An interview with Tod Ewasko, Director of Product Management at AccessData.
CCBJ: Explain your background and your role at AccessData.
Tod Ewasko: Currently, I am the director of product management and development. I have spent the last 11 years of my career in the e-discovery industry, starting out with a focus on legal processing solutions, then moving into forensics, with a focus on the workflow and tools for data collection.
Throughout those 11 years, I have spent a significant amount of time interfacing with corporate entities to understand their current workflow and challenges. Having this dialogue with our customers and future clients helps me better understand their problems and pain points, so we can build out our tools to help address those issues.
CCBJ: What are some of the most common challenges you’ve identified in those conversations? Is there a reoccurring theme in the issues you’re hearing about?
Tod Ewasko: Definitely. Most clients we talk to indicate one of their biggest challenges is dealing with all of the different compliance regulations today. With heightened data security concerns and regulations in place to protect customer data, compliance is, and should be, a top priority for organizations. No one wants to have their company in the headlines or face steep fines. Interestingly, as we’ve talked with clients, we’ve discovered that the solution to those problems can be addressed in the collection of data. It's collecting bits of data to determine whether it matches a type of compliance or regulation, then alerting, collecting or remediating. This can be challenging, though, when data is spread across their network and on numerous devices, personal devices and in the cloud. Keeping track of where your data resides is half the battle.
CCBJ: You mention data on personal devices. We've seen many companies move to a BYOD – bring your own device – policy over the years. What have you seen in terms of BYOD, and what has surprised you the most about the shift?
Tod Ewasko: What always surprises me about BYOD is how much control IT departments have lost in maintaining and forcing a standard within their organizations. When I started in my career, if you had a company phone, you had a certain type. IT was able to collect that phone at any point in time, and the company’s methods and abilities were honed to those devices. They could buy specific technology, get any fixes, get any updates associated with a certain subset of operating systems.
When that changed, it became open-ended. BYOD seems like a cost savings initially, but on the other side of the coin, it becomes a nightmare for IT to manage. When we're looking at forensic collections and e-discovery collections, getting data off those devices is a big problem. Ensuring that employees aren't taking corporate assets or IP off the network is a very difficult thing to monitor when you're allowing them to bring their own devices with their own level of encryption onto the premises as well as onto the network. Even something as simple as ensuring they’re password protecting their device is nearly impossible to monitor and enforce.
CCBJ: What are some of the devices capturing company data or being used in litigation or other investigations that people might not expect?
Tod Ewasko: With our focus on forensics at AccessData, we have an advantage of being able to spot trends around data types in the forensic market first, before they start to emerge in the commercial market. New data types producing evidence will usually show up in law enforcement about five years before they become a pain point for corporations. Some of the trends we’re seeing now include use of IoT devices and even cases where law enforcement needs to get into GPS in cars and review logs from devices that they're capturing to locate crucial evidence in a case.
I know of two specific cases in which a GPS device in a car was the compelling piece of evidence to lead them to significant locations. One was for a murder. The other was for a smuggling operation. There were GPS coordinates in both situations that led to an airfield for the smuggling case and to the body in the other case. These are the same types of devices in some corporate cars, in taxis. A ton of devices store data that is substantial, and that changes the amount of data types that we have to deal with in an organization. We’re already seeing these new types of data in the corporate environment, and I predict that will continue to grow.
The amount of devices that have information about what's going on in your network has expanded exponentially. The initial BYOD push really came from the C level, surrounding Apple. Top executives said, "I like my Apple laptop, and I'm bringing it to work." That has opened up to a much larger change, and we're not just talking about wearables here. Where data is stored today has actually expanded to unexpected areas, like the refrigerator in the office convenience center that can now track when the door was opened and when it was closed. Imagine one day when refrigerators are an alibi because you said you were at work and now there's a log that says it was opened between this time and that time.
Even something as simple as a WiFi-connected printer has information in it, logs that can be collected that can prove or disprove a case. That's a reality of our world today. We're surrounded by all of these devices, whether you're carrying them directly or not, whether it's a router log or a camera or something as simple as a door key card log. All of these points of access and data tell a story and bring you to a conclusion of what happened in a situation.
CCBJ: What are the potential risks or opportunities of these new, different kinds of data? Where is it stored?
