How to Protect Your Data with Layered Security

The Fortra Data Security Suite allows organizations to communicate and collaborate securely, safe in the knowledge that none of their sensitive data is being inappropriately shared with people inside or outside of the organization. In this session, we're going to take a look at how organizations such as yourselves can use the Fortra Data Security Suite to protect your sensitive data from both external and internal threats, avoid costly damage to reputation and legal fines all while ensuring that these protections don't become a barrier to legitimate business processes or incur high management overheads.

Now, to reduce background noise, we do have you all on mute. However, please feel free to use the questions panel to ask any questions as we go through the session. We'll have a section at the end to pick up any questions that we don't tick off as we're running through the session itself. After the session, if you have any further questions or if you'd like access to the recorded webinar, please feel free to email [email protected].

Agenda (02:10)

Just a bit of background about myself; my name's Nick Hogg. I'm one of the directors of technical training here at Fortra. I've been with the organization for over 16 years, and the majority of my time is spent with organizations like yourselves, helping them to understand how they can best use our Data Security Suite to address their data loss prevention and compliance requirements.

In terms of the structure of the session, we're going to start off by talking briefly about what makes data security quite tricky for some of the organizations we deal with. We'll have a look at some best practices we can put in place, the Fortra Data Security Suite, and how it can assist with those best practices. And we'll use a few data protection use cases just to help you see, in context, how you can use the various solutions within the suite. Before we round it off, we’ll touch briefly on our Fortra One vision for the future.

Now, we are going to focus predominantly on our Data Security Suite today, so all the icons in blue here. But don't discount our wider vulnerability, management, and offensive security solutions, because they can make up part of our larger picture when it comes to enforcing security around our sensitive data. Because with the Infrastructure Protection Suite, that essentially gives you the ability to run the scans that will identify the vulnerabilities in your systems or in your applications. And with that, you can then drill in and really start to understand which of those vulnerabilities are exploitable today, which maybe helps you to prioritize how to best address those.

We can go all the way to the full red team exercises, and we have services that can deliver that. But we also have our own software you can use to investigate what’s going to happen if somebody does try to breach one of these vulnerabilities to get your sensitive data so you can start to put in place some additional layers of protection to deal with those risks.

What Makes Data Security So Hard (04:11)

Let's start off then by talking about why data security itself can be so tricky for organizations. I think typically when we're talking to organizations about data loss prevention or compliance projects, their concerns fall into three key areas. The first of those is around stopping the external risks from getting into the organization. So, we’re asked, “how do we stop the ransomware/the spyware from getting into the business to steal our sensitive data or limit our ability to access our infrastructure and our data?”

Increasingly organizations are getting quite concerned about some of the very sophisticated phishing attacks that they're seeing that are trying to trick their employees into voluntarily sharing sensitive data outside of the organization or maybe paying a false invoice or something like that.

The second area organizations typically have the concerns around is with data loss prevention, and you can absolutely put mechanisms in place that will start to reduce the risk of the malicious insiders within an organization. But actually, when you look at a lot of the data loss events that occur, the majority of them are people just making a simple mistake. It's somebody clicking on the wrong name in Outlook autocomplete and sending some sensitive information outside of the organization to an inappropriate recipient. And you can absolutely put controls in place to start to mitigate those kind of accidental data losses.

The last area organizations have the concerns in is the overarching shadow of compliance. It's the GDPRs, it's the HIPAAs, the PCIs of the world that really are putting a lot more focus onto how we handle our sensitive information, how we share it internally and externally, and all the controls that we put around that.

We recently ran a survey of about 250 chief information security officers for financial services firms worldwide, and the results of that mirrored what we see anecdotally when we're talking to organizations. One of the key things that jumped out was the concerns around data visibility, and talking to the CISOs, it almost falls into two areas. The first of these is that, despite having the people and the processes in place that set out how sensitive data should be handled and shared as an organization, CISOs had concerns that they didn't have the full level of visibility that they wanted into all the data flows, repositories, and so on that would give them confidence that their employees are actually following those processes.

