The company’s FileFlex Enterprise is based on a Zero Trust Data Access strategy. The product unifies remote access, sharing and governance of data storage across multiple environments using a Zero Trust Architecture.
Anthony DeCristofaro believes the sooner more organizations adopt a Zero Trust Data Access (ZTDA) security strategy the better off they will be.
Sure, that will no doubt be a major plus allowing the company he co-founded to grow, which is the ultimate goal of any organization, but as he points out in our latest ECA Founder’s Podcast, equally as important is the level of protection it provides in the ongoing battle with “the bad actors.”
They are, he says, both clever, and as the recent Microsoft Exchange server and SolarWinds attacks prove, very sophisticated.
The principles of Zero Trust, DeCristofaro says, are simple. Never trust, always verify. In practice, that means each user must be verified before access is granted to any resource. Every request from every user, inside or outside of your perimeter security must be authenticated, authorized and encrypted, in real-time.
Founded in 2009 by Forrester analyst John Kindervag, it is also not a new concept.
In a blog released last year, Forrester principal analyst Chase Cunningham wrote that the firm has “continued its research and support of this security concept for over 10 years, and it doesn’t look like we will be drifting from the herd anytime soon.
“Why? Because old-school approaches to security aren’t cutting it. Many organizations feel that Zero Trust is too hard, time-consuming, or costly to implement, but it will save your organization in the long run.
“The strategy leads to the reduced risk of being the victim of a ransomware attack, paying hefty fines, or suffering loss of customer trust following a breach. Frankly, we’re still not quite sure what else the security industry needs to see to grasp that Zero Trust is both real and a necessity.”
Meanwhile, FileFlex Enterprise, a Zero Trust Data Access (ZTDA) platform, provides secure sharing of confidential files within the app itself via secure encrypted channels, instead of sharing files via vulnerable email attachments or syncing and duplicating in the cloud, which increases the attack surface area. Authentication and authorization are strictly enforced before access and sharing is allowed, and access is granted on a per session basis.
It’s time, DeCristofaro says, has come: “It stops a lot of malware from entering your network. It gives remote workers a lot more protection without affecting productivity. It simplifies the management of the security operations of the centres actually by enhancing the automation.
“It has been quite an interesting journey as I've talked with some large corporations who have actually moved to Zero Trust. From a security perspective, it's actually simplified things and given them better visibility, better productivity into potential threats to improve the proactive remediation and response.”
The concept, he says, changes the focus from a location-based security strategy to a model based on user identity authorized access.
An example of that was the recent Tesla break-in in which an employee stole 26,000 confidential files in his first week of employment and downloaded all of them to his personal Dropbox folder. “A lot of important data went in there. If FileFlex was part of that platform solution, we would have stopped that cold in the first hour with an alarm. It’s all about protecting your data.”
DeCristofaro points out that this has become even more critical since the onset of the pandemic, which forced employees to work from home and created many a sleepless night for chief security officers around the world.
Attachments, which clearly create a risk area, are a fundamental way for hackers to infiltrate a system, but through FileFlex Enterprise, IT controls sharing permissions and user permissions over all storage locations even to file level granularity. The administrative console includes a view of all activities of all users that can be monitored in real-time or exported to security incident event management software.
Access and Sharing can be revoked at any time on an individual contact, user, or file-by-file basis. In addition, double encryption will ensure that the transmitted data is encrypted all the way through from sender to receiver and can never be intercepted at the server level.
This is a far cry, DeCristofaro says, from “living with 25-year-old technology that includes VPN and a bunch of other so-called security platforms, but the world is changing.
“Whether your organization is already applying Zero Trust or completely new to it, it’s important to understand the concepts of it and how it can protect your organization.”