Content Security Today: Clear and (Omni)Present Danger

When it comes to content security, your worst enemies might be your best employees.

Today, content is besieged from just about every quarter. When it's not under direct attack by outside hackers, your sensitive data is being put in harm’s way by people within your organization who are using unsafe, unsupervised file-sharing platforms, insecure mobile devices, or outdated methods (like email and flash drives) that give you zero control over the safety of your content.

In this in-depth video series, Rainer Gawlick, Strategic Partner, Intralinks, and Arne Schönbohm, President, Cyber-Security Council Germany, present a 360° view of the current state and practices of enterprise file sharing today – and what you can do to protect your valuable data from dangers both outside and inside the company firewall.

Content is the New Perimeter

Episode 1 (English)

Arne Schönbohm and Rainer Gawlick exchange views on how protection today needs to travel along with content to ensure safe collaboration beyond the corporate firewall.

Video Transcription

[MUSIC PLAYING] My name is Rainer Gawlick. I'm here with Arne Schoenbohm to discuss security topics. Security has been a very important topic in the press lately. We've seen a lot of incidents out there of data being lost.

Employees, of course, are very aware of the security issues. At the same time, employees also need to get their job done every day. And so there's a tension here between what the CSOs need to get done and what the employees need to get done. And how have some of the companies in your association dealt with these issues?

I mean, you're absolutely right. I mean, everybody's talking about security. We had all the incidents in the newspaper, and the TV stations, and so on. We had TV5, for example, in France. So everybody knows hey, it's a critical issue.

On the other hand, you have to keep on going and to work appropriately. So therefore, the CSO was normally looking for two issues. One is, that you have, let's say, that the people are getting trained day by day, that they know about what to do, what it's not about to do, on the one hand. And on the other hand, what is the right technology you have to choose? What are the right, let's say, procedures you have to know?

And therefore, they're, of course, looking for new techniques. You know, in the past, 100 years ago, you protected your city by building a wall of brick all around the city. And then it was protected.

But now this is not sufficient. Because if you compare the city, the old cities was a company. It was an enterprise.

Then you just don't need the perimeter. You need it still, but you have to protect your city much more. You have to protect your different kind of houses.

A bank, for example, which is having lots of data, lots of money-- this is, let's say, the cornerstone of your company. It has to be protected in a special way. And these are, let's say, issues, what a CSO is looking for, so how to protect on different kinds of levels within your company, not just at the perimeter, but within your company.

Yeah, I like your analogy about the city wall. I think you're absolutely right that in the past, people just really protected the network, essentially, with various technologies that people used in those cases. And once someone was inside, everything was available.

And we, as a company, really believe that the concept that, in addition to protecting the perimeter, you have to protect the data no matter where it is, such that even if someone gets into the perimeter-- so for example, an advanced persistent threat, which we've seen a lot of today-- that once they're inside the city, so to speak, they can't just access every piece of data-- that there's special security mechanisms are on that data. And only those people authorized to access it can access it. In addition, of course, also data leaves a company, or goods leave a city.

And the question is, how can you make sure that protection is there, as well? And so we protect the data with the technology called Information Rights Management even when the data is outside the walls of the city, so that you can still have visibility and control as to what happens with that data. The term that we use is the data is the new perimeter.

And I think it's really important, because it's like really in a today and today city, right? Even if you have the police driving around and protecting the perimeters, you still have a different kind of keys within each of the houses. And I think that's exactly the right way to move appropriately accordingly forward. And I think this is training. This is having the right concept and then the right technology. And there probably is an existing solution.

Thank you.

You're welcome.

[MUSIC PLAYING]

Lifecycle Visibility

Episode 2 (English)

Cybercrime is now more popular – and more profitable – than drug trafficking. Rainer Gawlick and Arne Schönbohm chart the dramatic rise in Intellectual Property theft.

Video Transcription

I'm Rainer Gawlick. I'm here with Arne Schönbohm to discuss a few interesting security topics. One of the topics that we're seeing among many of our customers is the confluence of two particular issues that seem in conflict.

On the one hand, we have laws that are increasingly asking companies to focus on security issues to make sure that their data is protected. Both private data and intellectual property. At the same time, we have companies who have a much more disaggregated supply chain. They're using many more partners than they have in the past. 

This is one of the big topics at a recent big, German convention called The Hannover Messe where they talked about the idea of Industry 4.0. And the question is how can we bring these two topics together? So I was going to ask you first perhaps about security issues that the government is bringing to bear, in terms of laws. What kind of legal requirements are you seeing from the government, relative to the protection of data? 

