KuppingerCole Webinar recording
Good afternoon, everyone in Europe, and good morning to people in North America, and welcome to this webinar, sponsored by Titus. Hardly a day goes by without another news event of loss of data or leakage of data. And this webinar is going to focus on protecting information in this unstructured world that we have today. And the presenters for this webinar are myself, Mike Small, I'm a senior analyst with KuppingerCole, and Steph Charo, who is the CTO of Titus. KuppingerCole is an industry analyst based in Germany with a presence in North America as well.
And our focus is on research services, advisory services and running events, mainly around the cloud and identity and access management. And the next event that we will be having, this is the must-not-miss event of Europe, the European Identity and Cloud Conference, to be held in Munich May 14th to the 17th. And there you'll hear all the industry gurus in these areas giving real advice and good information to people who attend, as well as giving you a tremendous opportunity to network with your peers. Some of the basic guidelines for the webinar are that everyone is muted.
You don't have to do anything. If you want to ask questions, the way to best ask questions is to use the questions box on the little popup that's on your screen. The webinar will be recorded and the recording will be available from tomorrow.
This webinar qualifies for continuing education credits, and you can see what the learning objectives are on the screen. It qualifies for one group internet based CPE. And to get this credit, you will have to take a test at the end of the webinar, pass that test, and then you will get a certificate. The test is entirely optional. If you don't want to get the CPE, you don't need to take the test.
So the webinar will be structured as follows: we're going to start off with my talk on why we, KuppingerCole, believe information stewardship is critical to protecting information. Then Steph will talk about how to bring structure to information in the world of unstructured data. And then we will have a period for questions and answers. So first of all, information is a valuable asset, and this has been known throughout history.
In fact, for those of you that are interested in history, you will know that the Rothschild fortune was in part founded upon knowledge and information that they had before anyone else as to who had won the Battle of Waterloo. Now, that was just a piece of data, but they were able to use this information to buy government stocks in a particular way, which enabled them to make a great deal of money.
So this information has become more and more widely available using the internet and that wide availability and the wide access the internet provides has also led to an increase in risks. So people talk about data loss and loss of information as though all information were the same.
Well, it isn't really. In fact, some information you want people to have; some information is public. So it's kind of difficult to lose public information, but there's also a lot of regulated information and much heat and light around information which is subject to laws and regulation, in particular in Europe around privacy. But unregulated information, such as sensitive information, like for example, as we saw with the examples of the corporate email sent from senior executives that were leaked in the press, that information that isn't regulated can still be sensitive and damaging if it is allowed to escape. So the question is, how do we manage that? And it seems to us that sometimes the only people who really value information are the people who are trying to steal it, because many organizations treat the valuable asset as though it was loose change. And the question is, why should that be happening?
So let's look at some of the causes for information leakage. The first and perhaps the most widely publicized is that of malicious activity. And indeed there is a great deal of activity going on that has moved on from being run by the spotty teenager into the hands of organized crime, who understand the value of information and how to get that value out of it. And they're out to steal it. And this is a serious problem that organizations need to address. And so malicious activity is a major problem.
Now, in addition to that, what you have is you have misuse, where data that is correctly available to people is misused by those people. And for example, administrators can abuse their privilege to access data. And as examples of this, people can be overcome by curiosity. And because they have access to data, they can look at it. Some people want to just cut corners, and all of those things can lead to monetary penalties and embarrassment of organizations that hold the information. Then we have the simple question of mistakes.
People who are not doing anything that's malicious or intending to misuse information, often they're in fact trying to do their job better, and then they unfortunately lose it. And you can see some examples here of where these kinds of things can go wrong: emails sent to the wrong addresses and people walking around with sensitive information unencrypted on sticks, because they think they can do their job better if they use that.
Now, one of the key things that's behind this are the human beings. And one of the common causes throughout all of these examples is that somewhere along the line, a human weakness is exploited. And here we can see sometimes it seems that Downing Street in the UK, which is where the prime minister lives, is in fact the most dangerous street for losing information. There was an anti-terrorist policeman who walked down Downing Street carrying details of a very secret undercover anti-terrorist operation. And of course he was photographed by the press and they blew up the pictures and they could see what it was. And only this January, there was an embarrassment to government where somebody did the same thing. So technology can be part of this problem, but technology doesn't necessarily need to be part of it.
