Skip to content

企業資料保護框架:化解影子人工智慧風險

反制影子 AI:以資料為中心的企業資料保護框架

保障受管制資料狀態、強化應用程式邊界,並在未經授權的生成式 AI 平台上部署持久性權限管理

策略性架構簡報: 影子 AI(Shadow AI)在企業內部的野蠻生長,為現代 IT、資安與合規團隊帶來了嚴重的可視性與治理破口。其風險並非源於生成式 AI 技術本身,而是源於使用者在未受管理的外部平台複製、上傳或處理敏感企業資產時,所導致的資料譜系(Data lineage)與控制權喪失。緩解此類曝險要求企業從生硬的網路級阻斷,轉向結合內嵌式(Inline)語意控制、資料姿態衛生(Data posture hygiene)以及以承載資料為中心(Payload-centric)之加密技術的整合式安全堆疊。

解構影子 AI 的風險剖析

生成式人工智慧(GenAI)在企業環境中快速擴展,原生優化了從大規模資料聚合、翻譯到程式碼重構和高階主管報告等多種工作流。由於這些工具能帶來立竿見影的生產力提升,在資安決策層來得及制定正式的使用政策之前,員工往往就已頻繁導入消費級的解決方案。這種行為模式催生了影子 AI(Shadow AI)——即在企業基礎設施中,未經授權且未受監控地使用機器學習模型。

從資料治理的角度來看,影子 AI 引入了嚴重的結構性曝險。資安團隊對於以下情況完全處於盲區:哪些外部模型正在主動攝取資訊、這些資料在地理上被儲存於何處,以及第三方模型供應商是否正將企業專有的資料池用於公開大型語言模型(LLM)的訓練週期。


從應用程式限制轉向資料譜系控制

傳統的企業防禦專案高度依賴以周界為核心的控制項,利用安全網頁閘道器(SWG)來阻斷或允許對特定應用程式網域的存取。這種模型在套用於生成式 AI 時宣告失效。GenAI 空間繞過了傳統的周界控制,因為資料可以透過標準網頁瀏覽器工作階段(Session)被瞬間提取——不論是將剪貼簿的原始文字貼入未經授權的聊天機器人,還是將在地檔案拖放到未受管理的瀏覽器擴充功能中。

因此,一項有效的反影子 AI 戰略必須跨越應用程式級圍阻(Containment)的概念。資安架構師必須轉向以資訊為中心的模型,不論資料與何種端點或雲端架構互動,可視性與資料保護控制項都必須緊緊依附於資料承載(Payload)本身。


對映企業資產的曝險足跡

常見的治理錯誤是誤以為影子 AI 的風險僅限於標準的個人識別資訊(PII)。在現實中,未受管理的模型攝取會暴露出多個關鍵的業務層面,包括:

  • 法務維運: 企業合約、已簽署的主服務協議(MSA)以及保密協議(NDA)。
  • 人力資源與人事: 員工檔案、薪資架構、醫療保險指標以及內部績效日誌。
  • 企業財務: 總分類帳條目、未發布的季度預測、價格利潤率矩陣以及在地化的預算模型。
  • 軟體工程: 核心應用程式原始碼、API 憑證模式以及系統配置指令碼。
  • 戰略規劃: 商業產品提案、競爭分析矩陣以及下游的企業併購(M&A)資料。
  • 智慧財產權: 研發工程圖紙、CAD 檔案、專有演算法以及專利申請書。

此曝險面具備獨特的挑戰性,因為透過影子 AI 進行的資料外洩通常是靜默發生的。與標準的惡意軟體感染或憑證濫用事件不同,資料流向外部 LLM 不會觸發任何傳統的端點指標,在沒有清晰的外洩特徵碼(Signature)的情況下,使資料池直接暴露。


一刀切式 AI 限制的維運失敗

面對未受管理的應用程式使用,許多 IT 團隊的直覺反應是在所有未受核准的生成式 AI 網域實施全域阻斷。雖然封鎖高風險平台能在短期內立即降低風險,但將其作為長期戰略卻存在根本性的缺陷:

  1. 消費級 GenAI 新平台的誕生速度,遠遠超過傳統網頁過濾資料庫的更新週期。
  2. 分散式員工可以輕易透過未受管理的個人裝置或外部行動網路,存取未經授權的模型實例。
  3. 過度限制的控制項會逼使員工尋求替代的影子繞過手段,以維持其日常生產力。

組織不應試圖消滅 AI 工具的採用,而必須專注於治理。資安團隊必須清晰定義哪些核心架構是受核准的、為結構化資料狀態建立可接受的應用場景,並提供安全的企業級替代方案,讓員工在保障安全的前提下槓桿 AI 的能力。


戰略性架構能力檢核表

在選擇資安廠商來緩解影子 AI 風險之前,企業資安領導者必須根據幾個關鍵指標,評估其現有的資料保護姿態:

  • 遙測與可視性: 我們的安全維運中心(SOC)能否清晰區分受授權的企業級 AI 實例與未受管理的消費級帳戶?
  • 分類情境脈絡: 我們是否維護著實時的資料安全姿態地圖,以標記哪些高價值資產易受外部模型爬取?
  • 內嵌式外洩防護: 在資料到達外部端點之前,我們現有的端點控制項是否能主動掃描出站文字串中是否包含敏感的語意結構?
  • 外洩後權限控制: 如果一份機密檔案離開了我們安全的雲端儲存環境,我們能否動態撤銷其存取權限,或追溯性地審計其使用歷史?