The second part of this, though, is it's almost information overload and getting too much data. What they're finding is their existing DLP and compliance suites are generating too many false positives, and that they’re overloading the compliance teams and the security teams. And their real concern is that they're potentially missing some of the real data risks against a background sea of noise. I think when we look at the traditional approach to data security, it's very focused around infrastructure control. But it doesn't matter how well locked down your data center is, how well controlled the access to the applications and the data is because, at some point, we have to give a certain subset of our trusted employees access to that data to do their job.

And that's where the risk of accidental data breaches creeps into play. So, I think ideally, we should be looking at how we can protect the data throughout its entire life cycle, from the point that it's created through the various mechanisms that we use to share it, all the way to the point that it's outside of our control and in the hands of our business partners, our customers, and so on.

What I want to do is move on to talk about a few data security best practices. Every organization we talk to, even those in the same vertical, often have some vastly differing sets of requirements when it comes to data security. So, there isn’t really a one-size-fits-all solution here, but I do think that there are some general best endeavors or principles that we can apply to start to mitigate some of these risks. And I really do believe that using a layered approach to our data security still makes a huge amount of sense, even as we move more and more of that data into the cloud. By using different detection and mitigation techniques, we can provide resilience for those instances when a system or a manual process becomes compromised because we have all of these other systems and mechanisms in place to catch the breach before it escalates into a full-on data loss or compliance event.

Now, we could easily talk at great length about each one of these layers and, maybe as you've seen from that earlier portfolio diagram, Fortra has a huge range of solutions that can assist all these different layers. But what I want to focus on for today's session is around the data security and the human layer. We often hear that people are the weakest link in any cyber security posture, but they can also be our greatest asset if we can work out how to use them most effectively.

I think people, processes and technology all play a key role when it comes to enforcing an effective data security strategy. Historically, vendors have been a little bit too keen to paint this picture that their solution is the complete answer to all of your data security requirements, but really that's just complete nonsense. There isn't a single silver technological bullet that's going to address all these requirements. But if we can get that balance right between the people, processes, and technology, using the technology as an electronic backstop for those times that the people and the processes maybe fail us, that's where I think we can get a much more effective wrapper of security around our sensitive data.

I think on the people side of things, these things always need to be driven from the top; they need to come from the CEO or the board level down, because if it's been driven by the CEO, then it's much harder for people within the organization to just assume that data security is somebody else's requirement. We can use training here to help people to start to understand that they should be handling sensitive data in an appropriate manner. What I would encourage with my training background is once-a-year, big security and compliance training events.

They're okay as a tick box exercise, but even with the best will in the world, unless somebody's job revolves around data security and compliance, nine, 10, 11 months after they've been through that training, can we really confidently say that security will be at the forefront of their mind? I think the most effective strategy I've seen has been a “little and often” approach. Maybe you just choose one topic a month to focus on, put out a short three-minute video or something like that focusing on phishing, ransomware, or whatever. And, if you can, put It in a context where it's not just “how is it relevant to the employee as part of the organization,” but “how do the same principles apply to their personal data and their own laptops and stuff at home” to avoid them falling for a phishing attack.

Training's effective, but people do still make mistakes and people don't always pay the most attention during the training. So, there are other things we can do to help identify areas where we need a little bit more education around. We can run simulated phishing tests with things like our PhishLabs products, where we can do a phishing run on the employees to understand who's maybe going to be a little bit more susceptible to certain types of attacks. And then you can do more targeted training around that.

But it's not just about formal training. If we look at things like data classification solutions, I think they are a very effective tool when it comes to subtly educating users over time. Because with visible markings, you can constantly remind them of the sensitivity of certain pieces of data that they're handling. If you can involve them in the classification process as well, then what happens over time is you see this trend where the number of data loss and compliance events will decrease because you've done that kind of subtle education.

With the process side of things, I think obviously we need to make sure that the processes are very easy to understand and very clear to remove any kind of room for ambiguity. But it sometimes feels, as an employee, you can feel that you're being dictated too and being told that you have to change how you're doing your job because of security or compliance. What I see that works quite effectively from our perspective when we're doing consultancy is when we're talking to organizations--when we're talking to departments within the organizations--it's actually just about understanding where they have problems today. If we can show them that we're going to give them a solution that will make their lives a little bit easier, and at the same time building their security and the compliance controls, then that's where you see the adoption of these solutions is much more successful.