And so we see examples of how people inadvertently disclose or lose information through negligence and thoughtless behavior. So what we think is needed to look after this is something called stewardship, and stewardship basically means looking after things that are not your own. A good steward looks after his master's property; a good steward looks after other people's property properly.
Now, stewardship isn't a new idea. People have been writing about information stewardship for some time, but what has been missing in that has been looking at the areas of security, privacy, and compliance. And you can see that information stewardship has been concerned with the whole of the information lifecycle, making sure you get the business value, making sure you build a data architecture, making sure the information you hold has a good quality, but part of it is looking after that information. And that part seems to have been forgotten.
So what you have to do to implement information stewardship, well, it starts with good governance, and good governance means understanding what you actually have, the value of what you have to the organization, creating a culture within the organization that is going to look after that data properly, and implementing best practices to deal with it. And of this, one of the key steps that you need to take is to make sure that the people at the top of the company, the executive board, the CTO of the board of directors, understand the value of the information that you hold and the care that you need to take with that information. And information has a lifecycle. And if you don't manage that lifecycle properly, then you are going to meet with problems.
And that lifecycle includes understanding who owns the data, classifying that data in terms of its impact on the business, understanding where it's created, how it's accessed and when it's deleted, and all of those kinds of steps in this life cycle for the information can lead to problems. And one of the critical things that has occurred is the proliferation of unstructured data. When data was held in a structured database, when it was limited through the particular applications that you could use and how it could be transmitted, then there were not the same problems.
But one of the things that had really happened is this exponential explosion of unstructured data, which has occurred in the form of Word documents, emails, spreadsheets, and so forth. And not only that, these are now held on things like SharePoint servers, which adds to the problem. So an information security culture is also an important aspect that is often neglected. We are all brought up to understand the value of certain things.
You know, you all understand how much a dollar or a pound or a euro is, and you are taught that by your parents from a very early age, but somehow or other information doesn't seem to have figured in that. And so we have a generation of young people who are happy to give away a lot of information about themselves without really considering what the impact of that is.
And within an organization, there is often a mistaken use of information and a mistaken view of its value, and to achieve that you need to change the perception of security within the organization, which is often seen as something rather negative rather than something which is an enabler. It's a good idea to recruit as champions people who are respected within the organization, who are then able, their behavior is copied, if you will, by the other people, because they are respected. You need to teach and train people in the organization as to how they should treat information.
And finally, it needs to be seen that information is valued and that if people look after it, they're rewarded, and if they don't look after it, there are sanctions. And that's not easy, but that's a necessary part of the thing that we have to do. And this also has an impact on how we organize it.
Now, the interesting thing is that in order to implement information stewardship, everybody has to be responsible for the information and data that they touch. Clearly the IT department has an important aspect in this because they are the people who process most of the information. So IT governance and IT management have a role to play, but they are not themselves completely responsible for information. Everyone who touches information has to take responsibility for what they do with it.
And that needs some guidance from the business functions, because the business functions are the people who really understand what the value of the information is to the business, how it should be used by the business, and where it should be created and how it should be used.
So that means that there is a change, if you will, in the perception that may be seen in many organizations, where information security has to be moved from simply something that's done by the IT department into something that is a business function, and that everybody is enabled and understands their responsibilities surrounding it. So in order to look at that from another perspective, we believe that information stewardship needs an information-centric rather than a technology-centric security. It's been too often the case in the past that information security was seen in terms of a firewall or of a particular piece of technology that was going to enable things, when in fact it's not the technology that you have to start with, it's the information, and you need to look at the information rather than simply looking at the technology.
Now, information-centric security consists of three major elements. The objectives are well understood to be the confidentiality of information, making sure its integrity is preserved, and making sure that it is available to people that are authorized when they need it and where they need it. And in order to achieve that, you have a series of processes, which are important. And just to kind of remind ourselves of those processes, the most fundamental process is this process of classification.
And many people have ignored that, or they have reams of data that they don't have any idea of what the value is or what the classification is. You can't protect what you don't know you have. And so I can't emphasize enough how important it is to have some kind of process for classifying information. When you have classified it and you understand its sensitivity and its value, then you can start to set up control policies for who should access it and so forth.
