles like network separation, encryption, anti-virus solutions, and backup. However, insider threat prevention must also be considered as confidential data is most exposed to data leakage when it is being processed. With Secudrive File Server, users are configured with different DRM policies, which can restrict them from unauthorized copy, print, screen-capture, and network-transfer; therefore, all personal data that are either in storage or processing will be prevented from accidental or malicious leaks. Against external cyber attacks like ransomware, application whitelisting prevents unauthorized applications or even malicious malware from being installed and run on the file servers to protect the personal data from harm. For visibility across an organization, Secudrive File Server provides logging of all file and user activities for real-time monitoring and future audits. It also provides security for personal data in motion, as its secure audited copy protocol (SACP) allows users to first encrypt the files for export, transport them in Secudrive USB drives, and decrypt later for access within Secudrive File Server environment.

Secudrive Device Control prevents internal data leaks by regulating the access of various ports such as USB, Wi-Fi, LAN, and IEE 1394, and monitors all activities regarding storages devices like USB drives, external hard drives, and smartphones that are connected to endpoint PCs. Among various ports, it is crucial to regulate the ports to storage devices, as data leaks through storage devices do not leave traces for the organizations to investigate and identify the wrongdoers. Therefore, organizations must either completely restrict or temporarily permit these ports for access. Secudrive Device Control achieves this with an added security feature of real-time monitoring in case of temporary USB port permission.  However, what if it is unavoidable for an organization to use USB drives, and simply restricting USB ports is no longer a viable option? Organizations can consider permitting only the designated USB drives with reliable security features like password encryption, file activity logging, and remote management.

Secudrive USB drive solutions provide a system that helps organizations securely manage the storage and transportation of personal data while being protected from accidental or malicious leaks even outside secure office premises. First, Secudrive USB drives are well-equipped against losses and thefts, the two most common human occurrences during data transport. Furthermore, Secudrive USB drives provide visibility as it records all file activities as logs for future audits. For the organizations that wish to manage multiple Secudrive USB drives simultaneously, Secudrive USB Management Server(UMS)  provides management of monitoring of multiple USB drives in real-time and even lock or wipe them remotely through a centralized console. With UMS,  organizations have the liberty to manage thousands of Secudrive USB drives and security policies remotely and respond to thefts and losses as swiftly as possible.

Lastly, Secudrive Drive Eraser provides assured and cost-effective data wiping for organizations. The caveat here lies in the danger of potential data leakage through recovery, even after deleting the stored data beforehand. Not only that, PC disposal is often performed by specialized facilities outside the office, and this leaves in doubt the danger of data leakage through loss or theft while en route. Secudrive Drive Eraser eliminates this danger by allowing the organizations to wipe the data on the PCs within the secure, on-site premises, and even to ‘recycle’ them to help cut costs. Furthermore, it provides extraterritoriality with the ability to distribute the solution to the PCs via online, wipe the PCs, and monitor the entire process remotely from a centralized location. Last but not least, Secudrive Sanitizer boasts effortless data wiping for any organizations as it performs with only a few clicks, even while operating systems are running.

The GDPR is out to achieve a common goal across the EU, but organizations of all sizes and industries are considering the Regulation a varying level of difficulty and different perspectives. As a data security solutions provider, Secudrive considers it as an exciting opportunity to provide a reliable blend of data security solutions that are comprehensive and straightforward. With Secudrive Device Control, organizations can ensure that untraceable data leaks through storage devices are restricted at the endpoints. Meanwhile, Secudrive File Server protects the confidential data directly from where it is stored by enforcing user-specific DRM policies for insider threats and application whitelisting for external attacks. When organizations require transporting their personal data outside the secure office premises, Secudrive USB Drive Solutions provide on which the personal data can be stored and protected from leakage with hardware encryption, DRM, and remote management. Finally, Secudrive Sanitizer helps organizations to ensure that personal data are deleted and rendered unrecoverable before disposing of the PCs. With our solutions lineup, will be well-prepared to carry on their operations without having to worry about where and how to begin their action plan for GDPR compliance.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
→ How to Comply with GDPR

Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ③] Data Protection by Design and by Default: Technological Measures

Just over five months from now, the GDPR will be enforced for a stricter, thorough, and fair protection of personal data of all EU citizens, and the organizations with the presence in the EU have a tough task of GDPR compliance in their hands. To lighten the burden, we wrote a checklist of requirements for the organizations to follow on our earlier blog. Continuing our blog series on the GDPR, we will take a closer look at a technological aspect of compliance and how organizations can approach it.