And then the last piece there is our technology piece. And as I said, it's not your total answer here. It has to be a part of it. It has to be there to compliment the people. And in the event that maybe somebody makes a mistake, that's where the technology is your electronic backstop in the event that somebody doesn't follow a process or it’s a little bit too tricky to follow. Again, that's maybe where the technology comes into play to catch that event before it escalates into something much more severe.

When we approach our DLP projects and our compliance projects, we typically break them into three phases, and the first of these is around understanding what the sensitive data is. I think this is quite a useful step because when we can recognize that not all the data within an organization is created as equal, and when you can identify the sensitive data, then you can make sure that you are wrapping the appropriate security controls around that to ensure that that data can only be shared with the right people inside and outside of the organization. While at the same time, you don't throw any unnecessary barriers into the way of the employees that are going about the more legitimate day to day business processes.

Once you've identified that sensitive data, that's where you can start to put the controls into play to govern how that's been accessed, how it's been shared within the environment, how it's been shared outside of the organization to make sure that only the appropriate recipients are receiving it. And then lastly, we do have to recognize that we do have to share the sensitive data more and more outside of the organization as we outsource more services and so on. So that's where we can ensure that when we're sharing the appropriately, we can also use things like encryption within emails or Digital Rights Management to keep data in secure in transit, or keep data secure even once it's outside of our traditional network boundary in the hands of our users.

And there's a number of elements here that I think can really go into putting an effective set of controls around our sensitive information. We can use data classification to identify what that sensitive information is and involve the end users in the process. And once you've identified that sensitive information, you can use the DLP control within your email traffic at the end point in the Managed File Transfer in the web traffic to really start to hone in and ensure that that sensitive data is protected appropriately without those unnecessary barriers to the communications.

I think ransomware often gets a lot of attention, but actually it’s the humble phishing emails that are potentially the biggest problem for a lot of organizations. I think about 90%, 96% of phishing attacks still happen over the corporate mail systems, or at least the first approach happens over a corporate mail system. So, we can use our email security solutions to start to mitigate the risk of the phishing attacks coming into the organization or the ransomware, the spyware coming into the business over the mail system. But we can enforce the same policies across web traffic Managed File Transfer and all these other kind of contact points with the outside world.

We see Managed File Transfer is becoming more and more of a popular requirement for organizations because they might have compliance mandates that actually say, "Well, if you're sharing healthcare data, PCI, et cetera, et cetera, with the organization, it must be done using secure protocols and secure encrypted platforms and an encrypted data." I think MFT is brilliant because it gives you an easy-to-use mechanism or users to share files that are potentially too large to share over a corporate mail system with third parties. It also potentially gives you something where you might be a little bit concerned about--users putting things into cloud services--because maybe you have data sovereignty requirements where the data has to sit within certain geographical boundaries and the users maybe don't always appreciate where that data will actually live within the cloud.

So, something like an MFT system can give you the ability to deliver the equivalent of a Dropbox or a OneDrive service, but one that you own, that you have full visibility of; you can inject your DLP and your compliance controls into to make sure that if that's being used to share data, it's only being used to share data appropriately with the correct recipients.

And we'll also touch a little bit on some of the automation processes within MFT, because I think automation can be very powerful where it gives you the opportunity to potentially take humans out of the loop from those kinds of repetitive tasks. So it maybe frees them up to focus on other more value add tasks for you as an organization, but also by taking the humans out the loop, you reduce some of the room for error that the human can make there.

And then lastly, you have the Digital Rights Management piece. I think DRM is becoming more and more of a requirement for the organizations we talk to, because it could be that you need to share your intellectual property with a business partner, sensitive details with a business partner or customer, but you’re maybe concerned that that could then be forwarded on to somebody who shouldn't be able to access that data. So, with the Digital Rights Management, we don't just encrypt the data, but you can actually wrap access control lists to, say, who is able to access the data and permission lists to, say, what they can do with it.

Can they only view it for a week? Can they print it off? Can they edit it? So it really gives you a very fine-grain level of control of that information even once it's outside of the corporate network. And that could be if you're sharing it with remote workers and home workers where they're potentially accessing it on a personal device where you can't necessarily guarantee the integrity of that device. But also, it can be when you've shared something with a business partner and customer, and you just want to make sure that that can't then be forwarded on to an inappropriate recipient.

