Analyst Chat #35: An Overview of Enterprise Information Protection

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts. My guest today is Annie Bailey. She's an analyst at KuppingerCole as well. She's working out of Stuttgart. And today we want to talk about enterprise information protection.
Hello Matthias, thanks for having me,
Especially when it's around such a more or less new topic for us. This is something that we have not yet covered in this podcast. And so we want to dive a bit into this market segment of enterprise information protection. You did a market compass, a survey document about this topic. Can you tell me a bit more about this, this overall market segment about what is EIP about what are the benefits?
Yeah, absolutely. So it's always helpful to have a bit of the backstory to know why enterprise information protection is important. So it's following the story of the organization and how they typically handle security of information. And so organizations, once upon a time were exclusively on premise or at least much more so than today, but we have a different situation. Organizations are working in a totally different environment today. And this is from a lot of different reasons from people accessing information from different devices, both corporate and personal from accessing this information from many different locations, from home on a work trip from the office. And in many cases, right now, many more people are accessing this information from home from personal devices. And of course the need for collaboration has increased between internal and external partners. And so the sensitive information is always on the move and it's definitely not staying in place on premise the way it used to. So that's the, the need for enterprise information protection for this EIP types of solutions.
So what are the major use cases when it comes to enterprise information protection? So what, what types of information is protected and how can that be achieved?
So we have the protection of information like intellectual property, which is really intrinsic to running and operating as a business. So this information is definitely protected. You have this in regulated industries. So for sure in defense, there's a lot of classified information. This also applies to PCI and PII data. So that of customers that a partners simply handling data in a, in a way that reflects its sensitivity. And then as an extension of this, another use case, which is writing is to facilitate more collaboration. So as people, even as internal employees are working more and more from home, they have to collaborate with each other, which requires sensitive information, quote unquote, remaining within the organization, but still having to be bounced around between many different devices and locations.
So we are protecting information that is sensitive on devices that are considered basically as hostile. So we need to really protect the information from the environment and from most probably also evil actors as well.
Yes, absolutely. And from the inside threat as well, many data breaches or loss of data happens from internal employees without any malicious intent, but from mishandling or without being totally aware of who has access to that data or where it's been sent or who's downloaded it or printed it. So there's a lot of risks coming from insight as well from well-intentioned people.
Right. So it's really also protecting the organization from just yeah. From human error as well.
Yeah, absolutely. So when these solutions are really done well, they work with the employees. So this is really to protect information in the flow of normal business as usual. And so it really has to fit with people's normal habits for working with information and for collaboration. Otherwise the information won't be protected, they won't comply or use the solution. But on the other hand, it has to have enough strength, enough protective strength that it only allows the appropriate people to have access to this information for the appropriate function. Right?
So, and as we were speaking, there was this a recent development that the European court of justice just does not longer accept this concept of the U S privacy shield. So this concept of enterprise information protection could also be applied to protect the data within the systems that are outside of the EU to protect that information outside there is.
Yeah. Yeah. So this is a very, a new use case that may be a response to organizations needing to quickly move their cloud hosting out of the U S so EIP solutions may be able to give organizations more control and more, more security in sharing the information that they need to while having to adjust their, their cloud hosting situation.
So now that we know what we want to protect and where we want to protect it, how do we do that? What are the functionalities that you looked at in this market compass?
Yeah, so this market space is still really dynamic. There are a lot of different vendors that use different technologies in different combinations to achieve the same purpose. And so there's a big, long list of technologies that are being used in different ways. So one of those is encryption. This really helps to protect the sensitive information in the documents, both of the folder and the file level document repositories are sometimes part of a solution for secure storage. And this is really nice for a lot of highly regulated industries that want the storage to be on-premise, but these can increasingly be hosted in the cloud, but what's something that is really important and unique to enterprise information protection is that these repositories have to have strong access controls because that's where the protection and the fine-grain assignment of entitlements to different users comes from. And that leads us right into this idea of information, rights management, which was really dealing with providing entitlement management and this, again, it, it ties into access management.
So these really go hand in hand to outline what users are able to do with this incident information. So that breaks down into being able to edit or not be able to edit if you want to restrict users to only viewing or perhaps only viewing, but not printing or making screenshots. And this can of course be also controlled and limited by your location dependent on IP address by the time, if your organization is only active in one time zone, and you don't have any business travelers, then it doesn't make any sense for somebody to access a sensitive file in the middle of the night. So these are also some controls which can be given over access to sensitive information,
Right? So if you are using a potentially untrusted device, solar restricting this, this, these entitlements to only being able to, to view or without being able to print or make screenshots makes perfect sense so that the document could even be used or that the file storage could even be used from such a device without any danger of exfiltrating, any data from here.
Yeah, absolutely. Another thing to be on the lookout for is the breadth of this protection, you know, is your file protected at all times. And so that's kind of broken down into three stages to making sure that the file is protected at rest. So when it's in storage, not being used, you have to protect the file while it's in motion. And particularly for the collaboration use case, it has to be protected in use. So especially with multiple parties, viewing or editing, these all have to be paid attention to, right? This
Is also something that we see in our advisory work as coping our codes, that we collaborate with our customers through these secured platforms where we can securely share and collaborate with documents together with our customers, without the danger of these documents being compromised during our work. And that it's really unimportant.
And one thing which is really helpful, especially when tracking the protection in youth is to have document versioning. And so this really helps for auditability, but also it it's simply as really useful when you're cycling a document from multiple collaborators and needing to check who made what changes at what time or revert back to an old version. So protection also needs to be present for all major file types. So depending on your industry, you use different files, more frequently, like CAD files and this office across the board, but also image and audio files should be supported.
When we talk with our customers, we also often apply yeah. Risk analysis processes when it's committed, comes to yeah. Protecting information at the right level in the right systems. Does that tie in here as well? So classification making sure that this is top secret, this is public and some documents that are in between, does this tie in, into this enterprise information protection? Yeah.
Yeah. So in a larger sense, classification is absolutely part of the information protection life cycle. For this particular report. We didn't focus as much on classification because there are so many standalone classification vendors or vendors that really specialize on that capability that we didn't include it here, but it is really important for an overall information protection approach.
Right. So as you did this report, I assume it is already published. Is it available already on our work?
Yes, it is. Yeah. It's available on KC plus it covers a lot of different vendors again, who look at this problem from different ways and, and meeting different industry needs. So it's yeah, it's available for you to read.
Perfect. Thank you very much. So thank you very much. Any for giving us a short insight into this interesting obviously emerging market segment as well, our audience, if you're interested in learning more about that, of course, they can go to KC plus two KuppingerCole dot com and just search for enterprise information protection and have a look at that document. Of course, there's even more interest. Of course you can get in touch with us at KuppingerCole just get in touch via one of our feedback channels. And then you can get in touch with me or with Annie and learn more about enterprise information protection, anything to add from your side,
Nothing from my end, it's a really dynamic space. So it's great to get yourself caught up now, and then you can stay up to date as changes happen as new approaches become more solidified in this space. So
You can learn how to tie this into an overall cybersecurity strategy as well. So that would be then one building block of that. So thanks again, Annie, for joining me today. And I'm looking forward to having you in one other episode soon. Thank you very much, Annie.
Thank you, Mathias. Bye. Bye. Bye