The Critical Need for Seeing Where Your Data is Flowing

How a Different Approach to Zero Trust Data Security Secures Data on the Move

Can you see the data flowing through your network? If you are like most IT and Security Pros, you can’t, even though you’ve invested heavily to make your network fast, reliable, and secure. That’s because it’s apparently not the job of the network providers, the applications themselves, or endpoints to show you where data is going and to whom. Which means that data is being sent, seen, and interacted with all over your organization – with no transparency into, or consideration given to, whether that data is appropriate to be seen by that person based on their role.

The issue is pervasive. According to a survey of IT professionals conducted by the Ponemon Institute, a whopping 71% of end users reported having access to data that they shouldn’t see. That includes personally identifiable information (PII), as well as data protected by GDPR, HIPAA, PCI DSS, and SOX regulations, among others.

This blog post looks at the reasons behind this widespread issue, how organizations are currently trying to solve it, and introduces Nullafi, an agentless, zero trust data security solution that detects and auto-classifies data in transit before it reaches its destination, with the ability to redact it from users and apps that don’t need to see it.

Problems and Impact

When data slips through the cracks, it puts potentially sensitive data in the hands of people who shouldn’t be handling it, and often don’t know how to protect it. According to that same Ponemon Institute survey mentioned earlier, less than 50% of IT professionals believe end users actually observe the appropriate measures for protecting the data they have access to.

The result? Unfettered, unwarranted, and over-privileged access, leading to a precipitous rise in data breaches, leaks, and loss.

While you’ve likely secured much of the user workflow (e.g., protecting endpoints, networks, and application access), there simply hasn’t been a good way to see the data flowing across all apps and users every minute of every day – nor an easy way to redact data from users and apps who don’t need to see it.

There are some understandable reasons for that:

• Unknown Data Exposures: How can you protect data you don’t know about, such as data that hasn’t been classified or labeled?
• Lack of Data Access Visibility: Challenges in seeing where your data is coming from, who it’s going to, and what type of data it is.
• Too Much Complexity from myriad complications in mitigating security, compliance, privacy, and regulatory risks as workers move out of the office and use more diverse applications and devices.
• Challenges in Controlling Access: Blocking complete apps and databases or deploying complex IT remedies, creating an unsustainable web of insufficient solutions

The result?

• Too Much Access to Data, resulting in an increased risk of data leakage, inadvertent access, and improper downloading.
• Diminished Productivity: Restricting access to entire apps and databases just to protect data, which disrupts workers and encourages them to use uncontrollable workarounds.
• Inability to Redact Sensitive Data: Challenges in scanning, identifying, and redacting sensitive data before it reaches the endpoint.

Solutions Landscape Overview

There have been many approaches to solve data access challenges, which come with positives and negatives. For example:

Data Loss Prevention

DLP has historically relied on integrations into SaaS applications and focuses on blocking access and/or alerting, mainly at the point of data leaving the company – e.g., an employee sending an email to an outside party that contains sensitive data. This approach is inherently limited in its data recognition and redaction capabilities (which has meant a high rate of false positives).

For example, we know of an instance where a company’s DLP stripped out a Sherwin Williams’ paint code, thinking it was a transaction number. That was most unfortunate, as the company was renovating its building. When they sent an email to the contractor with their paint selections, their DLP solution thought they were transaction numbers and altered them – and neither the sender nor the contractor were aware of the modification. As a result, the contractor used the colors that the new numbers reflected, which just happened to be neon green, not what the company thought they had ordered at all!

All joking aside, DLP has led to bigger problems. For one, security leaders are exhausted by never-ending alerts, making them susceptible to missing real alerts. What is a security pro supposed to do when they are pinged literally hundreds of times a day with alerts that do not make sense (for example, “marketing has just sent out more than 200 SSNs,” even though the company does not collect them). No one needs that. Second, as DLP blocks and interferes with processes that are, in fact, perfectly routine and sanctioned under company policy, different teams experience real disruptions to their operations. It’s difficult to work that way, to say the least.

Other problems with DLP include the fact that it relies on integrating into applications. This means DLP will not work across an application ecosystem and that you must also trust the provider to stay up to date on each and every change in all the applications you use – so that it doesn’t alter or halt functionality just because one of your hundreds of apps pushes a small update that breaks it.

Another problem with DLP and application integrations is that this approach will not work for homegrown applications, especially legacy applications, that are often business-critical (which is why they were built in the first place). DLP has mixed abilities to protect on-premise applications as well.

Now, having said all that, endpoint-focused DLP can be somewhat better, but it suffers from difficulties in deployment, enforcement, and like any endpoint agent, can have broad and significant ramifications on performance as well as inter-agent and operation interference.