And those are important, but you mustn't forget that information is a very important part of business continuity planning and that this is the availability part of security, that if information is not available to people when they need it, then that is a major problem to the business. And finally, you need to be able to audit what has been happening to that information, not least because in many cases now there are laws which say you have to declare when there is a risk that information has been stolen.
And the elements that you can see are a number of different technologies and processes that lead to this, like identity and access management, flow control, data leak prevention technology, and so forth. So what I'm going to do is to sort of map some of those elements against the risk points, because information is at risk at different points and in different ways. For example, it's at risk in the data center from being hacked or from the components of the data center being disposed of or lost.
And that needs to be managed through, for example, proper encryption technologies, from properly managing privileged access, and from managing and protecting the information as it flows around the networks, to make sure that it can't be easily stolen and leaked in that way. There is an increasing problem with end user devices, which are lost and stolen, and all kinds of things seem to happen to them.
They grow legs and walk away, and to help with that, you have things like identity and access management technology, data leak prevention technology in various forms, and mobile device management tools. And in terms of managing the human interface, you have to look at the culture, which we talked about earlier on, which is really quite important, the policies and the training.
Now, finally, it's important to understand that if you lose information, then there are two aspects to this. One is you may be obliged to inform people about this; you may be subject to breach disclosure rules. And secondly, you may need to ensure that your business continues should you be deprived of access to that information. So if we look at some of the things that are around this, first of all, loss, leakage, resilience: it's certainly a good idea, if not a mandated thing, to make sure that data is encrypted, but then often the issue is not just simply the encryption, but also the management of the keys. And that's increasingly a problem as people are moving to the cloud. You need to make sure that information stewardship and information security is properly factored into the business continuity plan. When you back up data, is it properly dispersed? Is it just backed up in the same place that could be flooded or set on fire?
And is there a proper process for recovering data if, in fact, a disaster occurs, and how long would it take, and how long can your business last without it? Then there is the other aspect, which is to do with damage mitigation, where in fact you're obliged, perhaps, to know that you've lost data or that that data has been illicitly or illegally accessed, or accessed without authorization. And what is the notification process you have to go through? And how do you plan for that? Because you may have quite a limited time in which to actually notify people or regulators around that.
And last, not least, is handling the press or the media. It's quite clear that there are better ways and worse ways of how you handle the press. So you need a plan for the worst that could happen, even if you hope that it's not going to happen. So what we're trying to say is that the continuing problem of data leakage and so forth has shown that many of the supposed term approaches are inadequate. And what we believe is needed is better information stewardship.
And some of the key points that we are trying to say lead to this are that you need to have good information governance. And that really means make sure that the CEO, the executive board understand the value of information, that they are supporting programs to look after that information. Remember that looking after information involves everyone, not just the IT department or one or two people. Understand the sensitivity and adopt the best practice and implement technical controls. And finally, make sure you have a plan for what to do if the worst happens. So that is my part of the presentation. And so now we're going to hand over the screen to Steph, the CTO of Titus. Over to you, Steph.

Great. Thank you very much, Mike. Good afternoon and good morning to people in Europe and over across North America.
So my name is Stephan Charo. I'm the CTO of Titus, and like Mike has spent the last 20 minutes or so talking about the importance of the information within enterprises, I'm gonna kind of talk to that fact, and kind of dictate some of the philosophies that we've adopted here at Titus in handling some of the challenges that Mike has pointed out.
Now, if we take a look at structured information, so as they travel around the world and talk to customers and large enterprises around the world, you know, what type of things keep them at night, and they kind of explore, or they explain some of the things that they have within their enterprises.
Things like, you know, employee information or health records, some structured information they have today, they typically have that well understood and protect that type of information because it's structured and it's kept in secure locations, such as databases and things that they can control access to. And it's not normally those type of information that they worry so much about. But once we start talking about these unstructured information is where that challenge seems to arise.
So as far as some well known information, such as the employee records of such databases and such seem to be a good place to hold that information along the same type of lines for structured information, if we take a look at large enterprises in the manufacturing space, for example, or software development like ourselves, we have a large number of documentation that talked about the intellectual property that we maintain and losing that information could damage our reputation.
