Blog

Browse our blog to see what our experts are talking about, and for insights on the latest cyber security trends impacting your business.

Zero Trust Data Security
January 19, 2021

Even with costly and complex data protection programs in place, data breaches and insider threats are still continually occurring. A reimagined approach to data security needs to be taken to mitigate these threats. Zero Trust is a security concept that requires the owner to have full control over every aspect of their data. To protect data from leaving the cloud, the owner must isolate and control all aspects such as other users, devices, and networks. The combination of controlling all aspects allows you to have control over your data and is the key to achieving Zero Trust. 

One of the main factors of Zero Trust is that the protection is persistent with the data no matter how or where it moves. At one point in time, data protection meant backing up data. Because of this, many of us did not discover and classify what we wanted to keep and chose to back up everything. Data security should protect everything because what you might not think is important today may still be important another day. If all of the data is secured, it doesn't matter where the data lives because it will never be vulnerable without access or keys to the data. 

With Zero Trust protection, when encrypting a file, only allowed applications and users of those applications are able to read the data without decrypting the file. Zero Trust ensures the data will always be protected because the owner will still have full control over everything. The Zero Trust protection automatically inserts a transparent layer between the read and write processes of applications and the application storage systems, whether running on endpoints or in the cloud. When an authorized user, device, process, or application accesses protected data, the access control policy will allow that user, device, process, or application to read the encrypted bytes.

Zero Trust data security is the most fluid and valuable approach for an organization when it comes to protecting and being in control of its data. Being able to protect an organization’s source code with Zero Trust implies that your organization has won in a way. A whole barrier over the organization has been lifted because it enables the developer to do their job without releasing control over their data. By protecting source code data persistently and transparently, SecureCircle’s DASB is ideal for today’s zero-trust world. SecureCircle offers the most innovative method of protecting source code from insider threats and data breaches. DASB empowers organizations to enable secure access and full data control with no impact to applications, workflows, overhead, or end-user experience.


Conditional Data Access for Endpoints
January 19, 2021

Many people think about using conditional access for SaaS applications or access to specific data sources. However, once that data is accessed, how do you continuously enforce conditional access "to the data" on an endpoint? When your data is kept in a SaaS service, it is generally kept secure by the provider. Once your data leaves the service, that is when your responsibility for protecting it comes into play. SecureCircle provides a Zero Trust Data Protection solution to ensure that your data is protected with conditional data access for endpoints.

Zero Trust implies that you have absolute control over your data and allows you to have the ability to change your access control at any given point in time. Conditional data access is all about allowing access to users without giving up any control, maintaining control, and adapting based upon telemetry. For instance, if a former employee had access to the organization’s data, you can sort of go back in time to revoke access as long as you did not give up control. When access to data is disabled, the data is no longer accessible to the user, group, or device, regardless of where the data resides. Attempts to access the data on a device that had access revoked will be denied, and these attempts will be logged. 

To detect any risky behavior while possessing control, SecureCircle works in conjunction with your identity provider. SecureCircle becomes part of the device’s compliant posture while your identity service can detect if the device attempting access is compliant before issuing access. SecureCircle always keeps data in an encrypted state and only allows approved applications to access and modify it. If any risky behavior is shown from the analysis of user behavior, SecureCircle enables you to change the posture of what the user is allowed to access. 

Ultimately, when having absolute control over your data, you start to think of the world differently. Zero Trust security is one comprehensive approach that allows you to have conditional data access for your endpoints. Even though data is secure, at one point or another, you are going to have to allow access. When doing so, SecureCircle will be there to eliminate these vulnerabilities.


Cybersecurity 2021 Conferences
January 19, 2021

Which will be the best 2021 Cybersecurity Conferences?

2020 was undoubtedly a year of change for everybody. People had to adapt and shift rapidly to new habits because of Covid-19. Cybersecurity conferences were not an exception: while some of them were cancelled, others took place in a virtual environment instead of the traditional way. 

Regular attendees are expecting to join the main Cybersecurity Conferences to be held this year even though they will mostly be held virtually. SecureCircle lists here the top 10 conferences that you cannot miss: 

  1. RSA CONFERENCE 2021, SAN FRANCISCO: this year the event will be fully virtual taking place the week of May 17. The topic will be Resilience. You can get the tickets on their website.
  2. GARTNER SECURITY & RISK MANAGEMENT SUMMIT: the event will be a virtual experience happening on March 23 and 24. Check tickets and pricing on their website. 
  3. DEF CON: the conference will be virtual, starting August 5 and finishing August 8. The event will be free. 
  4. RSA CONFERENCE 2021, JAPAN: last year the event took place in July and was free for everybody. For this year they haven't announced anything yet, so we are still expecting relevant information from them. 
  5. ATLANTA CYBERSECURITY CONFERENCE: This conference will be live streamed, taking place on February 24. Pricing and registration on their website. 
  6. NATIONAL CYBERSECURITY SUMMIT: the venue of the conference will be in Von Braun Center, Huntsville, AL. A three-day event from June 8-10. For further information and pricing check their website.
  7. INFOSEC WORLD: one of the few in-person conferences that will take place in Disney's Contemporary Resort, Lake Buena Vista on September 27-29. For registration and tickets check their website.
  8. SECURE360 TWIN CITIES: the committee of this event has decided that it will be fully virtual taking place on May 11 and 12. Registration on their website.
  9. THE HUMAN HACKING CONFERENCE: at the moment the only event that gives us the opportunity to attend virtually. The venue will be at Rosen Centre Hotel, Orlando, FL or by the virtual component of the event having access to some exclusive online workshops. The conference will take place on March 11-13. For registration and more information visit the website.
  10. CIO'S FUTURE OF WORK SUMMIT: virtual event taking place next month, February 16-18. Attendance is free but registration is necessary on their website.

 We will be there.  Are you going to join us? 


2021 Cybersecurity Predictions
January 3, 2021

As the calendar turns to a new year and we gladly put 2020 behind us, here are a few predictions for the new year.

1. Data breaches and privacy violations will continue to grow in 2021. Despite regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), the average cost impact of data breaches will rise again. Per the Ponemon Institute's latest Cost of a Data Breach Report, the average cost of a data breach in the US grew to a record $8.74 million per infringement.


2. More regulations. CMMC (Cybersecurity Maturity Model Certification) went live in 2020, and lawmakers only have one option to regulate industries that are unable or unwilling to prevent breaches independently. Last month, California passed Proposition 24 (California Privacy Rights and Enforcement Act or CPRA). CPRA will take effect in January 2023 and will create a new privacy enforcement agency. The agency will provide new definitions and protection for sensitive consumer data, expand and clarify the use and sharing of consumer data, and expand liability for data breaches. Without a national regulation, California law will become the de facto standard in the US. CCPA remains in effect until CPRA starts. The EU is working to reconcile PECR (Privacy and Electronic Communication Regulation) with GDPR to remove inconsistencies. The Philippines will update the PDPA (Personnel Data Protection Act). The UK will formally leave the EU, and the UK Data Protection Bill will replace GDPR.


3. Cybercriminals will continue to focus on remote workers. Even as some companies will return to office work in 2021, other companies such as Twitter, Shopify, Nationwide Insurance, Siemens, Slack, Square, and Zillow have adopted policies to allow permanent work-from-home. The FBI's Internet Crime Complaint Center (IC3) reported online crimes have quadrupled since the beginning of the COVID-19 pandemic.

SecureCircle's recommendation for 2021 is to adopt a Zero Trust Data Security posture that secures all data by default without relying on end-user involvement.

Protecting Data That Egresses From Cloud Services & SaaS Applications
January 4, 2021

For a true Zero-Trust environment, it isn’t enough to think about data in cloud services and SaaS applications. We also must protect, control and audit data that egresses from these services onto endpoints. SecureCircle is Zero Trust security for data. SecureCircle enables having full control over data including authenticated users, networks, devices, and applications that have access to secured data. At one point in time, the cloud was sort of the bad guy, and we would want to find all the data that was leaving the premises going into the cloud. However, overnight a transition between the cloud being the bad guy and the good guy took place. Since the cloud is now the good guy, we are trying to protect the data leaving the cloud while using zero trust models.

When you think about how Data Processing Agreements (DPAs) are written with your SaaS providers, they control and secure the data that is in the SaaS service. For instance, Salesforce and Workday will control and secure the data when it's inside their SaaS application, but your responsibility comes into play once you open that front door. The front door is open once the user and devices are authenticated, and the network is secure. With the front door open, the data is unleashed, leaving you exposed to either unwanted users accessing the SaaS environment or users egressing data from the SaaS application to their local device. With data constantly egressing from the cloud, data must be secure at all times.

A new approach to protect data is required for organizations to control their data and map to modern compliance requirements. At SecureCircle, we tie into that Zero Trust model and protect the data again because we don’t have to scan for PII. Since SecureCircle is working at a scale without limitations, when the data inevitably leaves the service, you have control over the data that is on the endpoint. SecureCircle has bridged the shared security model between the SaaS provider and your local devices. Everything that is coming out of a SaaS service is now protected because SecureCircle is part of the device’s compliance posture.

With SecureCircle, all of the services are protected and most importantly, so is your data. For instance, when downloading data from a SaaS application such as Salesforce and trying to copy it onto a USB drive to take home, SecureCircle identifies binary similarities. 

SecureCircle is able to determine if the downloaded data is similar to previous secured data.  If so the data is automatically secured with the same access permissions as the original data.  With SecureCircle, security decisions are automated and newly downloaded data can be differentiated between similar to secured data or not.  This prevents securing non-confidential data. 


If the data is similar and is secured, transferring the data to a USB will only transfer the secured (encrypted) data. If the USB is plugged into a device that is not authenticated, it will receive a bunch of encrypted bytes. Without access rights or decryption keys to read the data, it will be protected no matter where it is. SecureCircle’s DASB is the only solution that will empower you to enable secure access without giving up control of your data with no impact on applications, workflows, or end-user experience.

2020 Recap
December 21, 2020

Is Zero Trust Data Security Possible?
December 31, 2020

Read the original Forbes article: Is Zero Trust Data Security Possible?

Some enterprises I've worked with that have deployed a zero trust (trust no one) model have still experienced data breaches. With zero trust implemented correctly, data breaches can be eliminated or minimized to small datasets. I believe breaches still occur because organizations do not rely on zero trust data security solutions. After all, most options I've seen are not zero trust compliant.

Data loss prevention (DLP) requires discovery and classification. DLP doesn't secure by default. Endpoint DLP typically allows data on the device to remain unsecured while locking down the egress of data off the device.

Solutions like information rights management (IRM) and file encryption aren't zero trust. Those solutions only secure the initial transfer of data. An employee can encrypt a file and send the data to an external partner. But once the partner has decrypted the file to consume the content, the partner — not the employee or company — has control of the data.

I believe the use of these data security tools has contributed to data breach after data breach and headline after headline. What enterprises need to do is implement zero trust data security principles.

Here are four core principles of zero trust to implement when deploying a zero trust data security solution.

Use Microsegmentation

It is challenging to implement zero trust without granular controls. Instead of a carte blanche "allow or deny" permission, permission should be extremely granular. Identity providers can authenticate on more than username, name and password. They can also use device, device posture, location, time and others as additional authentication factors.

Data security should have similar granular controls. Besides basic authorization for users and devices, your security team should use controls over endpoint applications, networks, SaaS or cloud applications, and data usage such as copy and paste. Make sure they don't allow unauthorized or unknown processes to access data. New or unauthorized applications that access data can cause ransomware attacks. Whether it's in the cloud or the corporate data center, you should also secure data from centralized sources.

Enforce Policies Everywhere

Data security has previously focused largely on data access. But once data is accessed, the user typically has broad rights to use and transfer the data without additional security controls.

Some solutions claim to be data-centric solutions. That often turns out to be a file-centric approach. With zero trust, the goal is to be as granular as possible.

Security needs to be persistent. You should secure your data at all times: at rest, in transit and in use. Security needs to apply to any file type and any application. Identify solutions that are not zero trust, such as any tools that publish a list of supported applications. A supported application list implies that there are unsupported applications whose data the tool will not secure.

A widespread use case for zero trust security today is downloading sensitive data from a SaaS or cloud service. Make sure you're securing data exported from SaaS services and that it remains secured throughout its entire life cycle.

The most granular data security approaches apply security to the data itself, not the file. As users create new content, compare that content to previously secured content. If the content is similar, automatically secure the new content with the same permissions as the previously secured data. Make sure to monitor small data segments as they move from file to file and apply permission accordingly.

Provide Identity Beyond Identity And Access Management (IAM)

Authorization based on basic credentials such as username and password is not enough. Enable access policies for applications, networks and system tools such as clipboards.

By enforcing application policies, IT can allow only authorized applications to access secured data — no more Word-to-PDF converters downloaded from unknown sources. Enforce application-level network rules, such as only allowing file transfer protocol (FTP) applications to send data to corporate IP addresses. Enforce clipboard policies to block or allow secured data to move between secured and unsecured applications.

Introduce Visibility And Automation

Visibility and automation are two of the cross-functional principles of zero trust. Granular logging and reporting should enable orchestration tools to look for anomalies and suspicious behavior. Log all data access attempts, regardless of whether you allow or deny the action. Your log should include user, application, device, location, time and other metadata. Proper logging will allow orchestration tools to detect potential malware and suspicious user behavior while also creating audit and compliance reports.

By following these zero trust principles when deploying data security solutions, enterprises can finally start to eliminate data breaches.

Companies Need to Protect Trade Secrets
December 4, 2020

The road to a granted software patent continues to be a long, frustrating, and expensive process. In just a few years, old software can be replaced even before a patent application is complete. Typically, patent applications take about four years to complete, which is very time consuming for most companies. 

Many companies choose not to patent software because of how difficult it can be. Under the current patentability law in the United States, software patent applications must meet specific requirements to be patent-eligible. The software may be patentable if it improves computer functionality somehow or solves a computing challenge unconventionally. Additionally, software patent applications must be written carefully. The patent may only be eligible if written with a clear focus on the software solution’s technical merits. 

Since patents are becoming harder to obtain, companies turn to trade secret protection.  There are laws to protect trade secrets. To have legal protection, the company must meet specific standards. There are many steps that companies must take to protect their trade secrets, including identifying what needs protection, monitoring where the information is stored, securing computers, providing adequate security, maintaining secrecy with outside vendors, and training employees regarding security policies. 

Throughout the past few years, trade secret litigation in the United States courts has significantly increased. In 2018, Apple was alleged to have stolen trade secrets from Qualcomm and shared them with Intel Corporation after Qualcomm allowed Apple access to its source code and tools for LTE modem chipsets. Last year, Ahead Engineering attempted to sue former employees claiming trade secret misappropriation under state and federal law. Ahead Engineering ended up facing more penalties because instead of putting in its best efforts to protect their trade secrets, they went on an external fishing expedition on its employees. Companies must use their best efforts to protect trade secrets and show these best efforts in court to be protected. 

 


SecureCircle enables companies to meet the various trade secret requirements for legal protection.

Trade secrets such as source code can be automatically protected as part of the developer workflow without developers even knowing additional security was implemented. As source code is checked out of the central repository such as GitHub, the data will automatically be secured. Data remains secure regardless of location. Only authorized users, devices, and applications will be able to access the source code.

Every attempt to access secured source code is monitored.  Compliance and audit teams can see in real-time which users, devices, and files have been accessed.  Unauthorized devices or unknown devices will not be able to access secured source code and will not even be able to download source code from the central repository.

Companies can utilize outside vendors without giving up control.  Typically in other security solutions, the data is left unsecured while the data is being changed.  With SecureCircle, the data is persistently secured: at rest, in transit, and even in use.  Derivatives are automatically secured, including Save-As and copy-paste.  Even as outside vendors are working on source code, companies have the ability to revoke permissions at any time.  If the vendor had copied secured data to a USB drive, the contents would remain secure.

Because SecureCircle works transparently in the background, there is no user training and onboarding required.  Developers work just as they would with insecure data.  Companies can deploy SecureCircle in days.

Review the SecureCircle Securing Source Code on the Endpoint Whitepaper or view the Demonstration video to learn how to:

  • Secure source code on the endpoint
  • Allow access to source code on the endpoint
  • Secure source code within the clipboard
  • Secure newly created and derivative source code
  • Check source code into the repository
  • Revoke access to source code

SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. SecureCircle’s Data Access Security Broker is a reliable and straightforward security architecture that enables customers to secure source code on the endpoint without preventing developers from doing their job. Instead of relying on complex reactive measures, we simply secure data persistently in transit, at rest, and even in use. SecureCircle also reduces cost and reduces complexity by avoiding the need for multiple products, software integrations, and ongoing security controls administration. Unlike many traditional solutions, SecureCircle works on a simple cloud-to-agent delivery model, which means fast and simple deployment, allowing our customers to implement security for their most sensitive data rapidly.


Preventing Palmerworm Espionage
December 4, 2020

An espionage group known as Palmerworm used new malware to attack targets worldwide, including companies in media, finance, construction, and engineering in the US, Japan, Taiwan, and China.

In some cases, Palmerworm maintained a presence on compromised networks for more than a year using 'living-off-the-land' tactics. These attacks take advantage of legitimate software so as not to raise suspicion that something might be wrong. The malware also uses stolen code-signing certificates in the payloads to make the malware look legitimate.

Researchers cannot see what Palmerworm is exfiltrating from their victims, but the group is considered an espionage group and is likely motivated by stealing information from targeted companies.

The Palmerworm attack is similar to standard ransomware in which the thieves steal your data and ask for a ransom to block releasing your data to the public. In this case, the difference is the attackers already see value in your data and know how to monetize it without asking for a ransom. An attack of this nature could go on indefinitely if not caught.

SecureCircle will not prevent the attackers from installing malware and exfiltrating data from the company. There are Endpoint Detection and Response (EDR) solutions that will avert suspicious attacks. One of the known victims was able to detect the attack within two days with proper security in place.

SecureCircle will secure your data so your confidential internal data will not be accessible by the attackers or anyone in the public should the files be released.  Data is persistently secured at all times, including at rest, in transit, and in use.  Even if files transfer outside of the company, unauthorized users will never access the encrypted data.

In the Palmerworm case, the attackers used typical applications for reconnaissance, compression, and remote transfer. WinRAR was used to compress data to make the data easier to transfer. PuTTY was used to open remote connections and transfer the data. With SecureCircle, these applications would not be allowed to access the encrypted data within files by default. These applications typically move data. Similar applications like email clients and web browsers would also not have permission to read the secured data. Applications that are not enabled to view encrypted data can only move encrypted data. Applications such as Excel would have permission to read the secure data. SecureCircle can provide granular permissions beyond devices and users. SecureCircle can authorize access to secure data by application and network as well.

Another significant benefit of SecureCircle is the rapid time to deployment.  SecureCircle is transparent to end-users and doesn't change user or business workflow, unlike other security solutions.  Without impacting users, companies can secure all their data by default rather than selecting only the most crucial data.  By not having to discover or classify data, companies implement SecureCircle quickly by defining data sources such as SaaS applications, file servers, or specific applications on user devices such as CAD, Adobe, or source code applications.

SecureCircle helps eliminate data breaches from malicious external attacks such as Palmerworm and malicious and accidental insiders.


Zero Trust Data Security Webcast
December 4, 2020

Security Weekly hosts and SecureCircle's CEO, Jeff Capone, discuss Zero Trust Data Security. SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. Ensure all your data is secure, without impacting the business.

Where's Your Data? Who Cares!
November 30, 2020

App, User, and Data, but it's all about the data!  Discovering and classifying data to protect it is tough.  What if you can protect all of your data? Jeff Capone, CEO and Co-founder at SecureCircle, joins Security Weekly to discuss how to protect all of your data and stop asking "Where's your data?". If we can protect everything, who cares where it is, as you continue to maintain control!

Zero Trust DLP Webcast
November 17, 2020

Security Weekly hosts and SecureCircle dive into Zero Trust DLP. Zero Trust Data Security is a very popular security architecture that is being adopted by many organizations. A zero-trust solution requires the owner of the data to always be in control at all times. The owner is in control of all of the networks, devices, users, and data.

Quanta Storage Inc. Secures Customer Intellectual Property
November 30, 2020

Quanta Storage Inc. (QSI) is a worldwide leader in OEM and ODM services to the world’s leading consumer electronics brands with headquarters in Taoyuan City, Taiwan, and factories and offices worldwide.


The Challenge


QSI obtains customer intellectual property (IP) such as designs, roadmaps, costs, legal documents, and schedules. Customers are concerned about the safety of their IP. The IP includes traditional Office files, source code, mechanical design files, photos, videos, and more.


QSI’s customers are some of the most recognized consumer electronic brands globally. Customers are concerned data may leak to their competitors, which are also QSI customers, or to the public.

Additionally, QSI creates its internal intellectual property, such as design and source code files for designs and products which QSI owns and needs to secure.

The Solution


QSI evaluated many encryption and data loss prevention solutions before selecting SecureCircle. The alternative solutions could not protect any file type and impacted QSI employees with workflow changes.

“SecureCircle was selected because their technology applies to data regardless of where the data is stored or what applications are used,” said Luis Chuang, Associate Manager. “Two critical requirements for QSI is support for all platforms including Windows, Mac, and Linux and to support any application and file type, including native design files.”

SecureCircle ensures sensitive customer intellectual property (IP) is protected when customers share data with QSI. Customers upload data to a secure FTP location. The data is automatically secured on upload and added to the customer-specific Circle. Customer data is segregated from other customers, so data cannot accidentally or maliciously leak from one customer to another. Employees do not have access to customer Circles with which they are not directly involved.


SecureCircle secures QSI’s internal confidential information, including business, design, and manufacturing data. QSI is able to secure data across multiple sites, including its headquarters in Taiwan, as well as major factories in China and Thailand. SecureCircle authenticates users across multiple Active Directory servers distributed throughout their global footprint.


SecureCircle secures software source code throughout the development process. Developers code on Windows, Mac, and Linux devices using the approved IDE (Integrated Development Environment) applications without any change to the workflow.


QSI is able to secure data without additional operational overhead. Unlike other DLP solutions, QSI is not required to discover and classify data prior to securing it. There is also no need to create or maintain DLP policy rules since SecureCircle secures all data by default.

The Outcome


Due to the OEM and ODM industry’s sensitive and competitive nature, QSI strives to achieve the highest data protection level to ensure internal IP and customer IP are always protected.

QSI has deployed to employees around the world, securing IP while not impacting employee or business workflows. There has been no additional management overhead since SecureCircle leverages the Active Directory groups, which were already maintained to grant access to file servers and other resources.


SecureCircle transparently secures data from internal and external threats, including accidental sharing, lost/stolen devices, shadow IT, and rogue employees.

To learn more, contact your Data Access Security Broker expert at sales@securecircle.com or 408-827-9100.

Securing Source Code on Endpoints
December 13, 2020

Securing source code from loss or theft has historically been challenging because few security options deliver effective protection without impacting developer productivity. For many businesses, source code is an extremely valuable asset, yet to enable productivity it has to be copied onto developer endpoints in plain text formats, making it difficult to keep this asset secured and monitored.

SecureCircle’s Data Access Security Broker (DASB) is a simple and reliable security architecture that enables customers to secure source code on the endpoint without preventing developers from doing their job. DASB protects against both insider threat and accidental data loss without constraining developers to a particular IDE or build tools.

When deployed in a best practice configuration, SecureCircle can secure source code on endpoints without development teams needing to change how they operate or interact with code, IDEs, and development tools. This whitepaper focuses on SecureCircle best practices for securing source code in development environments.

High Level Architecture

The most common approach to managing and working with source code is to leverage one or more code repositories that are considered the source of truth for a given development project. The code repositories provide functionality that simplifies managing various versions of code, branches, and releases.

In development environments, it is common practice for developers to copy code onto their endpoints (Mac/PC/Linux) using a pull or checkout process. This checkout or pull operation lets developers move code directly to their local endpoint for the fastest and most reliable development experience when working with code.

SecureCircle ensures source code is persistently encrypted when it moves to the developers’ endpoint without impact to developers and their tools so businesses always remain in control of their source code regardless of where the code resides.

Securing Source Code on the Endpoint

When SecureCircle has been configured to best practice, source code is secured as it moves from the code repository to developer endpoints. Specifically, the client process (e.g., git, svn) on the developers’ system is configured as a Secure Process. When the Secure Process copies or writes source code files to the developer endpoint, the SecureCircle agent ensures the source code within the files is encrypted at all times and remains secured even in use.

An additional layer of security recommended by SecureCircle is to use SSH as the transfer protocol for any pull operations from the code repository. Not only does this ensure source code is encrypted in transit, it also allows the private SSH key file on developers’ endpoints to be managed by SecureCircle. By securing the key with SecureCircle, access to both the source code on the endpoint and the repository over the network can be revoked when disabling a user or device. When access to the code is revoked, it can no longer be read on the endpoint by any process. Similarly, the endpoint will no longer be able to make requests to the repository, as the SSH key that grants access to the code repository is also unreadable.

All secured source code on developer endpoints is monitored. When applications and processes attempt to access the source code, the attempted actions can be logged in a SIEM for further analysis.

Allowing Access to the Source Code on the Endpoint

Source code within files that have been checked out by an approved developer on an approved endpoint, by an approved process, is always kept in an encrypted state. Not only is the code always encrypted, but only approved IDEs and compilers are granted access to the code within the file. Other processes on the developers’ endpoint can’t access the plain text version of source code unless explicitly approved.

When an approved IDE opens source code, it reads plain text, yet the file is never decrypted. The source code is kept within the IDE and other approved processes, such as alternate IDEs. Compilers can also be approved applications and read plain text within the secured file, so that compilation succeeds without any change to the developers’ normal workflow or to the build tools.

In general, processes that consume data on the endpoint are either considered an Allowed Process, which is granted permission to read the content within files, or a Denied Process, in which case they are forced to read the encrypted version of the bytes. Transport tools such as Windows Explorer, Mac Finder, email clients, and file sync clients (e.g. Dropbox) are all recommended to be Denied Processes, which means these processes can transport secured files but never read the plain text contents.

Securing source code within the clipboard

It is common to use the clipboard in the operating system to move data from one location to another. In source code development, the ability to copy and paste is an important tool for productivity. With SecureCircle, developers are free to copy and paste within and between Allowed Processes. However, if a developer attempts to paste code from an Allowed Process to a Denied Process, the operation will be blocked. By controlling copy and paste in this way source code can be blocked from being exfiltrated into unapproved applications and processes that are considered high risks, such as email clients or web browsers.

Securing newly created and derivative source code

When new source code files are created, they can either be secured by default, as part of a Secure Process, which secures every new file created or they can be secured based on the content of the code being a derivative of source code that was previously secured by SecureCircle.

By enabling Secure Derivative, similarities within data across files will be detected. When a new file is created with similar contents to an existing file, it will be automatically secured with the same policies as the original file and transparently encrypted to allow the security to move with the data. When source code is copied from one file to another within an Allowed Process, Secure Derivative ensures the file that receives that code will inherit the security of the file that contained the original code.

Checking source code into the repository

When checking code back into the code repository, the process on the developer endpoints can be set as an Allowed Process, which removes the encryption from the bytes within the source code as it is sent to the code repository. The source code files are encrypted in transit through SSH but are then stored in plain text format within the source code repository, which allows standard server-side tools within the code repository to continue to operate as expected. When a developer checks out the code in the future, it will be secured as per the original method described above. SecureCircle recommends that security controls be implemented on the repository to complement the code workflow described in this whitepaper.

Revoking access to source code

In the event that access to source code needs to be revoked, SecureCircle allows the ability to disable access to source code on endpoints by user, group, or device.

When access to data is disabled, the data is no longer accessible to the user, group or device implicated, regardless of where the data resides. Attempts to access the source code on a device that had access revoked will be denied, and these attempts will be logged. Additionally, the ability to copy source code from the repository will also be revoked, as the SSH private key file will no longer be accessible to the clone process on the developer’s endpoint. Removal of access to source code can be effective within seconds based on the configuration of time to live (TTL) settings within the SecureCircle service. Finally, access to any additional copies or derivatives will also be revoked even in the event they were copied onto removable media.
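The Allowed/Denied Process decisions, the clipboard rule and the TTL-bounded revocation described in the sections above, as an added Python model. It is not SecureCircle code: the class, the process and device names, the toy cipher, and the assumption that an endpoint caches a grant for one TTL are all hypothetical.

```python
import hashlib


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the agent's file cipher (SHA-256 counter keystream).

    Illustration only, not a production cipher. XOR makes it its own inverse.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class AccessBroker:
    """Hypothetical model of the per-process access decisions described above."""

    def __init__(self, allowed_processes, ttl_seconds):
        self.allowed = set(allowed_processes)  # Allowed Processes: may read plain text
        self.ttl = ttl_seconds                 # assumed: lifetime of a cached grant
        self.revoked = set()                   # users or devices disabled centrally
        self._cache = {}                       # (user, device) -> (granted, expires_at)
        self.events = []                       # records that would be sent to a SIEM
        self._key = b"constructed-demo-key"    # constructed sample key

    def protect(self, plaintext: bytes) -> bytes:
        return _xor_keystream(self._key, plaintext)

    def revoke(self, principal: str) -> None:
        self.revoked.add(principal)

    def _granted(self, user, device, now):
        # A cached decision is honoured until it expires, so a revocation
        # takes effect at most one TTL after it is issued.
        cached = self._cache.get((user, device))
        if cached and now < cached[1]:
            return cached[0]
        granted = user not in self.revoked and device not in self.revoked
        self._cache[(user, device)] = (granted, now + self.ttl)
        return granted

    def read(self, stored, process, user, device, now):
        if process not in self.allowed:
            # Denied Process: can move the file, only ever sees encrypted bytes.
            self.events.append((now, user, device, process, "ciphertext"))
            return stored
        if not self._granted(user, device, now):
            self.events.append((now, user, device, process, "denied"))
            raise PermissionError(f"access revoked for {user} on {device}")
        self.events.append((now, user, device, process, "plaintext"))
        return _xor_keystream(self._key, stored)

    def paste(self, source, target, now=0):
        # Only Allowed -> Denied is blocked; other directions are permitted.
        blocked = source in self.allowed and target not in self.allowed
        self.events.append((now, None, None, f"{source}->{target}",
                            "paste-blocked" if blocked else "paste-ok"))
        return not blocked


def walkthrough():
    """Run the scenario on constructed input; return step outcomes and event types."""
    broker = AccessBroker({"ide", "compiler"}, ttl_seconds=30)
    source = b"int main(void) { return 0; }\n"  # constructed sample file
    stored = broker.protect(source)
    steps = [
        broker.read(stored, "ide", "dev1", "laptop1", now=0) == source,
        broker.read(stored, "file-sync", "dev1", "laptop1", now=0) == stored,
        broker.paste("ide", "browser", now=1),
    ]
    broker.revoke("laptop1")
    # Inside the TTL window the cached grant still applies.
    steps.append(broker.read(stored, "ide", "dev1", "laptop1", now=10) == source)
    try:
        broker.read(stored, "ide", "dev1", "laptop1", now=31)
        steps.append("still readable")
    except PermissionError:
        steps.append("denied")
    return steps, [event[4] for event in broker.events]


if __name__ == "__main__":
    print(walkthrough())
```

The read at `now=10` succeeding after `revoke()` is the point to take to a deployment review: under this caching assumption the TTL is the upper bound on how long a disabled device keeps plain text access.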

Conclusion

SecureCircle allows businesses to create workflows that automatically secure data as it moves to endpoints. By deploying SecureCircle, source code is encrypted within files as they are pulled out of source code repositories with no impact to developers or the tools they use. Source code is always kept in an encrypted state, and only approved applications can access and modify the plain text code. Access to source code can be revoked at any time, regardless of where the secured source code files are being stored. Keeping data encrypted within any type of file without impacting developers or developer tools is what makes this approach to source code security unique. At SecureCircle, we believe that frictionless data security drives business value for our customers by providing persistent protection against accidental exfiltration and insider threat. For more information on how we approach data security, please visit our website www.securecircle.com.

Conditional Data Access for Endpoints
October 29, 2020

Security Weekly hosts and the CEO of SecureCircle, Jeff Capone, dive into how we can have conditional data access for endpoints. "Most folks think about using Conditional access for SaaS applications or access to specific data sources. However, once that data is accessed, how do you continuously enforce conditional access 'to the data' on an endpoint?"

SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. At SecureCircle, we believe frictionless data security drives business value for our customers. End users operate without obstacles, while data is continuously secured against breaches and insider threats. Instead of relying on complex reactive measures, we simply secure data persistently in transit, at rest, and even in use.

Cybersecurity isn't Going to Work Until it is Simple
October 28, 2020

IBM recently reported in its fifth annual Cyber Resilient Organization Report 2020 that the average enterprise deploys 45 cybersecurity tools. Additionally, enterprises using over 50 tools ranked themselves 8% lower in their ability to detect threats and 7% lower in their defensive capabilities. Having more tools is not helping. It is causing more harm.

Enterprises often deploy multiple tools in the same category because one tool handles specific use cases the other cannot.

The idea of a converged solution is Gartner's Secure Access Service Edge (SASE). SASE aims to offer four benefits to organizations:

·   Reduce IT cost and complexity

·   Deliver a great user experience and high productivity

·   Reduce risk, with fewer data breaches

·   Improve compliance with broader visibility and control

SASE replaces point products such as DLP (data loss prevention), SWG (secure web gateway), NGFW (next-generation firewall), VPN (virtual private network), CASB (cloud access security broker), and Routers with services:

·   Web Security

·   Cloud Security

·   Network Security

·   Data Security

·   Advanced Threat Protection

·   Zero Trust Network Access

So if 50 and 45 are not the right number of tools, how many are needed? Let's focus on one of the critical tenets of SASE or any similar architecture: data security. Let's define data security as ensuring that sensitive data never leaves the organization.

Data security has failed because it monitors data only within the deployed environments, such as network, endpoints, and cloud. Legacy solutions relied on technology designed for on-premise perimeters and later extended and adapted to cloud use cases and loaded with features, disjointed policies, configurations, and workarounds. Data security has become very complex, difficult to deploy and manage at scale, and too expensive.

SecureCircle is a cloud-delivered solution based on the data itself. Policies are applied uniformly to protected data at rest, in transit, and in use regardless of location. SecureCircle deploys many of the principles of SASE.

·   Intrusion protection - SecureCircle logs all data access attempts for SOAR (security orchestration, automation, and response). Rich metadata is available, including user, application, device, location, and much more.

·   Content inspection - Unknown data is scanned to determine the digital DNA (dDNA) within the file. If dDNA is similar to other protected data, SecureCircle protects the new data with the same permissions as the original data. Additionally, SecureCircle can monitor data patterns and automatically protect PII, PCI, and other pattern identifiable data.

·   Malware protection & application access - Application policies determine which applications are allowed to access protected data and block unauthorized or unknown processes from touching data. SecureCircle automatically protects all data from critical applications such as finance tools or design software like Git or AutoCAD.

·   URL filtering & firewalling - Firewall policies to allow or reject data transfers. Policies are granular to the application level. Automatically protect data transferred from specific URLs such as HR data from Workday.com or sales data from Salesforce.com.

Benefits of SecureCircle

·   Transparent to end-users. Authorized users will not even notice SecureCircle is protecting data in the background. Users follow their existing workflows. SecureCircle supports any application and file type without changing the file name or extension or modifying the application.

·   Reduce operational overhead compared to legacy solutions. All policies are managed by exception, not by rule. This removes security tasks such as discovery and classification, which were required by legacy solutions.

·   Cost savings. SecureCircle focuses on protecting data in today's distributed environment. Licensing cost is much lower than legacy tools, and there is no dependency on discovery or classification tools. Reduction in operational overhead saves hundreds of hours used to create and maintain policies and classification states.

·   Zero trust approach. SecureCircle verifies user, device, application, network, and other factors for authorization and automatically protects data based on workflow, content, pattern, and context. For example, ransomware applications will not be able to read the contents of protected data.

·   Visibility and orchestration. SecureCircle provides unparalleled visibility to data access as well as data modification patterns. The comprehensive monitoring allows for automated orchestration tools to disable suspicious devices or notify administrators of potential ransomware applications trying to access data.

SecureCircle's Zero Trust data security allows enterprises to deploy a data security solution that relies on a scalable and straightforward architecture that enables lower operational overhead and a transparent end-user experience.


Cybersecurity Breakthrough Award
October 29, 2020

In the 4th annual Cybersecurity Breakthrough Awards 2020, SecureCircle was recognized as the top Enterprise Encryption Solution of the Year. SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. At SecureCircle, we believe frictionless data security drives business value for our customers. End users operate without obstacles, while data is continuously secured against breaches and insider threats.

National Cybersecurity Awareness Month
October 19, 2020

Now that work, school, and many other aspects of life have shifted online this year, it is vitally important that we remember to take cybersecurity precautions. Working from home introduces many new challenges for companies because their data is now in multiple locations on different devices. Since October is National Cybersecurity Awareness Month, SecureCircle wants to remind you that data breaches are still increasing.

For starters, the average cost of a data breach is now 8.64 million dollars, which is a 5% increase since 2019. Internal actors account for 31% of data breaches in North America. When working from home, many employees tend to abandon security practices and expose company information due to negligent or malicious acts. 76% of companies that have experienced a data breach have said that remote work would increase time to identify breaches. Legacy security tools do not work. 

Cybercriminals have many advantages when it comes to a remote workforce. In most cases, home setups are often insecure. Most of them lack a defense-in-depth approach, such as using VPNs, antivirus solutions, firewalls, and intrusion prevention systems to protect data in residential environments. While at home, employees also tend to use several devices, leading to multiple potential entries for threats. Overall, there are so many more cracked doors for cybercriminals to open and attack. With a Zero-Trust data security solution, companies will steer clear of data breaches and cybercriminals. 

At SecureCircle, we believe frictionless data security drives business value for our customers. We deliver a security service that simplifies Zero Trust data security on endpoints. Customers use SecureCircle for four key reasons:

1) Remove users from the security process

2) Transparent and frictionless to users and applications

3) Reduce cost and complexity

4) Rapid and simple deployment

SecureCircle secures a wide range of use cases, but we focus on three primary ones:

1) Source Code Protection

2) Zero Trust data security for SaaS

3) User-generated intellectual property

With SecureCircle, companies proactively keep all of their data secure without impacting user or business workflows. Instead of relying on complex reactive measures, SecureCircle simply secures data persistently in transit, at rest, and even in use.

Jeff Capone of SecureCircle: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
October 15, 2020

As part of Authority Magazine's series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, the CEO of SecureCircle, Jeff Capone, is interviewed by Jason Remillard. Capone shares his own experiences and tips that many organizations can use to enhance their own data privacy and cybersecurity.

Jeff Capone's "5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity":

  1. Zero Trust Data Security.
  2. Impose control around users, data, devices, and networks.
  3. Make sure to have visibility.
  4. Users should not be part of the security process.
  5. Look for the latest and greatest technology because security changes rapidly.

Read the full interview at Authority Magazine

The Real Enterprise Data Protection Problem: CAD files and Other Legacy Apps Data
October 15, 2020

Talk to any enterprise CISO and you quickly learn that despite all the DLP and encryption solutions that focus on protecting office files, the real problem that nobody talks about is protecting highly valuable data in non-office file formats:

  • Automotive, manufacturing and industrial enterprises rely heavily on the CAD design data format to store and exchange critical IP
  • Healthcare exchanges data in proprietary billing and patient record formats exported from Electronic Medical Records systems
  • Media and design enterprises put their most valuable IP into MOV and MP4 files, Photoshop PSD files and other media formats
  • Source code used more and more by large enterprises as part of their digital transformation contains valuable IP
  • MS Visio and MS Project formats - even Microsoft offers little to protect these critical forms of IP

Even worse, the majority of large enterprises also rely heavily on line of business ERPs like SAP, as well as their own legacy or home-grown line of business applications at the core of their operations. When data is exported from those applications whether for sharing internally or externally, that is an immediate threat to the business. 

Imagine a legacy CAD tool that produces an enterprise’s key industrial designs, but the editor is no longer supported by the vendor. Or a home-grown content authoring tool that no longer has an in-house development team. These legacy applications are so entrenched in business workflows that changing to another application for security reasons is unrealistic, so the enterprise has no choice but to find a data protection solution… or simply operate with no protection.

Compound this with sharing data between more remote workers and more data sharing with 3rd party vendors, and your most valuable data is simply pouring into the wrong hands at an alarming rate.

Traditional DLP Is Not Enough

Most enterprises have a data loss prevention (DLP) solution in place, but despite this data breaches still happen at an alarming rate. The root cause is simple: DLP lets all data flow by default and attempts to only selectively identify, classify and block sensitive data from falling into the wrong hands. But identifying sensitive data to protect is extremely error-prone. A DLP might be able to spot highly structured, pattern-oriented data like credit card numbers and social security numbers (though even that is not always true). But DLP will miss most forms of intellectual property like product designs, manufacturing blueprints, corporate IP, employee personal information, HR information, etc. This is because IP is rarely in a machine-detectable format like a credit card, and it is often housed in non-office formats like CAD, PSD, image files, source code, as well as legacy and proprietary formats that DLP doesn’t handle. 

No wonder half of all manufacturers experienced a data breach in the last year! 

Other traditional data protection technologies attempt to augment DLP to solve the issue, but are clearly ineffective as data leaks are still rampant. Manual classification, for example, puts the identification of IP in the hands of employees. However, employees are busy, make error-prone decisions, and may even represent an insider threat. Cloud Access Security Broker (CASB) and Digital Rights Management (DRM) are dependent on accurate identification of data as well, rendering them as inaccurate as DLP. And none of these solutions have true support for non-office data formats anyway.

Specialized Solutions for Different Forms of IP

There are security solutions marketed specifically for source code, or specifically targeted at protecting CAD designs. This may be the best way to address an urgent use case for a particular type of sensitive data.

Buyer beware, however: 

  • Many of these solutions are marketed as if specialized, however under the hood they simply use the same age-old techniques that have made DLP ineffective.
  • Purchasing solutions that are specialized in one use case may create additional integration and maintenance challenges.
  • There may not be a specialized solution for legacy or home-grown data formats.

DASB Solves the Enterprise Data Protection Problem

SecureCircle's Data Access Security Broker (DASB) is a specialized solution that addresses the unique needs of intellectual property data protection in any data format - CAD, PSD, Visio, MOV, etc. 

DASB achieves this in 3 ways:

  1. DASB’s default is to protect data, rather than allow data to flow. Much like a firewall that protects by default and only allows by exception, DASB protects any specialized IP by default. This is very different from DLP’s heavy and error-prone data classification techniques. 
  2. DASB is completely transparent to the end-user. DASB is able to protect by default because it can do so without the end-user even knowing that it is working behind the scenes. 
  3. DASB protects all types of data. Not just office files, but all formats including source code, specialized CAD, MOV and other formats, even home-grown and legacy data formats. 

DASB achieves this by adding an invisible layer of indirection between the user and the data, just as HTTP became HTTPS by adding a layer of security over all exchanges on the web, regardless of the type of content served in your web browser.

When it comes to legacy and home-grown client/server and web applications, DASB is agnostic to applications. Security is applied with zero change to the application and no impact to existing integrations or workflows.

And when it comes to users creating, copying and importing new data into the enterprise, DASB is data-centric.  DASB follows data as it moves from file to file and application to application to automatically protect derivative work without any user intervention and regardless of format including CAD, images, and health records.

A Specialized Solution, For All Data Types

CISOs who have already invested in DLP but still have a laundry list of unprotected data use cases need not worry. This is the sad norm. DASB is a specialized solution that can immediately solve a specialized data protection use case such as CAD manufacturing designs, media files, images, and homegrown and legacy data formats. DASB is fast to deploy and works in a way that is invisible to users and other security tools, so there is no need for custom integrations or changes to your process. An enterprise that deploys DASB will solve their data use case in days, not years.

But DASB is a paradigm shift that works for any data, allowing it to take on more and more use cases as needed, to evolve with the needs of your data protection strategy, rather than leaving you buying a separate product for every situation that comes up. 

What is your data protection use case? Put specialized DASB to the test. 