For starters, where should the organizations begin to comply with the technological requirements of the GDPR? We turn our attention to “Data Protection by Design and by Default”, or Article 25. It explains that the organizations that fall under the GDPR scope must implement appropriate technical and organizational measures, which are designed to implement data-protection principles to integrate the necessary safeguards in order to:

  1. meet the requirements of this Regulation and protect the rights of data subjects, and
  2. to ensure that only personal data which are necessary for each specific purpose of the processing are processed.

The organizations are explicitly required to implement appropriate technical measures for personal data protection. However, with a plethora of data security solutions out there, some organizations may feel lost. From the technological point of view, we understand the Article 25 as the organizations’ responsibility to apply a cohesive blend of multiple data security principles to the full extent of data life cycle, which largely consists of data storage, processing, and erasure. We believe that this approach will serve as a backbone from which the organizations can start preparing for the GDPR.

After collecting personal data by complying with the GDPR requirements, data storage follows. The fundamental security principle here is to store all the personal data in one or more secure data repositories, separate from, but accessible by individual PCs via local network. The most common data repository is the file server, which is often operated and managed in multiple numbers, dedicated to multiple groups of users that will only be allowed to work on the files while being restricted from unauthorized file exports. To make sure your file servers are kept safe from potential dangers, organizations must consider some of the key security principles as below.

  1. Physical security to prevent intruder breaches
  2. Encryption to ensure protection of data against hackers or theft
  3. Keeping it off Internet to restrict potentially malicious or accidental access from outside of your LAN
  4. Anti-virus solutions to prevent cyber attacks from the outside
  5. Maintain high availability to ensure continuity of work productivity in case of accidental or malicious disruption to file server(s)

Once personal data is stored in the file servers, it will be subject to data processing by diverse personnel such as employees, contractors, partners, and consultants. It is critical to realize that data processing is the breeding ground for both accidental and malicious data leak threats from inside and out. The most common form of data leaks is accidental, due to employee negligence, operational mistakes, or lack of education. However, organizations cannot overlook the risk of malicious data leaks that can be caused by greed, ego, and competition. Therefore, a stringent data security system is required to ensure that only the certain files and folders are accessible by authorized users. Furthermore, all user, file, and folder activities must be logged for auditing and only allowed to be accessible by certain users. When processing personal data, employees may also transfer or share it outside the secure premises. For secure processing of personal data, organizations can consider some of the general countermeasures as below to mitigate the risks of leaking data.

  1. Data loss prevention (DLP) detects potential data leaks by monitoring the important data and blocking it from leaving the secure premises from the end-points.
  2. Enterprise digital rights management (EDRM) provides file access control and file activity restriction features that are persistent and manageable even outside the secure premises.
  3. Virtual desktop infrastructure (VDI) runs multiple user desktops inside virtual machines (terminals) with persistent data security policies that only allows users to access the data within the centralized data center(s).

Once the processing of personal data is complete, organizations may undertake data erasure to free up their storage space, or to ensure that personal data remains unavailable to others. Data erasure is closely related to the Article 17, which states that the data subjects have the right to erasure, or the right to be forgotten. Therefore, organizations must be prepared to erase personal data, rendering it unrecoverable in any situation. In this case, direct data erasure on the storage devices, through one or a combination of the general methods as below, is the safest procedure.

  1. Data erasure software by overwriting with randomized data
  2. Degaussing, or elimination of magnetic fields on storage devices to erase all stored data
  3. Brute destruction of storage devices

Despite the advantage of complete data erasure, degaussing and brute destruction carry two distinct disadvantages. Firstly, they make the storage devices unusable, and secondly, they require the devices to be transported to the external facilities, risking them to potential theft or loss. On the other hand, data erasure via software bypasses the two disadvantages by allowing the organizations to ‘recycle’ their storage devices and perform data erasure within their office premises. Therefore, organizations can ensure complete and secure data erasure with a software initially, and by subsequently degaussing or brutely destroying devices.