現代反影子 AI 防禦安全堆疊

保護企業資料免受未授權 AI 工具的侵害,需要在不同控制分層上部署多種互補的資安能力協同運作:

控制層組件 核心分析能力 對 AI 治理的戰略貢獻
影子 IT 與 SaaS 資產發現 監控網路與裝置日誌以識別活躍的 SaaS 服務。 揭露隱藏的使用趨勢,並在裝置艦隊中追蹤未受核准的生成式 AI 平台。
CASB 與 SSE 架構 強制執行租戶限制(Tenant restrictions)並檢查經加密的 TLS 工作階段握手。 確立清晰的存取邊界,在允許企業級實例的同時,阻斷相同網域下的個人帳戶。
端點與網路 DLP 掃描出站資料流中的特定內容模式與檔案類型。 阻斷敏感的承載資料(如 PII、信用卡資訊或原始碼)被提交至未受核准的網頁欄位中。
資料姿態管理(DSPM) 自動在多雲資源池中定位、對映並分類敏感資料資產。 在開放且權限過寬的資料儲存庫被在地的企業級 AI 助理安全攝取之前,率先予以識別。
SIEM 與審計生態系 集中化資安遙測數據、記錄存取企圖並追蹤系統行為。 維護清晰且不可篡改的審計軌跡,用於合規報告與事後事件調查。
資訊權限管理(IRM/EDRM) 將密碼學加密與持久性存取規則直接嵌入檔案承載資料(Payload)中。 確保檔案在整個生命週期中維持加密與受追蹤狀態,即使被下載或分享至外部亦然。

部署以承載資料為中心的加固:IRM/EDRM 的角色

由於向 AI 助理輸入文字通常是以片段形式發生——例如複製特定的幾行程式碼、貼上財務簡報中的段落,或上傳孤立的文件章節——僅僅保護儲存庫已不再是足夠的防禦。真正的資料圍阻(Data containment)需要透過資訊權限管理(IRM)或企業數位版權管理(EDRM)來直接保護檔案本身。

透過將密碼學控制項與動態存取規則直接嵌入檔案承載資料中,檔案在整個生命週期中都能受到保護。即使使用者將文件下載至未受管理的裝置,或試圖將其上傳到消費級 AI 環境中,嵌入的加密技術也會強制執行明確的邊界。它能阻止剪貼簿複製、阻斷在地列印、限制螢幕截圖,並允許管理員隨時動態調整或撤銷存取權限,即使在檔案離開企業周界後,也能中和資料曝險風險。


資安領導者分階段實施路線圖

對企業 AI 的整合建立有效的治理,需要採用分階段、漸進式的方法,在安全性與維運生產力之間取得平衡:

階段 1:可視性評估

槓桿影子 IT 發現工具對映當前的使用基準線,識別在企業設備艦隊中哪些未受核准的 AI 平台被最頻繁地存取。

階段 2:正式政策框架定義

起草清晰且易於查閱的可接受使用指南,明確指出哪些模型受核准、概述可接受的企業應用場景,並精確定義哪些資料分類被限制向外部傳輸。

階段 3:資料分類與衛生加速

部署自動化資料發現工具來識別、標記並清理敏感資料庫上的權限,確保高價值的智慧財產權得到妥善編目與保護。

階段 4:內嵌式控制項執行

啟用內嵌式 CASB、SSE 和語意 DLP 政策,以管理租戶邊界、阻斷對高風險網域的存取,並在端點邊緣攔截敏感的文字輸入。

階段 5:核心內容封裝

針對最關鍵的資料類別(包括法務合約、智慧財產權、財務模型和客戶名冊)實施持久性的 IRM/EDRM 控制,確保無論資料儲存於何處都維持加密狀態。

階段 6:持續性生命週期審計

定期審查集中化的 SIEM 指標與行為日誌,以持續調整存取政策,並緊跟不斷演進的生成式 AI 威脅地景。


結論:治理未來的核心工作型態

影子 AI 的興起凸顯了現代數位維運的一個根本現實:商業資訊的流動速度以及所跨越的分散式環境,早已超越了傳統周界安全所能管理的極限。試圖透過一刀切式的網域禁令來解決這項挑戰,只會破壞員工的工作流,並迫使使用者轉向其他未受管理的替代方案。

歸根結底,保護組織免受影子 AI 的侵害,需要轉向以資訊為中心的治理模型。藉由將清晰的應用程式政策與內嵌式語意控制、自動化資料分類以及持久性檔案級加密相結合,資安領導者可以滿懷信心地支持 AI 生產力,同時確保關鍵的企業資料得到最完善的保護。

關於 SealPath

SealPath 是歐洲在數據中心安全和企業數字版權管理方面的領導者,與來自 25 個以上國家的主要企業合作。十多年來,SealPath 幫助製造業、石油和天然氣、零售、金融、醫療和公共管理等不同行業的組織保護其數據。SealPath 的客戶包括《財富》500 強和 Eurostoxx 50 指數中的許多機構。SealPath 的解決方案可以有效防止成本高昂的錯誤,降低數據洩漏的風險,確保機密信息的安全,並保護數據資產。

About Version 2

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

AI 安全架構:整合 SealPath SDK 以實現安全的代理工作流程

生成式知識的安全防禦

槓桿 SealPath SDK 在企業 AI 架構中強制執行持久性資訊權限管理(IRM)