We are in a phase which is just beginning. We're looking to the history. You know, why is government let's say moving forward, regarding legislation. 

It is because organized crime is earning since 2009 more money with cyber than with drugs. And you know how strong our legislation is with drugs. And how strong law enforcement is. In Germany, for example, we have just a kind of quota where you're getting the thieves of 25%. So 75% of the incidents, you're not getting the people who did it. The organized crime guys. 

So therefore, that's why the governments are working forward to it. We have lots of legislations in Germany. We have it in France, we have it the UK. And there are various strong [INAUDIBLE] incidents. 

Think about [INAUDIBLE] for example in France. Right? It's not so far away. And this is why governments are moving forward. And this is very important for them to move forward in this way, but on the other hand, it is of course increasingly becoming more and more difficult for the companies to react in this different kinds of legislations. Because you have in Spain, very different kind of the legislations than in Italy or in Greece. 

And how are you working on this one, in this very, agile environment where you are? If you think about Internet of Things, or Industry 4.0, smart [INAUDIBLE], smart energy, and all this kind of stuff. And this is, of course where you have to act very flexible, and to have all the legislation in mind. And I think personally, that this is just really a very, very big challenge for companies to deal with in this environment. 

Yeah, it seems, in many ways, like a contrast. At the one hand, you want to protect your data. On the other hand, you have to have a very agile, partner-friendly type of business approach. 

One of the things that we're doing at Intralinks that can help is to really find technologies that think about the laws, but also think about the employees, and how they have to act. And two particular things that we're working on is one is the ability for a company to put data wherever they choose. So if it's data about German citizens, it would be in Germany. If it's data about French citizens, it would be in France. And so you could deal with the privacy laws associated with each of the various countries, while at the same time allowing me to share that data with my partners who might, for example, be in China.

And so we add technology that allows you to control what happens with a file once an employee emails it or downloads it in a different country. So we can control who sees, how long they see it, when they see it. And ultimately could also revoke data. And in that way, we're trying to find a way to be cognizant of the laws, and follow the laws at the one hand. But allow for this Industry 4.0 flexible engagement with partners, on the other hand. 

I think it's very important, as you said, that it's a very flexible and reliable solution. And at the end, if something's happening, let's say the supervisory board, it's a management board and so on. It's possible to audit who did what, when, and what time, and so what's the reaction out of it? 

So that you can, let's say, get the wrong doing in the right way. So that a company can act accordingly. And I think this is very important, and therefore I think it's a very interesting issue what you're offering there. 

Thank you. 

Application Chaos

Episode 3 (English)

Arne Schönbohm and Rainer Gawlick examine the explosion of unsafe apps and personal devices employees are using without oversight or permission from security. 

Video Transcription

[MUSIC PLAYING] My name is Rainer Gawlick. I'm here with Mr. Schoenbohm to talk about some interesting security issues. The particular topic we want to cover today is application chaos. One of the things that we're seeing a lot in companies are two trends that are driving a multitude of applications into the company. 

The first is, of course, lots of new applications, like Slack, Wunderlist, Trello, coming to the forefront, which are very good applications and help people be productive. Secondly, we have this notion of consumerization of software. And people find tools that they use as a consumer and bring them in to companies. A particular example we have all seen in the US recently is that the Secretary of State and presidential candidate didn't really like the email system that was offered by the State Department so brought her own email system into the company. 

Now, naturally, this creates some issues from a security perspective for companies and governance perspective. And I'm just curious how you see companies dealing with the issue of writing tools that employees want, but at the same time, making sure that governance and security issues aren't too complicated, aren't compromised too much? 

I think it is a real challenge for the CEO of a company, or for the CSO, to detect what are the right tools, because people, employees, are not using the tools because they want to harm their company. They are using it because they want to have it as usable, as flexible. It's probably increasing their productivity. And they don't know what else to use. 

And I think this is now the real challenge for the CSO-- that you are giving them the right tools, that they can be very productive on the one hand, but also very secure on the other hand. And I think this is a big challenge for them. And that's what companies are looking for. So they have a balance between the security and productivity on one hand, especially within the application issues. 

And I think this is what they are looking for. And that's one of the biggest challenges that we currently have. And probably even the Secretary in the US will have used, let's say, the email system, let's say, of the department, because then it's much more flexible and robust, let's say, and be more secure than had been what she did. 

Yeah. I'm sure at this point she wishes she had. It's actually one of the things as a company, Intralinks, we focus on, really, is two aspects that you mention here which are very important. On the one hand, create software that people are delighted to use, that have a user interface that's very consistent with the consumer experience that they have at home, and has the productivity characteristics that they're looking for. So a delightful UI is very, very important, something we work on very hard. 