Meeting the technological requirements of the “Data protection by design and by default” can help organizations to get off to a solid start in achieving GDPR compliance before the deadline. We recommend the organizations to consider implementing the technological measures for the three steps of data life cycle: storage, processing, and erasure. This approach allows the organizations to devise a cohesive blend of multiple data security solutions, which will protect personal data from leaks and breaches from both internal and external threats. Capping off our blog series on the GDPR, we will discuss how Secudrive solutions can technologically help you to achieve “Data protection by design and by default” to prepare for the GDPR.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
→ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ②] Checklist for the Organizations to Comply with the GDPR

May 25, 2018, the deadline for GDPR compliance is approaching, and organizations around the world are gearing up to identify what to do and where to begin. More comprehensive and ambiguous than its predecessor, European Data Protection Directive, the GDPR promises to be difficult to comply with. Through its requirements, the GDPR not only places more obligations on the organizations but also gives more power to the EU citizens. If your organization falls within the GDPR’s territorial scope, it is responsible for organizational, operational, and technological requirements to ensure that personal data of the EU citizens are protected.

Some organizations might have a long way to go to meet the GDPR requirements, whereas others might be closer. However, for any organization, meeting these requirements will be unquestionably difficult. To help you prepare to comply with the GDPR, we have drawn up a checklist for you to follow, and ultimately identify what you need to do and where to begin.

Assess the Current Situation. The GDPR and its potential impact on data security and day-to-day operations must be acknowledged on an organization-wide basis, starting with the key decision makers. Initially, it is critical to identify the gaps that may cause non-compliance issues under the GDPR, and arrange the ways to make up those gaps. The next step is to know what the organizations are and will be dealing with, by asking the question “which data can be defined as personal data?” According to the Article 4 of the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person… directly or indirectly.” Forms of personal data for identification of natural person ranges from common forms like name and identification number, to more specific forms like physiological, economic, and social information. Then, how about when collecting new personal data? Since the Article 13 requires the organizations to communicate how and why the personal data is collected and used, and Article 12 requires the communications to be transparent, organizations must first review their current privacy notice or consent, and make necessary revisions to be GDPR-compliant.

Know the Rights of the Data Subjects. The GDPR gives more rights to the EU citizens; therefore, organizations must examine whether their procedures cover all these rights as declared. Considering these rights, organizations can potentially revise existing procedures and go further, by evaluating their capabilities when the data subjects exercise their rights as manifested in the Articles from 13 to 22.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Data Protection by Design and by Default. The Article 25 explicitly articulates that organizations have a general obligation to implement technical and organizational measures to demonstrate that they have integrated data protection into everyday processing activities. This requirement can be considered as one of the key GDPR principles, as the legislators have recognized that privacy cannot be completely guaranteed only by laws, but that it must become a backbone in the design and maintenance of information systems and processing for each organization. In simpler terms, this requirement aims to guide the organizations to meet the GDPR requirements and protect the rights of data subjects through the means of technical and organizational measures. This requirement serves an equal purpose, but there is no one right answer; every organization must approach it differently by adhering to various data security principles and technologies. Specifically, where personal data processing could pose a risk to individuals, the Article 35 declares Data Protection Impact Assessments (DPIA) as mandatory in the situations. For example, if an organization is deploying new technology, such as artificial intelligence and profiling systems, or is processing personal data on a large scale, such as patient and medical data in health institutions, DPIA must be conducted.

Notify Data Breaches. According to the Article 33 and 34, organizations must ensure that appropriate procedures are in place to detect and investigate personal data breaches, and to notify the details to both supervising authorities and affected data subjects. Even though not all personal data breaches are subject to reporting, breaches that carry a risk to the rights and freedom of the affected data subjects, such as discrimination, damage to reputation, financial loss, loss of confidentiality, or other serious economic or social disadvantage, must be reported. However, the GDPR also provides exceptions to this requirement, if an organization has

  • implemented appropriate technical and organizational protection measures that render the personal data unintelligible to those without authorization for access;
  • taken actions to ensure that personal data breaches do not risk the rights and freedom of the affected data subjects; and
  • determined that notification to each affected data subject would “involve a disproportionate effort.”

Appoint A Data Protection Officer. As a core part of organizational requirements by the GDPR, organizations must appoint a data protection officer (DPO) in some cases. The Article 37 and 38 reveal the legal details on the designation and position of the DPOs. If your organization falls under the GDPR scope and satisfy the three conditions as below, you must appoint one or more DPOs.

  • Your organization is of public authority
  • Your organization conducts monitoring of individuals on a large scale
  • Your organization conducts processing of specific types of data such as criminal records

The Article 39 explains the minimum tasks of the DPOs as below:

  • inform and advise the organization and its employees for the purpose of GDPR compliance
  • monitor the processing of data to maintain GDPR compliance; and
  • act as the first point of contact for the supervisory authorities and for individuals whose data is processed.