戰略簡報: 將自主 AI 代理人(AI Agents)連結至企業內部儲存庫能釋放巨大的生產力,但同時也創造了嚴重的資料曝險風險。由於大型語言模型本質上會跨越不同的資料孤島進行資訊聚合與綜合,它們經常會繞過傳統的資料夾級權限。本藍圖詳細拆解了 SealPath SDK 如何將外部、以身分為核心的驗證層直接嵌入 AI 管線中,確保自主代理人嚴格根據使用者目前的作用中文件權限來查詢資料。

代理型知識檢索的結構性風險

企業 AI 工作流允許員工使用自然語言查詢廣闊的資料資產——立即萃取法律合約、供應商參數或專有技術藍圖的摘要。然而,當這些智慧編排器索引了包含繼承權限、開放共享連結或跨部門資料夾的儲存庫時,它們便引入了一個根本性的安全缺陷。

AI 模型並不需要暴露整份機密文件才會引發災難性的資料外洩。代理人只需將敏感片段注入低權限的對話會期、綜合不同來源的受保護資料點,或推論出受限的維運指標,就足以構成威脅。在向量資料庫中與資料的「語義接近性」,已不再代表擁有檢索該資料的權限。對於處理受管制或專有智慧財產權的企業而言,細粒度的存取控制必須從「儲存庫的參數」轉變為「檔案本身的屬性」。

「企業 AI 代理人絕不能基於它在技術上有能力找到的所有內容來構建答案。它必須完全根據查詢身分被明確授權檢視的資料資產來生成回應。」


為什麼在地化隔離優於基礎索引

一個常見的架構誤區是過度依賴簡單的儲存庫同步——直接索引廣泛的共享雲端硬碟,並將資訊過濾的工作留給 AI 系統本身。若缺乏獨立且可審計的密碼學邊界,執行時期引擎(Runtime Engine)將面臨放大企業內部既有權限漂移(Permission Creep)的風險。

這項挑戰已被 Microsoft 365 Copilot 等業界標準所承認,其強調智慧檢索必須在執行時期層尊重基於身分的存取邊界。真正的資料安全需要將核心查詢從「非結構化搜尋」轉變為「經權限驗證的請求」:

檢索範式核心索引查詢維運安全邊界
標準 AI 代理人「在整個已索引的資料資產中,哪些文件與此提示詞具備語義相關性?」依賴基礎的資料夾級繼承;易受權限漂移與過度分享(Oversharing)的侵害。
整合 IRM 的安全代理人「此特定使用者身分在契約與密碼學層面上,被允許解密哪些相關文件?」透過持久、文件級的密碼學簽章強制執行,無論檔案流轉至何處皆保持有效。

架構概述:SealPath SDK 驗證迴圈

SealPath SDK 在自主代理人與底層受保護的檔案矩陣之間,引入了一個自動化的強制執行層。透過將權限檢查直接整合到檢索增強生成(RAG)迴圈中,應用程式會在資料內容進入模型情境(Context)之前驗證資訊權限。

 

安全維運工作流遵循嚴格的順序生命週期:

  1. 提示詞攝取: 人類操作員將非結構化查詢輸入至企業 AI 介面中。
  2. 候選檔案隔離: 代理人查詢其向量資料庫或儲存陣列,以定位具備語義相關性的檔案。
  3. 密碼學認證: 在閱讀或對任何受保護文件進行分塊(Chunking)之前,應用程式會調用 SealPath SDK 介面。
  4. 基於身分的驗證: SealPath 驗證查詢使用者的身分,並根據檔案的安全政策檢查其作用中權限。
  5. 情境內容攝取: 若獲得授權,文件將被解密並將其內容傳遞至模型的情境視窗中;若未獲授權,該檔案將被完全排除。
  6. 限定範圍回應生成: 模型生成完全衍生自經驗證、符合權限規範之來源的答案。

執行時期層的細粒度權限評估

傳統的存取控制採用簡單的二進位(開啟/關閉)決策。相反地,SealPath SDK 允許企業應用程式在自主管線槓桿某個檔案之前,分析與該檔案關聯的確切使用參數。應用程式可以即時動態評估多個安全變數:

  • 解密許可: 確認特定的使用者情境是否擁有打開該檔案的密碼學金鑰。
  • 功能性微權限: 檢查目前身分是否被限制複製內容、列印頁面或編輯欄位——從而允許應用程式相應地限制資料分塊。
  • 時間邊界: 驗證文件的存取窗口是否已過期,或者權限是否已被單方面撤銷。

如果未經授權的使用者請求對未經核實的文件進行分析,系統會將該檔案排除在 RAG 週期之外,允許代理人進行安全的回應:「完全基於您被授權存取的文件,現有的可用資訊指出……」

瓦解 AI 過度分享的放大效應

過度分享(Oversharing)——亦即在不恰當的時間內將企業資料暴露給過多的使用者——是一個長期的資料治理挑戰。歷史上,一個過度暴露的文件通常僅靠「隱蔽性」就能維持安全,因為它被埋在層層嵌套的網路共享資料夾深處。然而 AI 抹除了這種靠隱蔽帶來的安全感。代理人可以在幾秒鐘內發現、聚合並展示一個過度曝險的檔案。

