Blog

Browse our blog to see what our experts are talking about, and for insights on the latest cyber security trends impacting your business.

Zero Trust DLP
February 25, 2021

Zero Trust Data Security is a prevalent security architecture being adopted by many organizations today. A zero-trust solution requires the owner of the data to be in control at all times. Before Zero Trust protection was even in the picture, DLP was the leading data security solution. There were many flaws in how organizations used DLP, and because of that, data was still not fully secure. SecureCircle’s Data Access Security Broker changed the whole paradigm of having to classify whether data is sensitive, medium, or public. With SecureCircle, this concept no longer matters because all of your data is protected no matter what. SecureCircle takes a Zero Trust Data Security approach to ensure that data is secure at all times without any limitations.

At SecureCircle, we believe that frictionless data security drives business value for customers. The top four reasons customers trust and choose SecureCircle are:

  1. We remove users from the security process.
  2. We are transparent and frictionless to users and applications.
  3. We reduce costs and complexities.
  4. Deployment is rapid and simple.

SecureCircle secures the data right at the source so that it is secure throughout its whole journey. Throughout that journey, the data is encrypted regardless of whether it is at rest, in transit, or in use. Unlike DLP, at no point during this process does the user have to identify whether the data is important or sensitive. Even though classification is important, it should not interfere with how your data is being protected. With Zero Trust protection, everything is always protected no matter what. Because Zero Trust protection is completely transparent, there is no interference with user behavior or applications. Visibility is key when protecting data, and it is something that DLP did not have.

Another advantage of DASB is that our solution is very cost-effective. Many organizations believed that DLP was a very expensive solution that did not guarantee data security. DASB reduces many of the complexities that came with DLP. Setting up all of the policies of DLP could be a massive time and money investment. Unlike many traditional solutions, SecureCircle works on a simple cloud-to-agent delivery model, which means a fast and straightforward deployment.

SecureCircle’s Zero Trust Data Protection solution covers everything DLP was able to solve and more. Companies worldwide spent billions of dollars on DLP technology, hoping that it would solve their intellectual property protection problem. However, this was not the case: there were many flaws, and evidence that it just did not work. DASB is the “new new” when it comes to data protection because it simply protects your data no matter what.


Microsoft AIP Doesn’t Measure Up
February 16, 2021

Data security is a measure-twice, cut-once type of activity. Mistakes in data security are expensive. IBM's recent Cost of a Data Breach report states that the average data breach in the US costs companies $3.84 million. Many data security solutions have a fatal flaw that creates a risk of data loss (see Move Beyond DLP's Failures). What are the failures of Microsoft's Azure Information Protection (AIP)? AIP fails in three ways:

· Security is only transparent for Microsoft Office applications.

· Data classification relies on users.

· After identification or classification, AIP doesn't protect data immediately.

Security is only transparent to Microsoft Office or RMS-enlightened applications.

Securing data in the Microsoft walled garden works. The real world, however, is made up of applications beyond Microsoft. Like DLP, AIP only supports native Microsoft applications or applications that have the Microsoft RMS SDK integrated. Once you introduce external applications and file types, security looks more like file encryption. File encryption can keep data safe in transit or at rest. The flaw with file encryption is that users must decrypt the file for use. And once the user decrypts the file, security relies on the user re-applying encryption after using it.

Data classification relies on users.

Similar to DLP, AIP requires users to become part of the security process. People are fundamentally prone to make mistakes. Even the most diligent employees will still classify based on their best interpretation of the data. As discussed previously on Forbes.com “Data Loss Prevention’s Classification To Security Gap”, data is in constant motion. The only way to correctly classify information is to monitor the data and automatically label and secure it based on content.

Security not applied during classification

Microsoft's AIP documentation recommends that confidential and highly confidential data tags are secured immediately while internal and public tags are not. By not securing data during classification, data labeled Internal or Public today could evolve to confidential information while the label remains Internal. Eventually, users can accidentally or maliciously send files outside the company. Why not secure all data by default?

Companies should not have to measure twice and cut once. By removing employees from the security process, securing all data immediately on the endpoint regardless of classification tag, and ensuring security can protect all types of data from any application, companies can finally reduce their data loss risk.

SecureCircle is compatible with all file types and applications without any modifications to workflows or applications. Custom enterprise applications with unique file types are secured in the same way as a .docx Microsoft Word file.

Unlike AIP or other DLP tools, SecureCircle does not require any security decisions from the user. Data is automatically secured using content and contextual information. Securing data by content includes protecting data similar to previously protected data or securing a specific class of data such as PII, PCI, or PHI. Examples of contextual security:

· Securing data downloaded from Salesforce.com

· Applying security to locations such as the Finance folder on a central file server

· Automatically securing all output from Excel or Visual Studio

Because SecureCircle is transparent to users and workflows, SecureCircle secures data immediately upon detection. Unlike legacy solutions, which only apply security when users try to transfer data from the endpoint, SecureCircle's persistent data security works at rest, in transit, and in use.

SecureCircle - no measuring required - transparent continuous automated data security.

HIPAA & NIST 800-111
February 1, 2021

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule.

The Privacy Rule standards address the use and disclosure of individuals' health information (known as "protected health information") by entities subject to the Privacy Rule. These individuals and organizations are called "covered entities." The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used. The Privacy Rule's primary goal is to ensure that individuals' health information is adequately protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Privacy Rule strikes a balance that permits essential data uses while preserving the privacy of people who seek care and healing.

The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:

·  Healthcare providers

·  Health plans

·  Healthcare clearinghouses

·  Business associates

HIPAA requires data at rest to be secured according to NIST 800-111 and data in motion to be secured according to NIST 800-52, NIST 800-77, or FIPS 140-2. Standards-based Transport Layer Security (TLS) secures data in motion, so organizations don't have to decide how to implement transit security. Organizations have multiple options for meeting 800-111.

What is NIST 800-111?

NIST 800-111 is a Guide to Storage Encryption Technologies for End User Devices. It is a dated standard that describes the encryption technology options available. SecureCircle's Data Access Security Broker (DASB) didn't exist in 2007 when NIST created the specification. DASB has since helped numerous organizations meet their HIPAA requirements.

While meeting the requirements may not be a challenge, ensuring an organization receives value on their implementation is. All the solutions listed below can help companies secure data from threats involved in lost or stolen devices. Some of the options can also prevent OS and application layer threats such as malware and insider threats.

Some solutions offer portable encryption that remains compliant between devices when sharing files across operating systems such as Windows and Mac.

SecureCircle is the only solution that allows a customizable data encryption scope based on the customer's requirements. Customers can select to secure data files only or all data.

SecureCircle is also the only fully transparent solution that provides portability. End-users use existing applications and workflows without any change. There are no additional steps to decrypt files before working with the data. Any application, any file type, and any file size is supported. Customers deploy SecureCircle quickly since no end-user training is required.

Contact SecureCircle to find out how DASB helps organizations meet compliance requirements such as HIPAA.

The Zero Trust Data Journey (0 to Zero Trust in 2 steps)
February 1, 2021

What is Zero Trust?  Many companies have adopted Zero Trust as their security framework.

Zero Trust requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. The simplified explanation is 'Trust no one and secure everything, including data, by default.'

Zero Trust has four key pillars that map directly to Zero Trust solutions: People, Networks, Workloads, and Devices. But what about Data?

Legacy endpoint DLP (Data Loss Prevention) solutions don't secure data by default and should never be considered Zero Trust. Legacy DLP solutions only block or encrypt data that tries to leave the endpoint/device. External attacks such as the Palmerworm take advantage of this lack of security. Another large security gap is internal users avoiding security because protection such as legacy DLP hurts their productivity. Employees will find ways to work around security to improve their productivity. Employees discover workarounds because legacy DLP requires an extensive library of rules and policies that need to be continuously updated. Security administrators play whack-a-mole with new applications, SaaS vendors, and more.

To deploy Zero Trust Data Security, companies need a solution that doesn't impact users and workflows and protects data by default. The only solution in the market that meets those requirements today is SecureCircle.

SecureCircle is transparent to users and workflows. Users continue to use the same applications without any knowledge that an additional security layer is active. There is no change in file names or extensions, and SecureCircle has no limit on file size. Due to the transparent nature of its security, SecureCircle can secure all data by default.

Data security from Zero to Zero Trust in 2 steps

1.  Deploy SecureCircle agents to all your devices similar to AV (Antivirus), EDR (Endpoint Detection Response), or any other software update.

2.  Apply security policies to users, devices, data sources, data types, applications, networks, and more (examples below).

·  Data Source: secure all data downloaded from Salesforce.com and only allow users from the 'Sales' group in Active Directory or Okta to access the data.

·  Data Source: automatically secure source code from GitHub and only allow users from the 'Engineering' group to access the data.

·  Content: select data sets to secure when detected, such as PII (Personally Identifiable Information), PCI (Payment Card Industry), and PHI (Protected Health Information).

·  Application: create a list of applications that are allowed to access secured data.

·  Application: automatically secure any output from git.exe.

·  Network: Block Microsoft Word from saving unsecured data to OneDrive or SharePoint.

Let employees continue their work without any change to the workflow, and remove employees from the security process.

Deploying legacy DLP takes months to set up and requires significant resources to upkeep. With SecureCircle, companies see value within days or weeks. Since SecureCircle's security is transparent, there is no training needed for employees. Ongoing maintenance doesn't require creating new and updating existing DLP rules. SecureCircle policies only need to change when data egress policies need to change. SecureCircle Zero Trust data security for endpoints doesn't impact users and workflows and protects data by default.

Start your Zero to Zero Trust journey by contacting info@securecircle.com.

Where's Your Data? Who Cares!
January 25, 2021

Discovering and classifying data to protect it is challenging. Many of us tend to wonder, “Where is our data?” However, what many of us do not realize is that it does not matter where our data is, but how it is being protected. By having a Zero Trust Data Security solution in place, such as SecureCircle, your data will persistently be protected no matter where your data is. 

Having all of your data protected can be very beneficial to an organization. Human error is one of the most unfortunate causes of data breaches. Protecting data at all times removes the human element. It can be challenging for many organizations to continually ensure that data does not egress to the wrong parties. One of the most significant flaws in many organizations is relying on people to do the right thing. Many of us may take data out without even realizing its value or extending the proper protections. Secured data removes the need to know where the data is. Data is always encrypted regardless of whether it is at rest, in transit, or in use. At no point do users need to, or should they be able to, decide what data is important or sensitive, because the data is simply protected by default.

What we mean by “Where’s your data? Who Cares!” is that, as humans, many of us just do not care. An organization’s employees may just want to get their job done and not worry about a data breach or their security decisions. With SecureCircle, the organization can transparently secure their data without any interference in their workflow. When data moves onto endpoints, SecureCircle transparently encrypts the data in a way that is invisible to both users and applications. This transparent approach means that user behavior does not need to change, and applications do not need to integrate in any way to take advantage of the control and security that SecureCircle delivers. This approach also takes a burden away from the employee and allows them to focus more on getting their job done rather than constantly worrying about protecting their data. 

Organizations are better off leaving the human element behind when it comes down to protecting their data. The majority of employees are not security professionals, and because of this, it can cause disruption if the correct security measures are not in place. SecureCircle’s Data Access Security Broker allows organizations to have frictionless protection over their data at all times. No matter where data is stored, it will always be secured.


Move Beyond DLP's Failures
February 2, 2021

DLP (Data Loss Prevention) solutions haven’t stopped data breach growth. IBM reports the average total cost of a data breach reached $3.86 million USD in 2020. DLP solutions only block or encrypt data that tries to leave the endpoint. Hackers have used malware and ransomware like the Palmerworm to take advantage of this lack of security. Data security should focus on persistently securing data wherever it goes. Data should be secured regardless of location, which means data must be secured by default.

Another large security gap for DLP is that internal users will find ways to work around any security solution that impacts their ability to work effectively. Workarounds are possible because DLP requires an extensive library of rules and policies that need to be continuously updated. Security administrators play whack-a-mole with new applications, SaaS vendors, and more.

SecureCircle’s Data Access Security Broker (DASB) addresses DLP’s faults. Data is secured without impact to users and workflows while securing data by default.

SecureCircle is transparent to users and workflows. Users continue to use the same applications without any knowledge that an additional security layer is active. There is no change in file names or extensions, and SecureCircle has no limit on file size. Because of the transparent nature of its security, SecureCircle can secure all data by default.

SecureCircle corrects the failures of DLP

• DASB doesn’t require extra discovery or classification tools.
• Users are entirely unaware security is in place since there is no change to user workflow.
• DASB’s secure-by-default posture allows admins to focus on exception policies only.
• SecureCircle’s security continues regardless of data location.

DLP Pain Points:

Discovery & Classification

• DLP requires additional tools, such as Discovery and Classification, to work. Relying on other products increases cost and complexity.

Operations

Operational success can be measured by the amount of friction introduced into the work environment on users and administrators.
• Because DLP is so complicated, companies often hire DLP deployment consultants to configure the DLP to work correctly. The Symantec DLP version 15.5 Administration Guide is 2560 pages.
• Companies never operationalize DLP within a company because DLP requires so much maintenance. Admins must continuously create and update new rules to cover policy changes, additional applications, additional cloud/SaaS applications, etc.
• Companies either continue paying their DLP consultant to maintain their solution, or the effectiveness of DLP begins to degrade.

Failed Architecture and Technology

• DLP doesn’t secure data on the endpoint. Instead, DLP tries to limit data egress from the endpoint. By doing this, users are blocked from everyday tasks such as copying data to the USB drive. For files and workflows that can’t be emailed due to size, portable drives and cloud storage may be the only option to transfer large files and data sets. DLP security coverage is limited to a small set of business applications and file formats.
• DLP requires users to be an active participant in the security process. Users do not have an interest in doing this. They will secure the least amount of data because it makes their work easier. Also, even diligent employees will make mistakes.
• DLP is based solely on regex pattern matching, which is very fragile and creates many data escapes.
• Specific vendors such as Symantec have limited cross-platform support.

Security versus Friction

Endpoint DLP

• High Friction: Admins need to create and maintain a massive list of DLP rules. Admins cannot keep up with changes in the network, endpoint applications, etc., so over time more and more holes are introduced. DLP asks users to be part of the classification process. Users are also limited in the applications and file types that can be used.
• Moderate Security: The fundamental security model is flawed since data is not secured by default. Security is only applied when data attempts to egress from the device. Ransomware and malware take advantage of this because once the malicious application is running on the device, the application can try many methods to get data off the device.

Data Access Security Broker

• No friction: DASB is completely transparent to users. Users continue with the same workflow as before. Admins integrate with existing authentication solutions and manage exception policies only. Exception policies do not change often.
• Complete Security: Data is secured by default, including at rest, in transit, and even in use. When secured data is transferred off the device, the data remains encrypted and only authorized users will be able to access the content. This allows cloud storage and file sync-and-share services to be used as secure transport methods.


Zero Trust Data Security
January 19, 2021

Even with costly and complex data protection programs in place, data breaches and insider threats are still continually occurring. A reimagined approach to data security needs to be taken to mitigate these threats. Zero Trust is a security concept that requires the owner to have full control over every aspect of their data. To protect data from leaving the cloud, the owner must isolate and control all aspects such as other users, devices, and networks. The combination of controlling all aspects allows you to have control over your data and is the key to achieving Zero Trust. 

One of the main factors of Zero Trust is that the protection is persistent with the data no matter how or where it moves. At one point in time, data protection meant backing up data. Because of this, many of us did not discover and classify what we wanted to keep and chose to back up everything. Data security should protect everything because what you might not think is important today may still be important another day. If all of the data is secured, it doesn't matter where the data lives because it will never be vulnerable without access or keys to the data. 

With Zero Trust protection, when a file is encrypted, only allowed applications and the users of those applications are able to read the data without decrypting the file. Zero Trust ensures the data will always be protected because the owner retains full control over everything. The Zero Trust protection automatically inserts a transparent layer between the read and write processes of applications and the application storage systems, whether running on endpoints or in the cloud. When an authorized user, device, process, or application accesses protected data, the access control policy allows that user, device, process, or application to read the encrypted bytes.

Zero Trust data security is the most fluid and valuable to an organization when it comes to protecting and being in control of your data. Being able to protect an organization’s source code with Zero Trust implies that your organization has won in a way. A whole barrier over the organization has been lifted because it enables the developer to do their job without releasing control over their data. By protecting source code data persistently and transparently, SecureCircle’s DASB is ideal for today’s zero-trust world. SecureCircle offers the most innovative method of protecting source code from insider threats and data breaches. DASB empowers organizations to enable secure access and full data control with no impact to applications, workflows, overhead, or end-user experience.


Conditional Data Access for Endpoints
January 19, 2021

Many people think about using Conditional access for SaaS applications or access to specific data sources. However, once that data is accessed, how do you continuously enforce conditional access "to the data" on an endpoint? When your data is kept in a SaaS service, it is generally kept secure by the provider. Once your data leaves the service, that is when your responsibility comes into play with protecting your data. SecureCircle provides a Zero Trust Data Protection solution to ensure that your data is protected with conditional data access for endpoints.

Zero Trust implies that you have absolute control over your data and the ability to change your access control at any given point in time. Conditional data access is all about allowing users access without giving up control, and adapting that access based on telemetry. For instance, if a former employee had access to the organization’s data, you can effectively go back in time to revoke that access, as long as you never gave up control. When access to data is disabled, the data is no longer accessible to the user, group, or device, regardless of where the data resides. Attempts to access the data on a device whose access has been revoked will be denied, and these attempts will be logged.

To detect any risky behavior while possessing control, SecureCircle works in conjunction with your identity provider. SecureCircle becomes part of the device’s compliant posture while your identity service can detect if the device attempting access is compliant before issuing access. SecureCircle always keeps data in an encrypted state and only allows approved applications to access and modify it. If any risky behavior is shown from the analysis of user behavior, SecureCircle enables you to change the posture of what the user is allowed to access. 

Ultimately, when having absolute control over your data, you start to think of the world differently. Zero Trust security is one comprehensive approach that allows you to have conditional data access for your endpoints. Even though data is secure, at one point or another, you are going to have to allow access. When doing so, SecureCircle will be there to eliminate these vulnerabilities.


Cybersecurity 2021 Conferences
January 19, 2021

Which will be the best 2021 Cybersecurity Conferences?

2020 was undoubtedly a year of change for everybody. People had to adapt and shift rapidly to new habits because of Covid-19. Cybersecurity conferences were not an exception: while some of them were cancelled, others took place in a virtual environment instead of the traditional way. 

Regular attendees are expecting to join the main Cybersecurity Conferences to be held this year even though they will mostly be held virtually. SecureCircle lists here the top 10 conferences that you cannot miss: 

  1. RSA CONFERENCE 2021, SAN FRANCISCO: this year the event will be fully virtual taking place the week of May 17. The topic will be Resilience. You can get the tickets on their website.
  2. GARTNER SECURITY & RISK MANAGEMENT SUMMIT: the event will be a virtual experience happening on March 23 and 24. Check tickets and pricing on their website. 
  3. DEF CON: the conference will be virtual, starting August 5 and finishing August 8. The event will be free. 
  4. RSA CONFERENCE 2021, JAPAN: last year the event took place in July and was free for everybody. For this year they haven't announced anything yet, so we are still expecting relevant information from them. 
  5. ATLANTA CYBERSECURITY CONFERENCE: This conference will be live streamed, taking place on February 24. Pricing and registration on their website. 
  6. NATIONAL CYBERSECURITY SUMMIT: the venue of the conference will be the Von Braun Center, Huntsville, AL. A three-day event from June 8-10. For further information and pricing check their website.
  7. INFOSEC WORLD: one of the few in person conferences that will take place in Disney's Contemporary Resort, Lake Buena Vista on September 27 - 29. For registration and tickets check their website.
  8. SECURE360 TWIN CITIES: the committee of this event has decided that it will be fully virtual taking place on May 11 and 12. Registration on their website.
  9. THE HUMAN HACKING CONFERENCE: at the moment the only event that gives us the opportunity to attend virtually. The venue will be the Rosen Centre Hotel, Orlando, FL, or the virtual component of the event, which gives access to some exclusive online workshops. The conference will take place on March 11-13. For registration and more information visit the website.
  10. CIO'S FUTURE OF WORK SUMMIT: virtual event taking place next month, February 16-18. Attendance is free but registration is necessary on their website.

We will be there. Are you going to join us?


2021 Cybersecurity Predictions
January 3, 2021

As the calendar turns to a new year and we gladly put 2020 behind us, here are a few predictions for the new year.

1. Data breaches and privacy violations will continue to grow in 2021. Despite regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), the average cost of a data breach will rise again. Per the Ponemon Institute's latest Cost of a Data Breach Report, the average cost of a data breach in the US grew to a record $8.74 million per infringement.


2. More regulations. CMMC (Cybersecurity Maturity Model Certification) went live in 2020, and lawmakers only have one option to regulate industries that are unable or unwilling to prevent breaches independently. Last month, California passed Proposition 24 (California Privacy Rights and Enforcement Act, or CPRA). CPRA will take effect in January 2023 and will create a new privacy enforcement agency. The agency will provide new definitions and protection for sensitive consumer data, expand and clarify the use and sharing of consumer data, and expand liability for data breaches. Without a national regulation, California law will become the de facto standard in the US. CCPA remains in effect until CPRA starts. The EU is working to reconcile PECR (Privacy and Electronic Communication Regulation) with GDPR to remove inconsistencies. The Philippines will update the PDPA (Personnel Data Protection Act). The UK will formally leave the EU, and the UK Data Protection Bill will replace GDPR.


3. Cybercriminals will continue to focus on remote workers. Even as some companies return to office work in 2021, other companies such as Twitter, Shopify, Nationwide Insurance, Siemens, Slack, Square, and Zillow have adopted policies to allow permanent work-from-home. The FBI's Internet Crime Complaint Center (IC3) reported that online crimes have quadrupled since the beginning of the COVID-19 pandemic.

SecureCircle's recommendation for 2021 is to adopt a Zero Trust Data Security posture that secures all data by default without relying on end-user involvement.

Protecting Data That Egresses From Cloud Services & SaaS Applications
January 4, 2021

For a true Zero-Trust environment, it isn’t enough to think about data in cloud services and SaaS applications. We also must protect, control, and audit data that egresses from these services onto endpoints. SecureCircle is Zero Trust security for data. SecureCircle enables full control over data, including the authenticated users, networks, devices, and applications that have access to secured data. At one point in time, the cloud was seen as the bad guy, and we wanted to find all the data that was leaving the premises and going into the cloud. However, almost overnight the cloud went from being the bad guy to being the good guy. Since the cloud is now the good guy, we are trying to protect the data leaving the cloud using zero trust models.

Consider how the Data Processing Agreements (DPAs) with your SaaS providers are written: the provider controls and secures the data while it is inside the SaaS service. Salesforce and Workday, for instance, control and secure the data inside their applications, but your responsibility begins once you open the front door. The front door is open once the user and device are authenticated and the network is secure. With the front door open, the data is unleashed, leaving you exposed either to unwanted users accessing the SaaS environment or to users egressing data from the SaaS application to their local device. Because data is constantly egressing from the cloud, it must be secure at all times.

A new approach to protecting data is required for organizations to control their data and map to modern compliance requirements. SecureCircle ties into the Zero Trust model and protects the data again on the endpoint, and it does not have to scan for PII to do so. Because SecureCircle works at scale without limitations, when the data inevitably leaves the service, you retain control over the copy that is on the endpoint. SecureCircle bridges the shared security model between the SaaS provider and your local devices: everything coming out of a SaaS service is protected because SecureCircle is part of the device's compliance posture.

With SecureCircle, all of the services are protected and, most importantly, so is your data. For instance, when a user downloads data from a SaaS application such as Salesforce and tries to copy it onto a USB drive to take home, SecureCircle identifies binary similarities.

SecureCircle determines whether the downloaded data is similar to previously secured data. If it is, the data is automatically secured with the same access permissions as the original data. Security decisions are automated: newly downloaded data is either recognized as similar to secured data or not, which avoids securing non-confidential data.


If the data is similar and therefore secured, copying it to a USB drive transfers only the secured (encrypted) bytes. If the USB drive is plugged into a device that is not authenticated, that device receives nothing but encrypted bytes. Without access rights or decryption keys, the data remains protected no matter where it is. SecureCircle's DASB is the only solution that lets you enable secure access without giving up control of your data and with no impact on applications, workflows, or end-user experience.

2020 Recap
December 21, 2020

Is Zero Trust Data Security Possible?
December 31, 2020

Read the original Forbes article: Is Zero Trust Data Security Possible?

Some enterprises I've worked with that have deployed a zero trust (trust no one) model have still experienced data breaches. With zero trust implemented correctly, data breaches can be eliminated or minimized to small datasets. I believe breaches still occur because organizations do not rely on zero trust data security solutions. After all, most options I've seen are not zero trust compliant.

Data loss prevention (DLP) requires discovery and classification. DLP doesn't secure by default. Endpoint DLP typically allows data on the device to remain unsecured while locking down the egress of data off the device.

Solutions like information rights management (IRM) and file encryption aren't zero trust. Those solutions only secure the initial transfer of data. An employee can encrypt a file and send the data to an external partner. But once the partner has decrypted the file to consume the content, the partner — not the employee or company — has control of the data.

I believe the use of these data security tools has contributed to data breach after data breach and headline after headline. What enterprises need to do is implement zero trust data security principles.

Here are four core principles of zero trust to implement when deploying a zero trust data security solution.

Use Microsegmentation

It is challenging to implement zero trust without granular controls. Instead of a carte blanche "allow or deny" permission, permission should be extremely granular. Identity providers can authenticate on more than username and password. They can also use device, device posture, location, time and other signals as additional authentication factors.

Data security should have similar granular controls. Besides basic authorization for users and devices, your security team should use controls over endpoint applications, networks, SaaS or cloud applications, and data usage such as copy and paste. Make sure they don't allow unauthorized or unknown processes to access data. New or unauthorized applications that access data can cause ransomware attacks. Whether it's in the cloud or the corporate data center, you should also secure data from centralized sources.

Enforce Policies Everywhere

Data security has previously focused largely on data access. But once data is accessed, the user typically has broad rights to use and transfer the data without additional security controls.

Some solutions claim to be data-centric solutions. That often turns out to be a file-centric approach. With zero trust, the goal is to be as granular as possible.

Security needs to be persistent. You should secure your data at all times: at rest, in transit and in use. Security needs to apply to any file type and any application. Identify solutions that are not zero trust, such as any tools that publish a list of supported applications. A supported application list implies that there are unsupported applications whose data the tool will not secure.

A widespread use case for zero trust security today is downloading sensitive data from a SaaS or cloud service. Make sure you're securing data exported from SaaS services and that it remains secured throughout its entire life cycle.

The most granular data security approaches apply security to the data itself, not the file. As users create new content, compare that content to previously secured content. If the content is similar, automatically secure the new content with the same permissions as the previously secured data. Make sure to monitor small data segments as they move from file to file and apply permission accordingly.

Provide Identity Beyond Identity And Access Management (IAM)

Authorization based on basic credentials such as username and password is not enough. Enable access policies for applications, networks and system tools such as clipboards.

By enforcing application policies, IT can allow only authorized applications to access secured data — no more Word-to-PDF converters downloaded from unknown sources. Enforce application-level network rules, such as only allowing file transfer protocol (FTP) applications to send data to corporate IP addresses. Enforce clipboard policies to block or allow secured data to move between secured and unsecured applications.

Introduce Visibility And Automation

Visibility and automation are two of the cross-functional principles of zero trust. Granular logging and reporting should enable orchestration tools to look for anomalies and suspicious behavior. Log all data access attempts, regardless of whether you allow or deny the action. Your log should include user, application, device, location, time and other metadata. Proper logging will allow orchestration tools to detect potential malware and suspicious user behavior while also creating audit and compliance reports.
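The four principles above (granular application, network and clipboard policy; logging every attempt with user, application, device, location and time; and feeding that log to an anomaly check) can be shown in one small model. The following is an added example written for this page, not code from the article or from SecureCircle; the user list, allowed applications, corporate network range, rules and sample attempts are all constructed.

```python
"""Added illustration of the zero trust data security principles above:
every data-access attempt is decided against granular policy, logged with
user, application, device, location and time whether allowed or denied, and
the log is then mined for a simple anomaly (a device racking up denials).
All names, rules and sample attempts are constructed for the example."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, asdict
from typing import List, Tuple

# Assumed policy values for the example.
AUTHORIZED_USERS = {"alice", "bob"}
ALLOWED_APPS = {"winword.exe", "excel.exe"}          # may read secured data
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")   # permitted upload targets


@dataclass(frozen=True)
class Attempt:
    """One access attempt as an endpoint agent would observe it."""
    ts: str
    user: str
    device: str
    device_compliant: bool   # device posture from the identity/MDM layer
    app: str                 # process requesting access
    action: str              # "read", "clipboard" or "net_send"
    location: str
    target: str = ""         # destination app (clipboard) or IP (net_send)


def decide(a: Attempt) -> Tuple[str, str]:
    """Granular allow/deny: user, device posture, application, then the
    action-specific rule (clipboard destination, network destination)."""
    if a.user not in AUTHORIZED_USERS:
        return "deny", "unauthorized user"
    if not a.device_compliant:
        return "deny", "device posture"
    if a.app not in ALLOWED_APPS:
        return "deny", "unknown or unauthorized process"
    if a.action == "clipboard" and a.target not in ALLOWED_APPS:
        return "deny", "paste into unsecured application"
    if a.action == "net_send" and ipaddress.ip_address(a.target) not in CORPORATE_NET:
        return "deny", "non-corporate destination"
    return "allow", "policy match"


def enforce(a: Attempt, audit_log: List[dict]) -> str:
    """Apply the decision and record the attempt either way."""
    verdict, reason = decide(a)
    audit_log.append({**asdict(a), "verdict": verdict, "reason": reason})
    return verdict


def suspicious_devices(audit_log: List[dict], max_denies: int = 2) -> set:
    """Toy orchestration rule: flag a device denied more than max_denies times."""
    denies = Counter(r["device"] for r in audit_log if r["verdict"] == "deny")
    return {dev for dev, n in denies.items() if n > max_denies}


# Constructed sample attempts (not real log data).
SAMPLE = [
    Attempt("2020-12-31T09:00:00Z", "alice", "laptop-01", True, "winword.exe", "read", "office"),
    Attempt("2020-12-31T09:01:00Z", "alice", "laptop-01", True, "winword.exe", "clipboard", "office", "outlook.exe"),
    Attempt("2020-12-31T09:05:00Z", "bob", "laptop-07", False, "excel.exe", "read", "home"),
    Attempt("2020-12-31T09:06:00Z", "mallory", "laptop-07", True, "excel.exe", "read", "home"),
    Attempt("2020-12-31T09:07:00Z", "bob", "laptop-07", True, "pdfconvert.exe", "read", "home"),
    Attempt("2020-12-31T09:08:00Z", "bob", "laptop-07", True, "excel.exe", "net_send", "home", "10.1.2.3"),
    Attempt("2020-12-31T09:09:00Z", "bob", "laptop-07", True, "excel.exe", "net_send", "home", "203.0.113.9"),
]


def run_sample() -> Tuple[List[dict], set]:
    """Enforce every sample attempt and return the log plus flagged devices."""
    log: List[dict] = []
    for a in SAMPLE:
        enforce(a, log)
    return log, suspicious_devices(log)


if __name__ == "__main__":
    log, flagged = run_sample()
    for r in log:
        print(r["ts"], r["user"], r["device"], r["app"], r["action"], r["verdict"], "-", r["reason"])
    print("flagged devices:", flagged)
```

Note that denied attempts are logged with the same metadata as allowed ones; that is what lets the last function notice that laptop-07 accumulates denials across a posture failure, an unknown user, an unknown process and an external upload, a pattern a single allow/deny decision cannot see.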

By following these zero trust principles when deploying data security solutions, enterprises can finally start to eliminate data breaches.

Companies Need to Protect Trade Secrets
December 4, 2020

The road to a granted software patent continues to be a long, frustrating, and expensive process. In just a few years, old software can be replaced even before a patent application is complete. Typically, patent applications take about four years to complete, which is very time consuming for most companies. 

Many companies choose not to patent software because of how difficult it can be. Under the current patentability law in the United States, software patent applications must meet specific requirements to be patent-eligible. The software may be patentable if it improves computer functionality somehow or solves a computing challenge unconventionally. Additionally, software patent applications must be written carefully. The patent may only be eligible if written with a clear focus on the software solution’s technical merits. 

Since patents are becoming harder to obtain, companies turn to trade secret protection.  There are laws to protect trade secrets. To have legal protection, the company must meet specific standards. There are many steps that companies must take to protect their trade secrets, including identifying what needs protection, monitoring where the information is stored, securing computers, providing adequate security, maintaining secrecy with outside vendors, and training employees regarding security policies. 

Over the past few years, trade secret litigation in United States courts has increased significantly. In 2018, Apple was alleged to have stolen trade secrets from Qualcomm and shared them with Intel Corporation after Qualcomm had given Apple access to its source code and tools for LTE modem chipsets. Last year, Ahead Engineering sued former employees, claiming trade secret misappropriation under state and federal law. Ahead Engineering ended up facing more penalties because, instead of making its best efforts to protect its trade secrets, it went on an external fishing expedition against its employees. Companies must use their best efforts to protect trade secrets and be able to show those efforts in court to be protected.

SecureCircle enables companies to meet the various trade secret requirements for legal protection.

Trade secrets such as source code can be automatically protected as part of the developer workflow without developers even knowing additional security was implemented. As source code is checked out of a central repository such as GitHub, the data is automatically secured. Data remains secure regardless of location. Only authorized users, devices, and applications are able to access the source code.

Every attempt to access secured source code is monitored.  Compliance and audit teams can see in real-time which users, devices, and files have been accessed.  Unauthorized devices or unknown devices will not be able to access secured source code and will not even be able to download source code from the central repository.

Companies can utilize outside vendors without giving up control.  Typically in other security solutions, the data is left unsecured while the data is being changed.  With SecureCircle, the data is persistently secured: at rest, in transit, and even in use.  Derivatives are automatically secured, including Save-As and copy-paste.  Even as outside vendors are working on source code, companies have the ability to revoke permissions at any time.  If the vendor had copied secured data to a USB drive, the contents would remain secure.

Because SecureCircle works transparently in the background, there is no user training and onboarding required.  Developers work just as they would with insecure data.  Companies can deploy SecureCircle in days.

Review the SecureCircle Securing Source Code on the Endpoint Whitepaper or view the Demonstration video to learn how to:

  • Secure source code on the endpoint
  • Allow access to source code on the endpoint
  • Secure source code within the clipboard
  • Secure newly created and derivative source code
  • Check source code into the repository
  • Revoke access to source code

SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. SecureCircle’s Data Access Security Broker is a reliable and straightforward security architecture that enables customers to secure source code on the endpoint without impacting developers from doing their job. Instead of relying on complex reactive measures, we simply secure data persistently in transit, at rest, and even in use. SecureCircle also reduces cost and reduces complexity by avoiding the need for multiple products, software integrations, and ongoing security controls administration. Unlike many traditional solutions, SecureCircle works on a simple cloud-to-agent delivery model, which means fast and simple deployment, allowing our customers to implement security for their most sensitive data rapidly.

Preventing Palmerworm Espionage
December 4, 2020

An espionage group known as Palmerworm used new malware to attack targets worldwide, including companies in media, finance, construction, and engineering in the US, Japan, Taiwan, and China.

In some cases, Palmerworm maintained a presence on compromised networks for more than a year using 'living-off-the-land' tactics. These attacks take advantage of legitimate software so as not to raise suspicion that something might be wrong. The malware also uses stolen code-signing certificates in its payloads to make the malware look legitimate.

Researchers cannot see what Palmerworm is exfiltrating from its victims, but the group is considered an espionage group and is likely motivated by stealing information from targeted companies.

The Palmerworm attack is similar to standard ransomware, in which thieves steal your data and demand a ransom in exchange for not releasing it to the public. The difference in this case is that the attackers already see value in your data and know how to monetize it without asking for a ransom. An attack of this nature could go on indefinitely if not caught.

SecureCircle will not prevent attackers from installing malware and exfiltrating files from the company. Endpoint Detection and Response (EDR) solutions exist to avert suspicious attacks, and one of the known victims was able to detect the attack within two days with proper security in place.

SecureCircle will secure your data so your confidential internal data will not be accessible by the attackers or anyone in the public should the files be released.  Data is persistently secured at all times, including at rest, in transit, and in use.  Even if files transfer outside of the company, unauthorized users will never access the encrypted data.

In the Palmerworm case, the attackers used typical applications for reconnaissance, compression, and remote transfer. WinRAR was used to compress data to make it easier to transfer. PuTTY was used to open remote connections and transfer the data. With SecureCircle, these applications would not be allowed to access the encrypted data within files by default, because applications of this kind move data rather than work on it. Similar applications such as email clients and web browsers would also not have permission to read the secured data. Applications that are not enabled to view encrypted data can only move encrypted data, while applications such as Excel would have permission to read the secured data. SecureCircle provides granular permissions beyond devices and users: access to secured data can be authorized by application and by network as well.

Another significant benefit of SecureCircle is the rapid time to deployment.  SecureCircle is transparent to end-users and doesn't change user or business workflow, unlike other security solutions.  Without impacting users, companies can secure all their data by default rather than selecting only the most crucial data.  By not having to discover or classify data, companies implement SecureCircle quickly by defining data sources such as SaaS applications, file servers, or specific applications on user devices such as CAD, Adobe, or source code applications.

SecureCircle helps eliminate data breaches from malicious external attacks such as Palmerworm and malicious and accidental insiders.

Zero Trust Data Security Webcast
December 4, 2020

Security Weekly hosts and SecureCircle's CEO, Jeff Capone, discuss Zero Trust Data Security. SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. Ensure all your data is secure, without impacting the business.

Where's Your Data? Who Cares!
November 30, 2020

App, User, and Data, but it's all about the data!  Discovering and classifying data to protect it is tough.  What if you can protect all of your data? Jeff Capone, CEO and Co-founder at SecureCircle, joins Security Weekly to discuss how to protect all of your data and stop asking "Where's your data?". If we can protect everything, who cares where it is, as you continue to maintain control!

Zero Trust DLP Webcast
November 17, 2020

Security Weekly hosts and SecureCircle dive into Zero Trust DLP. Zero Trust Data Security is a very popular security architecture that is being adopted by many organizations. A zero-trust solution requires the owner of the data to always be in control at all times. The owner is in control of all of the networks, devices, users, and data.

Quanta Storage Inc. Secures Customer Intellectual Property
November 30, 2020

Quanta Storage Inc. (QSI) is a worldwide leader in OEM and ODM services to the world's leading consumer electronics brands, with headquarters in Taoyuan City, Taiwan, and factories and offices worldwide.


The Challenge

QSI obtains customer intellectual property (IP) such as designs, roadmaps, costs, legal documents, and schedules. Customers are concerned about the safety of their IP. The IP includes traditional Office files, source code, mechanical design files, photos, videos, and more.


QSI's customers are some of the most recognized consumer electronics brands globally. Customers are concerned that data may leak to their competitors, which are also QSI customers, or to the public.

Additionally, QSI creates its internal intellectual property, such as design and source code files for designs and products which QSI owns and needs to secure.

The Solution

QSI evaluated many encryption and data loss prevention solutions before selecting SecureCircle. The alternative solutions could not protect every file type and impacted QSI employees with workflow changes.

"SecureCircle was selected because their technology applies to data regardless of where the data is stored or what applications are used," said Luis Chuang, Associate Manager. "Two critical requirements for QSI are support for all platforms, including Windows, Mac, and Linux, and support for any application and file type, including native design files."

SecureCircle ensures sensitive customer intellectual property (IP) is protected when customers share data with QSI. Customers upload data to a secure FTP location. The data is automatically secured on upload and added to the customer-specific Circle. Each customer's data is segregated from other customers' data, so data cannot accidentally or maliciously leak from one customer to another. Employees do not have access to customer Circles in which they are not directly involved.


SecureCircle secures QSI’s internal confidential information, including business, design, and manufacturing data. QSI is able to secure data across multiple sites, including its headquarters in Taiwan, as well as major factories in China and Thailand. SecureCircle authenticates users across multiple Active Directory servers distributed throughout their global footprint.


SecureCircle secures software source code throughout the development process. Developers code on Windows, Mac, and Linux devices using the approved IDE (Integrated Development Environment) applications without any change to the workflow.


QSI is able to secure data without additional operational overhead. Unlike other DLP solutions, QSI is not required to discover and classify data prior to securing it. There is also no need to create or maintain DLP policy rules since SecureCircle secures all data by default.

The Outcome

Due to the sensitive and competitive nature of the OEM and ODM industry, QSI strives to achieve the highest level of data protection to ensure internal IP and customer IP are always protected.

QSI has deployed to employees around the world, securing IP while not impacting employee or business workflows. There has been no additional management overhead since SecureCircle leverages the Active Directory groups, which were already maintained to grant access to file servers and other resources.


SecureCircle transparently secures data from internal and external threats, including accidental sharing, lost/stolen devices, shadow IT, and rogue employees.

To Learn More Contact your Data Access Security Broker expert at sales@securecircle.com or 408-827-9100

Securing Source Code on Endpoints
December 13, 2020

Securing source code from loss or theft has historically been challenging due to the lack of security options available to deliver effective security without impacting developer productivity. For many businesses, their source code is an extremely valuable asset yet to enable productivity it has to be copied onto developer endpoints in plain text formats, making it difficult to keep this valuable asset secured and monitored.

SecureCircle's Data Access Security Broker (DASB) is a simple and reliable security architecture that enables customers to secure source code on the endpoint without preventing developers from doing their job. DASB protects against both insider threat and accidental data loss without constraining developers to a particular IDE or build tool.

When deployed in a best practice configuration, SecureCircle can secure source code on endpoints without development teams needing to change how they operate or interact with code, IDEs, and development tools. This whitepaper focuses on SecureCircle best practices for securing source code in development environments.

High Level Architecture

The most common approach to managing and working with source code is to leverage one or more code repositories that are considered the source of truth for a given development project. The code repositories provide functionality that simplifies managing various versions of code, branches, and releases.

In development environments, it is common practice for developers to copy code onto their endpoints (Mac/PC/Linux) using a pull or checkout operation. This checkout or pull operation moves code directly to the local endpoint, which gives developers the fastest and most reliable experience when working with code.

SecureCircle ensures source code is persistently encrypted when it moves to the developers’ endpoint without impact to developers and their tools so businesses always remain in control of their source code regardless of where the code resides.

Securing Source Code on the Endpoint

When SecureCircle has been configured to best practice, source code is secured as it moves from the code repository to developer endpoints. Specifically, the client process (e.g. git, svn) on the developer's system is configured as a Secure Process. When the Secure Process copies or writes source code files to the developer endpoint, the SecureCircle agent ensures the source code within the files is encrypted at all times and remains secured even in use.

An additional layer of security recommended by SecureCircle is to use SSH as the transfer protocol for any pull from the code repository. Not only does this ensure source code is encrypted in transit, it also allows the private SSH key file on the developer's endpoint to be managed by SecureCircle. By securing the key with SecureCircle, both access to the source code on the endpoint and access to the repository over the network can be revoked when disabling a user or device. When access to the code is revoked, it can no longer be read on the endpoint by any process. Similarly, the endpoint can no longer make requests to the repository, because the SSH key that grants access to the code repository is also unreadable. All secured source code on developer endpoints is monitored: when applications and processes attempt to access the source code, the attempted actions can be logged to a SIEM for further analysis.

Allowing Access to the Source Code on the Endpoint

Source code within files that have been checked out by an approved developer, on an approved endpoint, by an approved process is always kept in an encrypted state. Beyond the code always being encrypted, only approved IDEs and compilers are granted access to the code within the file; other processes on the developer's endpoint cannot access the plain text version of the source code unless explicitly approved.

When an approved IDE opens source code, it reads plain text, yet the file on disk is never decrypted. The plain text stays within the IDE and other approved processes, such as alternate IDEs. Compilers can also be approved applications that read plain text within the secured file, so builds succeed without any change to the developer's normal workflow or to the build tools.

In general, processes that consume data on the endpoint are either an Allowed Process, which is granted permission to read the content within files, or a Denied Process, which is forced to read the encrypted version of the bytes. Transport tools such as Windows Explorer, Mac Finder, email clients, and file sync clients (e.g. Dropbox) are all recommended to be Denied Processes, which means these processes can transport secured files but never read the plain text contents.

Securing source code within the clipboard

It is common to use the operating system clipboard to move data from one location to another. In source code development, the ability to copy and paste is an important productivity tool. With SecureCircle, developers are free to copy and paste within and between Allowed Processes. However, if a developer attempts to paste code from an Allowed Process into a Denied Process, the operation is blocked. By controlling copy and paste in this way, source code cannot be exfiltrated into unapproved applications and processes that are considered high risk, such as email clients or web browsers.

Securing newly created and derivative source code

When new source code files are created, they can either be secured by default, as part of a Secure Process, which secures every new file created or they can be secured based on the content of the code being a derivative of source code that was previously secured by SecureCircle.

By enabling Secure Derivative, similarities within data across files will be detected. When a new file is created with similar contents to an existing file, it will be automatically secured with the same policies as the original file and transparently encrypted to allow the security to move with the data. When source code is copied from one file to another within an Allowed Process, Secure Derivative ensures the file that receives that code will inherit the security of the file that contained the original code.
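The Secure Process, Allowed Process, Denied Process and Secure Derivative behaviour described in this whitepaper, and the binary-similarity check the SaaS-egress post above relies on, can be modelled together. The following is an added toy example, not SecureCircle's agent code: the cipher is a SHA-256 keystream XOR stand-in for the real encryption, similarity is token-shingle Jaccard (one plausible similarity measure, not necessarily the one the product uses), and every process name, key, threshold and file is constructed.

```python
"""Added toy model of the Secure Process / Allowed Process / Denied Process /
Secure Derivative workflow.  It is an illustration, not SecureCircle's agent:
the cipher is a SHA-256 keystream XOR stand-in, similarity is token-shingle
Jaccard, and every process name, key, threshold and file is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

SHINGLE_LEN = 4             # assumption: 4-token shingles
DERIVATIVE_THRESHOLD = 0.5  # assumption: >= 50% shingle overlap = derivative


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream.
    The same call encrypts and decrypts.  Not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def shingles(text: str) -> FrozenSet[str]:
    """Content fingerprint: the set of consecutive SHINGLE_LEN-token windows."""
    toks = text.split()
    return frozenset(" ".join(toks[i:i + SHINGLE_LEN])
                     for i in range(len(toks) - SHINGLE_LEN + 1))


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


@dataclass
class Policy:
    """The Circle a secured file belongs to: its key and Allowed Processes."""
    name: str
    key: bytes
    allowed_processes: Set[str]


@dataclass
class StoredFile:
    content: bytes                   # bytes as they sit on disk
    policy: Optional[Policy]         # None = ordinary unsecured file
    shingles: FrozenSet[str] = field(default_factory=frozenset)


class Endpoint:
    def __init__(self, secure_processes: Dict[str, Policy]):
        # Secure Processes (e.g. the git client) whose writes are always secured.
        self.secure_processes = secure_processes
        self.files: Dict[str, StoredFile] = {}

    def write(self, path: str, plaintext: str, process: str) -> str:
        """Store a file; returns why it was (or was not) secured."""
        sh = shingles(plaintext)
        policy = self.secure_processes.get(process)
        reason = "secure-process"
        if policy is None:
            # Secure Derivative: inherit the policy of the most similar secured file.
            best, best_score = None, 0.0
            for f in self.files.values():
                if f.policy is not None:
                    score = jaccard(sh, f.shingles)
                    if score > best_score:
                        best, best_score = f.policy, score
            if best is not None and best_score >= DERIVATIVE_THRESHOLD:
                policy, reason = best, "derivative:%.2f" % best_score
            else:
                reason = "unsecured"
        data = plaintext.encode()
        if policy is not None:
            data = keystream_xor(policy.key, data)   # encrypted at rest
        self.files[path] = StoredFile(data, policy, sh)
        return reason

    def read(self, path: str, process: str) -> bytes:
        """Allowed Processes get plain text; Denied Processes get the ciphertext."""
        f = self.files[path]
        if f.policy is None:
            return f.content
        if process in f.policy.allowed_processes:
            return keystream_xor(f.policy.key, f.content)
        return f.content


# Constructed demonstration values.
SOURCE_CIRCLE = Policy("source-code", b"constructed-demo-key", {"git", "code", "clang"})
SAMPLE_SRC = "int main(void) { return secret_routine(42); } /* constructed sample */"


def demo() -> dict:
    """git checkout, IDE read, mail-client read, derivative copy, unrelated note."""
    ep = Endpoint({"git": SOURCE_CIRCLE})
    results = {"checkout": ep.write("repo/main.c", SAMPLE_SRC, "git")}
    results["ide_read"] = ep.read("repo/main.c", "code").decode()
    results["mail_read"] = ep.read("repo/main.c", "outlook.exe")
    results["copy"] = ep.write("scratch/copy.c", SAMPLE_SRC + " // local tweak", "code")
    results["notes"] = ep.write("notes/todo.txt", "buy milk and call the plumber tomorrow", "code")
    return results
```

In the demo the git client is the Secure Process, so the checkout lands encrypted; the IDE is an Allowed Process and reads plain text while the mail client gets ciphertext; the edited copy made by the IDE inherits the source-code policy because most of its shingles match the secured original; and the unrelated note stays unsecured, which is the "prevents securing non-confidential data" point of the egress post.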

Checking source code into the repository

When checking code back into the code repository, the process on the developer endpoints can be set as an Allowed Process, which removes the encryption from the bytes within the source code as it is sent to the code repository. The source code files are encrypted in transit through SSH but are then stored in plain text format within the source code repository, which allows standard server-side tools within the code repository to continue to operate as expected. When a developer checks out the code in the future, it will be secured as per the original method described above. SecureCircle recommends that security controls be implemented on the repository to complement the code workflow described in this whitepaper.

Revoking access to source code

In the event that access to source code needs to be revoked, SecureCircle allows the ability to disable access to source code on endpoints by user, group, or device.

When access to data is disabled, the data is no longer accessible to the affected user, group or device, regardless of where the data resides. Attempts to access the source code on a device whose access has been revoked are denied, and these attempts are logged. Additionally, the ability to copy source code from the repository is also revoked, because the SSH private key file is no longer accessible to the clone process on the developer's endpoint. Removal of access to source code can take effect within seconds, depending on the time to live (TTL) settings configured in the SecureCircle service. Finally, access to any additional copies or derivatives is also revoked, even if they were copied onto removable media.
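The TTL mentioned above is the knob that determines how quickly a revocation reaches an endpoint that has cached a grant. The following is an added example written for this page, not SecureCircle's code; it models a cloud-side grant service and an endpoint agent that caches grants for TTL seconds, with an injected clock so the timeline can be stepped deterministically. The Circle name, principal and TTL values are constructed, and the SSH private key is treated simply as one more item under the same grant.

```python
"""Added illustration of revocation with a time-to-live (TTL), not
SecureCircle's code.  The service holds the authoritative grants; the endpoint
caches each grant for ttl seconds, so a revocation takes effect the next time
the cache expires (or immediately if the endpoint re-checks while online).
All principals, Circle names and the TTL are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class GrantService:
    """Cloud side: the source of truth for which principals may read a Circle."""
    def __init__(self, grants: Dict[str, set]):
        self.grants = grants  # circle -> {user or device identifiers}

    def revoke(self, circle: str, principal: str) -> None:
        self.grants[circle].discard(principal)

    def is_granted(self, circle: str, principal: str) -> bool:
        return principal in self.grants.get(circle, set())


@dataclass
class CachedGrant:
    granted: bool
    expires_at: float


class EndpointAgent:
    """Endpoint side: caches grants for ttl seconds and logs every attempt.
    Source files and the SSH private key are both data in the Circle, so one
    revoked grant denies both reading code and cloning the repository."""
    def __init__(self, service: GrantService, ttl: float, clock: Callable[[], float]):
        self.service, self.ttl, self.clock = service, ttl, clock
        self.cache: Dict[Tuple[str, str], CachedGrant] = {}
        self.log: List[Tuple[float, str, str, bool]] = []

    def can_access(self, circle: str, principal: str, online: bool = True) -> bool:
        now = self.clock()
        key = (circle, principal)
        entry = self.cache.get(key)
        if entry is not None and now < entry.expires_at:
            result = entry.granted                          # within TTL: cached answer
        elif online:
            result = self.service.is_granted(circle, principal)
            self.cache[key] = CachedGrant(result, now + self.ttl)
        else:
            result = False                                  # expired and offline: fail closed
        self.log.append((now, circle, principal, result))   # allowed or denied, always logged
        return result


def demo(ttl: float = 30.0) -> List[Tuple[float, bool]]:
    """Timeline: grant cached at t=0, revoked at t=5, observed at t=10, 31 and 40."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    svc = GrantService({"source-code": {"dev-laptop-01"}})
    agent = EndpointAgent(svc, ttl, clock)
    timeline: List[Tuple[float, bool]] = []

    def step(t: float, online: bool = True) -> None:
        now[0] = t
        timeline.append((t, agent.can_access("source-code", "dev-laptop-01", online)))

    step(0.0)                                   # fresh grant, cached until t = ttl
    svc.revoke("source-code", "dev-laptop-01")  # administrator revokes at t = 5
    step(10.0)                                  # inside TTL: the cached grant still answers
    step(31.0)                                  # past TTL: re-check hits the revocation
    step(40.0, online=False)                    # offline: cached denial holds
    return timeline


if __name__ == "__main__":
    for t, ok in demo():
        print("t=%5.1f access=%s" % (t, ok))
```

With the default 30-second TTL the endpoint keeps honouring the grant until t=31 even though the revocation happened at t=5; with a 5-second TTL the same revocation is already effective at t=10. That gap is the trade-off the TTL setting controls: shorter values mean faster revocation at the cost of more frequent checks against the service.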

Conclusion

SecureCircle allows businesses to create workflows that automatically secure data as it moves to endpoints. By deploying SecureCircle, source code is encrypted within files as they are pulled out of source code repositories, with no impact on developers or the tools they use. Source code is always kept in an encrypted state, and only approved applications can access and modify the plain text code. Access to source code can be revoked at any time, regardless of where the secured source code files are stored. Keeping data encrypted within any type of file without impacting developers or developer tools is what makes this approach to source code security unique. At SecureCircle, we believe that frictionless data security drives business value for our customers by providing persistent protection against accidental exfiltration and insider threat. For more information on how we approach data security, please visit our website www.securecircle.com.

Download Whitepaper: Securing Source Code on Endpoints
