by Roger Kay

Dell shifts security focus to data itself

May 16, 2017

Rather than putting a breachable wall around valuable data, every file has its own encryption and policy.

Brett Hansen, vice president of Data Security Solutions at Dell, calls it his “Mona Lisa.” It may not be as pretty as the artwork, but Dell Data Guardian is pretty sweet nonetheless. What Hansen and colleagues have been laboring mightily to bring forth is a security suite that wraps encryption, complete with policy details, around each and every byte in a customer’s data store.

That way, not only is data encrypted in flight and at rest, but individual files have their own encryption and policies. Until now, data-loss-prevention products have been the answer, but they don’t stop simple export of potentially sensitive data.

Key to Dell Data Guardian is that its attributes are tied to specific file types. When it was first introduced in December 2016, the suite worked just with Microsoft Office documents, but it will be extended to other types in future releases. Support for .pdf is expected in August, and .csv and .txt will come out in November. Next year, picture formats like .jpg will be introduced, as well as specialty types like .cad and .cam.

An important security concept being implemented here is a move away from the idea of walls and moats and toward an assumption that the enemy is among us. The lesson of the Maginot Line was that, no matter how strong, a wall can be breached simply by going around it. Now, the security is woven right into the data. No going around that.

In a study Dell did on this topic, most line-of-business managers in the sample said their employees share sensitive data with people outside their organizations. In this context, no wall makes any sense. And lots of key corporate data is on endpoint devices, like PCs and phones, some of which are in the hands of contractors and temporary employees.

Most employees take a practical approach to security, agreeing to comply with corporate rules on data handling, but doing whatever is necessary when in the field.

With Data Guardian, the IT department sets policy, which is defined by user group. So, for example, the public relations department might have a lenient policy commensurate with its mandate to share information widely. A product group might have a much stricter policy stemming from the fact that most of what it is working on is confidential.

Policies can determine which group can view which files on which days, whether group members can save a file locally, make changes to it, print it, cut and paste its data, or send it to someone else. A policy can limit the viewing window to, say, 10 days. If someone tries to send a file beyond the policy boundary, the recipient can’t open it. A log can be sent to the IT department if someone tries to violate policy.

If a secured file is sent to a known person, it will unlock. If it is sent to an unknown person who tries to open it, a reminder is sent to the original sender, asking them whether they want this new person to have access. This inserts a little friction into the process, Hansen says, but not much, balancing security and convenience. Thus, a file can have both pre- and post-authorization. The unknown recipient still sees a known file type, just not its content, and can ask for viewing permission. One of the benefits of this architecture is that it allows IT to collect data on users outside the company.
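The policy behaviour described in the last two paragraphs, modelled as a decision function. This is an added example, not Dell's code, and every name in it (`FilePolicy`, `decide`, `approve`, the group and action strings) is hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical model of the article's description; not Dell's code or API.
@dataclass
class FilePolicy:
    grants: dict                 # user group -> set of permitted actions
    issued: datetime             # when the file was protected
    view_days: int = 10          # viewing window in days
    known: set = field(default_factory=set)   # recipients already authorized

def decide(policy, user, group, action, now, audit):
    """Return 'allow', 'deny' or 'pending'; log every non-allow for IT."""
    def log(verdict, reason):
        audit.append({"time": now.isoformat(), "user": user, "action": action,
                      "verdict": verdict, "reason": reason})
        return verdict
    expires = policy.issued + timedelta(days=policy.view_days)
    if not policy.issued <= now <= expires:
        return log("deny", "outside viewing window")
    if user not in policy.known:
        # Unknown recipient: content stays locked until the sender approves.
        return log("pending", "sender approval requested")
    if action not in policy.grants.get(group, set()):
        return log("deny", "action not granted to group")
    return "allow"

def approve(policy, user):
    """Post-authorization: the sender accepts a previously unknown recipient."""
    policy.known.add(user)

def demo():
    # Constructed sample: a strict product group, view-only external recipients.
    policy = FilePolicy(
        grants={"product": {"view", "edit"}, "external": {"view"}},
        issued=datetime(2017, 5, 1), known={"alice@corp.example"})
    audit, day5, day12 = [], datetime(2017, 5, 5), datetime(2017, 5, 12)
    results = [
        decide(policy, "alice@corp.example", "product", "view", day5, audit),
        decide(policy, "alice@corp.example", "product", "print", day5, audit),
        decide(policy, "bob@partner.example", "external", "view", day5, audit),
    ]
    approve(policy, "bob@partner.example")
    results.append(decide(policy, "bob@partner.example", "external", "view", day5, audit))
    results.append(decide(policy, "alice@corp.example", "product", "view", day12, audit))
    return results, audit

if __name__ == "__main__":
    print(demo())
```
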

The client component of Data Guardian sits on individual endpoints. Setup involves an employee registering their email and downloading an agent. The summer release will have an HTML5 viewer, obviating the need to register and making install that much smoother. The product is on a quarterly release cycle.

All Data Guardian log data is tracked in a centralized console, giving a company the ability to control its information outside its domain, monitor data use, and protect it from access by the wrong people. IT can retract encryption keys at any point in time, rendering files useless to hackers who may have pilfered them. Keys are created and distributed, but a master key is always kept at the central location.

The Data Guardian team is partnering with another Dell division, RSA, to increase the authentication confidence beyond a simple email address, for example, using biometric access or a soft token. In later versions, the system will be able to export the vast amount of security-event metadata associated with files to security information and event management (SIEM) software, like Splunk, which can be used for real-time analysis, intelligent threat detection, and action based on data activity. Such activity could include an attempt to export a file outside the country of origin, multiple tries to cut and paste, or an effort to send a file from person to person to person.
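The three activities named above, written as detection rules over file-event metadata. This is an added example, not Dell's or Splunk's code; the event fields, the rule names and the threshold of three blocked paste attempts are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict

def ev(file, origin, actor, action, country, ok=True, to=None):
    """Build one event; the field names are assumptions, not a product schema."""
    return {"file": file, "origin": origin, "actor": actor, "action": action,
            "country": country, "ok": ok, "to": to}

# Constructed sample events in time order.
EVENTS = [
    ev("f1", "US", "ann", "copy_paste", "US", ok=False),
    ev("f1", "US", "ann", "copy_paste", "US", ok=False),
    ev("f1", "US", "ann", "export", "US"),             # same country: benign
    ev("f1", "US", "ann", "copy_paste", "US", ok=False),
    ev("f2", "US", "bob", "forward", "US", to="cy"),
    ev("f2", "US", "cy", "forward", "US", to="dee"),   # second hop
    ev("f3", "US", "eve", "export", "DE"),             # leaves origin country
]

def detect(events, paste_threshold=3):
    """Return (rule, file, who) alerts for the three activities named above."""
    alerts = []
    pastes = Counter()               # (file, actor) -> blocked paste attempts
    hops = defaultdict(dict)         # file -> {person: hops from first sender}
    for e in events:
        f, actor = e["file"], e["actor"]
        if e["action"] == "export" and e["country"] != e["origin"]:
            alerts.append(("export_outside_origin", f, actor))
        elif e["action"] == "copy_paste" and not e["ok"]:
            pastes[(f, actor)] += 1
            if pastes[(f, actor)] == paste_threshold:   # alert once per pair
                alerts.append(("repeated_copy_paste", f, actor))
        elif e["action"] == "forward":
            depth = hops[f].get(actor, 0) + 1
            hops[f][e["to"]] = depth
            if depth >= 2:           # person to person to person
                alerts.append(("forward_chain", f, e["to"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
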

Files can also be watermarked, including invisibly, although most companies are expected to use visible watermarks. The idea is not to catch someone doing something bad, but to prevent them from doing it in the first place.

Hansen says that early customers include Fortune 50 companies that own highly valuable intellectual property, manufacturers, food and beverage firms, pharmaceutical companies and the federal government.