The Fortra Data Security Suite (19:44)

What I want to do now is move on and talk to you a little bit about the Fortra Data Security Suite and how it can be an integral part of your overall sort of data security and compliance policies. It's worth pointing out that just delivering a kind of comprehensive and a powerful suite to you is hugely important, but there's no point in us doing that if it's too hard for you to use it effectively. So, one of our key guiding principles is around operational simplicity. If we can deliver solutions to you that are easy to use and allow you to deploy flexible policies that don't get in the way of your employees doing their jobs, then you are so much more likely to see the good levels of risk mitigation that you're looking for.

And it's also worth stressing: the word suite can sometimes feel a little bit daunting, because it feels like you have to buy all the bits of that in order to get the benefit. But that is absolutely not the case here. We have designed our Data Security Suite to be entirely modular. So, you can choose those components that allow you to address the immediate business issues that you have alongside your existing infrastructure, projects, time scales, budgets and so on. But you can do that safe in the knowledge that in the future, if you choose to deploy additional solutions from Fortra, you can take advantage of the integrations between those different solutions to further enhance your data security and your compliance controls but do it in a way where maybe you're not increasing the management overhead or the end user manual processes and so on.

And we recognize that you will already have significant investments in third party solutions within your environment. So, we work very nicely alongside a whole host of these third-party solutions. If you're already using Microsoft 365, where you're using the sensitivity markings to enforce a classification policy within the organization, that's perfectly fine. We can use those Microsoft 365 sensitivity markings within our email security solutions, our MFT solutions, our DLP solutions to trigger policy elements within there.

If you have SIEM solutions like the Splunks and the ArcSights of the world, then again, we are well set up for passing the data around policy violations across to those solutions as well. Now, we're not saying that we're the complete answer here, but we do see that we can be this integral part of anyone's overall data security strategy, complimenting your processes and being there as a last line of defense in the event that one of your employees makes a mistake or doesn't follow a process. So you can use the data classification solutions to identify what your sensitive information is, where it lives within the network, and ensure that the right classification markings are associated with that data.

And then we can start to wrap the security controls around that data to ensure that it's only been shared with the right people inside and outside of the business. With the email security solutions, you can use those to guard against these external threats, the malware, the phishing attacks coming into the organization. But you can also use the integrated DLP capabilities there to look for the classification markings, to look for the sensitive words and phrases, and then start to enforce your DLP and compliance policies within the mail flow.

Our MFT solutions really are like a Swiss Army knife. They give you that kind of end user ad hoc-initiated file transfers for files that are potentially too large to email, where the mechanism to share the data, the platform, and the data itself are all encrypted. But because the DLP controls can plug in there, you can make sure that that doesn't become a vector for a data loss or a compliance event. You can also make sure that the MFT traffic doesn't become the way for malware or ransomware to get into the organization.

The data loss prevention side of things, one of our more recent acquisitions, is Digital Guardian and they're such a powerful tool from a DLP perspective. Because we can deploy both at the end point level, but also into the network traffic to really understand very quickly what the employees are doing today in terms of how they're accessing and sharing the data and where the data lives within the environment. And then we can start to enforce the policies around reporting, blocking, encrypting or whatever, moving the sensitive data into the right area of the network from maybe a more publicly accessible location.

And then lastly, we have Vera for the Digital Rights Management piece, and that gives us that very powerful tool, not just to encrypt the data, to wrap the access control lists and the permission lists around the file to make sure that only the appropriate people are able to access it and to control what they can actually do with that file.

So let's drill down now and talk about each one of these solutions in a little bit more depth before we look at the scenarios and how they can be used within some of the customers today. With the data classification solutions, they give us a number of things. They give us the ability to put those visible markings into the documents and the files to help remind a user that a certain piece of information needs to be handled securely. You can involve the end users in the classification process with plugins into common applications like Word into mail clients like Outlook or even into things like AutoCAD packages and so on so that when a user's working on something or receives a document, they can classify that document.

That's very useful because typically you would expect the users to understand what the sensitivity of this data is, and by involving them in that process, you help to do that subtle education that I was talking about earlier. But we do recognize that people can make mistakes, so that manual classification process is backed up by our machine learning. We can potentially identify where a user has misclassified some healthcare information, for example, and we can ensure that not only does the right level of classification actually get applied to the file, but that we also can do some of that end user education at that point to ensure that they are not going to make the same mistake in the future.