Tod Ewasko: No matter the device, if anything's electronic, there is something stored about what's going on in that system. It’s amazing to think about how many apps are streaming data up to Amazon Web Services or some other type of cloud repository. Just within the last few years it has grown exponentially. Take MapMyFitness for example. Some of the data for that app is stored on your phone. It will have GPS information stored about locations where you ran. But much of that information is uploaded as well, as a recent hack revealed.
Any time you’re on an electronic device that's running, the amount of data that's stored across applications is substantial – location, messages, data that you don't even know is being pushed. Certain revelations have involved organizations pulling data across applications, matching contacts they keep on a full profile view based on that data. We are naive to think that there aren’t more companies like Cambridge Analytica out there, surveying data and piecing it together, creating a profile of our habits, our trends, what we search on, what URLs we visit, what types of sites. It is not coincidence that a product you google on your smartphone suddenly starts appearing in ads in your Facebook feed. That’s data analytics in use. The Facebooks and Googles of the world have copious amounts of data. And we continue to give them more data every time we add another application on our phones, another element they can interact with to understand more about you.
CCBJ: What are the best practices for corporations to manage all of these devices and data?
Tod Ewasko: One of the first is to classify your data. If you're a company that cares about your IP, if there are certain servers that contain your source code for a software company, or something that has proprietary information that you don't want leaked, you're going to classify that as critical.
Once you've classified assets across your network, you can then come up with the procedures associated with those areas – who and what has access to it – then continue a process until risk is mitigated by procedures, policies and permissions. Once a plan is established, then conduct testing to ensure it worked. There are consultants that can help in this area, as well as software that can help maintain this for an organization. At AccessData we delved into this area some already, with a compliance tool that allows us to understand where data is located on a network. If you're looking for somebody who accidentally or purposely pulled down Social Security numbers or medical records that had specific codes, you can find that on the network and ultimately remove it.
Then after you've come up with a plan, scanned your network, and found if you have data that shouldn't exist outside of your main critical servers, the next step is to pull it off and remediate it. And that's something that we do also.
The final step is investigating how the data got off those critical servers. If you have set your permissions to where a secretary can't get to critical data, maybe your investigation will discover that it was somehow on her desktop. This is where forensic investigation tools are really important for compliance, HR, and cyber investigations, to help you look for root cause on a system in order to determine what happened that put your data at risk, so you can then take the necessary next steps, including enacting change in policy to prevent that in the future.
It's an iterative process—it has to be, really, to stay one step ahead of the changes that are evolving so rapidly. You're going to consistently go through that process from start to finish, constantly updating a policy to prevent leakage of your most important IP.
CCBJ: Can you cite any examples of how the data sets of these new devices played out in projects that you've worked on?
Tod Ewasko: We are frequently asked to help IT departments perform collections from devices they don’t have access to. That's the biggest problem with bringing your own devices to work. Data exists that may be company related, maybe not. You had access to devices previously because IT gave employees the system. They usually created an admin password so they could get into it whenever they wanted to. Now it's user created, and IT has to ask the user to get into that device. We see that every day. Some companies end up closing their eyes from a corporate standpoint and saying, "I hope I don't get in trouble for it."
BYOD also raises challenges in litigation, if a corporate entity is getting sued and Legal is telling IT, "I want you to search the corporate network for communications from this person and that person, and I want to use these keywords." What's not explicitly stated is this person has different chat handles on WhatsApp or Signal, game applications, you name it. BYOD allows them to install the apps they want, so how is IT to even know what apps should be included? The only way to know it even exists would be to unlock the phone. How do you maintain a system like that? It's a very difficult process. Many companies are implementing communication solutions, like Slack or Skype for Business, so they have a centralized mechanism to produce chats. This didn’t solve all the problems in the cases I’ve seen, but it’s a start. Legal and IT need to work together closely from the onset to understand the company’s information governance, what devices may produce what data, etc., so that should they find themselves in litigation, Legal has a better understanding of what devices IT should be looking at, and can better inform IT in collection requests. After all, it’s Legal in the meeting negotiating who is in a lawsuit and what data to collect. When they actually know what type of data should be included, it makes these compliance or e-discovery litigation collections much more efficient.
Tod Ewasko joined AccessData in 2008 as a Product Support Technician for Discovery Cracker, moving into roles within Global Support and now most recently, Product Management. As Director of Product Management, Tod is responsible for interacting with customers to understand their data problems and determine how AccessData can bring products to market that address those challenges. Tod earned his Computer Science degree from UNF with a minor in Business Administration. He currently resides in Florida with his wife and six children.
Published May 22, 2018.