It could damage an enterprise's capacity of, you know, they've been researching technology over a number of years and it just takes a second to lose that information. So what people have typically done is that IP information, traditionally, if I'm in manufacturing is in AutoCAD drawings and we have very specific formats to maintain it, whether it's paper, format, store locked cabinets, or we get into specific CAD drawings and so on, we typically want to protect that and we'll put systems around it. So there's specific file types.
So we would go in corporate firewalls, gateways, DLP systems to look for those file types and block them all. Now what's missing here is we may not understand a public drawing versus something very sensitive or that has some intellectual property in it. But we have systems that try to protect that type of information in, you know, a very global perspective. Then we take a look at the proliferation of mobile devices within our enterprises.
And if we look back just a few years ago, people with cell phones or smart, or, you know, are capable of doing email, for example, they would maintain some information that could be sensitive to those enterprises. And typically what we would look to do with those type of devices is provide them something that's protected and it's owned by the corporate enterprises themselves. So we give them from enterprise perspective, a phone, they can do email, and then we can just wipe those devices.
We can go ahead and control those if they get lost, and we can try protecting that information within enterprises. As we generate information, as we, you know, take a look at working with teams that are geographically dispersed around the world, there's a great need to be able to collaborate on ideas. We need to share some information. And in a traditional sense, what we do is create these secure websites and different areas where they can go ahead and access it. And we make sure no external people have access to information.
So we allow them to collaborate, but in a very protected kind of manner. So within that type of information, where information is structured, I put great barriers or build these walls around that information to take a look at that. Now we take a look at the introduction of unstructured information, meaning things like emails and this collaboration within SharePoint, these mobile devices on trying to fix that into these compartments, where I'm trying to safeguard that information within my enterprise and become a little bit more challenging.
And we're just gonna throw up a few statistics to give you a sense of how much information our IT departments are trying to control within enterprises around the world. The first step we have, if we take a look at within emails, for example, in 2012, there are 144 billion emails per day. So within an enterprise, that's quite the challenge. We're not saying it's all within one enterprise, but there's a good chunk of emails flowing through your enterprises. And you're trying to figure out which one of those emails are actually sensitive, that need protection.
They need encryption, they need blocking or to be maintained within the enterprise. So that's quite a challenge for their IT department to try to handle that information. And we take a look at people who are creating documents. So people are using Microsoft Office. Here we have a stat of 500 million estimated users today. This is something from Microsoft themselves, where people are creating documents, they're creating draft documents of budget information. And they're taking a look at this correspondence and generating all kinds of information.
That's not being stored in these structured areas, that are proliferating through the enterprise. They are in these laptops of people losing their, you know, a little bit everywhere within our infrastructure and outside, or being emailed home to work on, to take a look at that. So that's quite the number of documents being created by users every day that we're trying to protect within this framework that we're trying to establish for these enterprises. The next stat we have here is we come back to those cell phones.
So as we started in this journey with enterprises, people had enterprise devices. Now we're looking at almost three quarters of these businesses around the world introducing bring your own devices. So people are buying their own phones. They need access to that information that's being sent. They want access to their corporate emails. So there's quite the challenge with enterprises trying to protect information and trying to decide what information needs protecting on those devices.
It is forecast that within the next few years almost every enterprise throughout the world will need to support this whole BYOD, bring your own device, initiative that's being created. It just makes sense from a maturity perspective within enterprises. And last but not least, we take a look at the fact that we're collaborating. We're seeing a great number of enterprises looking at SharePoint to maintain information. And whereas before we tried to control access, we need people to have access to that data that's maintained within these sites.
The real challenge is how do I know what information within these collaboration sites needs to be protected and which should be shared with people to make sure they have access to it. So those are the type of challenges that exist within the unstructured world, within the enterprise data that we have today. And as we go through and we try to protect that, those walls we built to try to protect information just can't cope with the type of information that's flowing through. So the challenges within the unstructured world: how do I bring order?
How do I look at protecting information within there? And Mike has talked a little bit about the whole information stewardship and data classification will obviously be an important part of that to allow us to take some control back over the unstructured data that's flowing through our networks today.
So the first step we need to do to look at controlling that unstructured information is figure out who's actually generating all that information. Whether it's cross collaboration, email, documents, those Office users, and bring your own device, those cell phones and iPads and tablets, all that information's being generated by that person in the middle, who's responsible for the creation of information and is also the person who has that information stewardship of that data that's being created within those enterprises.