One of the areas of concern when we talk to some organizations about data classification is, well, “we've got terabytes of data in our environment and classifying all of that manually will take a while.” And yeah, that's absolutely the case, which is why we also have our automated solutions as well. So, we can crawl the local drives of the users, network shares, and corporate cloud storage, identify the sensitive data, make sure that the right level of classification is applied to that, and we can also move it from maybe an area where it shouldn't be into a more secure area within the environment.

So between that end user classification backed up by the machine learning and the automated discovery, then that really allows you to ensure that you are getting the right level of classification applied to the sensitive data within the organization. And then you can really wrap the appropriate security controls around that data. With our email security solutions, they give us the ability to guard against these external risks. So, we have our more traditional secure email gateway that can sit the boundary of the organization's mail flow, and we can help to guard against these very nasty and urgent ransomware and spyware risks as they're coming into the organization.

The integrated DLP controls within there can also help to guard against the data loss and the compliance events--and I'll touch on those in a second-- but it could be that you've already got a bunch of boundary email security in place, but potentially you're seeing your phishing messages making it into your users’ mailboxes that are a little bit concerning from your perspective. And that's where our Agari solution comes into play because our Agari solution can plug in at the mailbox level. It can use the host of threat feeds that we have access to backed up by the intelligence that we gain from looking at all the traffic patterns within our customer mail flows and backed up by our machine learning model.

So, we can really start to find those business email compromise messages--those account takeover messages--that are often quite tricky to get, but that could be the one where somebody's masquerading as one of your business partners, trying to trick one of your employees into paying a false invoice, or sharing some sensitive data outside of the organization. So with the Email Security solutions, we can sit at the boundary, we can stop the ransomware, the malware coming in, but we can also sit at the mailbox level to look at the things that maybe made it past your existing email defenses to give yourself this additional layer of protection within there. And then we can also look at the outbound traffic in the internal email traffic to ensure that the sensitive information is only going to the right people, both inside and outside of the business.

And that could be based upon the classification markings, but we've also got the kind of language analysis, all the pre-configured tokens for PII and PCI that would let you identify maybe whether there's some sensitive data that hasn't yet been classified but needs to be handled in an appropriate mechanism. And we can potentially extend your detection capabilities so that a scan of a legal contract or of a medical record that could quite happily sail through Microsoft 365 without getting picked up, we can pick up because we have the optical character recognition that can extract the text out scanned documents and imagery to identify where there's something sensitive within there.

As well as the more standard stop-and-block and encryption mechanisms, we also have our redaction and our sanitization controls that give you the mechanisms to reduce some of the data risk but do it in a much less intrusive way than some of the other solutions that are out there. So it could be that we see something in ‘Appendix D’ of a document that looks like a social security number, and rather than just blocking that and potentially delaying a legitimate business communication, we can go in there and if policy dictates, we can redact out that one thing that violates the policy. Once we're happy that there's nothing else within there that poses a data risk or a compliance risk, we can allow the rest of that communication to go on its way.

That allows you to be quite proactive about the policies you're putting in place, because you're not going to see a spike in terms of the management overhead around folks’ positives and delays to legitimate business communications. We've also got the integrated encryption features, so it could be that you're sharing healthcare data with a customer or sensitive financial information or IP with a business partner. We have the ability to perform the automated encryption within there. So, we can identify based upon where the traffic's coming from, where it's going, or the content of the traffic--that this data's going to an approved recipient, even though its sensitive data, but we need to automatically encrypt that, secure it, and transit.

And if it's the business-to-consumer model where you're a bank or a healthcare provider talking to customers, we have our encryption portal. If it's the more business-to-business model where maybe you're a financial organization sharing something with your underwriters, then that's where we've got the PGPs, the S/MIMEs, the password protected zips there. The key thing from my point of view is, though, that this can all be done automatically. So, you're not asking a user to remember to press a button or write something into a subject line because they might forget to do these things. We can be there, again, to catch that and make sure that things are encrypted where appropriate.

The MFT solutions, like I said, they're like this amazing Swiss Army knife; they give you that ability to do something very simple in terms of “we've got a file that's too large to email--we need a simple mechanism to share this with a business partner or a customer,” then that could be something as simple as giving your users a button in Outlook to press to send this oversized file through our Secure File Transfer platform. But because that is a secure platform, because the data's encrypted, because you get all the audit controls within there, there's a number of other things you can do as well.

