With over 66,000 customers protecting over 4 million devices, DeviceLock stops data leaks at the source. DeviceLock software provides endpoint data leak prevention (DLP) in situations where users are docking mobile devices like smartphones, tablets or USB sticks to endpoints like laptops or desktops. In addition, DeviceLock software can prevent data leaks via network and cloud-based storage as well as social networks such as Twitter, Facebook, Google+, Tumblr, Skype and many others. Established in 1996, DeviceLock, Inc. has a vast range of corporate customers including financial institutions, state and federal government agencies, classified military networks, healthcare providers, telecommunications companies, and educational institutions. Based in San Ramon, California, DeviceLock, Inc. is an international organization with offices in London, Düsseldorf, Moscow and Milan.
Golden Bridge: How does the Bring Your Own Service (BYOS) movement the use of cloud services such as file sync services and mobile file sharing impact compliance and data protection?
Vladimir Chernavsky: At this point in the evolution of these services, if an organization with compliance requirements is letting employees/ contractors with simultaneous access to sensitive corporate data (intellectual property, PII, medical/HR records, financials, PCI, etc.) while also having the ability to use random cloud based file sync or sharing services (BYOS) from within the network, that organization is doomed to lose sensitive data and being out of compliance unless they have a very stringent data leak prevention (DLP) enforcement policy and solution in place. Moreover, if BYOD is added to an undeterred BYOS model, it doubles the risk of loss. Unless, of course, all organizational data/apps these mobile devices access (including web browser, email client, Skype, or other instant messengers) to do work for the organization are secured and hosted internally with proper access, contextual, and content filtering controls should any attempt to send/move/copy/print the data occur. Current MDM and MEM solutions on the devices are simply not enough, as none do data content filtering or have granular enough controls to allow use of the BYOD-based browser/email/etc. apps with sensitive corporate data. Endpoint DLP, implemented in a hosted virtualized Windows session framework along with the published apps/data described above for use by mobile/remote users, would again mitigate the potential damage. It is certainly feasible to secure a BYOS and BYOS/D scenario while providing the flexibility and mobility the users want, but DLP must be part of the solution and implemented properly with data security the number 1 priority, and user flexibility 2nd.
With over 20 years in the software industry, Mr. Chernavsky served as founder and chief executive officer of Kaspersky Labs Customized Solutions, Inc. He also served as Commercial Director of Kaspersky Labs where he was instrumental in building their U.S. business from the ground up. He contributed significantly to Kaspersky becoming the major player that it is today in the IT security market. He holds a Masters Degree in Marketing from Moscow State University of Economics, Statistics and Informatics in 1998.
Golden Bridge: How can you police your data if you don’t know where it’s stored?
Vladimir Chernavsky: Limited to the parameters of the question, you simply cannot police stored data if the genie is out of the bottle with use of random BYOS services by employees with access to sensitive data…or BYOD devices using native phone or tablet apps for that matter. The established SaaS providers like SalesForce, Workday, etc. make it clear that your customer, HR, or financial data is owned by you, even though they host it and the transactions made to it. They often have additional tools or services to monitor it. The same cannot be said for the cloud based file storage/sync services in many cases. Anyone can set up a file sharing account, and unless their use is blocked or mitigated by corporate firewall settings, DLP policies, or URL filters while they are on your network or if they are using devices that had data access at some point, there is going to be data loss. The best approach is to control as you can with the tools mentioned to handle new data transactions going forward, and then perhaps sign a corporate agreement with one of the file sharing providers to standardize on one service while blocking access to all others if these file access services are necessary for worker productivity. Of course, the ability for corporate IT administrators to have access to the user accounts and stored data under this scenario is paramount.
Golden Bridge: Businesses are aware of external hacking/APT attacks, but what other types of attacks are companies most vulnerable to?
Vladimir Chernavsky: A lot of budget money and IT sweat-equity have been devoted to preventing external threats to networks and data over the years, and by and large the perimeter security solution providers and their customers have done a respectable job if they remained diligent with the tools at hand. However, the prevailing causes of sensitive data loss are due to internal controls being lax or non-existent. Manning used a burnable CDROM at CENTCOM…Snowden allegedly used USB sticks while accessing SharePoint at NSA… These are easily preventable activities that can be thwarted or at least monitored significantly better by endpoint port-device control and DLP content filtering solutions that are properly configured for limiting access and auditing what access is allowed. All recent breaches with laptops being lost or stolen are ridiculous with today’s easily accessible disk encryption like TrueCrypt, BitLocker, or other commercial solutions. The controllable endpoint layer simply needs to be a higher priority in both budget and attention… and that now extends to BYOD phones, tablets, and uncontrolled laptops, which is a bit more challenging (see recommendation above).
Golden Bridge: For organizations that are not properly managing and securing their endpoints, what advice would you offer them?
Vladimir Chernavsky: As mentioned earlier, organizations really do need to pay more attention to securing the endpoint layer…and just throwing a cheap “Endpoint Protection Suite” on them from a traditional anti-virus provider is usually not enough. Data security requires deeper and more granular controls on endpoint data egress points while auditing and content filtering if allowing access is necessary for them to do their jobs. The ease of use of “plug-n-play” storage devices, email, web, WiFi, Skype, printing, copying to the clipboard, and many other apps and tools employees use to be productive are also the same routes by which data easily escapes… only a subset of those are handled by firewall or network perimeter security measures… even network-only DLP is not sufficient… The endpoint is the origin of most data leakage, whether accidental or on purpose, and it must be secured at its source… the same concept extends to VDI-based endpoints if they can do anything with data other than saving it back to the server.
Company: DeviceLock | San Ramon, 94583 U.S.A.