So now that we understand, you know, that's where the information's being generated, we need to provide that person with the right tools. We'll talk about communication. We'll talk about education, changing culture, which Mike has already talked about, to help that user help us identify the value of that data. And then we'll look at trying to protect that data once that's been identified. So the second step is we need to identify and classify your data.
So we need to come up with a simple process to categorize that information that needs protection and those that don't need the same levels of protection. If I have public information that's tagged, our gateways can let that flow through. If it's general business, I can take different precautions within that data. There's been a number of years where technology's been trying to automatically figure out the value of that information. And some information is easier to identify, such as credit card information, pretty straightforward, but we start taking a look at intellectual property and things of that nature, where you need to figure out the context of the data. Those types of information become a lot more complicated for an automated system to discover. So let's focus on that user and giving them the right tools to help classify and tag that information.
So we need to create a nice, simple classification policy, something that they can relate to within their day to day activities, and then provide them with the right tools to enable them to tag the information that we've asked them to do once we've changed that culture. So that we'll take a look at some examples of how we can help that user tag or classify that information. And then once we've got that established, we'll need to push it out.
And one important note here is we need to make sure, from a communication perspective, that user understands the need for that classification and tagging in order to protect it. So within an email context here, we're just showing a simple example where, as you create an email, we can provide them some buttons and perhaps some tool tips or some help along the way, or suggest classifications, but really it's up to that end user to have the knowledge of understanding the data they're working with.
We can help 'em by detecting attachments and so on, but it's really to help them drive the importance of creating that classification as they're creating these documents within Microsoft Office. For example, here we have a compensation form that's being filled in, and as they come to save that we could help them just by popping up a quite small questionnaire, something that's simple for them to relate to, where they can mark this as HR information and the appropriate metadata is attached to that email, thus allowing for the protection of the information. Here we're seeing the end result of a document that's been protected or tagged. We would not just apply metadata, but also apply visual markings to educate and raise the awareness of the users of the sensitivity of the information they might find.
Hopefully not for those photographers who are on that street, just outside your government street, which you may not see there as a watermark as well. The same aspect within bring your own devices: as they are accessing emails through these devices, we need to give them the tools to be able to classify, tag information, or quite possibly just be able to block certain sensitive information from being accessed from those devices, or allow it depending where they are in the world from a location based perspective.
But again, it comes back to understanding the value of that data across all these platforms. If we take a look at once we've tagged the information, so we've given the user the tools necessary across Outlook, within Office, within any kind of document type, so within mobile devices, we start looking at enhancing the information protection strategy for those enterprises by leveraging the information that's being tagged by the user.
So we start off by having visual labels. Perhaps technologies that can't read metadata can go ahead and look at the visual labels being applied to the document to understand the sensitivity, and then act on that information. So we are adding some structure to the information that's being driven by the user every day, and allowing us to protect that information.
Once it's been tagged with metadata or visual labels, we can look at these other technologies to help protect information, whether it be data loss prevention tools from all the major vendors out there, whether it's just a guard or gateway technology, or encryption. We don't necessarily need those users to understand how these work, or we will allow the IT department to configure the right protection depending on the sensitivity. But we can tie that into those technologies over time.
And as Mike has talked about earlier, we're talking about information stewardship and the life cycle. A complete lifecycle information security platform would be provided to the enterprises, allowing them to do things like retention periods for information. Are you going to get rid of the information if it's a certain sensitivity, or do you need to maintain it for a longer period because of the classification of that information? Also mentioned by Mike was the fact that we need to log the information, audit the information that's being generated.
So all the activities, from what type of information people handle, can be handled by these SIEM vendors that are out there today. As an example, I'll take a look at providing security to documents that I'm working on. Here we have a user creating information. They don't need to worry about figuring out what kind of protection is required. We want to get that away from the end user and only have them focus on the sensitivity of the data and let the system handle the protection based on their decision from a classification perspective.
So here we have documents that are tagged, whether it be public or internal or secret. And then we can look at other technologies such as DLP to enhance the protection of that, whether it be on the desktops themselves, the endpoints, or within the networks, where, instead of analyzing information, they can leverage the information of the metadata that's applied to the document by the user, and then turning in these DLP solutions to actually block the information as opposed to record the fact that they've lost that data. So it's a great integration moving forward.