If you want to give that the users that equivalent of a OneDrive, or a Dropbox account, but where you want full visibility of the data sharing, you want to scan the data to make sure that there's no compliance violations within there or there's no potential for ransomware to come into the organization. Then that's where, again, a Secure File Transfer platform can assist you. And then the automation capabilities are very powerful--could be that maybe if you're a bank and you're sharing customer details with an insurance underwriter, and you have to do that once an hour, once a day, or whatever, maybe you want to replace some homegrown scripts where you don't necessarily get full visibility of when those transfers happen.

Then you can use the Secure File Transfer platform to pull the data out of the CRM, to encrypt it, pass it across to the business partner, but also to inspect the data to make sure that there's nothing within there that might pose a violation for the organization. So, you're making sure that the right data's going to the right recipient, and you get the full audit control for compliance properties within that. The endpoint solution is a really powerful tool--I like this too. It gives you the ability to deploy both of the endpoints onto Windows platforms, macOS, and Linux, but we can also drop into the network flow to do the data and use piece. So, we can look at whether a user trying to copy a file onto a USB stick or into a network share where this type of data shouldn't be going, we can stop them from potentially uploading customer details to a Dropbox account, and we can also drop into that network traffic to look at the email flow, web traffic, and MFT flow to make sure that there's nothing sensitive being shared with an inappropriate recipient. 

And both at the endpoint level and at the network level, we can do the data discovery. So, we can scan the local drives, network shares, and cloud storage to find the sensitive information and report on that or potentially move that to a secure location within there. One of the nice pieces of integration we have is our data classification solution integrated with our Digital Guardian DLP solution.

So Digital Guardian can be set to do a scan. If it finds something that's sensitive, contains healthcare data, it can then write the classification tags into the alternate data stream without any kind of user intervention at that point. From your perspective, one of the nice features here is when you deploy Digital Guardian, it's deployed essentially in a monitoring mode where there's already a huge number of pre-configured policies. It's going to be looking for a host of these data loss or compliance risks. So that can really help you to build up a picture of “what are my users doing today with this sensitive information--where did my sensitive information live within the environment?”

You can then use that to make a very informed decision when it comes to turning the policy into an enforcement mode of “where do we block? Where do we encrypt? Where do we allow these types of transfers?” And then the last component there is the Digital Rights Management piece because that DRM piece is the ability that allows us to extend the controls to the data once it's outside of our environment. So, we don't just apply the AES-256 Encryption to the file. We wrap the access control list around the file to see who is able to access that, and we verify that at the point the user tries to access it. So, there's a call into our cloud service to see, “does this user have access?” That doesn't mean that you can revoke access on the fly, though, so if you suddenly decide a week after you've shared something with a business partner that you don't want them to be able to view that data anymore, it's a couple of clicks to remove their ability to access that data anymore.

You've also got the ability to set permission list. So, you can say, "well, I will share this with this business partner for a week and it's read-only, so they can only see that data.” They won't be able to print it or copy and paste text out of it, or you can give them full editing controls where appropriate. So many of the organizations we deal with, they really appreciate the value of this DRM piece, because it does allow you start to fill one of those gaps where in the past, you've just had to trust that the recipient won't necessarily do something inappropriate with the data you share with them.

Data Protection Use Cases (36:47)

So that's a ridiculously high-level overview of all the solutions there; we could spend hours on each one of those solutions. What I want to do now is really just use a few scenarios to show how customers have been able to use the solutions to address some of their data security requirements. In the first one here, when we talk to organizations about the data security side of things, they can often have some really different sets of requirements, different infrastructure, budgets and so on. In this case here, we've got a defense organization--a defense contractor--who are working on some very large-scale defense contracts where they have to collaborate with third parties, and the information they need to share with them falls under International Trafficking in Arms Regulations or ITAR for short.

The issue they've had, though, is that they also work on a whole number of commercial contracts with other contractors, and they've had this systematic series of data breaches where this ITAR data has accidentally been shared with the commercial contractors who have no right to be seeing this type of data. It's escalated to a point where their local Department of Defense has told them they have to get the house in order. So, they've taken a very considered approach. They started off by replacing their manual data classification processes that are a little bit error-prone with our data classification solution, where they can involve the end users, they can back that up with the machine learning and the automated discovery to ensure that their ITAR data is classified appropriately.