SealPath 的整合透過確保保護令「隨檔案同行」解決了這一脆弱性。無論檔案是被下載、重新命名、複製到外部驅動器,還是移動到不同的資料層,其密碼學邊界都保持完好。如果某個身分無法手動打開該文件,代理人便無法使用該文件為該身分構建答案。

CISO 架構指南:安全企業 AI 整合的最佳實踐

為了在敏感資料資產旁安全地部署大型語言模型,組織應圍繞以下原則建構其架構,並與 OWASP Top 10 for LLM Applications 保持一致:

  • 前置情境權限驗證: 務必在文件內容被處理或傳輸到模型情境之前,透過 SealPath SDK 強制執行身分檢查。在資料攝取之後才驗證權限是一個嚴重的架構失敗點。
  • 強制執行使用者情境的最小權限: 避免在擁有所有資料存取權的廣泛管理員帳戶上執行 AI 代理人。強制代理人必須在特定使用者的身分情境內運作。
  • 安全的索引隔離: 防止建立未受管的向量索引或快取資料庫,若這些庫包含未加密的敏感片段且未遵循原始文件級的存取權限。
  • 情境視窗最小化: 將發送到外部或託管 AI 模型的負載限制在解決提示詞所需的絕對最低限度,以減少系統性曝險。
  • 全面的審計追蹤可視性: 記錄所有資料請求、使用者情境與 SDK 授權結果,以維持乾淨的資料治理與合規追蹤軌跡。

使用 SealPath 保護您的自主工作流

採用先進的 AI 能力不應以犧牲嚴格的文件治理為代價。SealPath SDK 允許您將企業級的資訊權限管理(IRM)直接引入您的客製化應用程式、RAG 管線和代理型工作流中。

  • 持續性密碼學邊界: 確保安全政策隨文件同行,保障儲存網路內外的檔案安全。
  • 以身分為核心的驗證: 在資料進入模型情境之前,自動驗證使用者目前的作用中權限。
  • 強固的合規追蹤: 對自動化模型正在利用哪些企業文件保持完整的可視性。

加固您的企業 AI 部署並消除過度分享的風險。歡迎立即聯絡我們的工程團隊,將 SealPath SDK 整合至您的數位工作流中。

關於 SealPath

SealPath 是歐洲在數據中心安全和企業數字版權管理方面的領導者,與來自 25 個以上國家的主要企業合作。十多年來,SealPath 幫助製造業、石油和天然氣、零售、金融、醫療和公共管理等不同行業的組織保護其數據。SealPath 的客戶包括《財富》500 強和 Eurostoxx 50 指數中的許多機構。SealPath 的解決方案可以有效防止成本高昂的錯誤,降低數據洩漏的風險,確保機密信息的安全,並保護數據資產。

About Version 2

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

SealPath reports 50% growth in sales in the first half of the year and consolidates its leadership in data security

The company specializing in corporate information protection attributes its results to the rise in regulations, a significant increase in the number of data leaks, and growing concern among organizations about keeping their sensitive data safe.

BILBAO, SPAIN, AUGUST 4, 2025 – The cybersecurity market continues to show remarkable momentum in 2025, and SealPath’s results reflect this. The company, which specializes in protecting and controlling permissions on sensitive documents, reported a 50% increase in revenue at the end of the first half of this year. This growth is directly related to the increase in attacks targeting key sectors such as finance, industry, and public administration, as well as regulatory pressure from regulations such as NIS2 and DORA.

SealPath, which has just celebrated 15 years offering specialized solutions in corporate data protection through digital rights management technology, has experienced an acceleration in demand for its solutions, especially from medium and large organizations seeking to secure access to their most critical information.

Growth driven by market developments

The company notes that the market is moving toward increasingly proactive data protection solutions focused on preventing information leaks before they occur. This represents a shift from traditional security technologies, which tend to be more reactive. According to SealPath’s CEO, the market is also consolidating the adoption of tools integrated with other cybersecurity technologies, which enable customers to identify and mitigate potential threats more effectively.

In addition, SealPath’s geographical expansion, with new operations in international markets, particularly in Europe, Latin America, and Asia, has been decisive in achieving these strong results. The company is thus responding to growing interest from customers and partners in regions where data protection is a strategic priority for businesses.

Greater focus on industrial property protection

SealPath has also detected an increase in companies investing in protection solutions for industrial designs, reinforcing the management of sensitive information throughout the supply chain. The company believes that proactive security remains critical in the fight against information theft and has therefore stepped up its offering of CAD design protection solutions for its customers.

Luis Ángel del Valle, CEO of SealPath, offers a positive take on the results:
“It is very encouraging to see how companies are prioritizing data protection as a core part of their strategies. We have seen very rapid adoption of our solutions, and the market is demanding more comprehensive technologies to address today’s challenges. This motivates us to continue innovating and striving to lead the sector.”

With its growth figures and ability to adapt to the demands of a changing sector, SealPath consolidates its position as one of the leading companies in data-centric security, ready to face the challenges of the second half of the year and continue strengthening the security of its customers in around 30 countries.

 

About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

CIS Critical Security Control 3 v8: Improving organizations data protection strategy

Know in depth the CIS Security Control 3 v8, a set of security safeguards to help organizations on data protection, the new changes compared to v7, all the safeguards and how to implement CIS Control 3 effectively.