At the same time, also providing a set of tools that allow you to engage with a multitude of applications out there in some kind of secure way-- so for example, we have some technologies that allows you to wrap security around files. And even if those files wander into other applications, you still are able to maintain a level of security, control, and, more importantly, visibility as those documents are used in this multitude of applications. 

And I think this kind of solution is very important, because at the end, when you have really a security breach, something that's very important is that the normal legal authorities, that they have the possibility to get all the information they need. And they don't care if a company or if an employee is choosing a different kind of solution which is out of the, let's say, normal scope of it. It has to be legally binding for the company. 

Otherwise, you will get in deep trouble. And therefore, I think it's important that the company is having a solution that's security, productivity, and then also lets you have it from the legal [INAUDIBLE], that it's the right solution there. 

Thank you. 

You're welcome. 

[MUSIC PLAYING] 

Work Anywhere, Any Time

Episode 4 (English)

The working week is now 24/7. The office is now everywhere. Rainer Gawlick and Arne Schönbohm show how secure collaboration can be achieved on mobile devices.

Video Transcription

[MUSIC PLAYING] My name is Rainer Gawlick. I'm here with Arne Schönbohm to discuss a few interesting security topics. The one that we'd like to discuss today is this notion of work anywhere any time. As we know we now live in this 24/7 work environment. We no longer just go to work at 8 o'clock, come home at 5 o'clock and all of our work happens within the four walls of our employers' buildings.

Nowadays we often do our work at home on our own devices, while we're traveling. In the extreme case, perhaps even access in an internet cafe where we're looking at using a PC that doesn't really belong to anyone. It's very public. And the question is when people are doing these things, they should be doing it for good reasons. 

To stay very productive, and in a world where often have partners around the world in different time zones. But naturally, this creates security concerns that are not insignificant, I would imagine. 

Hey, you are absolutely right. That's a very challenging question or issue. You're right. Because if on the one hand you have, let's say, productivity. On the other hand, you have security, and how you can bring it together. 

Because people have to work, let's say, with bring your own device, because you have a different kind of customers. Are you running around with five smartphones for each of your customers? Where you have specific, let's say, know-how, the specific data of each of your customers here? It's really challenging.

So how are you going to protect it? If you are speaking about protection, then you have to think about, how shall it look like, because so that it's not harming really, let's say, as a productivity. And this is really the big issue. And I mean they are, of course, the companies, [INAUDIBLE] they are looking very strongly. 

Hey, who is having there a very interesting solution, which is on the one hand it's enhancing security. But on the other hand, also, enhancing productivity, so that this is not going to be harmed. But that, so that this is not the opposition of each other, but this is to say, in addition of each other. And this is, currently, where companies are looking for good solutions.

Yeah. I like your example of a contract, perhaps, who works with many companies in some sense, inherently. They must be an example where data resides on a PC that's not controlled by the company. The approach that we are trying to take, is this concept called Information Rights Management. So the idea here would be that data, that I as a company, want to protect. 

I can put a security wrapper around that data. And then, even if the data wanders off into areas that aren't controlled by my IT department, be that a home PC, be that a partner's PC, be that an iPad. Be it, as I said, an extreme case, in an internet cafe, that data can be accessed, looked at, and used.

But within the confines in the rules established by that security envelope. And as soon as that security envelope is violated, the data, essentially, is shut out. And the person who's trying to violate it can't look at that data.

But can you explain a little bit more in detail. Because, hey, come on I'm outside in a restaurant, for example. And then I'm reading all my emails, I have all my contact datas, all my calendar issues, and so on. And they are really confidential. And I have it, say, on my iPad. 

And I'm just paying the invoice, and then it's gone. So what is going to happen there? Because all the data is gone with the thief. So what's happening? 

As I said, what we do, is we put this wrapper around the document. And so this document has to be protected. And there's too many key concepts around how we put the wrapper around. The first is that it needs to be ideally without any plug-ins. So people will have to install software everywhere.

And so this notion of plug-in free is very, very important. And the second thing that is important that we think about is this notion called friction-free IRM. So in other words, I should be able to do whatever I do without creating friction in my workflow. So I'm going to your specific example. 

The way that we would do this is we protect all the attachments that are in the email, for example. And if I lose my iPad, or someone loses it for me, by taking it, and they try to open the documents, even if they're already in the iPad, let's say the person didn't put a password for the iPad itself. When they then click on the document, another password is going to be asked for. 

