Learn how RightsWATCH is unique in its ability to dynamically enforce an organization’s information security and control policy on all types of unstructured data, at the point it’s created.
1. This digital information may include confidential e-mail messages, strategic planning documents, financial forecasts, contracts, dynamic, database-driven reports, and other sensitive information.
3. Intricate and unclear data classification strategies that aren’t understood by users and end up never being used in the real world; PLUS the classification requirements, many times, don’t take into consideration the business impact and the volume of legacy data present in the organization.
3. The widespread use of laptops and mobile devices adds difficulties in controlling what happens to the data
4. A growing list of legislative and regulatory requirements adds to the ongoing task of protecting digital files and information
Organizations need to control and protect their sensitive and confidential information against information leakage, by dynamically applying a pre-defined Information Control Policy to all types of unstructured information (emails, documents, spreadsheets, presentations, etc.) as that information is created.
Data classification should be established by setting a core set of principles regarding the proper use, handling and applicability of various protection profiles for each data category.
To successfully implement a policy-driven classification process, your organization must know its data, and for that it must answer a few questions…
Data Classification & Labelling: all sensitive data must be classified and labelled according to corporate security policy
This means that it’s put into its appropriate category depending on its criteria
This could be based on Content, Context and Metadata
Once it falls into a classification, it should be labelled appropriately with headers, footers, watermarks, legal jargon, etc. to protect the organization
It should also have its metadata tagged to allow tracking and forensics
2. Legacy Data:
Not only current files, but also existing legacy files need to be classified according to the company’s defined information security policy
3. Data Loss Prevention:
Apply data-centric policies to files and emails to educate users and prevent violations of corporate policies, and have the ability to work together with other DLP systems that might already exist in the corporate network
4. Rights Management:
Enforcing role-based access control policies over files, anywhere
- Role-based policy rules (RBPR) applicability allows a corporation to “escape” the limitations of a “one-type-fits-all” approach to policy rules. Leveraging RBPR will have the appropriate policy rules applied to the data depending on the organizational unit, project and/or department to which the user belongs.
5. Mobile Devices:
Keeping sensitive information safe in a BYOD world is a must in today’s world, so there is a need to extend Information Protection & Control to Smartphones and Tablets such as iPhone, iPad, Android and BlackBerry platforms…
6. Data Analytics:
Ability to provide a comprehensive audit trail for forensic analysis and clear demonstration of compliance, together with Security Information and Event Management tools, to correlate events and generate dashboards, alarms and reports, knowing in real time who is doing what, when, and how with classified information.
1. By classifying data automatically right at the point of origin, the risk is mitigated and the proper treatment of that information can be applied by users throughout the data lifecycle.
2. Leveraging content and context scanning automation, RightsWATCH’s policies allow the automatic update of the classification of files after a specified date in the future. This is particularly interesting in situations in which classification levels are related to projects/initiatives that have an expiration date and/or whose sensitivity decreases/increases after a specific day in the future.
3. and 4. While increasing user and organizational awareness for the value and sensitivity of data, RightsWATCH significantly reduces corporate liability in the event of breach or exposure by delivering a comprehensive audit trail for real-time data analysis and data intelligence, and helps make sure you are compliant with a variety of Governance, Risk and Compliance (GRC) requirements, like:
HIPAA - US Health Insurance Portability and Accountability Act
ISO 27001
PCI Compliance - Payment Card Industry Data Security Standard
UK Government Security Classifications (GSC)
Etc…
Explain the data classification process (automatic & user-driven) and the labelling (marks & tags) capabilities of RightsWATCH.
Refer to the consistent interface of RightsWATCH across all platforms (Outlook, Office, PDF…)
ITA gives the possibility of automatic file re-classification:
-> ITA allows automatic update of the classification of Microsoft Office files after a specified date in the future
ITA:
1. The IT Manager defines the allowed options and permissions for any given level, scope and user role, according to corporate policies
2. The user is able to define the ITA time frame for a given file, according to corporate policies
-> ITA is particularly interesting in situations in which classification levels are related to projects/initiatives that have an expiration date and/or whose sensitivity decreases/increases after a specific day in the future
-> ITA applies only to and from non-RMS encrypted levels of classification
How does RW address the Legacy data issue? All that unclassified pre-existing data on users’ desktops, shared network drives, or cloud-based drives.
This can be done in 2 ways: GP Client and GP Server
There is a third way, that we call:
Global Protector Web that enables the automatic classification of files, based on the defined content and metadata aware policy rules.