A brief background about data breaches

IBM and the Ponemon institute released a report on the cost of a data breach in 2022, surveying 550 breaches with data gathered from over 3,600 interviews across 17 countries, and the result was mind-blowing. The results show that the average data breach cost US$4.35 million in 2022, indicating that the figures have further risen from the $4.24 million recorded in 2021.

Every year, IBM statistics for the cost of data breaches indicates that the figures keep rising by at least 2.6 per cent, and numbers are expected to shoot up in the coming years.
However, in the US, the figures and drastically different, as the average cost of a data breach was found to be $9.44M, more than double the global average. Know how is the Data Breach loss cost estimate obtained?

The IBM report also showed the causes of most breaches, with stolen or compromised credentials accounting for 19% of breaches, phishing being responsible for 16%, and Cloud misconfiguration causing 15% of breaches.

It’s essential for organizations to deploy a robust data protection strategy to reduce the possibility of a data breach or data leakage, which often leads to financial loss. The CIS Controls is a collection of the best data and computer security practices to mitigate attacks on cyber systems and networks.

CIS Security Controls v8, Data Protection

The CIS Critical Security Controls (CIS Controls) is a set of security Safeguards to help organizations mitigate the most prevalent cyber-attacks against computer systems and networks. These Controls are improved from time to time to address constantly evolving cyber threats and keep up with modern systems and technologies.

More specifically, CIS Control 3 focuses on ensuring data protection both in storage and when transmitted through data management for mobile devices and computers. The Controls map out processes and techniques to identify, classify, safely handle, retain, and dispose of data in a way that minimizes the risks of a data breach.

It’s no news that an organization’s data is no longer restricted to its borders. Some data are now stored in the cloud, shared with partners, transferred over portable end-user devices, and so on. This diverse handling of data opens it to more risks of attack, making data protection a great concern for organizations.

Although encryption offers a lot of protection to data, it doesn’t offer much help in the face of malicious actors with deep-rooted knowledge of bypassing encrypted data. As a result, organizations need to incorporate a holistic data protection strategy outlined by CIS Control 3 to strengthen their security and mitigate cyber-attacks.

Changes compared to v7 where Data Protection is now the Control 3

CIS Control 3v8 is a comprehensive revision of the 3v7 and contains safeguard updates to improve data security and reduce the risks of a breach. Some of the changes include:

– the addition of Service Provider Management Control: a new control that tackles the sensitivity of data in SaaS platforms, including their storage and processing.

– moving Data Protection from the number 13 spot to number 3 and adding five new Safeguards to this Control. These five new Safeguards are focused on managing and identifying data in a more secure approach to minimize vulnerabilities.

Other changes involved Controls, such as Controls 4,5,6,14, and so on.

What data protection safeguards does CIS Control 3 include?

Below are the safeguards of CIS Control 3

3.1: Establish and Maintain a Data Management Process

Organizations should put in place an effective data management process that handles data sensitivity, ownership, storage, retention, backup, and disposal. The data management process should align with the regulations of your specific organization and be reviewed annually or wherever there’s a major policy change.

3.2: Establish and Maintain a Data Inventory

Your inventory outlines the type of data your organization produces, the degree of sensitivity, and how they’re retained and consumed. Typically, your inventory should reflect both structured data (e.g., data stored in databases) and unstructured data (e.g., documents and photos) to ensure a comprehensive data protection policy.

3.3: Configure Data Access Control Lists

Restricting each user’s access is a crucial part of data security, and each user should only have access to the data, applications, and systems on the organization’s network that they require to do their job. Having access to other than what they need (especially sensitive data) increases the risk of a data breach and security compromise, either deliberately or accidentally.

Regular review of access control lists should be done to detect and swiftly remove any unauthorized permissions that a user has, such as when they move to a new department, branch, or role.

3.4: Enforce Data Retention

Data should have minimum and maximum timeframes to control the extent to which different types of data should be retained. To ensure full compliance, you should consider automating the data retention process so that certain types of data do not stay beyond their expiry period due to forgetfulness.

3.5: Securely Dispose of Data

Whether you need to dispose of data because it’s old and irrelevant or due to standard regulations, ensuring secure disposal is crucial to preventing unauthorized access to the data. You should dispose of data according to their sensitivity, making sure that sensitive data are entirely eliminated in a way that no user can access.

3.6: Encrypt Data on End-User Devices

In certain scenarios, company devices get compromised by internal or external threats. Encrypting data on end-user devices helps prevent data misuse when such scenarios arise, adding an extra layer of security to your organization. Typical examples of encryption tools are Windows BitLocker, Linux dm-crypt, and Apple FileVault.

3.7: Establish and Maintain a Data Classification Scheme

Not all the data in your organization are on the same level. Some are sensitive, while others aren’t. Establishing and maintaining a data classification scheme helps you to distinguish sensitive data from non-sensitive data, so you can provide more protection for sensitive ones. Even non-sensitive data can also be further classified as private or public to enhance data protection.

Organizations should review their data classification scheme annually or whenever there’s a significant policy change.

3.8: Document Data Flows

Organizations should keep tabs on the movement and flow of data in and out of the enterprise in order for timely detection of vulnerabilities that could weaken their cybersecurity. You should review documentation annually and apply necessary updates whenever a significant change that could potentially impact this safeguard occurs.

3.9: Encrypt Data on Removable Media

Organizations should prepare for scenarios of device theft by encrypting the data on external hard drives, flash drives, and other removable media. These devices may also be misplaced and eventually land in the wrong hands, but with encryption, you can rest assured that the data will not be misused or exploited.