And if that person who stole the iPad doesn't have that password for that document, they have no ability to access it. And, furthermore, if the employee that reports the iPad is stolen, we can revoke access to the document for anyone in total. So even if, for example, their password for that document, some also get lost, maybe. 

They had it on a piece of paper or something. That can also be revoked. A nice thing is there's a transferability to do this in the following sense. Let's say this thief initially got the password, and then we revoke access. Then the access goes away in, kind of essentially, in real time. 

And so we can kind of go back and grab the data, so to speak, even if it has been lost and compromised. 

That sounds interesting. 

Thank you. 

Welcome. 

European Data Privacy Legislation

Episode 5 (English)

Rainer Gawlick and Arne Schönbohm discuss global cloud computing in the context of new European protection laws which require data to be held within sovereign borders.

Video Transcription

My name is Rainer Gawlick. I'm here with Herr Schoenbohm to discuss security topics. Today we want to talk about the special security concepts and regulations that we often see in the German market. 

The German market has obviously been, German government and German society in many ways has been someone that's really been at the forefront of dealing with security issues in a very kind of sophisticated, and I think very thoughtful way. And as an American company that's in the Cloud, we obviously have certain things that we need to be careful about to be successful in this market. And I thought maybe you can comment on some of the unique requirements that a company such as ours need to meet in order to be successful in Germany.

I think it's very important to be a reliable partner so that you are not making sales like, hey, come on, I made a nice salesman and then I just need a signature, have the contract and then run away, but that you are staying with the customer. That you're a reliable partner is very important. And part of being a reliable partner in the, let's say, Cloud business, because it's a virtual business, it is that the data are stationed or located here in Germany. Because of the ways we see currently the world, how it is changing with NSA and all these kind of discussions on the one hand.

And also that data is, even if legal requirements are there somehow, but that they are protected, that the data is staying with the customer. Because it's, let's say it's company owned, and it's not owned by the Cloud provider. And I think this is very important, that you are having a solution there in this kind of area. 

And this, by the way, is not just a German issue. It's also a European issue, because lots of other member states in the European Union, if you think about Dutch, if you think about Spain, Italy, and so on, they all are looking to it. And if you're looking to the EU Commissioner Oettinger regarding the digital agenda of the European Union, this is exactly where they're looking at how to protect the data. And there you need a good solution. 

Yeah, we try to attack this from a number of angles. Of course, we're getting a German data center this year, which is very important, as you point out. But we also think in addition to the physical control, the cause of logical control is very important. 

So for that we have this concept called customer-managed keys. So the idea is, I encrypt data with the set of keys that the customer provides and the customer owns, and is under the control of the customer. We, as a provider, do not even see the keys, have no access to the keys. And then when the data is encrypted with those keys, almost no matter where it resides, the control rests entirely with the customer who owns the keys. And they can decide who can and cannot have access to the data. 

That's the second concept. The third concept we think is very important to think about is, naturally if I'm a German company, I'm going to have partners that are not German by and large. I'll have those. And at times, I'm going to have to exchange data with those customers. 

When I send them the data, it's not in Germany. It's going to be with that customer, wherever they may reside. And the question is, can I bring controls to bear even in those situations? 

And for that we have this concept called IRM, Information Rights Management, that essentially put a security envelope around that data. And even when that data leaves Germany to interact with that partner, and they download it, and do whatever they need to do with it, as a German company who owns that data, you still have full control. You can decide who sees it, when they see it, what they can do with it. 

You can revoke the access any time. And you have full visibility as to what's happening. So we think it's important to not just talk about where the data is at rest, but what can you do to maintain control of the data when it's in motion. 

Let us go a little bit more into the details here, if I may. So if you are sending it via an envelope-- because it's secured, so you don't see the content of it-- so if you're legally obeyed from the American law, because you're an American company, and the court says, hey, we need it for a kind of special criminal investigation or whatever, to pass over the information, can you get the information from, let's say, a German data center to the US court? Or how is it working? 

That's a great question. That's why this concept of a customer-managed key is very important. So the customer owns the key. They can change the key anytime. They can throw away the key, if they want. 

So if the US government asked us for the data, unless the German company has explicitly given us permission to access the data-- which generally there's no reason that they would, because we're not a partner, we're just a vendor in this particular technology-- we have no access to it. The government can ask us to give it. We can give them a pile of bits. But without the keys, those pile of bits are entirely useless. 

And so we will, unfortunately, have to-- or fortunately, I guess-- have to tell the US government, if you want that data, we can give you the pile of data. But if you actually want to read it, you have to get the keys, the encryption keys, from this German company. Here's their name and address. 

