Choice Cybersecurity has added a data discovery, encryption, and loss prevention solution from Actifile to its lineup of risk assessment, security, and compliance offerings for managed service providers.
The system, which has been available since earlier this year, arms MSPs with important capabilities for finding and protecting personally identifiable information (PII) at a time when regulations like HIPAA, GDPR, and the California Consumer Privacy Act (CCPA) are imposing increasingly strict data privacy requirements, according to Choice Cybersecurity CEO Steve Rutkovitz.
“They have to have really clear visibility not only into the firewalls, and PCs, and servers, and vulnerabilities like we’ve been working on very hard to do, but now you really have to understand what’s inside the data,” he says.
Actifile’s software eases that task, Rutkovitz continues, by automatically cataloging not only data at rest in storage systems, which Choice could already do for its customers, but also data in motion to and from endpoints.
“This is really game changing because now we know what’s leaking out of the company,” says Rutkovitz, who adds that the Actifile system regularly finds data in so-called “shadow IT” deployments that business owners aren’t aware of. “They didn’t even know people are using Gmail, because they [think they] only have OneDrive,” he says.
The Actifile solution’s discovery functionality produces an exact count of records containing PII as well. “One of the problems that I find when I talk to companies is they don’t know how many records they have,” says Rutkovitz, who notes that HIPAA and other regulations include requirements that apply only to breaches exceeding a specific quantity of files.
“All the fines are based on number of breached records,” he says. “Unless you know the number of records that potentially could be breached, you really can’t protect your customer.”
Once the Actifile system has inventoried all of an end user’s records, it estimates the potential financial impact of a breach. “It can tell you that you have a $30 million liability, you have a $300 million liability, whatever it is,” Rutkovitz says.
Significantly, the solution then safeguards PII-bearing records, including those in the cloud, by applying AES-256 encryption to them. Users can enable or disable that functionality with a single click, notes Rutkovitz. Actifile’s software encrypts individual files rather than entire drives, he adds, which means that regulated data remains inaccessible to unauthorized viewers no matter where it goes.
Additional features in the Actifile solution include a multi-tenant administration interface and the ability to enforce customized data loss prevention policies. “We can block files, we can alert on files, and we can also report on file transfers in and out of the organization,” Rutkovitz says. Users can employ the system in conjunction with incident response efforts after successful breaches as well.
“We have audit logs, so we can see exactly what files either came in or left, and we can see if they were encrypted or not encrypted,” Rutkovitz says. Organizations can use that information to prove to auditors or investigators that exfiltrated data falls under the “safe harbor” provisions in most privacy regulations, which spare companies from having to issue an embarrassing public breach notification when stolen records are encrypted.