3.10: Encrypt Sensitive Data in Transit

Organizations should encrypt critical data in transit to ensure optimal protection wherever the data goes. Popular encryption options for companies are Open Secure Shell (OpenSSH) and Transport Layer Security (TLS). All encryptions must also be adequately authenticated. For example, OpenSSH validates host keys and investigates any connection warnings, while TLS uses valid DNS identifiers with certificates signed by a trusted and valid certification authority.

3.11: Encrypt Sensitive Data At Rest

Sensitive data at rest either on servers, databases, or applications, should be encrypted with at least Storage-layer encryption. Additional encryption methods can be deployed to ensure that only authorized users can view and use the data, even if the storage device gets into the wrong hands.

3.12: Segment Data Processing and Storage Based on Sensitivity

Data processing and storage should be segmented based on data classification to ensure that sensitive data is treated with more caution than less sensitive data. Avoid processing sensitive data on enterprise assets that manage less sensitive data at the same time. Doing this will prevent a hacker from automatically accessing all company data once they gain access to some less sensitive data.

3.13: Deploy a Data Loss Prevention Solution

Data loss protection (DLP) is a powerful automated system for protecting on-site and remote data from accidental loss and exfiltration. The tool identifies all sensitive data processed, stored, or transmitted through enterprise assets and updates the data inventory. Know more about DLP vs IRM here.

3.14: Log Sensitive Data Access

All sensitive data actions should be logged, including access, modification, and disposal, as this is essential for timely detection and response to malicious activity. Post-attack investigations and detection of breach culprits for appropriate accountability also require data access logs to be fully carried out.

How a data-centric security approach can help you to implement CIS Control 3

Organizations deploying data-centric security can better implement CIS Control 3 because their technologies, processes, and policies are concerned with the lifecycle of data, including its location, collection, transfer, storage, and visibility.

Key Elements And Benefits of a Data-Centric Security Approach

The key elements of an effective data-centric security system include the following:

1. Identification, discovery, and classification of sensitive information

An internal or external attacker’s primary target is to access the most sensitive company information since they carry the highest benefits. They may as well go after other data, e.g., regulation data like EU-GDPR, PCI, or others. Often, these data are stored in specific repositories known to only the company’s team; however, they can be shared, putting the data at risk. Organizations interested in implementing data-centric security controls need tools and technologies that help to identify where their data is at all times to prevent unauthorized access. Know the Advantages of Data Classification boosted by AI and Machine Learning.

2. Data-centric protection

Data-centric security controls focus on monitoring and securing an organization’s sensitive information to prevent unauthorized access due to cloud, network, or data leakage. You know where your data is and where it goes while having absolute control over it, regardless of how far it travels.

3. Audit and monitoring of access to data

Organizations must analyze data use and determine if users’ behavioural patterns are within the acceptable standard so as to know the level of risk associated with the data at any time.

4. Administration and management of data policies

Employees come and go, but company data remain relevant at all times. A data-centric security approach allows organizations to determine who should or shouldn’t have access to certain data, depending on their policies. So when you stop collaborating with someone or find out they’re at risk, you immediately revoke access to the data, destroy it, or prevent it from leaving the corporate network.

How can SealPath help?

When it comes to improving your organization’s data protection strategy, SealPath can offer a data-centric security system that effectively monitors your data at rest, in transit, and in use. Thus, regardless of how far your data travels, you are not only aware of its journey, but you still have absolute control over it and can destroy it in case of a breach risk.

SealPath offers you Information Rights Management (IRM) / Enterprise Digital Rights Management (E-DRM) / Enterprise Information Protection and Control (IPC) over all your data, preventing a breach incident.

Information Rights Management (IRM)/Enterprise Digital Rights Management (E-DRM)/Enterprise Information Protection and Control (IPC) solution

The IPC (Information Protection and Control), or IRM / E-DRM (Information Rights Management / Enterprise Digital Rights Management) technologies give you the power to control information wherever they are, even if it’s outside the cloud. It combines identity control + encryption + auditing + remote control and takes them beyond the sphere of traditional encryption.

Some of the capabilities of this technology include the ability to:
• provide protection that travels with the information
• monitor access to information and limit the permissions on the documentation (Only View, Edit, Print, etc.).
• revoke access, no matter where the files are stored

A data-centric approach to security makes protection user-driven or managed by the administrator in order to secure certain folders. In the cloud, folders or documentation repositories are automatically protected by encrypting them in systems with O365, Box, etc.

These technologies can be integrated with classification tools so that classified data within or outside the corporate network or cloud are automatically protected, depending on their level of confidentiality, DLP, or CASB.

About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Mobile device secure file sharing to Prevent Leaks

5 tools to prevent data exfiltration when sharing files from mobile devices are analyzed to help you take the best steps to protect the business information. Learn how to improve security, make informed decisions and understand the effectiveness of each option based on our more than 10 years of experience helping organizations with their data security.

1. Limitations of secure file sharing from mobile devices

Although we come from a security mindset where everything is perimeter-focused and every action is blocked, the reality is that business professionals often need to share sensitive documents with others. And if they have blocking measures in place, they may even bypass them in order to be productive, agile, and meet business objectives. It is therefore undeniable that the secure sharing of sensitive documents with others is a gap.