At this point, they're able to take advantage of one of the integration points between our solutions, because you can set up policies within the data classification solutions that say, "well, as soon as a user or the automated discovery mechanism classifies a file as ITAR-related, then we can automatically apply the Digital Rights Management to the file without any kind of manual user intervention there.” That's a very powerful tool because they've been able to identify the ITAR data and immediately they've ensured that the DRM has been applied to the file so that they can share it outside of the organization, confident that only the approved recipients will be able to access that data.

They've deployed our email security solutions because, typically, this type of information is being shared across the corporate mail flow. The data may not just be within the attachment; there might be something ITAR-related in the body of the message. So, we can look for the classification tag in the attachment to recognize that this is going to an approved recipient and allow the communication. We can look for the ITAR data in the body of the message and recognize that maybe we need an additional layer of encryption on the message body itself to keep that ITAR data secure in transit. And importantly, we can make sure that that ITAR data doesn't get accidentally shared with an unauthorized recipient.

Because some of these files are a little bit too large to email, AutoCAD files and so on. Then they also deployed our Managed File Transfer platform or Secure File Transfer platform that gave them that secure auditable platform for sharing the data with the authorized business partners. But again, because our DLP controls were plugged in there, we could look for the classification tags to make sure that that ITAR data was only being shared with the approved recipients. And if we could see that there was some information there that hadn't yet been classified, hadn't yet being identified as ITAR data and had the DRM applied to that, the Secure File Transfer platform could automatically apply the DRM before it was shared with the business partners.

So, the right people get the data, but if they were to then forward that onto an unapproved recipient, that unauthorized recipient simply would not be able to access that information. Sometimes, though, we speak to organizations that really have to make some very immediate changes to deal with some burning issues that they're seeing, but they potentially want to build in the foundations that they put in place in the future. In this case here, we have got a healthcare provider in Germany, who had a series of systematic data breaches because they obviously have to share healthcare information with other hospitals, insurance companies, and so on, but they'd had a series of breaches where that healthcare information had been been shared with people who shouldn't be able to see it.

They were getting a lot of pressure from their local Information Commissioner's Office to fix this very, very quickly, so they took a phased approach. In phase one, they looked at how this data was typically shared across the corporate mail systems. They deployed our email security solutions into the corporate mail flow. We could look for the healthcare data; when we saw that it was going to another hospital, an insurance company, or some other authorized recipient, we could encrypt that to keep it secure in transit.

If we saw that it was being shared with an unauthorized recipient, we could block it or redact it in line with the corporate policy. Again, they also had issues with some of the files that they needed to share were too large to email--medical imaging files, MRI scans and so on. So, they deployed our Managed File Transfer platform to give them that secure platform for their end users to easily share these oversized files. But again, our DLP controls are plugged in there to make sure that the healthcare data is only going to the authorized recipients. And that was phase one. It allowed them to go back to the Information Commissioner's Office and show them they had taken some very meaningful steps to address their data and compliance risks.

In phase two, they deployed our data classification solutions to make sure that all the healthcare information within the environment was classified appropriately, but they could do that safe in the knowledge that the Managed File Transfer, the DLP, and the email security solutions that they'd already deployed would simply be able to use these additional classification tags to further enhance the policy. The last scenario here came from a police force actually, but I think it's similarly applicable to healthcare organizations, financial organizations, and a whole host of organizations where you maybe want to give members of the public a mechanism to share files with you, but you're concerned that that might be the mechanism that brings the ransomware or the spyware into the organization.

So, in this case here, the police force wanted an easy-to-use mechanism for a member of the public to maybe upload dashcam footage, CCTV footage, or maybe a scan of a driving license to them. They deployed our Managed File Transfer solution to give them that easy-to-use web portal for the members of the public. They could go there, upload the file, put in a case reference number, and some other pieces of information. The automation in the background can make sure that that data was stored in the right area in the network and the right systems and that the investigating officer was notified about receiving that type of data, but they also deployed our DLP controls within there to provide that layer of hygiene, to make sure that this wasn't a vector for the malware or the ransomware to get into the organization.