And on the encryption side, here we're seeing an example where, once the information is classified as HR information in this example, we will automatically apply the appropriate protection. In this case, we're showing Microsoft Rights Management being automatically applied because of the classification, but it could very well be PGP or any other favorite encryption technology that you have, either on the client itself or downstream within your environment as well.
And the important part here is that we are focusing on providing the right technology for the sensitivity of the information and not spending your time teaching people how to use the encryption technology. That should just be an automatic piece that we can trigger as the information classification strategy matures within the enterprises. We did talk about collaboration. People are looking at SharePoint as a great collaboration platform to share information, but what's important is to be able to make sure the right people are accessing the right information.
So here we're seeing Alexei, who's part of research, and Bob, who's part of marketing, accessing the same site, but because of the metadata that you're seeing in the department classification field, we can trim those views. So they only have access to the right information they need to access. Okay.
So some of the important facts we're taking a look at from our discussion around classification, some of the takeaways that you should take, are: unstructured information is causing traditional information protection walls to crack. The amount of information that's being created and the ability for IT to be able to control that is something that's not sustainable on its own. We need to provide the right tools, the right capacity within those enterprises to be able to handle that information.
And one way of doing that is to introduce the classification perspective so that we can understand how to treat the information that's being generated, and not necessarily looking at automatic tools to do that. Users are at the core of that information. So they are generating the information. We need to have users be part of that strategy, to be able to identify the information. They are in the best position to tell us what the information is that they're creating and that we need to handle with special care within certain documents.
We also need to make sure they have tools to help them in case they make inadvertent mistakes. So they added credit card information. They thought it was public, but we should be able to detect that and alert them and suggest a higher tagging, a higher classification level. As we look at, you know, things that are keeping enterprises awake at night, we started talking about it at the beginning. The structured world was very controlled. They understood how to protect information in those databases.
The information in the unstructured world, terabytes of information being generated, is what's keeping people awake at night within enterprises, and large enterprises throughout the world are looking at information classification as that way to bring that structure so that they can start protecting or stop the bleeding within their enterprises to help them move forward. And if we take a look at the information that they have under control, that structured data, we said, you know, is well handled by enterprises.
That's typically only about 20% of the overall data flowing throughout the enterprises that you need to protect. That unstructured information, that data being generated by users on a day-to-day basis, sits around 80% of the total enterprise data within those enterprises. So bringing classification to that percentage of the data is a great way to help them control the information.
That's my slides. I'll just stop or finish on the fact that we are having a data classification conference here in Ottawa at the end of June, where we're going to take a look at large enterprises coming in, speaking about their experiences around data classification and how that's working within their enterprises. Folks like Deutsche Bank and Dell and Booz Allen will be looking at coming to talk to people about how data classification is working within enterprises and how they've been successful. Thank you. I'll turn that back over to Mike. Okay. Thank you very much indeed,
Steph, that was a very interesting summary of the things that you've been doing in Titus. So now we move on to the point where we're going to open the event up to questions from the audience. So if you have any questions, then you should be able to see that there is a questions button on your little webinar screen.
So please, will you ask your questions in that way now. In the meanwhile, while we're waiting for you to overcome your shyness, I've got a couple of questions for Steph here. So the first one of these is, what is it that normally drives organizations to move forward with data classification? Is there often a reluctance?
What are the business drivers that make that happen, Steph? Well, that's a great question, Mike. Thanks. So as we travel, and we've been doing this for a good number of years now, we've seen a change the last couple of years where people are being either, there's compliance within governments, we see even within your own country there, Mike, within the UK, where they have the GPMS, where they're forced to mark all information within the government so they can understand and protect that government information.
So we see that as a great driver. Within certain sectors, in manufacturing, we're seeing a good drive from an intellectual property perspective, where people are creating documents or very sensitive documents that they need to share with the right people. And they're looking at classification as a great way to enhance their security structures. Or there's a simple one that we see quite often: there are people who make the newspaper and don't want to be there, right? People are being fined, and these fines are now being announced publicly, so they need to take a look at that.
So we see all these factors within some of the business drivers over the last little while that have been moving people within the data classification space. Okay. Okay. So I've actually had a question from the audience which asks, how does the document classification work in conjunction with retention periods? That's an interesting perspective because many organizations now have very strong records management policies to do with this kind of area. So Steph, what's your answer to that? Sure. Great.
