Preserve IP and PII With Dynamic Governance Over External Workflows

Internal file threats entail a breach of sensitive information from secure content stores to unauthorized third parties. To prevent them, you must ensure that all sensitive files are saved to the correct repository, and then tightly control who can retrieve files, and when and how. Assuming you have shrunk the threat surface with enterprise content integration, making it safe and easy for users to save and retrieve files, the next step is to inspect every attempted retrieval and block unauthorized requests.

The modern enterprise spends millions of dollars on cyber security, yet the modern CISO can’t say in any specific detail what information is entering and leaving the firm. If you can’t see it, you can’t defend it. Everyday workflows where employees exchange sensitive information with external parties expose the firm to constant threats, including leaks, phishing, malicious files, and compliance violations. These external workflow threats have a common theme: a user is the actor, and a file is the agent. Complete protection requires a defense that spans the full breadth of the associated threat surface: the collective paths of all files entering and leaving your organization.

[Figure: On-premise or private cloud repositories are best suited for protecting IP]

In my last blog post, I discussed hardening the threat surface by restricting access to sensitive data. Today, I'll discuss defending the threat surface against data breaches by employing tight governance over all file transfers.

Limit Content Access and Analyze File Transfer Metadata

Enterprise content access should be tightly governed with highly granular user-level permissions that ensure data privacy. The most sensitive content should be segregated, so that additional security measures, such as multi-factor authentication, can be easily applied. This is all standard best practice. However, a CISO dashboard that monitors the entire file transfer path (the end-to-end threat surface) enables real-time application of stronger security measures based on transfer metadata, such as sender, receiver, origin, destination, and time of transfer.

[Figure: Defend the threat surface against data breaches. Granular permissions and content scans ensure that only authorized files are retrieved and sent externally. Source: Accellion secure file sharing and governance platform]

Deploy Data Loss Prevention as an Additional Line of Defense

On a file-by-file basis, DLP can be deployed to deny unauthorized requests based on the content. This process can be accelerated by implementing a data classification standard that allows DLP scans to be performed offline and requests for sensitive content to be processed in real time. This type of context-aware, content-aware dynamic security and governance can only be applied along the natural threat surface of external workflows: users, applications and files. It is impossible to apply it at the network and physical layers, because the relevant data is either unavailable or encrypted.
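To make the two ideas above concrete, here is an added example (not Accellion's code) of a small policy check that combines an offline DLP classification with the transfer metadata listed earlier (sender, receiver, destination, time) to allow or deny an outbound transfer in real time. The classification labels, domains, business hours and file names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Labels produced by an offline DLP scan (constructed; the label scheme is assumed).
CLASSIFICATION = {
    "q3-forecast.xlsx": "confidential",
    "press-release.docx": "public",
    "customer-list.csv": "restricted",
}
INTERNAL_DOMAINS = {"example.com"}             # assumed enterprise domain
APPROVED_PARTNERS = {"partner.example.net"}     # assumed allow-listed external domain
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # assumed window for external sends


@dataclass
class TransferRequest:
    sender: str          # user account initiating the transfer
    receiver: str        # recipient address
    filename: str        # file being sent, key into CLASSIFICATION
    destination: str     # domain the file would leave for
    when: datetime       # time of the transfer attempt
    mfa_verified: bool = False   # step-up auth already completed?


def evaluate(req: TransferRequest) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one transfer request.

    The content decision (label) comes from the offline scan; the context
    decision uses sender, destination, time and MFA state at request time.
    """
    if req.sender.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
        return "deny", "sender is not an enterprise account"
    label = CLASSIFICATION.get(req.filename)
    if label is None:
        return "deny", "file has no DLP classification; scan before release"
    if label == "public":
        return "allow", "public content"
    if req.destination in INTERNAL_DOMAINS:
        return "allow", f"{label} content staying internal"
    if req.destination not in APPROVED_PARTNERS:
        return "deny", f"{label} content to unapproved domain {req.destination}"
    start, end = BUSINESS_HOURS
    if not start <= req.when.time() <= end:
        return "deny", "external transfer outside business hours"
    if label == "restricted" and not req.mfa_verified:
        return "deny", "restricted content requires multi-factor authentication"
    return "allow", f"{label} content to approved partner {req.destination}"
```

Each deny reason is the line you would want on the CISO dashboard the post describes, so the same function both enforces and explains the decision.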

In the next post, I’ll discuss defending the threat surface against external threats by inspecting every file to block malicious attacks. Future posts will cover concepts like building a holistic, proactive defense that spans the entire threat surface.