Yet again, the core strengths of DLP are also why it’s a bit myopic: by focusing on “loss,” DLP helps with one large symptom of an unfortunately larger disease – who can see what to begin with. Yes, an employee shouldn’t send a message containing customer credit card numbers to outside parties, but the real question is, should the employee have been able to see those credit card numbers to begin with? Solve that larger question and your DLP efforts become instantly easier, faster, more potent, and surgical in scope.

One last thing to mention about DLP: pricing is often charged by the user and by the “integration,” which can make it very expensive.

Data Security Posture Management (DSPM)

An offshoot of Cloud Security Posture Management, DSPM comprises automated security solutions that enable security and IT departments to manage data security across their full breadth of datastores and applications. These tools can improve a company’s overall security posture, reduce storage costs, and shrink a company’s attack surface.

DPSM is an emerging category, which can be a bit problematic for companies to find the right “fit” for. Also, for many companies, while they may end up needing a DPSM solution, the problem is that first and foremost, they are not sure of the scale or severity of their “problem,” or whether they have a problem at all. That’s important, because DSPM can be a significant undertaking — time-consuming and resource-intensive to set up and manage if not done correctly. Investing the time, resources, and effort into a large and robust system when you aren’t even sure you need it leaves many people wanting some of the comfort of having a DSPM in place, but unable to justify investing in it in blind faith. This leaves them with no solution.

Finally, there are many companies that do not meet the threshold level of complexity in their data and corporate environment that would necessitate a solution this broad, even though they have data access transparency issues and data access issues that are not being met.

CASB

A cloud access security broker (CASB) acts as a security check point between cloud network users and cloud apps. It manages and enforces data security policies and practices, such as authentication, authorization, and encryption. While the market was very excited about CASBs when they first came out, they have only managed to gain a very small foothold in terms of market penetration. The reason for that is because CASB deployments are known to be lengthy and expensive.  Think: multi-month deployment, often millions of dollars, and a full-time job to manage once it’s running. While CASBs are powerful solutions, they realistically are just too much lift, cost, and time to use them for most companies. They can be extremely useful at the largest, well-funded, and often more complex organizations, but for most companies not only are they unattainable, but they are ill-suited for the job, making deploying them almost a negligent allocation of resources. Invoking the 80-20 rule, most companies would end up using about 20% of the power of a CASB, so investing in one would literally be a waste of company resources. But how else would you get that 20% you are extremely interested in?

That’s a valid question for the vast majority of companies out there who need something that from day one that delivers fast time to value, is easy to use, and simple to run.  A solution that gives you transparency and control, and which can scale with you and handle increased complexity as your needs evolve. And that’s exactly what Nullafi was designed to do.

Introducing Nullafi

Nullafi is the first of its kind, a true zero trust data security solution that shows you where your data is coming from, who it’s going to, and what type of data it is. Because Nullafi operates at the network level, we can detect and classify any data any app sends to anyone (or any other app) anytime, anywhere, with no application integrations or endpoint deployments. It doesn’t matter where the data originates, what field it’s in, or how it’s labeled. Combining this with active enforcement capabilities, customers can then set policies to redact sensitive data “in flight” from users and apps that don’t need to see it.

With less than a 15-minute setup just by changing a single configuration file on your network, customers are able to detect and redact sensitive data to solve data security, privacy, and access challenges. Imagine mitigating data leakage, inadvertent access, and improper downloading along with third-party data risk, insider threats, sensitive data exposure, and related compliance headaches.

How It’s Different from Alternative Solutions

Unlike CASBs, Nullafi can be up and running in 15 minutes simply by connecting us with your existing architecture. The solution is completely flexible such that we can protect as much or as little data as you like without requiring a large scale deployment. It’s affordable for teams and stacks of all sizes, scales, and maturities. Lastly, there’s no ongoing commitment – you can turn Nullafi off anytime you want with no hassle.

Unlike DLPs, Nullafi allows you to see and control who can see what, not just data leaving the organization. As well, we’re not just about alerting, we can actively obfuscate data on the fly. Lastly, we don’t need to integrate into applications, because we can work on almost any app, anytime, anywhere.

Unlike DSPM, Nullafi doesn’t just scan repositories and alert to data access violations nor does it “solve” violations by merely recommending work for the customer to undergo. Rather, Nullafi detects data in flight and can actually enforce policies in real time on the fly. We’re flexible as to the action and logic that can trigger obfuscation as well as bidirectional communication based on what data is being consumed, by whom, where, and almost any other telemetry point you might need. Lastly, we are not focused on data proliferation and repository control and security, we are concerned about who can see what, and about gaining both transparency into that as well as control over it.