Well, let me just start by saying within Microsoft Office, we are a plugin that just fits quite nicely within the Office suite. So as I create a document, it would pop up and ask about some information. And then the result of that was we apply some metadata in a standard way within those documents to allow third-party tools to take a look at that. Now we worked with governments and some military space as well, and within a commercial space as well, around retention. And specifically, they're looking at ways of identifying the sensitivity of documents so they can decide when to get rid of them.
So we will apply metadata to it, which third-party tools can then read and then act on, whether it be within archiving systems, whether it be within HP TRIM or some other ones as well that exist from a document management perspective. Okay. Thank you. Thank you.
Now, in Europe, there is a lot of legislation around what you can and can't monitor employees doing. And so making employees do certain things like classify documents might be construed to be some kind of monitoring.
Have you had that as a problem, or does it come up as a problem in Europe, and if so, how do you overcome it? Yeah, another great question. So we do spend quite a bit of time in Europe and that has come up a lot where we work hand in hand with DLP vendors, for example, and then the sensitivity part of that was where they're analyzing the data from a network perspective and seeing more of a privacy constraint, whether it's scanning content within the documents or emails that they're generating. But what we do is we work with the user so they can opt in.
They can take a look at the data. The audit logs that are being generated could be stored strictly on the user. And we decide not to send that centrally. So people are not seeing those logs being, you know, viewed by IT people within those enterprises. So we've seen that as a nice way to approach that challenge, where we focus at the user's desktop. I've had something similar, but not necessarily within Europe, where I had a general come up to me and thank me for the tool, because he was able to fix the problem before he left his desktop.
So instead of having something downstream, something that looked at the information saying, no, you're sending to the wrong person based on classification. And they didn't have a lieutenant walk up to the general and say that he did something bad from an IT perspective. So it was actually quite an amusing one, but he liked the product just for that. And the fact that we analyze it at the desktop is something that seems to resonate quite well throughout Europe. Okay. Thank you. Thank you. So there's quite a number of questions coming in now.
So I'm going to look at the next one, which is: are there any auditing features available within the Titus solution? Yes.
So again, the auditing is everything that the user sees, from, you know, classifying a document, or they're being warned about some inappropriate information being sent to an external party, or perhaps even within the enterprise. For example, if someone is sending a research document to someone within sales or marketing, that may not make sense within the enterprise, and we can help break that up. So all the activity that's happening at the desktop is actually being stored locally on the client, in the event logs on the client itself.
And then we work with third-party tools from a SIEM perspective to collect that and produce reports on that, if appropriate, again coming back to some legislation where some of that information cannot be centrally located. Others will use tools such as ArcSight, Splunk, LogRhythm. There's a wide variety of tools out there that can collect those logs and then report back on them, if appropriate within those enterprises.
Okay, great. Now this is an interesting question that's come from one of the participants, and it raises an interesting philosophical point: how does the classification compare with automated solutions?
You know, there are various solutions around that will scan documents for certain kinds of information, typically credit cards and dates of birth and social security numbers. Do you have any view on the relative efficiency or efficacy of the two approaches? Sure. In fact, we sometimes are perceived as perhaps a competitor to DLP because we're doing some of the checking at the client, but from a DLP perspective, they're looking at doing automated checks or automatic classification looking for those keywords.
So one of the things we talked about at the beginning of the presentation is the detection of that sensitivity, or being able to suggest that classification, is something that we looked at. The reality is many of these systems that can do the automatic classification work well with sample information. And as they roll that out to the enterprise, we're finding a lot of these false positives being generated in the IT department, or people who are looking at information that becomes quarantined. It's hard to identify that.
So we find that for the easy information, such as credit card and some of the stuff that could be identified by regular expressions, or if you have sample documents where you can take fingerprints, for example, the automated fashion works. On the client side, we need to have that user input to maybe raise the bar on that. So we can do some simple scanning on the client where we can look for those keywords, look for the regular expressions and patterns, and then come up to the user and say, looks like you have PII information. I think you need to make this confidential.
And the user can override that. And then where we see that complement within larger solutions is that they take that user input and then the automated systems can decide what to do with it. And now you have an automated perspective, these backend systems, and you have the user's input. If the user raised the bar high, then perhaps we'll go ahead and block it. We won't analyze it from an automated perspective, but if the user tags it public, maybe we'll do a sanity check with some of the automated systems in the back. So long answer, hopefully that helps cover some of the question there.
