Data loss prevention[i] (DLP) has been part of cyber security professionals’ arsenal of tools for over a decade. The concept is simple: protect sensitive, proprietary, or confidential data from leaving the organization’s systems in an insecure and/or unauthorized manner. Execution, however, is anything but. When DLP was first introduced to the market, data loss prevention was difficult enough. DLP required organizations to classify data. Classifying data depended on correctly identifying data owners, then getting those data owners to pinpoint data repositories. Operations teams had to determine who/what had access to each data repository and figure out if levels of access were appropriate. And this is just the tip of the procedural iceberg.
Add to this quagmire the fact that, in the mid-2000s, cloud and unmanaged mobile device connectivity weren’t ubiquitous, enterprise-approved collaboration tools were mostly purpose-built internal applications, and remote work was reserved for a scant few employees. These things were beginning to creep into the workplace, but the scale of complexity in managing data was minuscule compared to today. DLP software was one of those “must have” security product buys, but yesterday’s DLP tools don’t begin to scratch the surface of efficacy. While most organizations have DLP implemented in their environments, identifying sensitive data, controlling access, and managing policies remain major barriers to use.
According to a survey by data security vendor Code42, ninety percent of companies set their traditional DLP implementation to monitor mode, thereby disabling any of the prevention capabilities for which DLP was built. Mark Wojtasiak, VP of Security Research and Product Marketing at Code42, told me he’s not at all surprised. “The number of policies that need to be written and which require exceptions make traditional DLP ineffective, and even if a security team can manage all those policies, blocking users isn’t acceptable in today’s workplaces,” he said during a recent call. True enough, businesses today thrive on ease of access, frictionless productivity, and collaboration. Anything that prohibits these things is deemed unacceptable to executive teams, even if it flies in the face of security.
Code42’s approach to DLP is different; the product does not require policies to be written or maintained, nor does it block users from data/application access. Then how can it be an actual data loss prevention mechanism, you might ask (as I did). To understand the company’s current offering, it helps to learn a bit of history.
Founded in 2001 as a custom software development house, Code42 initially focused on writing software for Macintosh computers. At that time, enterprise solutions were geared toward Windows and Linux machines, as they were the overwhelming hardware of choice. But the founders of Code42 foresaw a market need and bet on Apple’s rising popularity. Thus, in 2007, the company bought a small kiosk at MacWorld to showcase their then-product. Their booth was located just outside the keynote room, and as fate would have it, that keynote stage was where Steve Jobs would announce the iPhone, changing computing and networking forever.
While many security professionals struggled with how to accommodate this new technology—a mini-computer disguised as a mobile phone—on their networks (as would become the corporate mandate), Code42 developed CrashPlan, a small business backup and data protection solution. Over the next several years, the team developed enterprise versions of the software and learned from their install base that users were worried about the collection of files and wanted a broader solution to protect files. By 2015, Code42 transitioned into a full-fledged security company that could, in Wojtasiak’s words, “see files leaving the endpoint.”
Today, Code42 is used by customers to better manage insider risk. Alexandra Gobbi, the company’s Chief Marketing Officer, said, “If you think about today’s businesses, they’re looking for ways to collaborate, whether through Slack or GitHub or other file shares. We live in a collaborative culture; data movement is continuous. CISOs need to protect the organization, whether it’s trade secrets or customer files, whilst allowing the workforce to be collaborative.” Just like the iPhone forced its way into accepted business practice, so too has data sharing and the ability to access data from anywhere, at any time. Facilitating this ease of access and collaboration is the problem Code42 wants to solve.
Wojtasiak explained that the company’s data-centric approach is what sets them apart. However, many security product vendors will tell you their focus is “protecting the crown jewels.” What really sets the company apart from traditional DLP vendors is how the product works technologically. Code42 is a cross-platform endpoint agent that looks at file metadata and file behavior to determine suspicious activity. For example, has an unusually large amount of data been created, modified, or deleted compared with past activity? Have files or data been downloaded to removable media or web-based collaboration tools like Dropbox or Google Docs? Code42 audits a 90-day history of past file activity and correlates it with metadata such as file owner, category, name, and hash to build a risk profile.
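As an added illustration (not Code42's code or algorithm, which the article does not describe), the sketch below scores constructed file events against a per-user 90-day baseline using the kinds of signals named above. The event fields, destination labels, and 3-sigma threshold are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

BASELINE_DAYS = 90                               # history window from the article
RISKY_DESTS = {"removable_media", "cloud_sync"}  # assumed destination labels

def score_day(events, user, today):
    """Return the risk signals raised by one user's file activity on `today`."""
    per_day = defaultdict(int)
    for e in events:
        if e["user"] == user:
            per_day[e["day"]] += e["size"]
    history = [per_day.get(today - timedelta(days=n), 0)
               for n in range(1, BASELINE_DAYS + 1)]
    mu, sigma = mean(history), pstdev(history)
    reasons = []
    # Signal 1: volume well above the user's own baseline (assumed 3-sigma rule).
    if per_day.get(today, 0) > mu + 3 * max(sigma, 1.0):
        reasons.append("volume_spike")
    todays = [e for e in events if e["user"] == user and e["day"] == today]
    # Signal 2: files sent to removable media or a web collaboration tool.
    if any(e["dest"] in RISKY_DESTS for e in todays):
        reasons.append("risky_destination")
    # Signal 3: metadata correlation, files moved by someone other than the owner.
    if any(e["dest"] in RISKY_DESTS and e["owner"] != user for e in todays):
        reasons.append("not_file_owner")
    return reasons

def sample_events(today):
    """Constructed data: 90 quiet days for two users, then one unusual day."""
    events = []
    for n in range(1, BASELINE_DAYS + 1):
        day = today - timedelta(days=n)
        for user in ("alice", "carol"):
            events.append({"user": user, "owner": user, "day": day,
                           "size": 10_000_000 + (n % 5) * 1_000_000,
                           "dest": "local", "name": f"notes-{n}.docx"})
    events.append({"user": "alice", "owner": "bob", "day": today,
                   "size": 500_000_000, "dest": "removable_media",
                   "name": "customer-list.xlsx"})
    events.append({"user": "carol", "owner": "carol", "day": today,
                   "size": 12_000_000, "dest": "local", "name": "notes.docx"})
    return events

if __name__ == "__main__":
    today = date(2024, 1, 31)
    for user in ("alice", "carol"):
        print(user, score_day(sample_events(today), user, today))
```

Because the baseline is per user, the same byte count can be routine for one person and a spike for another, which is what lets this style of detection run without hand-written policies.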
Another key differentiator is feature parity across Mac, Windows, and Linux; agent updates are pushed out from the cloud to all three platforms ubiquitously so users don’t have to manage different types and stages of updates.
All data from ingest to analytics to storage is run in the cloud. I asked Wojtasiak and Gobbi how they work with companies that still have reservations about cloud. Their answer was that their go-to-market strategy is focused on companies that are cloud-forward, primarily in five sectors: high tech, high-tech manufacturing, media and entertainment, pharmaceuticals, and professional services. That said, like any wise product company, they work with businesses not yet in the cloud and help them with secure migration—nearly a quarter of the company works on the customer experience and operations team, which offers support, training, and professional services.
There is no doubt that businesses today commoditize data. As such, they collect and store as much data as is possible. Yet, the more data a company has, the greater the risk of data loss, either through accidental loss by a well-meaning employee or intentional loss by an employee leaving the corporation who wants to use the data for personal gain, or who wants to inflict damage on their soon-to-be-former employer. Traditional DLP tools and insider risk solutions have always had their limitations, so it’s nice to see a company taking an approach that doesn’t put productivity in the path of detection and response.
Code42 boasts an impressive install base and is certainly worth a look. External threat actors may get all the good press, but insiders who don’t need to find illicit ways to access sensitive company data pose a greater threat in some ways. Therefore, it’s best to have a backup plan for that data in case an authorized party goes rogue or simply tries to make their own lives easier by copying files to a USB they accidentally lose. Who better to trust with that backup plan than a company that started as a backup provider?
[i] Also known as data loss prevention, data leak protection, and data leak prevention.