As a global leader in cyber threat intelligence, this company handles highly sensitive data on a daily basis. Thus, it’s not surprising to learn that their IT team has implemented robust security controls for purposes of governing identities, endpoints, networks, and applications. And given their level of cyber sophistication, it’s not surprising to learn how they took additional strategic steps in 2023 to further strengthen their Zero Trust security posture by embracing data-centric policies and granular controls on sensitive data flowing in and out of the business via email, file, and SaaS workflows.
Inside of the company, the initiative was called “Data Accountability” and according to the company’s cyber security leader, it was “priority one” for everyone in the business, from the CEO on down. Specifically, the goal was to overhaul their data storage, transmission, and sharing policies to improve accountability. This included expanding their classification program to tag different data sensitivity levels, and enforcing stricter controls around customer data.
The Search for An Easy, Scalable Data Security Solution
To accomplish this new goal, a key ask from this organization’s internal research group was client-side encryption for Google Drive, since existing free tools were too complex.
“[CSE for Google Drive] is free for a reason,” he said. “It works and it doesn't work sometimes. You have a lot of engineering. So we had to kind of escalate that to find a key partner."
They needed a solution that made data-centric security easy to use without disrupting employee workflows or requiring extensive training. Ease of use was critical, as "the number one way to lose your audience is to bring on a tool that's too challenging."
Virtru's Data Accountability Capabilities
Virtru provided the right balance of security and usability with Virtru for Gmail, Virtru Private Keystore for Google Workspace CSE (client-side encryption), and Virtru Secure Share. Key features that supported the organization’s data accountability goals included:
- Key Manager for Google CSE (client-side encryption) The security leader and his team wanted to store sensitive data in Google Drive, but didn’t want anyone else to have access to it — not even Google. So, CSE was a perfect fit: It allowed them to keep control of their own encryption keys. "You know, [CSE] sounds simple until you get to plugging in,” he said.
CSE requires users to select a key management partner, and Virtru was the clear winner for this cybersecurity leader. The reason: Virtru Private Keystore brought ease and simplicity to the CSE process. He also discovered that Virtru filled several other data sharing gaps for the organization, a win-win-win for Data Accountability.
- Secure large file transfer and Zendesk encryption. The company also needed an easy and secure way to transfer large and very sensitive files to and from external research partners. It was a huge bonus to learn that Virtru could also cover this requirement with Virtru Secure Share. Another win: Virtru Secure Share integrates with Zendesk, which is another key security need. “We have a very robust support structure with SLA working with clients. Our support team would have to get out of Zendesk and spin up a Box account and transfer files. And those files could be everything from single sign on certificates to HAR files. We have to protect that data. So [we embedded] Virtru in our Zendesk, again, making the process easier.”
- Persistent access controls over shared data. This cybersecurity leader also wanted to maintain perpetual control over data shared externally. A unique facet of Virtru Secure Share is that it allows teams to share sensitive data and revoke access any time. This capability allows their researchers to share sensitive information with third-party partners without sacrificing security or control over that data.
- Detailed audit trails showing data access Virtru provides an important audit trail to demonstrate what sensitive information has left the organization. Virtru answers the questions,‘What did you send?’ and ‘When did you send it?’ “You know, those are all very important pieces that we need for accountability," the cybersecurity leader said. Granular activity tracking aids security analysis and incident response.
All of these capabilities allowed this organization to extend data-centric protections beyond Google Drive to other collaboration apps. Employees could easily track data access and revoke permissions if needed to enforce internal data policies.
The Impact: A Trusted Partner in Zero Trust Data Accountability
With Virtru, this organization consolidated multiple disjointed file sharing systems into one cohesive platform with stronger controls. With this proactive approach to data accountability, this organization is demonstrating what a full-spectrum Zero Trust security transformation looks like — and differentiating themselves against competitors.