And of course, the fastest and most convenient way to share documents is via mobile devices. There may be several reasons for this: not having a PC at hand, not being in a good location to access a PC, or simply not having much time because you are traveling, at a business lunch, or away from the office. But at the same time, you need to send a document right away, you need to share it urgently. We take risks when we send sensitive files without any security measures. We sacrifice security for convenience and speed.

The risks run are not only when storing sensitive documents on the mobile device but also when sharing this information with third parties. Nor do you have any guarantee that the person you send sensitive files to will apply effective security measures to prevent your sensitive information from being exfiltrated. Mobile devices are one of the main risk vectors for companies, where less security is applied, as detailed in this Security Intelligence article.

Therefore, it’s crucial for organizations to recognize that data exfiltration from mobile devices is a far more serious threat than it appears. Businesses must strike a balance between the necessity for mobile productivity and the imperative to protect sensitive data from unauthorized access. Related Article: 9 tools to prevent data theft in your organization.

2. Real-World Use Case

Busy executives traveling

Imagine the life of a busy executive, Sarah, who is always on the move, traveling between cities for high-stakes meetings. One afternoon, while waiting for her next flight in a bustling airport lounge, she receives an urgent message on Microsoft Teams from her company’s internal channel. It’s a sensitive document outlining the latest corporate strategy, meant only for top-tier management.

The urgency of the situation presses Sarah to act swiftly; she contemplates sharing it with a few key colleagues via WhatsApp for immediate input. Unbeknownst to her, this seemingly simple act of convenience could expose the company’s sensitive data to unauthorized access, compromising corporate confidentiality and security.

Sales representatives on the road

Now consider Alex, a dedicated sales representative who spends his days maneuvering through endless hours of travel between client meetings. His effectiveness depends on agility and the ability to instantly respond to clients’ needs.

While on the road, Alex receives a personalized technical guide through Slack, crafted specifically for a high-profile client. Time is of the essence, so Alex decides to forward the guide to the client using Outlook on his smartphone. While his intention is to offer exemplary service, this act of expedience could potentially bypass security protocols and put proprietary company information at risk.

These scenarios underscore the pervasive threat of data exfiltration from mobile devices in the enterprise world. The need for a balance between efficiency and data protection has never been more critical, as data exfiltration incidents can occur at any moment. This highlights the necessity for businesses to establish comprehensive mobile security strategies that safeguard sensitive information, even amidst the constant urgency and demands of corporate operations.

3. File Sharing Options and Tools

Preventing data loss in organizations requires a multifaceted approach, leveraging various tools and methods designed to address specific use cases and contexts. Each tool offers unique strengths and capabilities, aimed at minimizing the risk of data exfiltration and ensuring the secure sharing of files across mobile devices. Let’s take a look at what our options are:

Password Protection

It’s as simple as creating a password for your document or folder with documents and sending that password through another channel to the recipient so that only the person with the password can access it. File encryption tools such as AxCrypt, SecureZIP, or GnuPG are a good option.

Pros:

  • Useful for very ocasional sends: It’s useful if you need to send sensitive documents a very small number of times. Password encryption is simple and can be fast.

Cons:

  • You have no control over the document: There is a risk that unauthorized persons can access it. Either because the password and file was obtained (or stolen) or because the authorized person shared the password and file with others.
  • Manage and remember passwords: It is not safe to send documents always with the same password, so you will have to manage the different ones you create, store them securely and/or remember them.
  • It is not an agile method for everyday use: Every time you want to send sensitive documents, you have to create new passwords, store them, and send them securely through a different channel.

Virtual Private Networks (VPNs)

VPNs create a secure tunnel between the user’s device and the internet or a remote network. They provide an encrypted connection. This helps protect data transmitted over public or unsecured networks by ensuring that the data remains private and concealed from unauthorized access or interception. Commonly Used VPN Services are Palo Alto GlobalProtect, Cisco AnyConnect, OpenVPN and NordVPN.

Pros:

  • A good choice for securing data in transit: This option is good to make sure that no one intercepts the files while they are being sent, while they are in transit.

Cons:

  • The data is not protected once downloaded or at rest: They do not provide protection for data once it has been downloaded. If the recipient does not follow security best practices, the data could still be compromised.

Upload the files to a Repository, Cloud Storage or File Sharing Service

These tools make collaborating easy by allowing users to access files from any Internet-connected device. Commonly Used Services are Google Drive, Dropbox, OneDrive, SharePoint and Box. Users can upload documents, images, or videos to the platform. These files can then be shared with others via direct sharing invitations or private links. To learn more about how to secure business documents in file servers, cloud repositories, or on-premises document storage systems, read this article.

Pros:

  • A great choice for collaboration: They are a great way to store files or collaborate on the same document.

Cons:

  • It requires that the documents be uploaded first: This is an essential step that can be a hindrance to the user, making them less agile, adding an extra step and taking more time.
  • You lose control once they are downloaded: Even if you only give access to authorized people who have to log in, once they download the file, you run the risk of exfiltration again. And it is not always enough to simply allow viewing of documents and block downloads.

Email Encryption Services

Email encryption services are designed to protect the content of email from being read by unauthorized parties. These tools ensure that only the intended recipient can access and read email content by encrypting it during transmission and storage. Commonly Used Email Encryption Services are ProtonMail, Microsoft Purview Message Encryption or Zix. Learn about the 3 common types of encryption in our in-depth article.

Pros:

  • This is a good way to send secure e-mails: They are a good option when only sending sensitive documents via email.

