Last Updated on June 29, 2021
If your business needs to comply with the Cybersecurity Maturity Model Certification (CMMC) framework, you may have heard about PreVeil Drive, a cost-effective, end-to-end encryption solution for email and file sharing. Many SMBs in the US defense industrial base (DIB) are using PreVeil Drive to meet demanding CMMC Level 3 encryption requirements or quickly improve a NIST 800-171 self-assessment score, versus migrating their Microsoft 365 environment to GCC High.
What is the real-world time and effort required to deploy PreVeil Drive as a mechanism for handling files and emails that contain Controlled Unclassified Information (CUI)? And how does PreVeil impact users and your IT environment?
To fully understand PreVeil Drive’s value proposition for SMBs in the defense sector, a recent episode of The Virtual CISO Podcast featured PreVeil co-founder and CEO Sanjeev Verma. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the show.
High Value, Low Investment
“What I like about PreVeil is you get a lot of this value with a relatively low investment of effort,” shares John, who has worked with multiple organizations (including Pivot Point Security itself) that use PreVeil. “What did it take for a 100-person company to bounce their [DFARS self-assessment] score up by 30 to 40 points or some significant amount? How long did that take them and what did it involve?”
“This firm that achieved near-perfect NIST 800-171 scores [at a DIBCAC audit] did a few things right,” notes Sanjeev. “One, they worked with a consultant that gave them an early start. So they developed a nice System Security Plan (SSP), and the consultant looked at their strengths and weaknesses. When it came to CUI, the consultant said, ‘Look, we recommend that you go with the PreVeil system.’”
“And the actual act of deploying PreVeil onto the customer’s network took a few hours,” states Sanjeev. “Our onboarding team onboarded them. Now you might say, ‘That sounds too good to be true.’ But there’s a technical reason why you can be onboarded in a couple of hours as an enterprise, and the reason is because the PreVeil electronic mail and file-sharing system—even though it’s fully integrated with your file system and with your Outlook or Gmail, etc.—is not actually touching your Microsoft 365 commercial, etc. So the actual onboarding can occur and you can be off and running with PreVeil in a matter of a few hours.”
Easily Share Legacy CUI
Sanjeev continues: “The next step is to take your legacy CUI data and drag-and-drop it into your
PreVeil Drive, which is just a series of folders [in your file system]. And you can go and right-click and share them with whoever you want. [The effort to] take control of your legacy data can vary by organization from a few hours to days, or it can take a few weeks if you’ve got a ton of legacy data and you want to just basically drag-and-drop it at your pace that’s convenient.”
The PreVeil usage metaphor is similar to Dropbox, for example. A key difference is that the CUI you store in PreVeil Drive is encrypted and uploaded to AWS GovCloud, a highly secure environment that meets CMMC Level 3 and NIST 800-171 requirements.
“That’s the master copy, and when you change anything on your end it’ll be synced with that,” notes Sanjeev. “The nice thing is since the system is end-to-end encrypted, all that is sitting on GovCloud is an encrypted copy, and neither Amazon nor PreVeil can look at it. And so neither can the attacker.”
“We’ve seen recently where even a sophisticated server like the Microsoft Exchange Server got breached on a massive scale: 250,000 servers, 30,000 organizations,” Sanjeev points out. “And the way the breach occurred was, exploit a vulnerability, get to the server, since the server can see the information so could the attacker. With the PreVeil data that is sitting on AWS GovCloud, since it’s end-to-end encrypted, the server sees nothing. So in the event that either an attacker gets to the server or an Amazon admin is breached or an admin on your end is breached or a PreVeil admin, nothing [but non-decryptable gobbledygook] is visible because we have no access to the information whatsoever. … But to the end-user it looks no different from any other file on your system.”
If you’re a defense contractor looking to “lower the bar” to CMMC Level 3 or NIST 800-171 compliance, be sure to catch this podcast episode with PreVeil CEO Sanjeev Verma.