However, who do they need to appoint as the DPOs? Not everyone can perform as a DPO, after all. While the GDPR does not specify the definite qualifications which the DPOs are expected to have, it requires that DPOs must be experienced and educated in the field of data protection law.

With organizational, operational, and technological requirements, this checklist may seem overwhelming. It is no doubt that getting started is the most difficult, yet the most significant step to take. However, how can we really get started for GDPR compliance? Among the requirements, we believe the organizations can start technologically. Head to our next blog and find out what the key technological requirements are for GDPR compliance.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
→ Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ①] The GDPR Summary: The 5 Key Points

After four years of discussion and preparation by the European Parliament, the Council of the European Union, and the European Commission, the General Data Protection Regulation (GDPR) is now ready to become effective on May 25, 2018 to achieve more comprehensive enforcement of personal data protection laws for all EU citizens. The importance of protecting personal data with legitimacy has been a major talking point in the recent times, and the EU is taking its bold step to set the bar for the rest of the world to follow.

Leading up to the GDPR

Let’s roll back the years to 1995, when the European Data Protection Directive was imposed to regulate the processing of personal data in the EU. Back then, personal data was simply a component of vast information database in the private scope, and was protected solely under the notion of ‘right to confidentiality.’ Fast forward to now, personal data plays a key role in achieving prolonged growth and greater success for global enterprises, as collecting, processing, and exchanging personal data has become the cornerstone of any business activity. This transition has been apparent and rapid with the various technological and business innovations like social media, complex data analytics, and data storage to achieve superior customer relationships. To keep pace with this unstoppable transition, global enterprises required, and have been obtaining a much wider range of personal data from more people around the globe. Consequently, personal data protection laws had to be reformed to acknowledge the notion of ‘right to protection,’ rather than that of ‘right to confidentiality.’

Understanding the GDPR

Come May 25, 2018, all organizations, even outside the EU, that are currently processing or planning to process personal data of the EU citizens must be prepared to comply with the GDPR. Unfortunately, it does not seem to be an easy task; therefore, we have summarized the GDPR into five key points.

One Law for 28 EU Members. Superseding the former European Data Protection Directive, the GDPR is unified legislation that applies to all 28 member states of the EU. Under one set of laws, each EU member state will establish independent Supervisory Authorities (SA) that will receive and investigate complaints or data breaches, issue warnings or fines, and cooperate with other SAs if required. This change can be considered as welcoming, as the organizations are only required to comply with one set of laws, even if their activities are widespread across multiple EU member states.

More Power to the Data Subjects. The GDPR promises increased power for the data subjects. Data subjects are the natural persons whose personal data is processed by an organization. First and foremost, the organizations must provide clear and concise consent to the data subjects before collecting their personal data, signifying the end of long, illegible terms and conditions that are full of legalese. Furthermore, data subjects can lawfully request the organizations for the access, rectification, erasure, restriction of processing, portability, and objection of their personal data. Accordingly, the organizations must provide documentation that proves the completion of the data subjects’ request(s). Also, the GDPR provides the data subjects with the explicit right to lodge a complaint with the SAs, if any processing of their personal data infringes the GDPR requirements.

Strengthened Authority and Heavier Sanctions. The GDPR declares strengthened authority and heavier sanctions for non-compliance. Through the SAs, written warnings or periodic data protection audits will be imposed in cases of the first and unintentional infringement. Severe infringements may be punishable by a fine up to 20 million Euros or 4% of the annual worldwide turnover. Stricter sanctions dictated by the GDPR certainly put pressure on enterprises and organizations to invest substantial capital and resources to ensure that personal data remains protected and data subjects’ right and freedom are not harmed by non-compliance.

Data Protection by Design and by Default. It is the organizations’ legal responsibility to establish appropriate organizational and technological measures to meet the requirements of the GDPR and protect the rights of data subjects. Organizational measures pertain to appointing appropriate personnel, who can dedicate their expertise and responsibility for the GDPR compliance, while technological measures are associated with the integration of necessary security into the processing of personal data to ensure that rights of the data subjects are protected. This responsibility alludes to the GDPR’s new obligation of appointing Data Protection Officers (DPO) and establishing organization-wide data security.