Yes, I think this, the whole issue to do with classification, is a major problem, as you've said. So there's another interesting question come up here, which says, how do you factor in role-based access control into the overall concept of information governance? Now, in a sense, role-based access control and access control are technologies or implementations of how you control people's access to information, once you understand what that information is.
So clearly it's difficult to know what access people should have if we don't have a classification for the information. But I wondered whether in your practice with your customers, whether this is the kind of issue that has been raised, and if so, what your solutions have been to it, integration. Sure. Yeah.
With that, John, what would use that? Yes. Great question again, Mike. So on that one, it's obviously once you've tagged the information, you've got the classification set, the next step, or the next piece of that puzzle, is to understand how to control it. And a lot of enterprises have been looking for role-based, whether it be Active Directory groups or claims within the federated space, to identify that person.
And I know that conference coming up in Munich would be a great conference to talk about that in detail. But we're looking at, within our own tools, within our email product, for example, we can go take a look at the user's Active Directory groups, or attributes or things about that user that can identify that recipient as being someone who's allowed to get that information depending how it's classified. It could be confidential for a specific research group. And if you're not part of that group, we won't give you access to the email.
Another way we've looked at that is within SharePoint itself. So SharePoint as we take a look at once the information's been tagged and the metadata is on the documents that reside within SharePoint is look at the user's role, whether it be claims based whether it be group membership based or attribute based, we will take a look at providing the right access to information within SharePoint.
So definitely something that is important once that information's classified and tagged is then how do you provide the right access to the right people. So it's a great question. Okay. Thank you.
Well, we're sort of coming to the end of the event now. So I'm going to ask perhaps one or two more questions to finish off. And one of the interesting things is how do you find and get engagement with the people in the organization that are going to really drive this data classification?
What's the critical steps that you think are necessary? Great question. So as we engage with those enterprises that express the desire to go down, you know, information governance or data classification to protect that information, we find it very important to get the right people on board. And typically that's, you know, you may think that the CISO is a great starting point, but we typically see better success as we start taking a look at the legal department.
For example, there may be some compliance things that they need to comply to that if they don't they'll be stop some fines. And they're looking at the wellbeing of the company from a security perspective as well. So legal departments and business units that have that sensitive information that they need to try to protect and have been engaging with trying various encryption methodologies of protecting information, they seem to be some of the success points for us. Now that's just to get the right people saying they need the information. For successful deployment,
what we typically see is make communication plans for those users to make sure they understand why they're being asked to classify and the importance of that. And I can't stress that enough: for that to be a long-term success, they need to understand the value of that. And we've been to customers where they've been in transition between one company to another, and they said they missed some of that classification part, because they just thought it was an integral part of that culture where that person left.
And so we've been introduced to the next company that way; from a culture perspective, they liked it. Lovely. Thank you. So is there one last thing that you would like to say, Steph, that you want to make sure that everyone remembers when they go away from this webinar? I just want to take an opportunity to thank everyone for joining us on this webinar.
And I think the data classification perspective within information, you know, governance is an important piece, and I'm seeing that throughout the world, as people are coming on board, looking at involving users as part of the information strategy. It's just been a great success for us, and we hope to help others at the conference as well. I will see folks, I will be at the KuppingerCole conference in Munich. So if you have any more questions or details or want to say hi, please swing by and I'm happy to be there. Good.
Well, thank you very much indeed, Steph, for that very interesting presentation on Titus and what you are doing. And so you lead in very nicely to a final thought, which is that if you enjoyed this webinar, then I'm sure you will enjoy the European Identity Conference even more, in Munich, famous for its Bavarian specialties. And for those of you that like it, the very special beer that you can get in Munich, which of course you wouldn't be drinking during the conference. So as A comedian, I would not.
Yes, no. So thank you very much, everyone, for joining the webinar. Remember that if you want to claim your CPEs for this, then you will have to take a test, and you will be sent a link in the follow-up email for how you can take that test. So thank you very much to Steph, the CTO of Titus, and thank you all very much for your attention and for the very interesting questions that you posed, and hope to see you all. ATTC good afternoon, everyone.