GhangorCloud suite checks if you've been good or bad

GhangorCloud focuses on data-leak prevention by fusing contextual and conceptual reasoning with an identity and role-based governance, risk and compliance model.

If you're going to launch a new security company conceived for the cloud computing age, assembling a leadership team with authorities from Symantec, McAfee, Trend Micro, Cisco, Juniper, Alteon and Array Networks would be a good way to start. That's exactly what GhangorCloud did.

The company's Information Security Enforcer (ISE) suite targets data leak prevention with security and compliance technology that combines contextual and conceptual reasoning with an identity and role-based governance, risk, and compliance, or GRC, model. The result, the company says, is advanced persistent threat protection.

GhangorCloud CEO Tarique Mustafa readily acknowledged that break-ins are going to occur, even as spending on IT security increases. "Most approaches to security, including antivirus and intrusion detection, have gone haywire," he said. "Even with the advent of zero-day patches, it is not enough. There is no winning situation."

Consider intrusion prevention, Mustafa said. "While it's possible to continually create new measures, the person sitting in his basement will always be a step ahead. So, why spend energy and money on a losing battle? Let the intruder come in, but don't let him go out. This is the way to defeat persistent threats." In other words, once the bot comes in, the object becomes blocking exfiltration, the unauthorized transfer of data.

Trapping those who break in is one thing, but that does not address personnel who already have legitimate access rights, but who are up to no good. "Those actors, such as [government document leaker] Edward Snowden, had malicious intent, but also had perfectly good access rights," Mustafa said. "Once that level of authorization is granted, ascertaining who is doing what and whether their intent is malicious becomes more difficult."

This approach of ascertaining whether an action is benign or malicious led systems integrator Powerbloc Generation, based in Kuala Lumpur, Malaysia, to install ISE at one of its clients, a financial services organization. "The most compelling aspect of GhangorCloud's solution is its holistic approach toward information security and compliance," said Sri Utami Devi, Powerbloc's general manager for information security. "The segmentation-of-duty approach to information security and data leak prevention was a good fit for this client's requirements."

Beyond its intended purpose of mitigating data compliance and leakage risks, the product provides enforcement of industry mandates and regulations, including the Health Insurance Portability and Accountability Act (HIPAA); the Financial Modernization Act of 1999 (popularly known as Gramm-Leach-Bliley); the Corporate and Auditing Accountability and Responsibility Act of 2002 (better known as Sarbanes-Oxley); the Payment Card Industry (PCI) Data Security Standard; and personally identifiable information (PII). ISE is also designed to be flexible and extensible enough to incorporate future compliance requirements.

Key features of ISE include:

  • Identity and role-driven authorization, in which ISE provides a role-based model that enables control over users' access rights to relevant content, data and information within the enterprise. It uses pre-existing data to emulate the organization's structure. End-user actions are evaluated and either permitted or denied based on their authorized roles and security clearance levels.
  • Segmentation of duty (SoD)-driven policy enforcement, which is intended to reduce exposure to fraud and conflict of interest, while minimizing the incidence of false positives. ISE supports auto-generated, SoD-driven policies.
  • Governance and compliance-driven security enforcement, which identifies and protects, in real time, confidential data as defined by industry compliance regulations such as PCI; PII; Gramm-Leach-Bliley; Sarbanes-Oxley; the Family Educational Rights and Privacy Act, or FERPA; the Health Information Technology for Economic and Clinical Health Act; the Federal Information Security Management Act, or FISMA; and others. It is designed to be flexible and adapt to future compliance requirements.
  • Automated data identification and classification, providing the ability to identify, categorize, and classify relevant content, data and information that needs to be protected in real time. ISE performs automated identification and classification of confidential and sensitive information in real time, even for newly created data.

GhangorCloud's Information Security Enforcer 1.5 is available now. Pricing depends on configuration.