Cons:

  • It limits the channels of secure communication: Nowadays we communicate through different channels such as Teams, WhatsApp, Slack… Limiting it to email only can present obstacles for users and they may decide to skip it. Or, the conversation with the recipient may be on a different communication channel.
  • Large Attachments: Sending very large files as email attachments can be cumbersome and might not be supported by all email encryption services.
  • You lose control once they are decrypted: The document is sent securely but once the recipient has decrypted the document and downloaded it, you lose all control over it. You run the risk of it being exfiltrated.

Enterprise Digital Rights Management (DRM) Solutions

The primary purpose of enterprise digital rights management (DRM) solutions is to protect sensitive digital content from unauthorized use and distribution inside and outside an organization. These tools control access, usage, and distribution of digital files, ensuring that only authorized parties can view, edit, or share the content. They enforce protection on the document itself. DRM solutions protect digital content by encrypting files and applying policies that dictate how the content can be accessed and used.

Pros:

  • Protection is permanent: It is a good option because it focuses its security and protection on the data itself, accompanying it wherever it goes or travels, in all three data states: at rest, in transit and in use. If you want to know more about the 3 data states, visit our article.

Cons:

  • User Frustration with Restrictions: EDRM can lead to user frustration if it interferes with usability or creates a poor user experience.

It is perhaps the most comprehensive and versatile approach to mobile data security because it focuses security on the data. For us, it is the safest way, and we believe so strongly in this technology as a game changer.That is why we have developed an EDRM product specifically for mobile devices. We present it to you below.

4. Introducing SealPath Information Protector App

SealPath is the most advanced EDRM solution that provides persistent protection for documents regardless of how they are stored and shared, and has been in the market for over 10 years. Satisfied with SealPath protection on their PCs and Macs, our customers asked us to bring protection to their mobile phones and tablets. They wanted a flexible yet robust way to protect documents on the go. And it is with this in mind that we present the SealPath Information Protector App, so that they can continue to be productive and agile in their day-to-day work while protecting the information with the highest level of controls.

How does it work SealPath Information Protector App

  • 1. Open the File: Open the file within your desired app such as Slack, Outlook, or WhatsApp on your phone or tablet.
  • 2. Share the File: Tap on the options menu and select the share option.
  • 3. Protect the Document. Inside the SealPath Information Protector App, tap the “Protect Document” button.
  • 4. Select Protection Policy: A window will open allowing you to search and select your desired protection policy. You can type the policy name for quick access.
  • 5. Final Steps: The app will protect the document. A window will open offering you the choice to either share the protected document via your desired app or save it on your phone or tablet .

Note: The entire process only takes a few seconds to complete.

Secure File Sharing with Real Use Cases

From Teams internal channel to board members via Whatsapp

John, an executive at a multinational company, is traveling for business. While at the airport, he receives a sensitive document containing strategic information through Teams on an internal channel. John needs to share this document with other executives quickly and securely. Using his tablet, he opens the document, taps the share option, and selects the SealPath Information Protector App.

Within the app, he taps “Protect Document” and chooses the “Confidential” policy, ensuring that only a small group of executives have permission to access the document. Once the app protects the document, John shares it via WhatsApp. This process ensures the sensitive information is secure while allowing him to stay productive and efficient.

Receive a document in Slack and email it to a client

Emily, a sales representative, spends most of her time on the road, traveling between client and partner meetings. During a break, she receives a personalized technical guide with important customer details through Slack’s internal channel on her phone. Emily needs to protect this sensitive information before sharing it with the customer.

She opens the document, taps share, and selects SealPath Information Protector App. She then taps “Protect Document” and secures the guide with the appropriate protection policy. After protecting the guide, Emily shares it with the customer via Outlook. This ensures the document is secure, and Emily can maintain her agility and responsiveness, even while on the go.

Key Features of SealPath Information Protector App

  • Protect and unprotect from your usual apps: Protect and share in seconds via whatsapp, slack, teams, gmail, google drive, sharepoint, OneDrive, Telegram… You can also unprotect files using the same process.
  • Easy and fast: Protecting files is very easy with an intuitive interface, and the process is very fast so it takes very little time.
  • You control the data wherever it goes: You have the ability to limit who can access it and what usage permissions they have (edit, view only, print…). You can even block access after the document has been sent and monitor accesses.
  • Secure login: To prevent anyone from unprotecting confidential files on your device and to make it more convenient to log in, you can use your fingerprint or face.
  • Available for phones and tablets: Available on the App Store and Google Play for iOS 11 or higher and Android 5.0 lollipop or higher.

Protect your sensitive business data throughout its lifecycle
with our easy-to-use EDRM App

Get Started

5. Balance Between Convenience and Security

In the quest to secure mobile document sharing, organizations must weigh convenience against security to select the optimal solutions. It’s crucial to implement tools that secure data without hindering user experience, as overly complicated systems may lead to user workarounds. Key considerations include ensuring robust encryption to protect data at rest and in transit, and implementing user-friendly authentication processes to streamline access without sacrificing security.

Solutions should offer seamless integration with existing applications and workflows to minimize disruption. Real-time monitoring and alerts can help detect and mitigate exfiltration attempts swiftly. Ultimately, the chosen approach should provide strong data protection while maintaining efficiency and productivity, fostering a secure yet convenient environment.

 

About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

×

Hello!

Click one of our contacts below to chat on WhatsApp

×