Comforte offers a data security platform from the cloud. This system can identify and protect sensitive data wherever it is held, including stores on cloud platforms. The system provides an essential service for businesses that need to have the personally identifiable information (PII) of private individuals. Comforte is particularly successful in gaining customers in the financial sector to protect payment card data.
Many parts of the world now have specific legislation governing the protection and use of PII. So, businesses operating internationally will find that they need to comply with different rules depending on where their customers are. This complicated situation even applies to small companies operating in eCommerce. Failure to comply with the data protection standards can result in fines and lawsuits.
Few entrepreneurs are experts in data protection laws, so it is easier to contract in an enterprise data security system that takes all the necessary security measures and proves that all proper steps have been taken to comply with data privacy standards. In addition, automating much of the auditing and reporting functions needed for compliance saves a lot of time and money.
Comforte AG started operations in 1998 as a data transfer protection system. The service focused on the transmission of data from ATMs and point-of-sale devices. Based in Wiesbaden, Germany, the company expanded its service to protect data at rest. This combination of systems resulted in creating a cloud-based SaaS platform that offers data protection services to businesses of all sizes.
As well as its headquarters in Wiesbaden, the company maintains offices in New York, USA, Singapore, and Sydney, Australia.
What does Comforte do?
The Comforte Data Security Platform aims to control the use of sensitive data in a system. This doesn’t block access completely, but it varies controls according to user types and ensures that permitted access doesn’t lead to inappropriate use. The system also includes tools that allow the selective release of documents without disclosing PPI to third parties.
Comforte presents a five-stage program for data protection:
- Discover and Classify A continuous identification of instances of sensitive data
- Inventory Establish access needs and data exchange requirements
- Policy Define security enforcement rules: who gets access to what and how
- Protect Work out what tools are needed to implement the policies
- Deploy Implement the policies
The critical parts of the system are to identify sensitive data and control access to it. The definition of what constitutes sensitive data is influenced by what data privacy standards the business has to comply with. The implementation of controls is also affected by data privacy legislation or standards. For example, GDPR in the EU specifies PII storage and access location, but HIPAA in the USA does not.
Comforte Enterprise Data Security modules
The Comforte Data Security Platform is a SaaS package built up with several modules, which orchestrate to create complete protection for sensitive data. The modules are explained in detail below.
Data Discovery and Classification
Comforte Data Discovery and Classification search through your entire system. First, you need to enroll each network in your enterprise, and then the service will search through all devices, looking for data stores. Those data locations might not be the designated data stores that you expect. For example, many software packages that handle sensitive data can create their stores, that either provide the primary location for that data or form a staging area in addition to the final storage location.
The Comforte system is also able to search through cloud storage services. This encompasses both structured and unstructured data storage systems. Once a data location has been discovered, it is registered in the Comforte data management service for supervision. However, the discovery process is not a one-off event. Searches continue throughout the service life of the product. So, new locations will always be discovered.
As the holder of PPI, you are obliged to serve DSARs. These are Data Subject Access Requests – the people on whom you hold data are entitled to know the data that you hold on them. This means that you have to group all data stores relating to a specific person – that can be performed logically rather than a physical relocation of data sources.
The Comforte Data Discovery and Classification can present a list of all data held on a given individual. This search can be performed on-demand to satisfy a DSAR.
The classification of data depends on what data standard you need to comply with. This setting is rippled through to a recalibration of the data search and classification service.
While typical data loss prevention (DLP) systems focus on exfiltration points, Comforte focuses its data protection on each data location. Intrusion detection systems (IDSs) offer another method to protect data against theft. However, looking out for intruders misses the dangers of insider threats. Comforte decided to trust no one. Data protection is applied to the sources rather than by examining their passage out of the company.
The Comforte system’s approach to data protection works on the assumption that only the sensitive contents of a collection need to have security measures applied to them. Essentially, the system can redact data within files without permanently deleting it. So, those blanked fields can still be subjected to searches, and their values can be revealed to authorized viewers.
Comforte uses three methods to protect sensitive data:
Tokenization – This method is suitable for use in databases. The sensitive data is replaced by a token, which is a reference identifier. The ID and the original values are held in a reference table, secured in a similar scenario to a password locker. The actual values can be reinserted into output when accessed by an authorized user or process.
Encryption –This is the classic method used for data protection in most file-based systems. In many cases, such as where an entire file is sensitive, it is still the best option, so Comforte uses this strategy selectively. However, one problem with standard encryption systems is that they can change the digital profile, which could render them unacceptable to specific applications. Therefore, Comforte uses Format Preserving Encryption for files at rest.
Masking – This technique is used where applications require accurate data for testing. However, the exact values of the field are unimportant because they won’t result in output that will be sent to outsiders. In this case, an irreversible replacement of sensitive data fields in a masking scenario is suitable.
The Security Control module of the Comforte Data Security Platform ties all of the other elements together. For example, the system’s data protection is applied to sensitive data, but the Security Control module decides which method is used when and where and which types of data.
This is what most data loss prevention systems call security policies. The policies you apply to your data depending on the data privacy standards that you need to follow.
Security measures might render the data unusable to the applications that need them. In these instances, the Comforte system works in tandem with the data-using application. This switches out the data obfuscation at the last minute before passing it into the application. The decision over whether data is secure within that application is out of scope for the Comforte controls, which work with data at rest, not when it is in use.
The security controls should be applied to different user groups. To fully implement security policies to implement security policies fully, the system administrator needs to reassess access rights management in systems such as Active Directory.
