Information is now a core component of business differentiation, and both the value of that information and the ability to control it directly affect an organization’s financial performance and reputation. As businesses become increasingly dependent on technology to maintain operations, traditional stop-and-block Data Loss Prevention (DLP) approaches are no longer practical. Communication must continue to flow without disruption. At the same time, increasingly sophisticated cyberattacks are designed to evade detection, making strong security measures more critical than ever.
Fortra Email Security solutions help organizations address a wide range of vulnerabilities — from mitigating insider threats to protecting sensitive information and supporting compliance with data protection laws and regulations. Learn how Fortra’s Structural Sanitization and Document Sanitization technologies help safeguard organizations against active content, advanced persistent threats (APTs), and other hidden risks while enabling secure, compliant communication.
The Wider Demands of the CISO
The CISO serves as the steward of an organization’s information security strategy and must maintain a deep understanding of both internal and external threats to effectively protect against data breaches and cyber risks. At the same time, the CISO must ensure that the right technologies and processes are in place to make information accessible across the organization, enabling operational efficiency, collaboration, and business growth.
The rapid adoption of cloud-based collaboration platforms and social networking tools has expanded communication far beyond traditional channels such as email. Coupled with the widespread use of smart media devices (SMDs) and faster global connectivity, today’s information supply chain (ISC) extends across every corner of the world in real time. While this increased accessibility drives productivity and innovation, it also introduces new security challenges that organizations must carefully manage.
Attacks on organizations are becoming more sophisticated, with innocuous-looking documents and images becoming the carriers of targeted APTs on the way in, and tools for concealing critical information on the way out.
Fortunately, security technology has evolved alongside the threat landscape to help combat new cyber risks, but a traditional ‘stop and block’ data loss prevention (DLP) approach is not viable given our reliance on technology for business operations, as it hinders communication flow and organizational agility.
The protection and security of information is not solely the responsibility of the CISO. While the CISO may serve as the custodian of information protection, information owners across the organization — including HR, operations, sales, and marketing — are peers in this responsibility. Each of these leaders must take equal accountability for minimizing malicious or negligent access and ensuring the secure handling and sharing of critical information.
Defense Against Attacks
In the early years of digital collaboration, the primary security focus was on cyber-attacks by external actors such as hackers, script kiddies and cybercriminals, each using their skills to intentionally interrupt, damage or extract information or systems of a target organization. Since then, a major shift in focus has occurred. The insider threat is now more prevalent and makes up almost 60% of today’s information loss, so the information security focus is now on preventing information loss from the inside out. Whereas most external attacks are generally managed reactively, internal data breach risks can be mitigated more proactively, significantly reducing the amount of negligent and inadvertent unauthorized information sharing that causes breach incidents.
Fortra's Adaptive Redaction approaches the challenge of the ‘insider’ threat from two interlinked perspectives:
1. The technology builds on Fortra Data Loss Prevention (DLP) functionality and automatically and immediately redacts (removes) content that breaks policy, i.e. specific information that the sender should not be communicating or the recipient should not be receiving, reducing the risk of an internal policy breach. The rest of the content is sent rather than being blocked.
2. Upon redaction, the sender is sent an email informing them that the communication has been redacted. If the redaction is deemed unnecessary, the sender can immediately request that the content be communicated in its original format, or that a change request be made to the policy to ensure the content will not be blocked in the future. As well as protecting critical information, the automated feedback educates senders on policy so that they do not share unauthorized information in the future.
Relevant to point 2 above: most DLP technologies may inform the sender that their content has been quarantined, and in most cases no further interaction happens unless disciplinary action is involved, which in most cases penalizes the sender for something they had not been educated not to do. This stop-and-block approach is unproductive as it hinders communication flow and ultimately business operation.
Fortra offers a proactive approach to data loss prevention that protects individuals and the business from unauthorized information sharing, significantly reducing the number of outbound information breaches that the organization could experience. This allows the CISO and information security teams to focus their efforts on information security strategy and high-level projects, rather than spending their days dealing with false positives and system administration.
Compliance
An ever-increasing number of government and vertical industry bodies impose regulations to protect the data that businesses handle every day. It is widely accepted that non-adherence to these regulations can harm an organization financially as well as reputationally, damaging both business confidence and growth.
To help organizations immediately address compliance requirements while simplifying deployment, Fortra DLP, specifically its Adaptive Redaction technology, includes out-of-the-box policies and dictionaries that provide immediate coverage for Personally Identifiable Information (PII), Protected Health Information (PHI), and other sensitive data types. This enables organizations to more effectively meet data protection and regulatory compliance requirements, including:
- HIPAA (Health Insurance Portability and Accountability Act) (USA)
- Sarbanes-Oxley Act (USA)
- PCI DSS 4.0 (worldwide)
- GDPR (General Data Protection Regulation) (Europe)
- Federal Data Protection Act (Germany)
- Data Protection Act (France)
- NDB (Notifiable Data Breaches Scheme) (Australia)
- CCPA (California Consumer Privacy Act) (USA)
- PIPEDA (Personal Information Protection and Electronic Documents Act) (Canada)
- DORA (Digital Operational Resilience Act) (European Union)
Most organizational compliance policies address areas such as profanity, inappropriate content, and the unauthorized sharing of confidential information, including salary details, performance review data, and company strategy. Internal policy compliance breaches can occur across a variety of collaboration tools — such as email, social networks, and web platforms — each of which is typically distinct and, in most cases, not integrated with the others.
DMARC Email Authentication
A challenge that organizations continue to face involves the complexity of today’s email channel. Driven by the addition of new cloud-based email services, the acquisition of new companies, or the set-up of unauthorized email servers by shadow IT, an organization’s “email identity” is constantly changing. This creates both a security risk when unauthorized email is sent on behalf of that organization’s brand, as well as a potential business problem if legitimate email is blocked from getting to customers.
Luckily, Fortra DMARC protection can automate DMARC email authentication and enforcement for organizations to prevent brand abuse and protect customers from costly phishing attacks by:
- Improving customer trust by protecting your brand from being used in phishing attacks;
- Accelerating DMARC enforcement and decreasing time to reject by automating implementation;
- Maximizing marketing efficacy and improving email engagement with trusted communications;
- Reducing operational costs associated with email channel management.
Besides helping to ensure seamless delivery of business email as well as inbound enforcement, DMARC helps keep your organization compliant. Most recently, Google and Yahoo changed their requirements so that organizations that are bulk senders must have DMARC authentication set up.
Ease of Use
Residing within the content-aware data loss prevention category, commercially available DLP solutions have not changed architecturally for the past 10 years. Their intent is to stop information being leaked out of an organization via policy-based policing that quarantines the content for review by a security analyst after a policy violation. Unfortunately, traditional DLP is known for its false positives, which have meant inappropriate delays through the ‘stop and block’ approach, which in turn affects business collaboration and the timeliness of business operations. Anything that stops business fluidity is bad, so all too often DLP solutions become shelf-ware, never being deployed or realizing the true business value they create.
Addressing the bi-directional removal or amendment of information within a document or image file, email message, or web posting as part of a critical information asset protection strategy, this technology ensures that the communicated content meets organization policies for information security. The automatic removal of hidden content (sanitization) and the removal of sensitive content (redaction) combine to provide an advanced data loss prevention strategy, utilizing existing DLP policies (if applicable), minimizing time to implement and creating a timely return on investment. In essence, it strips out sensitive data that could break policy and leaves the rest intact to continue on to recipients.
The award-winning, patented, adaptive redaction functionality is integrated into Fortra's on-premises Email and Web Gateway solutions, with solutions available to address:
- Enhancing Existing Web Security Infrastructure: Integrated with the Blue Coat ICAP solution (ProxySG) and the F5 ICAP proxy, the Adaptive Redaction functionality is provided within the Fortra Secure ICAP Gateway that enhances existing web proxies and their clients with advanced critical information protection
- Internal Email Security: Integrated alongside the Microsoft Exchange Server, the Fortra Secure Exchange Gateway provides advanced DLP and Adaptive Redaction capability for internal email collaboration, identifying and redacting critical information assets before unauthorized communication can occur.
All of these solutions are capable of bi-directional Adaptive Redaction (on inbound and outbound traffic), based on policies created by the administrator and performed automatically without any manual intervention. Only a fully-automated solution can be trusted to provide consistent and effective protection. Commercially sensitive information (intellectual property or business plans), national security concerns (such as planned projects or operations), and/or legally restricted assets (NIN, tax information, etc.) can all be protected from being uploaded and/or sent outside the organization through redaction.
As only the policy identified critical information is removed, the rest continues unhindered, enhancing business continuity through sharing information without breaking corporate, legislative, or regulatory requirements. For example, if an email is sent with personal or financial information, the Fortra Secure Email Gateway appliance will remove/redact the information asset and replace it with asterisks, then send the new ‘redacted’ communication, allowing the business to continue interactions while safeguarding critical information in real time with no quarantine required.
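The redact-and-forward behaviour described above, sketched as an added example (it is not Fortra's code or policy engine). It assumes a hypothetical policy that treats Luhn-valid payment card numbers as the critical information; the function names and the sample message are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, int]:
    """Replace each Luhn-valid card number with asterisks; keep everything else.

    Returns the redacted text and the number of redactions, which a gateway
    could use to decide whether to notify the sender.
    """
    count = 0

    def mask(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group())
        if not luhn_valid(digits):
            return match.group()        # fails the checksum: leave intact
        count += 1
        # Mask digits only, so separators and message layout are unchanged.
        return re.sub(r"\d", "*", match.group())

    return CANDIDATE.sub(mask, text), count


# Constructed sample message; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = (
    "Hi Sam,\n"
    "Please charge card 4111 1111 1111 1111 for order 1234567890123456.\n"
    "Invoice attached.\n"
)

if __name__ == "__main__":
    body, n = redact(SAMPLE)
    print(body)
    print(f"{n} item(s) redacted; message is forwarded, not quarantined")
```

The checksum step is what keeps the order number in the sample from being masked, which is the false-positive problem the stop-and-block discussion refers to.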
Our Adaptive Redaction solution supports hundreds of file formats, ensuring sensitive information is protected across all digital collaboration channels. Whether data is shared through email messages, documents, images, or HTML files, the solution inspects information in transit and automatically redacts sensitive content to help prevent unauthorized exposure.
It is also capable of two other operations that remove the risks found in hidden content – Document Sanitization and Structural Sanitization. Traditional methods for sanitizing information in communications and files typically rely on manual inspection or the use of built-in application tools, such as the “Inspect Document” feature in Microsoft Word. However, these approaches depend on users remembering to perform the task, leaving room for human error or intentional bypass.
Sanitization functionality automates this process to ensure consistent protection by removing hidden sensitive metadata — including author names, tracked changes, comments, and other embedded information — as well as active content that could be used to deliver malware into a corporate network.
Structural Sanitization
Active content exists everywhere. Its purpose is to provide the user with a more interactive experience, either on the internet or within a document. Hackers, however, embed their own active content into either purpose-built or compromised documents and files – for example in HTML and Office documents to be downloaded, or in PDF and image files distributed as email attachments. Since the active code rarely affects the content, it is good practice to simply remove it. Infection of the corporate network by advanced persistent threats (APTs) is a CISO’s nightmare, and embedded active content is the most common way to deliver them. Removing the active content removes the threat.
Structural sanitization policies are most frequently used on incoming content, so that documents and files downloaded from the web or sent through email can be secured against embedded malware. Deploying structural sanitization policies will automatically reduce the risk of targeted attacks, such as phishing or ransomware campaigns, being successful by removing the delivery mechanism: the active content.
Outgoing documents can also have structural sanitization applied, for example in stripping macros from financial spreadsheets, where the macros are the intellectual property or secret sauce for the organization.
Document Sanitization
Most documents and files contain hidden data that is often sensitive. This could be in the document properties, which can disclose both the author and the true date of the document; or in tracked change histories, which can leak sensitive data that the author or authors believe they have removed – such as project details, new product names and prices.
For example, the Australian Federal Police Department experienced a data breach because a document containing ‘hidden’ metadata information about the subjects of criminal investigations was made public and the critical information was subsequently found. Other examples of sensitive information being exposed in metadata that could have been mitigated by Fortra’s Adaptive Redaction technology have been experienced by some of the largest global companies and agencies, such as Merck and the British government.
- Merck: Metadata revealed that the company deleted vital information concerning the arthritis drug Vioxx, resulting in users having false information on heart attack risk associated with taking the drug.
- British Government: Released a dossier titled “Iraq: Its Infrastructure of Concealment, Deception, and Intimidation.” The government says the dossier is based on high-level intelligence and diplomatic sources and was produced with the approval of Prime Minister Tony Blair. Unfortunately, the dossier still held the original properties from a September 2002 article by university student Ibrahim al-Marashi.
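A check for the hidden data and active content discussed under Structural Sanitization and Document Sanitization, as an added example (not Fortra's implementation). It inspects an Office Open XML package for macro storage, comments, tracked changes and author properties; `audit_ooxml`, `is_clean` and `build_sample` are hypothetical names, and the sample file is constructed inline.

```python
import io
import re
import zipfile

# Package parts that carry active content or hidden data in OOXML files.
ACTIVE_PARTS = ("vbaProject.bin",)                  # VBA macro storage
COMMENT_PARTS = ("word/comments.xml",)
TRACKED = re.compile(rb"<w:(ins|del)\b")            # tracked insertions/deletions
PROPS = re.compile(rb"<(dc:creator|cp:lastModifiedBy)>([^<]+)<")


def audit_ooxml(data: bytes) -> dict:
    """Report hidden metadata and active content found in an OOXML package."""
    findings = {"macros": [], "comments": False, "tracked_changes": 0,
                "properties": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith(ACTIVE_PARTS):
                findings["macros"].append(name)
            elif name in COMMENT_PARTS:
                findings["comments"] = True
            elif name == "word/document.xml":
                findings["tracked_changes"] = len(TRACKED.findall(pkg.read(name)))
            elif name == "docProps/core.xml":
                for tag, value in PROPS.findall(pkg.read(name)):
                    findings["properties"][tag.decode()] = value.decode()
    return findings


def is_clean(findings: dict) -> bool:
    """True when nothing hidden or active remains, e.g. after sanitization."""
    return not (findings["macros"] or findings["comments"]
                or findings["tracked_changes"] or findings["properties"])


def build_sample() -> bytes:
    """Constructed, minimal stand-in for a .docm file (not a valid document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml",
                   "<cp:coreProperties><dc:creator>J. Doe</dc:creator>"
                   "<cp:lastModifiedBy>A. Smith</cp:lastModifiedBy>"
                   "</cp:coreProperties>")
        z.writestr("word/document.xml",
                   '<w:document><w:p><w:del w:author="J. Doe">'
                   "<w:delText>Project Falcon price 40</w:delText></w:del>"
                   '<w:ins w:author="J. Doe"><w:t>TBD</w:t></w:ins></w:p>'
                   "</w:document>")
        z.writestr("word/comments.xml", "<w:comments/>")
        z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_ooxml(build_sample())
    print(report, "clean:", is_clean(report))
```

Run against outgoing attachments, the same report shows whether deleted text is still recoverable from tracked changes, the leak path the examples above describe.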
Document sanitization is frequently applied as a policy for documents leaving an organization to ensure that there is no hidden information that might be found and come back to bite the sender in the form of a data breach or an embarrassing situation. Many industries have differing requirements for the movement and collaboration of critical information assets. If the policy of the organization is not to utilize blocking or redaction of sensitive data or IP, there is an option to create a policy within Secure Gateway to encrypt the message and/or attachments after they have been scanned and found to contain critical information.
Some DLP solutions have encryption built in; however, not all governments and organizations use the same encryption standards. Fortra supports all of today’s common industry-standard encryption technologies, including TLS, S/MIME, PGP, password-protected zips, and portal-based encryption. The choice of encryption is policy-based according to the recipient, making it transparent for the sender and removing operational overhead and any concerns around interoperability, giving clients the assurance that their critical information assets are securely shared with other organizations without the risk of data breaches.
Centralized Management
Adaptive Redaction technology resides on each of the Fortra Secure Email and Web Gateway instances to ensure both availability and scalability. All solution instances can be peered, creating resilient processing groups, and their centralized management is provided by a modern, user-friendly web-based user interface (UI). A granular authorization architecture, which is integrated with LDAP or Microsoft Active Directory, enables system administrators with different privileges to perform different system tasks such as policy definition, message management (quarantine), reporting and system monitoring.
Fortra solutions can be peered to share policies from a single UI. For example, a customer might have two on-premises Secure Email Gateways, two Secure Exchange Gateways and three Secure Web Gateways servicing up to 5,000 clients. Policy across the entire solution ensures consistency.
Total Cost of Ownership (TCO) & Return on Investment (ROI)
Fortra's Adaptive Redaction feature provides two levels of TCO and ROI:
1. Immediacy: Organizations can install the standard system with pre-defined policies, which include standard dictionaries and tokens, within 30 minutes, immediately redacting content that breaches these policies. This level of immediacy can also be implemented in ‘Watch mode’, where potential breaches that result in quarantined data are reported on by automatically routing through LDAP/MS Active Directory, rather than any brash action being taken. This provides a level of visibility into potential policy breaches, enabling fine-tuning of policies before they're enforced. Pre- or post-implementation engagements create more sophisticated policy definitions which can be applied to protect unique critical data, like IP, and minimize ‘false positives’. This automated education will be received by those inadvertently breaching policies via feedback mechanisms.
2. Risk Mitigation: A breach of policy that causes critical information assets to be accessed or shared by an unauthorized individual can result in financial and reputational penalties. As an example, when Stoke-on-Trent City Council were fined £120,000 by the Information Commissioner’s Office (ICO) for sending ‘Care Order’ information about a juvenile to the wrong person, the Adaptive Redaction technology would have stopped this sensitive information being sent to unauthorized recipients, preventing the breach from happening and subsequently saving the £120,000 fine, plus the costs incurred to manage the incident. Organizations can further determine the ‘Risk Mitigation’ TCO/ROI by using policy breach reporting and applying it to examples that are freely available, identifying financial penalty savings and potential reputational damage.
Summary
In today’s rapidly evolving business environment, organizations must adopt automated technologies such as Adaptive Redaction as a strategic approach to managing the growing demand for authorized information sharing while maintaining control over the information supply chain. While security risks were once viewed primarily as external threats, organizations must now also address insider risks and hidden threats embedded within documents and shared content.
Adaptive Redaction is designed to support secure, continuous collaboration across all communication channels by protecting sensitive information without disrupting business operations. By intelligently identifying and managing sensitive content, it enables organizations to share information confidently while strengthening security, reducing risk, and supporting compliance requirements.