Multi-national banks send hundreds of sensitive documents each day. These contain highly valuable or private information pertaining to pending business transactions, customers’ personal information and internal business practices and strategy. If any of these documents are leaked or stolen, there’s a very good chance that the bank will suffer massive damage to its reputation, lose customers and partners and spend hundreds of millions of dollars to clean up the mess.
Multi-national banking customer
Our client, a multi-national bank earning over $11 billion a year in revenue with a presence in over 50 countries, came to us after costs from data leaks had mounted to levels they simply couldn’t write off any longer. They, like every other bank, regularly handled and shared documents and data inside and outside their corporate network boundaries but had little to no control over how documents were being handled by their own employees let alone partners and clients. They’d tracked the number of times significant quantities of these sensitive documents had been leaked and saw that not only was the rate increasing, but the size of the leaks and the costs incurred through settlements, lost business and security triage efforts had risen as well. They were sometimes able to track down how a leak occurred, but it was often a painstaking and costly process. If the leak happened after they’d sent a document to a partner or vendor, it was often impossible for them to narrow in on who leaked what and how it was done.
The bank’s challenges
This bank, which we won’t name to protect the security of its business practices, faced challenges common in the finance (and many other) industries, but it was also dealing with a few less common complexities. First and foremost, it needed the basics of secure document handling and sharing covered. But it also needed more advanced solutions, like a way to share all file tracking information with regulatory agencies.
Different departments at the bank had slightly different but overlapping uses for the Vaultize platform.
Business operations and development
The business operations department at the bank worked on various strategy documents and plans and frequently shared these items internally and with outside partners and vendors who played roles in the bank’s strategic moves. If these documents were leaked, it could cause serious damage, both monetarily and to the bank’s reputation. The bank needed to keep these documents wrapped in encryption, limit access to them by user and with enterprise-wide policies, upload new versions to cloud storage spaces without confusion or redundancy, revoke access to files that may have been compromised and regularly wipe corporate files from devices. BizOps was also concerned about recovering from ransomware and malware attacks.
Legal
The legal department had similar needs to business operations, but had more specific requirements for regulatory compliance. They had to keep records of every action taken on protected files, from who shared what with whom, where recipients accessed data, how it was edited or used by recipients, and so on. They then had to provide access to unalterable versions of these records to auditors who could verify that the bank was complying with regulatory requirements wherever it operated.
Processing
The processing department at this bank had an unusual problem for Vaultize to solve: it used an outside vendor for all its printing. Customer statements, notices and other documents that end up in paper form were all transferred to an outside party for handling and printing. The bank was concerned with how its documents might or might not be protected by printers and wanted a way to revoke access to one or many documents if it believed there was a likelihood of a breach. They needed to be able to share all documents as links that they could track and control access to.
Government regulation compliance and risk management
Leadership at the bank wanted all departments to track actions taken on protected files and for internal and external auditors to have access to those records. This would make the process of zeroing in on leakers and responding to incidents much more efficient, plus it would help streamline the annual reporting process the bank had to undergo to prove compliance with government regulations. So, the auditor system had to be in place company-wide, not just in the legal department.
Vaultize’s one-platform solution
Vaultize could solve all departments’ needs via its single platform. This simplified the deployment process and helped the bank reduce the cost of rolling out new software and training employees. We were also able to deploy the Vaultize secure software infrastructure flexibly, letting the bank make the right IT choices for its locations across the globe.
The business operations and legal departments were basically looking for a secure Dropbox alternative with data security, versioning and de-duplication features and EFSS-like behavior. At its core, this is what the Vaultize platform is.
Vaultize is designed to make access, sharing, modification, control and protection of unstructured data simple and easy in today’s mobile environment. It allowed the bank’s end users to quickly and easily access or share data while IT remained in full control of the data flow and usage. Our single platform wears many hats within the bank: Continuous data protection, enterprise file sync and share, managed data mobility, mobile content management (MCM), VPN-free anywhere access and end-to-end control, encryption and backup of all data.
The bank entered a new age of access control
Vaultize takes an information-centric approach to enterprise file security by ensuring that corporate information and data always stays under IT’s control. We gave the bank total control through U.S. patent-pending micro-containerization that embeds rights management (DRM/IRM) within documents themselves independent of file formats. The files shared across the corporate fence are DRM-encrypted and only usable by authorized recipients and within an authorized environment, even after they have been downloaded on a device not in IT’s control. They could be shared as trackable links too, which solved the bank’s printing problem.
For the first time, the bank had a unified endpoint backup & recovery
With Vaultize, department heads and IT admins could set policies to automatically version and back up every file, folder or entire drives continuously or at intervals. This made restoring endpoints to safe versions following a ransomware or malware attack easy, and prevented massive data loss if malware struck. Vaultize’s efficient file versioning stores copies of drives and individual files incrementally, and provides multiple ways for bank IT or users to self-restore endpoints or restore them remotely. Smart de-duplication at the data source combined with WAN optimization technology saved the bank 90% bandwidth and storage. Vaultize’s intuitive administrative console helped IT and admins define backup policies to automatically retrieve files and folders on end user devices and store them in airtight remote repositories. These policies could be designed and administered for individuals at the bank and groups, such as teams or entire departments. This allowed administrators to apply priorities based on specific organizational requirements.
Endpoint Encryption, File Tracking and Wiping
Vaultize performs policy-based file and folder encryption of on-disk data to protect it from unauthorized access after an endpoint device is either compromised, lost or stolen. Military-grade encryption is performed on files and folders on user devices without interruption to the user’s behaviors or workflows. Our selective encryption is more efficient than full disk encryption–it consumes less processing power and disk space–making it extremely BYOD friendly.
Remote Wiping and Device Tracking
Our remote, enterprise wiping feature allows bank IT administrators to securely erase protected corporate data from any device at any time, regardless of who owns the device. Vaultize enables selective wiping of files and folders based on certain patterns (geographic location, IP) and types – a feature essential for BYOD and containerization initiatives. Vaultize can also track the geographic locations, IP addresses and various other parameters of all types of devices.
The Vaultize platform features enhanced auditing capabilities (a rarity in our industry). This feature set allowed the bank to create an auditor role and easily manage and maintain compliance-friendly workflows and collect and package data for e-discovery processes. Auditors (some at the bank and some outside) were given access to an organization’s data without the possibility of interference even from administrators, guaranteeing compliance with most data-governance requirements. Administrators could control (and even mandate) formatting and wording of subject lines of emails sent internally and externally (i.e. to include a case number), the content of messages sent with secured data and the expiry of shared data. These capabilities allowed the bank to keep its information and user policies compliant and enable file auditing and versioning.
Results
The bank finally had a way to track, protect and control access to all its sensitive documents. Admins could set enterprise-wide and granular DRM policies that forbid vendors and staff from sharing documents with anyone beside intended recipients. As a result, the number of detected leaks at the bank went down by 87 percent, and bank IT could shut down access and remotely wipe all leaked documents within minutes of detection. Legal and compliance teams could streamline their data collection and e-discovery processes and reduced estimated time spent tracking and collecting data about how corporate information was shared by a significant margin. Reductions in damages and lost business from leaks and efficiencies in meeting regulatory requirements saved the bank about $600 million during the first year Vaultize was in use. This number is expected to increase significantly as more teams at the bank begin using our software.