Making your collaboration and messaging app enterprise ready with sensitivity.io

Developers often struggle to take their applications to the next level by making them enterprise-ready and so break into the lucrative big-business market. Often this comes down to app security: the need to make sure confidential information is kept private and there is no risk of data leakage. sensitivity.io offers cybersecurity APIs for Cloud, Apps and Services that inject security and compliance policies into the core of apps and help them achieve unmatched sensitive-data visibility and compliance, bringing them closer to enterprise-readiness.

One of the many types of applications sensitivity.io can be integrated into is collaboration and messaging apps. A common feature in most companies nowadays, messaging and collaboration apps have become necessary for a smoother, more efficient way for employees to share information, work together and keep each other up to date on projects and clients. But just how easy is it to integrate sensitivity.io APIs into such an application? Let’s find out!

Mattermost + sensitivity.io

Let’s take Mattermost, a sleek Slack-compatible open source service that makes it easy to self-host team communications. It brings messaging and file sharing into one place, is accessible across PCs and mobile, and comes with archiving and search features. It integrates with a range of out-of-the-box apps and is extendable, so you can build custom functionality on top of the Go (golang)/React core.

Our goal was to integrate cybersecurity features into Mattermost to manage Intellectual Property and Personally Identifiable Information (PII) and regulations like PCI, GDPR, HIPAA and others, while making sure collaboration, communication and productivity were unaffected. On top of showcasing sensitivity.io’s scanning and classification engine, we also wanted to show how easily you can implement DLP and remediation features in virtually any application that integrates our API.

Why messaging and collaboration apps?

We love Go here at sensitivity.io. We use it in production as the primary development language for everything related to web APIs, websites, automation tools, tests and benchmarks. We chose it because we run our own Cloud-based API and SaaS for Data Storage Services that handles massive amounts of data from both Applications and Cloud Storage providers (Box, Dropbox, etc.) resulting in dozens of concurrent requests per second and the need for real-time data analysis.

We’ve also been successfully using Mattermost internally for a few years now and it has served our needs very well. It’s a messaging and collaboration tool that we could freely use in-house without having to resort to more commercial communication tools that we have no control over. What this great chat app lacks, though, is security features: data protection, remediation actions for sensitive data and hiding of confidential information. To us, this seemed like one of the biggest issues standing in the way of enterprise adoption of open-source tools like Mattermost, so we aimed to improve it.

Posting company credit card numbers inside a chat room seems like a bad idea to begin with, and while some might dismiss it outright as an unlikely event, countless data leaks testify to the contrary. Mistakes happen: imagine you copied 100 Credit Card numbers to your clipboard from your invoicing software, then you move to chat with your colleagues on a public channel, accidentally paste the entire clipboard there and press send before realizing what has happened. Or worse, it could happen on the contractors and partners channels… All it takes is one moment of carelessness and the push of a button, and your sensitive data is compromised.

File blocked

Receiver file blocked

How we did it

Mattermost offers great integration for posts and files through its web-based API or webhooks, but we felt that this was neither ideal nor efficient enough for our use case, as we would have had to create an additional service to inspect the messages and files posted by members. A different approach was needed, and since we knew that GitHub hosts Mattermost’s source code, we turned to that.

Finding out it was written in Go made our job extremely easy, since we already had a Go SDK for sensitivity.io. The Go changes in Mattermost to add sensitivity.io were finished in less than a day by our Go engineers. The UI, on the other hand, turned out to be a totally different story, as nobody on our team had used React before. We thought of contracting it out, but it took us just a couple of hours to figure things out and make it work the way we needed it to. Some of the settings on the configuration page under the System Console appear there only as a proof of concept for the sort of actions you can add to manage your sensitive data. The Data Scanner, Protection Profiles and Service API menus, however, are all functional.

Details of installing sensitivity.io C API

Our powerful scanning engine is written in C++, which helped us create complete cross-platform system APIs that customers can use on Windows, Mac, Linux, iOS and Android. It’s also lightweight, requiring under 5 MB of additional space on most operating systems. We offer pre-built bindings for C, which makes our API very easy to integrate with Go, Python, PHP etc. We also support native Java, C, C++, .Net/C#, Objective-C/Swift or Java Android with our official SDKs.

For the demo application, we chose CentOS 7, so we installed the RPM packages available for download on our Control Panel. After that, we hooked into the Post and Files code and, based on the settings in the System Console, we scanned and identified threats inside posted messages and uploaded files.

sensitivity.io Configuration Options inside Mattermost System Console

There are lots of settings you can configure: you can set a threshold so the scanner stops after the first or a specified number of threats are identified, and you can mask found results so they don’t get logged in plain text. The most important configuration, however, is found under the Protection Profile page. Through it, you can easily instruct the scanning engine to identify Social Security Numbers, Credit Card Numbers, other Personally Identifiable Information or your custom dictionary of confidential and sensitive terms, depending on what is most relevant to you or to your company’s policies.

Scanner settings

We added some extras under the Found Threats page. This is the place where you can select remediation actions like Block, Report, Block & Report, or you can simply allow the posting of sensitive data if the user provides a justification for it. You can also set up an email address that will receive reports when sensitive data is being posted. Other useful actions include encrypting uploaded files that contain credit card numbers or personally identifiable information, without affecting documents that are free of confidential information. Files can also be quarantined until further actions are allowed by a manager or auditor.

Protection profile

Found threats
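The scanner settings and Found Threats actions described above, as an added Go example that is not the sensitivity.io SDK or Mattermost’s code: a pre-post scan that honours a threat threshold, masks matches before they are logged, and applies the Block / Report / Block & Report / justified-allow decision. The Profile fields, the local card detector (regex plus Luhn check) and the dictionary match are assumptions standing in for a sensitivity.io protection profile, whose real API the page does not show.

```go
package main

import "regexp"
import "strings"

// Profile stands in for a protection profile plus the Found Threats settings (names assumed, not the SDK's).
type Profile struct {
	Dictionary []string // custom dictionary of confidential terms
	MaxThreats int      // stop after this many threats; 0 scans everything
	Mask       bool     // mask matches so they are never logged in plain text
	Action     string   // "block", "report", "block+report" or "justify" (allow only with a justification)
}
var cardRe = regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)

// luhn keeps only checksum-valid digit runs, so invoice or order numbers are not flagged as cards.
func luhn(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d = d*2%10 + d*2/10 // double the digit and add its digits
		}
		sum, double = sum+d, !double
	}
	return sum%10 == 0
}

// Scan inspects a post body as the Post hook would: "kind:match" records, whether the post may go through, whether to e-mail a report.
func Scan(p Profile, body, justification string) (threats []string, allowed, report bool) {
	add := func(kind, m string) { // mask all but the last four characters when configured
		if p.Mask && len(m) > 4 {
			m = strings.Repeat("*", len(m)-4) + m[len(m)-4:]
		}
		threats = append(threats, kind+":"+m)
	}
	full := func() bool { return p.MaxThreats > 0 && len(threats) >= p.MaxThreats }
	for _, m := range cardRe.FindAllString(body, -1) {
		if d := strings.NewReplacer(" ", "", "-", "").Replace(m); !full() && luhn(d) {
			add("card", d)
		}
	}
	for _, t := range p.Dictionary {
		if !full() && strings.Contains(strings.ToLower(body), strings.ToLower(t)) {
			add("dict", t)
		}
	}
	hit := len(threats) > 0
	blocked := hit && (strings.HasPrefix(p.Action, "block") || (p.Action == "justify" && justification == ""))
	return threats, !blocked, hit && strings.Contains(p.Action, "report")
}
```

The constructed post body in the test mixes a Luhn-valid test card number, a digit run that fails the checksum, and a dictionary term, which is the false-positive case the scanner has to get right.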

Stay tuned for more integrations and demo apps, as we plan to cover at least a dozen of them, just because it’s fun, easy and takes almost no time at all! All you need is a day to add such extraordinary cybersecurity and DLP-like features to your apps, services or infrastructure, and to us, that is time well spent!

If you have a specific scenario in mind and want to know if it’s possible with our SDKs and APIs, feel free to drop us an e-mail at team[at]sensitivity.io. We will be happy to offer additional information.

Introducing a new category of Data Loss Prevention

When we entered the Data Loss Prevention (DLP) market, all vendors were exploring the possibilities of an unknown territory. Most of them, including us, started with Device Control or USB security capabilities for organizations: remotely controlling users’ access rights to USB devices, CDs, DVDs, HDDs and other storage devices, and encrypting the data on them. Slowly the market evolved to offer advanced content-aware DLP, either at network or endpoint level. Currently, the products’ offerings have more or less aligned, and what DLP means has been standardized to a certain level by analysts, industry experts and security professionals.

Now, in 2017, we are introducing a new category to Data Loss Prevention and data scanning with sensitivity.io.
sensitivity.io is best characterized as a unique approach to DLP, offering SDKs and APIs that you can use to scan data in motion, data in use and in-app data, making DLP part of the apps, services and programs that you build, use or sell. The product eliminates the traditional DLP products’ limitations: false positives, lack of adaptability to the organization’s environment, applications, infrastructure and business scope, lack of visibility into data at its origin, and others. But most importantly, sensitivity.io allows developers to integrate DLP and compliance functionality at the source of the data, where it is created, stored and processed, and in any infrastructure, platform, software, application or service. Threats are discovered based on the definitions of sensitive data available in the sensitivity.io Control Panel: file type, predefined content (Personally Identifiable Information, Credit Card Numbers, Social Security Numbers, etc.), keywords and Regular Expressions.

How sensitivity.io works:

1. SDKs for in-app DLP

This is the most powerful solution in terms of what developers can accomplish with it. There is no boundary to what they can achieve.
Let’s consider an example: you are a software developer for a financial company building its own invoicing software. You developed a web application where accounting generates invoices, a desktop application, and a mobile app for iOS and Android. This architecture covers all employees’ needs. Among your responsibilities in the development process is achieving regulatory compliance and data protection. To do that effectively, you need to know if and what threats exist at all levels of your invoicing software: the server, the desktop and the mobile apps. With our SDKs for in-app DLP, you have the option to bake a scanning engine with compliance and predefined protection profiles into all your invoicing software components for complete threat discovery. Subsequently, you can build on top of our SDK the remediation measures you want your software to take when it discovers relevant data security risks: encrypt sensitive data, delete it, block its transfer, quarantine it, etc. All of these can be customized according to what’s best for your company and the specifics of the software or app you’re developing, like the scenarios in which the app’s data is transmitted and to what destinations, how users interact with data, and many other factors.

2. SDKs for DLP Cloud Engine

The second option, which you can use together with the first one or independently, gives you a straightforward method to detect confidential information within apps and services by allowing scanning from our DLP Cloud Engine, with results displayed in our Control Panel. All settings, definitions, protection profiles, etc. can be set up in the Control Panel, and applications can be included in projects for better management. A project is a set of applications and services with certain protection profiles and common attributes, e.g. a project for cloud storage services to discover PCI-DSS information, a project for chat apps to detect Intellectual Property information, a project for invoicing software to detect financial records, etc.
For your convenience, we took care of all the setup, integration and configuration on a local SDK, and we provide you simple JSON REST API calls for your data, which can be in the form of strings, raw data or file uploads. You get SDKs, libraries and code samples for all major platforms and programming languages. The best part is that data is automatically classified and analyzed, so your development effort is reduced.

3. Remote Cloud Services Scanner

We thought of all possible use cases, so this third option is designed to optimize resource consumption, allowing you to include a scanning module in your cloud application by using our scanning infrastructure. You can trigger the remote scanner directly from your app to perform data inspection and retrieve results based on the settings you specified in your sensitivity.io account. You decide where results are displayed: in your app, or in our Control Panel, where different analytics and alerts are available.
An alternative to the previously mentioned scenario is to use the remote scanner with no additional changes to your application, just by making the two interact through our API. Let’s say you want to scan all data from your company Google Drive accounts to discover information security policy violations. You simply connect the sensitivity.io Remote Cloud Services Scanner to the Google Drive accounts and go to the sensitivity.io Control Panel, where you initiate the inspection. You can then visualize threat elements in real time, see the returned results, set up alerts and make use of all the other features provided by the Control Panel.

Regardless of the solution that you choose, depending on what fits best with your organization’s needs, remember that it is only the beginning of a smart and complete data protection and compliance implementation. The beauty of sensitivity.io is the fact that it offers you a strong foundation with unmatched visibility upon which you can make solid decisions regarding cyber security.

Post by Angela Lepadatu