This column is available in a weekly newsletter called IT Best Practices.
Yuval Eldar of Secure Islands Technologies can relate to his customers' needs. Before starting up Secure Islands, Eldar was an R&D manager at a large security company, and an employee in his group stole source code that Eldar describes as "the crown jewels of the company."
The traditional security measures in place throughout the company were not enough to prevent the theft of important intellectual property. Eldar concluded that the only thing that could have prevented this insider theft was to embed protection in the source code file itself at the moment the file was created, rendering it undecipherable to anyone not specifically authorized to view it. That conviction led him to a new approach to data security, and to his new venture as co-founder and CTO of Secure Islands.
Eldar calls the concept of applying protection directly to the file at the moment of creation "data immunization." Security attributes are embedded in the file itself by means of persistent encryption; among them is information about who may legitimately access the file and what entitlements they have. The protection stays with the file throughout its lifecycle, from creation through consumption, collaboration, storage and even archival, and it is independent of the infrastructure where the file was created or currently resides.
The first step is to determine what data needs to be protected and where it originates. No company needs to protect everything, so the solution is modularized by data source. Secure Islands' product, IQProtector, can work on multiple data sources: endpoints (e.g., PCs and mobile devices); applications (e.g., Exchange, SharePoint); cloud services (e.g., Box, Dropbox, Salesforce); and storage and archival repositories (e.g., NAS, SANs).
Once the company has determined what files to protect, IQProtector's data handling follows three stages:
- Interception – Interceptors throughout the organization catch data as it is created or enters the organization, and submit it for classification.
- Classification – The data is analyzed by multiple configurable criteria including content, usage, data type, and source, and tagged according to a configurable policy.
- Protection – According to policy, IQProtector protects the data by encrypting it and embedding usage rights in it, and determines whether access to the data is allowed or not.
The interception stage uses agents to grab unstructured data as it is being created or, in the case of cloud services, as it enters or leaves the application. The Interceptor submits the data to IQProtector, which adds the protection required by policy; when the protection step completes, the Classification and Protection (C&P) server returns the protected data to the Interceptor.
On endpoints and servers within the organization, the Interceptor is bundled with a C&P engine into a local IQProtector Agent that performs all three stages. In other cases, such as Microsoft Exchange and some other server applications, only Interceptors are deployed at the data location and the classification and protection work is done by a C&P server, as shown in the graphic below.
All C&P engines (C&P servers and Agents) communicate with a central IQProtector server, from which they periodically retrieve policy updates and to which they submit logs. The IQProtector server uses a central SQL server database and provides a web-based user interface for policy management, usage discovery, auditing, anomaly detection and big-data analytics.
Secure Islands says no integration with the existing IT infrastructure is necessary. "The solution wouldn't scale well if companies had to perform integration to get IQProtector to work with each service or application it uses," Eldar says. Instead, the interceptor agents grab data as it enters or leaves the various sources. "This solution can tie into any application," Eldar says. "It could be SharePoint, Salesforce, SAP—it doesn't matter what application. We just tie into the application itself and IQProtector protects files going into and out of the certain point."
Secure Islands draws on an organization's directory service, IAM system and usage-rights systems to build the policies that govern who can access which files. For example, if a person already has the right to access certain data in, say, Salesforce, IQProtector incorporates that right into the policy that protects the data.
An organization that deploys IQProtector gets immediate protection of all files created after the implementation. To cover files that existed before the implementation, Secure Islands provides a scanner module that scans existing repositories and applies classification and protection according to the company's policies.
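To make the intercept, classify and protect flow above concrete, here is an added example (written for this column, not Secure Islands' code) that reduces the three stages and the embedded-rights envelope to a self-contained script. The classification rules, the user list, the per-user keys and the sample files are all constructed for the illustration; in a real deployment the rules would come from the central policy server and the keys and entitlements from the directory/IAM system. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, chosen so the script runs on the standard library alone; a product would use an AEAD such as AES-GCM and a key server.

```python
import copy
import hashlib
import hmac
import json
import os
import re

# ---- Stage 2: classification -------------------------------------------------
# Constructed policy: ordered rules, first match wins. A real deployment loads
# these from the central policy server; the patterns here are only examples.
RULES = [
    ("secret",   lambda source, text: source == "git"
                 or re.search(r"\bSSN:\s*\d{3}-\d{2}-\d{4}\b", text) is not None),
    ("internal", lambda source, text: source in ("sharepoint", "exchange")),
]

def classify(source: str, content: bytes) -> str:
    """Tag a file by its source and content; 'public' when no rule fires."""
    text = content.decode("utf-8", errors="replace")
    for tag, matches in RULES:
        if matches(source, text):
            return tag
    return "public"

# ---- Stage 3: protection -----------------------------------------------------
# Who may open each class of file and with what entitlement. In the product
# these come from the directory / IAM system; here they are constructed.
RIGHTS = {
    "secret":   {"alice@corp.example": ["view", "edit"],
                 "bob@corp.example":   ["view"]},
    "internal": {"alice@corp.example": ["view", "edit"],
                 "bob@corp.example":   ["view", "edit"],
                 "carol@corp.example": ["view"]},
}
# Per-user key-wrapping keys (constructed; a real system keeps these in a key
# server/HSM that releases them only to an authenticated agent).
USER_KEYS = {u: hashlib.sha256(b"demo-user-key:" + u.encode()).digest()
             for u in ("alice@corp.example", "bob@corp.example",
                       "carol@corp.example", "mallory@evil.example")}

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF stream HMAC-SHA256(key, nonce || counter). Demo cipher only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(content_key: bytes):
    """Separate encryption and MAC keys derived from the per-file content key."""
    return (hashlib.sha256(b"enc" + content_key).digest(),
            hashlib.sha256(b"mac" + content_key).digest())

def protect(source: str, content: bytes) -> dict:
    """Intercept + classify + protect one file; returns a self-describing envelope."""
    tag = classify(source, content)
    if tag == "public":                      # policy says there is nothing to protect
        return {"header": {"tag": tag}, "body": content.hex()}
    content_key, nonce = os.urandom(32), os.urandom(16)
    header = {"tag": tag, "nonce": nonce.hex(),
              "rights": copy.deepcopy(RIGHTS[tag]), "wrapped": {}}
    for user in header["rights"]:            # wrap the content key once per entitled user
        ks = _keystream(USER_KEYS[user], b"wrap:" + nonce, 32)
        header["wrapped"][user] = _xor(content_key, ks).hex()
    enc_key, mac_key = _subkeys(content_key)
    body = _xor(content, _keystream(enc_key, nonce, len(content)))
    hdr = json.dumps(header, sort_keys=True).encode()
    # Encrypt-then-MAC over header AND body: the embedded rights are authenticated.
    mac = hmac.new(mac_key, hdr + body, hashlib.sha256).hexdigest()
    return {"header": header, "body": body.hex(), "mac": mac}

def open_file(env: dict, user: str, action: str) -> bytes:
    """Consumption: release plaintext only to a user entitled to `action`.
    PermissionError if not entitled; ValueError if the envelope was altered."""
    header = env["header"]
    if header["tag"] == "public":
        return bytes.fromhex(env["body"])
    if action not in header["rights"].get(user, []):
        raise PermissionError(f"{user} has no '{action}' right on a {header['tag']} file")
    nonce = bytes.fromhex(header["nonce"])
    content_key = _xor(bytes.fromhex(header["wrapped"][user]),
                       _keystream(USER_KEYS[user], b"wrap:" + nonce, 32))
    enc_key, mac_key = _subkeys(content_key)
    body = bytes.fromhex(env["body"])
    hdr = json.dumps(header, sort_keys=True).encode()
    expected = hmac.new(mac_key, hdr + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["mac"]):  # edited rights, edited body or wrong key
        raise ValueError("envelope header or body was modified")
    return _xor(body, _keystream(enc_key, nonce, len(body)))

def tamper_adds_self(env: dict, intruder: str) -> dict:
    """Attacker edit: grant themselves 'view' in the rights embedded in the file."""
    forged = copy.deepcopy(env)
    forged["header"]["rights"][intruder] = ["view"]
    forged["header"]["wrapped"][intruder] = "00" * 32
    return forged

if __name__ == "__main__":
    env = protect("git", b"int main(void) { return 0; }")   # constructed sample file
    print(env["header"]["tag"], open_file(env, "bob@corp.example", "view"))
```

Two things the script shows that the description alone does not. First, because the MAC key is derived from the content key, an outsider who edits the embedded rights to add themselves cannot re-authenticate the header, so the forged copy is rejected rather than opened. Second, the "view" versus "edit" distinction is enforced by the consuming agent, not by the mathematics: an entitled viewer holds the content key once the file is open, so keeping a view-only user from re-wrapping or exporting the plaintext depends on the agent and key server, and an attacker who controls an entitled user's endpoint reads whatever that user can read.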
The product is gaining traction with large enterprises that hold sensitive information. One customer, Credit Suisse, was sufficiently impressed that it persuaded Credit Suisse NEXT Investors to become a leading investor in the company.
Eldar points out that his solution could have been used to prevent a lot of the damage in the Sony Pictures Entertainment breach. "That company took a lot of heat for embarrassing email messages being made public. Had they used IQProtector to protect those messages, they would not have been decipherable by the hackers who posted them to public websites." Yes, and perhaps former co-chairman Amy Pascal could have kept her job instead of resigning in disgrace after her embarrassing and offensive private messages were made public. The practical caveat is that persistent encryption protects messages as they sit in a mailbox, a backup or a stolen archive; wherever an entitled user opens them, the content is in the clear, so an attacker who controls that user's endpoint or session still reads it.