[inaudible 00:44:04] these with the crime prosecution service and so on, and judges and so on. And they just wanted an easy-to-use mechanism for that data to be shared securely, but they also wanted to be able to inspect the data to make sure that there was nothing sensitive going to an inappropriate recipient across that Managed File Transfer traffic.

So those three scenarios together have hopefully helped to set out how you can use the Data Security Suite and how the modular nature of that potentially gives you the option to just really pick and choose those solutions that will allow you to address your immediate business concerns. But it does give you opportunities in the future to really start to deploy additional solutions and take advantage of the integrations between them.

Our Vision (45:02)

And all that's what we have today. One last message about the future for Fortra is we're working on this Fortra One project, and the goal with the Fortra One project is really to give you a single common user interface and a single sign-on for you to manage all of the data security solutions within there.

So, one point to go to get access to the email security, the data classification, all the management controls, and also that centralized point of visibility within there. Now, as I said, it’s very early days for Fortra One; we have a couple of the products integrated in there today, but the goal as we go forward with all the solutions you've seen today, but also with all the ones that will be coming down the pike in terms of our acquisitions to give you additional options there, will be to eventually give you the single point of management and visibility with all the solutions there.

So, in summary then, our Data Security Suite allows organizations to understand what their sensitive data is and where it lives within their network, to govern how that data's being shared to ensure it's only shared with the right people both inside and outside of the organization, and lastly, to protect that data--to ensure that when it's been shared appropriately, it's also been shared securely. So, I'm just going to have a quick look at the questions; I've been trying to tick them off as we've been going through here. But let me just take another look and see if there's any I've missed. In the meantime, feel free to ask any additional questions that you might have of me.

Okay, so, I can see there's a question around the Secure File Transfer in terms of… we've got three solutions listed under the Secure File Transfer, and actually that's applicable when you look at data classification and email security: “is there a recommended one?” One of the nice things about the Data Security Suite is what we've tried to do when we've chosen the solutions as part of our developments and our acquisition process, is really started to give you a range of choices, rather than just saying, "we've got a single solution for Secure File Transfer/we've got a single solution for Email Security/we've got a single solution for data classification,” and really just trying to fit your requirements into that kind of straight jacket.

Really what it allows us to do is be much more consultative about these things, where we can understand what your requirements are, understand what your existing infrastructure looks like, and really recommend out those range of solutions, which one's going to be the most appropriate one for you today, but also what might be the best one with the view to future projects going there. So, there's not one that we would typically say, "choose that over this." It really just gives us a range of options based upon some of the requirements you might have within there. I can see there's a question about the email security side of things, and how's it delivered: “how's it hosted?”

With the Email Security Gateway, the choice is up to you. You can deploy that yourself on-premise, both in physical or virtual infrastructure like VMware and Hyper-V. You can spin that up in the cloud, we've got instances in the AWS store. You can deploy as into your Microsoft Azure Deployment. We also have a managed service that we can provide for you. So, it really is up to you for on the email gateway side, for what you to want to achieve there. For the Agari side of things, that is a cloud-hosted solution, and we use essentially sensors that will be deployed within your environment to tap into the mail flow at the mailbox level. If you're on-premise Exchange, we can integrate your gallery with that.

If you are Microsoft 365, if you're G-Suite, again, we can integrate Agari with that. So, we're quite flexible from that point of view, but the management piece and all the intelligence within there is hosted by ourselves. The only bit that would be within your infrastructure would be the sensors that we integrate within there. Let me just scroll through these again. Okay. So, I think I've ticked off all of the questions as we've gone through. If you do have any other questions after the session or you... I can see Brooke has put the link to the Data Security Use Cases Guide into the chat here.

That's also up on the slide, then feel free to drop an email through to info @fortra.com, especially if you need any additional questions answered or if you'd like to see a demo and maybe talk specifically about your requirements there. Those data security use cases--it touches on the ones we've used, but actually there's a whole range of other ones listed on there as well. So, with that, I will thank you very much for your time. It's been very much appreciated. If you have any additional questions and let us know. And with that, the Fortra Data Security Suite allows organizations to communicate and collaborate securely, safe in the knowledge that of their sensitive data is being inappropriately shared with people either inside or outside of the organization.