Data Breach Notification. Unfortunately, data breaches can always occur. In this case, DPOs must take it seriously and notify it to the SAs immediately, or within 72 hours of discovery, by specifying the details such as the number of affected individuals. Furthermore, the affected individuals must be notified of the data breaches as soon as possible. Failure or refusal to notifying such data breaches to the SAs can result in sanctions.

Due to comprehensive and strengthened enforcement, complying with the GDPR will neither be an easy nor avoidable task for many organizations that wish to operate in the EU. As our commitment to data security stays true, we felt obliged to seriously approach and understand the GDPR, and share its implications to data security. The deadline to compliance, May 25, 2018 is approaching rapidly, and we hope that your journey to GDPR compliance will start off positively with Secudrive.

Blog Posts in this Series:
→ The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog USB Sescurity

How to Protect Top Secret Information on USB Flash Drives.

On October 28, Daily Mirror reported a severe data breach through an unencrypted USB flash drive that was discovered by a pedestrian in the street of west London. The USB flash drive contained 2.5 GB of classified data, in the form of at least 174 documents, maps, and images. Discovering what this data detailed alarmed the authorities at Heathrow Airport, as it revealed top secret information that was critical to the UK’s national security such as Queen’s route to the airport, security patrol timetables, IDs for restricted areas, and operating manuals for Doppler radar surveillance system. The shocking details did not stop, as the USB flash drive was not even encrypted, meaning that anyone could access it without entering a password. The Metropolitan Police is seriously considering this happening as a terror threat and is currently investigating how this critical information was originally leaked out. Furthermore, the authority may have to invest a massive budget to build a new security system for Heathrow Airport, as the current system may have been already compromised and possibly leaked out to the wrong hands.

Without a doubt, this security lapse has been a hot issue in the IT security industry. Right after the news broke out, Spiceworks, one of the biggest online communities for IT professionals, has been conducting a poll to find out if IT professionals or organizations prevent data leaks by encrypting data or disabling USB ports. As of November 14, the results showed that 325 of 865 respondents (38%) neither encrypt data nor disable USB ports to prevent data leaks. Among those that impose security measures, 26% disabled USB ports, 13% encrypted their data, and 18% implemented both.

Organizations that appreciate data security disable USB ports on employees’ PCs, as 44% of the respondents answered in the poll above. This security measure allows the IT administrators to monitor who transferred and worked with what data through which network, only by permitting data transfer online. However, this measure presents a shortage, as the data security still remains in doubt due to the inability of managing the file activity once the files leave the secure office premises. In response to this shortage, organizations often store the files on USB flash drives that will be given to trustworthy employees who monitor the file activity with naked eyes, ensuring that nothing gets out and the files return safely to the office premises. Additionally, organizations use USB drives in other numerous ways to store and transport data within, or outside the office premises. Therefore, USB drives are considered as the widely accepted means for data management and transport, as 51% of poll respondents do not disable USB ports or only encrypt their data.

However, is USB drive encryption or USB port restriction, or even a combination of both truly enough to achieve reliable data security standards? Are we covering all the possible fronts?

Going back to the security lapse concerning Heathrow Airport, it is beyond belief to learn that an authority that is responsible for the national security of the highest order does not use encrypted USB flash drives. However, even if they did encrypt their USB flash drives and top-secret data, would this solution be sufficient to prevent data leaks in the future?

The answer is a clear no, as the risk of data leakage by an insider with the highest security clearance, who can copy and export the top-secret files to the wrong hands via USB flash drives, can never be overlooked. Even worse, it is almost impossible to identify the ‘what,’ ‘who,’ and ‘when’ about the data leakage.

If you must store ‘top secret information’ on USB flash drives, they must be not only encrypted but also copy-protected. If an employee, who is carrying one or more USB flash drives with top-secret information, must work with a co-worker out of office, it is imperative to restrict the employee’s right to copy, print, screen capture, and network transfer the files on the USB flash drives. Moreover, the USB drives must be configured to be only accessible via specifically permitted IPs, and the administrator must be able to monitor all activities real-time through the internet. Secudrive USB drive solutions are designed to prevent any leakage of top-secret information from USB flash drives.

If you expect a potentially catastrophic result from leakage of top-secret information, Secudrive USB flash drives are the perfect solution that provides infallible security with hardware encryption chip, copy-protection with digital rights management, and remote monitoring and management. Before trusting your employees or official documents like a non-disclosure agreement, protecting your data from leakage, malicious or accidental, begins by establishing a robust and dependable security system that protects your confidential, top-secret data from both internal and external threats.