Continuous Data Protection (CDP) and Data Loss Prevention (DLP) During Access and Sharing

Posted by Ankur Panchbudhe on September 9 2014

One of the key differentiators for Vaultize has been the holistic approach we take towards data protection, security and control ("data governance") while enabling easy access and collaboration. Vaultize Enterprise Platform comes built-in with end-to-end data security, continuous data protection and enterprise-class data loss prevention. So, end users don't have to worry about their data getting lost or compromised, and IT administrators don't have to worry about risks arising from data loss, lack of security and non-compliance.

The core of our platform comes built with a robust data protection and data loss prevention (DLP) engine. In this post, I'll try to describe these capabilities in a little more detail:

Vaultize Continuous Data Protection (CDP) Capabilities

Our data protection capabilities are policy-based and can be applied to any combination of users, groups or the whole organization. Like our other features, the protection engine works on top of our end-to-end security. This means, data is encrypted at source and all the communication happens over SSL+OAuth. Recent Heartbleed security hole has shown that only SSL connections are not enough to protect data and so, Vaultize encrypts data at source, even before transferring, with AES-256. The data stays encrypted on the server or cloud or whichever data storage you choose. Oh wait, did I mention our Smart De-duplication technology? We perform de-duplication of data before sending it to the server/cloud and we do it smartly - based on the file's type and format. This technology saves up to 90% of your storage and network bandwidth.

Backup

The first aspect of data protection we cover is data backup. IT admins can configure automatic and continuous backup of data that is being shared or accessed remotely, or they can use this feature in a standalone manner. They can also enable end users to do their own backups. This feature is being used by some of our customers to create a remote or "cloud-based" repository of data and then making that repository accessible to users. Some customers are also creating a secondary copy of their primary data ("cloud sync") and then enabling users to share and/or access this secondary.

Vaultize backup policies can target specific users or groups of users with different configurations. Backup can be configured with policies as shown below. If you are wondering about the Encrypt and Wipe actions in the screenshot below, they are explained in the following sections.

Vaultize Data Protection Policy

Next, admin can be selective about sources for data backup based on device types, IP addresses etc:

Controlling data sources in Data Protection policy

Next, folder and file filters can be specified based on file/folder type, size and age:

Powerful data filters in Data Protection policies

Finally, admin can configure schedule for versioning and the policy to be used for data retention:

Data Retention and versioning policy

Versioning

We keep incremental versions of your files that fall under protection policies. If you choose continuous versioning, new versions are created as files get changed. Later, you or your users can access any previous version of any file at any time. With policies, you can also configure maximum number of versions to be maintained and also how the versions are created - continuous, periodic or scheduled.

Retention

Data retention policy is about wiping out versions older than specified retention period. Retention helps you control how your storage is used and it is usually dependent on your storage or data copy compliance. For example, versions older than X days may not be of much significance and so you can choose to wipe out versions older than X days. Versions can also be wiped based on the number of versions you'd like to keep.

Vaultize Data Loss Prevention (DLP) Capabilities

In addition to data protection capabilities, Vaultize also has built-in data loss prevention capabilities (popularly known as DLP). The goal here is to make it hard for inadvertent or malicious data loss to happen and/or to discourage it.

Endpoint Wiping

Wiping of data becomes essential for avoiding unauthorized access to data when a device gets lost or stolen. With Vaultize wiping policies, IT can easily wipe out data from users' devices (mobile as well as non-mobile). Our wiping policies are selective and hence go well with BYOD (Bring Your Own Device) schemes, providing admins easy ways to separate personal data from corporate data.

Wiping can also be done automatically by geo-location, IP range or server time-out. When a device leaves a pre-defined geography or connects from an IP that is out of pre-defined range or does not "heartbeat" with the server within per-defined time, specified data on the device is wiped automatically.

Automatic wiping policy (by geo, IP or time-out)

 

Endpoint Encryption

Vaultize also provides on-device encryption solutions to prevent unauthorized access to data; for example, by an attacker removing the storage/disk and accessing it directly. On Windows, we use the Encrypting File System (EFS) for keeping data encrypted, while on iOS and Android, we use our own patent-pending data containerization technology. Encryption policies can be selective about data, by configuring which files/folders are to be encrypted (see source and filters in Protection policies above).

Mobile Data Containerization and Mobile Content Management (MCM)

On mobile devices, Vaultize isolates corporate data from personal data by creating secure containers and prevents mixing of corporate data with personal data. All the corporate data is kept in our container encrypted with AES-256. To avoid unauthorized access when device is lost or stolen or when a user leaves the organization, these containers can also be remotely wiped. All containers are additionally protected using a device-specific PIN or password, as configured by policy.

User can or cannot copy any data from/to containers to/from personal space only as allowed by MCM policies. For user to be able to view or edit data inside a container, we provide our own document editor, which can be enabled or disabled by policy. MCM policies can also be used to control usage of data on mobile devices, including copy-paste, print, opening in third-party apps, sharing using Bluetooth and screenshots.

Digital Rights Management (DRM / IRM)

Vaultize will be soon adding Digital/Information Rights Management (DRM / IRM) into the platform to further strengthen the control and protection of documents accessed and shared through file sharing and anywhere access methods.


This post is written by Sandeep Sukhani, member of Vaultize's Data Protection and Data Loss Prevention (DLP) team. He’s a Software Engineer at Vaultize and works in our Pune India R&D Centre.

Topics: Design & Architecture, Solutions, Features

Subscribe To The Blog