The RW GP Web is a software component that is installed on an IIS - Internet Information Services web server, and operates independently of any agent and/or plug-in (COM Add-on) running on the endpoint.
So, MS Office files are classified when “leaving” (i.e. being exported/downloaded from) the web server, with the process being completely “transparent” to the end user.
Warning Policy Rule: An alert is shown for user educational and training purposes. The user will be able to save the file or send the email
Blocking Policy Rule: An alert is shown to the user and, independently of the chosen classification level, the file won’t be able to be saved or the email won’t be sent
RightsWATCH adds visual labels to enforce corporate policies, educate users with visual clues and prompts to protect the company from a legal and compliance perspective.
Digital fingerprint can also be tracked as metadata, as RightsWATCH adds the RMS unique identifier to the metadata of emails, MS Office files and PDFs to leverage “downstream” technologies (e.g. a DLP, an email gateway,…).
Tagging for DLP:
Combining RightsWATCH and DLP enables enterprises to have mechanisms to discover information, monitor its flow and protect it to prevent leakage, to ensure compliance with information security and access policies, and to maintain an audit trail for control and compliance.
By classifying and labelling unstructured data at creation, RightsWATCH vets the unstructured data with the enterprise’s document management policies, thus the DLP can implement precise and deeply content-aware decisions about an asset (document, email, …).
Combining RightsWATCH classification with a Data Loss Protection system allows enterprises to:
Remind users of information management policies as the information is created;
Enforce the policies – tag, watermark, append headers, add metadata – before the data leaves the endpoint;
Track where and what type of unstructured data is being created, and by whom;
Streamline information classification and protection across the extended enterprise (BYOD).
Here is an example of RW enforcing role-based access control policies.
In this case, when a user tries to send internal information by email to an external user (a Gmail account):
RW detects that some recipients might not be able to open the email and access the attached information because they do not have permissions to do so;
RW presents the user with 3 options:
Option 1) Remove the recipient from the recipients list, and then send the email
Option 2) Downgrade the classification level of the email, so that all recipients are able to open and read it
Option 3) Ignore the warning and send the email anyway, however, the user with the Gmail account will not be able to open it
MDM solutions allow IT to leverage existing enterprise resources such as email, content repository, security certs and identity management, and enable the use of both corporate-owned and employee-owned devices in the enterprise.
RW adds to this by managing the data itself on the device, by classifying it, enforcing role-based access control policies and being able to perform remote kill access on-demand
Single Sign-on and PIN Authentication - Users need only enter a single secure password (or PIN) to gain access to all MDM enabled apps.
Automatic App Configuration for Users – Distribute mail login and server URL information centrally via MDM. When RightsWATCH is first deployed, users are not required to enter complicated email configuration information.
AppTunnel Integration – Secure, app specific VPN connectivity over SSL that is invisible to the user
Secure Data Removal - If a phone is lost or stolen, the app and all its data can be selectively wiped
Device Pinning – Only allow corporate users to log on to an App on a device that is authorized by the MDM.
RightsWATCH has a monitoring interface that allows for Logging, Audit Trails, Forensics and Damage Control actions:
With a Content Rich Database
All-in-one Centralized Management
Scalable Architecture
Secure Implementation
Comprehensive Audit Trails
Information Tracking for Forensic Analysis
On top of this, it also supports and integrates with SIEM tools, so for example:
- Enterprises running RightsWATCH and Splunk® are able to leverage Splunk® to correlate events and generate dashboards, alarms and reports, knowing in real time who is doing what, when, and how with classified information.
RW currently supports Splunk®, which leads the market in providing tools to search, monitor, and analyze machine-generated big data
To do this, RightsWATCH delivers a manual on how to integrate both tools and a configuration file that allows the SYS Admin to have predefined metrics and analytics shown in the SIEM interface
Further support for other SIEM tools (such as ArcSight (from HP), QRadar (IBM), PowerBI (Microsoft), etc.) is already planned for future releases
CISOs and SYS Admins need to:
1. Design a simple information security model, easy to understand, implement and apply. With levels of classification for sensitive information applicable to structured and unstructured data (for example: Public, Internal, Confidential and Secret)
2. Support data classification initiatives with the necessary policies, processes and tools to achieve the project's objectives
3. Make sure that your data classification process and tools take into consideration your data’s lifecycle and that they are able to accommodate possible classification changes
4. Address your business needs, like legislative and regulatory compliance, with clearly defined project scopes