And then that German company can decide how they want to respond. Maybe they want to be cooperative. Maybe they feel the request is inappropriate. And if they do, they have the opportunity to deny it to the American government. 

And can you elaborate a little bit regarding encryption, how secure it is really encrypted? 

Yeah, so we take the latest encryption technologies, the latest is called elliptical encryption, which is both very, very secure and also very, very fast. And it's the latest and greatest, essentially. And so, as far as is known, certainly to anyone in the industry, this stuff is not crackable-- unless you have the keys. And the German customer would be the one with the keys, fortunately. 

OK, sounds very interesting. 

Thank you. 

Thanks. 

Lack of Security Awareness

Episode 6 (English)

Security tools are not enough. Arne Schönbohm and Rainer Gawlick highlight the need for educating employees on how to recognize and handle sensitive company information.

Video Transcription

My name is Rainer Gawlick. I'm here with Herr Schoenbohm to discuss some security topics. Today we want to talk about culture. 

One of the things that I've noticed-- certainly, at my age, I'm not a particularly huge user of Facebook. I'm not particularly comfortable putting my life out in the open, and letting people see all aspects of what I do personally. However, I've noticed with my teenage children, it's completely the opposite. They use things like Facebook, and Twitter, and Snapchat quite extensively. And as a result, much of their private lives really is, in many ways, shown to their friends in a very real-time kind of way. 

And that, interestingly, creates a different culture than you and I grew up with. And the question is, what happens when that kind of culture and attitude is brought into companies? And these new, young employees all of a sudden have access to data that's very sensitive, very important, really can't be lost, but the same time have this kind of social media-driven attitude towards privacy, or lack of privacy. How have companies dealt with these issues? 

I think it's a big challenge for the companies, right? Because the young employees are one of their biggest assets. But they have to train the assets, they have to learn what does it really mean-- privacy. Let me give you an example. For example, when you think about, let's say, the new cars, when you make some kind of photo shooting somewhere. Let's say, in the US, in the desert somewhere, where you have some bright sky, new cars-- I don't know. 

Just as an example, in US class, you're making nice pictures, and then you have a big camera team. You have lots of, let's say, staff there. And then there is nice young guys who are just starting to learn their career as a professional photographer, and say support them. And then what they do with their mobile phone, of course-- say I'm making some pictures, also, very quickly. 

And then when we had been young, probably, we would be doing the same. Then we would go to a bar, and tell the guy who was sitting next to us, having a beer or a coke, or whatever together-- then we would explain, hey, how great we are, and we'll be done today, and that we make some great photos regarding the new Mercedes S Class, and then that's it. So the opponent would know about it. 

Today, what are they doing? They will post it on Facebook. They will twitter it. They will do whatever they like, and it is, of course, very sensitive information. So it's a most important issue for the companies to train people, and to train their own employees, but also the employees of their partners, of your corporate partners you have, of your suppliers-- what is really sensitive information, and how to deal with it. I think this is very important, because it's not just about technology or a product. But it's really regarding a whole concept about it, and think that's what companies are looking for. 

I think that's a great concept to talk about-- education. At Intralinks, the company, we have a bunch of technologies that are very helpful here. The most important is a concept called information rights management, allows us to control data no matter where it goes. 

But a key component out of getting a solution that ultimately works for the customer and the client is to provide the education services that are associated with adoption and most importantly, correct adoption. So in other words, when we bring the technology there, we have a series of workshops and create a whole education campaign associated with the new technology. 

So that despite people's more, let's say, open attitudes to technology that they might bring from their personal life, we sensitize them to the need to be careful with company data, and show them how to do that in a way that doesn't, hopefully, cramp their style too much in terms of how they conduct their day-to-day work. 

I think it's very important, especially regarding can you explain a little bit regarding how are you going to train? Let's say, is it people, the employees, and so on, when you're introducing new technology, because I think that's mandatory. 

Yes. So part of any solution we bring to the client is, of course, the technology. And then we have these adoption services that we talk about. And we actually have a team that's responsible for adoption services. 

And what they do is, they look at the current workflows that exist in the company-- where the technology that we are using goes into those workflows, ideally, in a way that changes those workflows as little as possible, and then works with the client to articulate a series of messages that will come in emails, will come in posters, come in training sessions, maybe even some social media videos that you can create. There are funny videos you can use the executives for, to do that kind of education rollout. 

And that, for us, is as important as the technology. Because even the best technology in the world, if it's not used properly, ultimately has a very limited positive impact. 

Absolutely. They sound really interesting. Thanks. 

Thank you.