The Discovery and Control module of Comforte is presented as an individual service, called SecurDPS Discover & Classify. The Data Protection and Security Controls functions are bundled together in a service called SecurDPS Enterprise.
Comforte also offers a service for guarding cloud resources. This is a cloud version of SecureDPS Enterprise, called SecurDPS Connect.
All of the Comforte services are delivered from a SaaS platform and can be subscribed to in combination.
How much does Comforte cost?
Comforte doesn’t publish its price list. The buyer’s journey into discovering the cost of the products offered by this SaaS platform begins with access to a demo.
Comforte Pros and Cons
Comforte has an imposing client list, which includes the world’s two largest credit card companies. Thanks to those clients, Comforte protects 60 percent of all credit card transactions in the world. This is a serious and respectable company with a secure protection service for sensitive data. Here are its good and bad points.
- A range of data protection strategies
- An automated and constant data discovery cycle
- AI-driven sensitive data classifications
- Identification of related data
- An adaptable security policy system
- It doesn’t include data exfiltration device control
- No email scanning or content inspection for outbound documents
Alternatives to Comforte
Comforte takes a unique approach to data loss protection that the company is confident should remove the need for device controls. Comforte reasons that preventing exfiltration doesn’t address the issue of inappropriate use of data or accidental disclosure. Instead, rendering sensitive data unusable at the source is the best approach to take.
If the Comforte strategy makes you uncomfortable, you will probably welcome information about other highly-respected data loss prevention systems.
What should you look for in a Comforte alternative?
We reviewed the market for sensitive data discovery tools and data loss prevention systems and analyzed the options based on the following criteria:
- An automated data discovery service that also categorizes acute data instances
- Extensive access logging and audit trails for data privacy standards compliance
- A flexible system that can automatically interpret all requirements for data privacy
- The ability to apply several data protection standards simultaneously
- Behavior anomaly detection
- A free trial or a demo system to provide a no-cost assessment opportunity
- A reasonable price that offers value for money concerning the services offered
The tools that we would consider the best DLP systems would need to be easy to implement and should not require specialist legal knowledge on the operator’s part. The DLP solution should provide an off-the-shelf compliance system that guarantees that it will be constantly updated as legislation changes.
The requirements to get a quick startup and constantly maintained software can be best delivered by SaaS platforms. A cloud-based solution also models the services of Comforte more closely.
Here is our list of the six best alternatives to Comforte Data Security Platform:
- Digital Guardian DLP This SaaS platform offers a data discovery and classification service to scour devices running Windows, macOS, or Linux for sensitive data and intellectual property. The package can audit Active Directory and improve user group definitions. This is necessary because the primary mechanism controls access to the discovered sensitive data to just those few user accounts and applications that need that information for business purposes. The platform also provides control mechanisms to monitor activity on USB devices, printers, emails, and other data movement channels.
- Endpoint Protector This service includes insider protection and doesn’t rely on the ability to spot intruders as its primary protection strategy. Instead, this service looks for unusual behavior, which could denote insider threats or account takeover as well as intrusion. This package offers sensitive data discovery and classification and security policy implementation for data privacy standards compliance. A close parallel to the Comforte system lies in the file integrity monitoring tool built into this service. Endpoint Protector also includes an audit of Active Directory to improve the granularity of user groups and enable fine-tuned access permissions to different categories of data. The Endpoint Protector system also offers device controls to prevent the unauthorized movement of data. Endpoint Protector is a SaaS platform, but the service can also be enrolled into an account with AWS, Azure, and GCP. The system will also run on-site as a virtual appliance. Access a demo of Endpoint Protector to assess the system.
- ManageEngine DataSecurity Plus This is an on-premises system that is offered in three packages. These services can be taken individually or as a collection under the name of DataSecurity Plus. These modules are File Server Auditing, which monitors and protects files. Data Leak Prevention controls data exfiltration channels and Data Risk Assessment, data discovery, and classification system. Services within these three modules include file protection through encryption. Control of USB slots, emails, printers, and faxes, and the ability to set security policies that implement data privacy standards. The software for DataSecurity Plus installs on Windows Server, and ManageEngine offers it for a 30-day free trial
- Teramind DLP This is a cloud-based system that is charged for by subscription. The system requires agents to be run on the monitored site – these will run on virtual machines. It is also possible to get the server software to run on-site as a virtual appliance. Teramind DLP is mainly focused on employee tracking. Modules include productivity logging, and the DLP service is a higher plan that implements security controls. The package offers the discovery and classification of sensitive data and control over data exfiltration points. Teramind DLP is available for a 14-day free trial.
- Azure Information Protector This is a service that operates on Azure cloud servers. However, its capabilities are not limited to protecting data stored on that platform. It can tack data access on other cloud platforms and also on any site. The data protection system centers on security policies, which can be applied from templates to implement a data privacy standard. The service includes data discovery and classification system and controls over file access. The tool will constantly scan network traffic for data movements, and these activities include monitoring emails. Features available in this system include document copy tracking and watermarking.
- Spirion Sensitive Data Manager This SaaS system focuses on identifying and protecting PII and variations that apply to healthcare and financial information. It can be used to implement the requirements of GDPR, CCPA, HIPAA, and PCI-DSS. This package’s data discovery and classification feature will run on endpoints on your site that run Windows, macOS, and Linux. It also scours cloud platforms for sensitive data instances. Other modules in the package provide an assessment of Active Directory settings and contents. The system then creates recommended security policies that match the data privacy standards that you enter into the dashboard. This system then implements data protection through file integrity monitoring, which applies encryption to sensitive data stores. The Spirion system also implements data exfiltration channel controls. You can request a demo of the Sensitive Data Manager.