How It Works

Nullafi gives customers unprecedented visibility into and and control over their data by inspecting and filtering traffic between applications and users in order to detect and redact sensitive data. Nullafi works automatically with products from Bluecoat (Broadcom), Check Point, Citrix, F5, Fortinet, Juniper Networks, McAfee, Skyhigh Security, and Squid as well as any ICAP-enabled client. Nullafi:

• Provides complete visibility into all data flowing through your network, detecting sensitive data as it travels

• Allows optional redaction of sensitive data in transit, before it gets to the user's device — no matter where it originates, what field it's in, or how it's labeled
• Mitigates third-party data risk, insider threats, improper data exposures, and related compliance headaches
• Eliminates risks such as data leakage, inadvertent access, and improper downloading — all while allowing business to continue without interruption
• Works with any application, any data, anytime, anywhere, with no application integrations necessary
• Gives you customizable access control policies and automatic policy enforcement to achieve compliance

“No vendor had an intelligent, Zero Trust approach to the problem of data security until I saw Nullafi. Cybersecurity is ultimately about data protection. Data is what hackers steal; it’s what brings down companies. Nullafi offers the approach to the problem, removing the risk from data compromises across the kill chain.”

— Chase Cunningham, Chief Strategy Officer, Ericom; Former Research Analyst, Forrester

Common Use Cases

Getting and staying secure and compliant is more challenging and time-consuming than ever before. Data privacy is an ever-shifting target, and with the move toward remote work capabilities and outsourcing, data breach risks and privacy exposures are increasing like never before. We get it, protecting sensitive data can be hard. But it doesn't have to be. Use Nullafi to streamline your compliance, assure data privacy, control third-party access, manage insider threats, and redact sensitive data within specific apps.

Compliance: Prove Governance Without Creating Roadblocks

Nullafi streamlines compliance with easy-to-enforce access policies that enable you to control who can see what data, prove who interacted with what data, and illustrate when, in what app, and from what location they interacted with that data. Automatically and with natural language commands.

Data Privacy: Build Privacy-by-Design into Daily Business Activities

Nullafi simplifies privacy compliance by giving the right people access to the right data, without getting in the way of everyday activities. With Nullafi, you can intercept and mask data before it reaches devices for enhanced data governance. Eliminate excess access that can create privacy violations by limiting data transmission of data types such as email address, phone numbers, and social security numbers. Ensure access control consistency across complex and diverse application ecosystems without worrying about integrations or database replication.

Third-Party Risk Management: Gain Control Over Third-Party Data Access and Use

Nullafi enables business users to enforce third-party access controls, track and control downloads, and prevent devices from accessing sensitive data. With Nullafi, your vendors get fast access without having to spend months on DPAs, risk assessments, and compliance audits – all while ensuring better third-party risk hygiene than you've ever had before. That way, you’re able to quickly select, contract, and onboard vendors without worrying about added risk.

Insider Threat Management: Mitigate Employee Risk

Nullafi works with Code42 Software to restrict access to regulated data – financial, healthcare, Personally Identifiable Information (PII) – or other sensitive data that may be accidentally or maliciously exposed by insiders. The integration between the Code42 Incydr™ product and Nullafi Shield detects, intercepts, and redacts certain data across corporate applications and systems, like customer relationship management (CRM), human capital management and business intelligence (BI) tools.

Data Redaction within Specific Applications

Regardless of whether you are using Hubspot, Salesforce, Redash, or other applications, it’s important that users see only the information they need to see to do their jobs. With Nullafi, you can limit user access according to the principle of least privilege for a best practices approach to security, privacy, and compliance. Use data access controls to mask individual data fields instead of blocking access entirely to maximize the return on investment. Nullafi’s platform gives teams a way to secure access, protect privacy, and extend usability by preserving all search capabilities.

Next Steps

If you’re looking to see where your data is flowing and control who can see it, we’d love to chat.

To learn more about Nullafi:

• Read “Avoid Data Breaches and Data Loss by Quickly and Easily Controlling Who Sees What Data.”
• View our Corporate Overview, “Easily Protect Sensitive Data, Everywhere.”
• Request a demo to see Nullafi in action.

About Nullafi

Nullafi is a fast-growing provider of zero trust data security software, giving customers unprecedented visibility into and control over data. Instantly see where data is coming from, who it’s going to, and what type it is. Customers can then set policies redacting  data “in flight” from users and apps that don’t need to see it. The company serves primarily mid-market companies, technology resellers, and application developers in North America. With rave reviews from analysts, multiple patents granted, and key partnerships already established, Nullafi is well-positioned to transform data security as we know it. For more information, visit www.nullafi.com.

‍