Enterprise Digital Rights Management
Hold On A Minute! - Did I Miss the Point?

Yesterday in Michigan, USA, a former Ford employee admitted to the theft of $50 million worth of trade secrets and pleaded guilty. The problem with news like this is that the focus is always on the villain and how he or she carried out the crime.

The question that comes to mind for me is how on earth could Ford be so vulnerable as to enable an employee to steal so many documents in the first place? This should never happen, especially where you are dealing with something that represents the lifeblood of an organization.


New Portal for Enterprise Rights Management

There is a new enterprise rights management web resource called enterprisedrm.net, which has been put together to enable you to access information on Enterprise Rights Management. This web resource is a vendor-neutral portal that contains articles, references to white papers, blogs and the latest news on the enterprise rights management marketplace.

The aim of the site is to educate executives, CIOs, security strategists, and information managers about the role enterprise rights management has in their overall corporate security strategy.

There is also a discussion forum where anything related to enterprise rights management can be discussed. Expect to see a lot of useful information on data leakage prevention, as there is an increasing convergence between both endpoint data security tools.

If you have an interest in enterprise rights management and/or data leakage prevention we would like to hear from you on how we can improve this resource for you and others.

If there is any resource that you would like to add to the site, please send it in to info@enterprisedrm.net and we will add it to the site. The site is a work in progress, so expect to see many changes to it.

We are also flexible in that we could reference white papers, research papers and new items directing them to your website; all you have to do is write an introduction.

We look forward to your contribution to this resource with the aim of educating the marketplace about the importance of persistent security and the role enterprise rights management and data leakage prevention play to achieve that security.

Gartner Paper Review: Getting Your Organization Ready to Deploy Enterprise Rights Management

Last month Gartner released another research paper titled “Getting Your Organization Ready to Deploy Enterprise Digital Rights Management”, authored by Eric Quellet, who has written many papers on Enterprise Rights Management at Gartner. This paper is based on 4 key findings, 3 of which I think are very significant, namely:

  • The overcomplication of deployments by attempting to accomplish too many goals.
  • A lack of proper preplanning and predeployment activities to successfully leverage Enterprise Rights Management.
  • Sometimes Enterprise Rights Management is not the right solution required to protect sensitive documents.


Is Your Price List Under Lock and Key?

Yesterday, I wrote a post titled “What Global Companies Are Spending on Google” in which confidential information about advertising spend on some of Google’s major accounts was leaked to the public domain. From an outside perspective one may ask, what is all the fuss about that information becoming public? Well, here is one reason: one can roughly work out who is paying less or more for their advertising and come to the conclusion that they are operating on different price lists. So you can see why it is so critical to Google that this information is tightly secured.


Who Should Be Blamed For A Data Breach?

I was reading a recent article where an employee of the Manchester Police lost a USB drive. The Daily Star, which reported the breach, wrote that a high-ranking source in the department said whoever lost the drive was in for “a right rollicking”, meaning punishment of some sort will be awarded to the person responsible.

But who should be blamed for a data breach, employee or employer? Whenever there is a data breach, it is the person that loses the data who is made the scapegoat. There are many information security endpoint tools that can help users keep confidential data safe from prying eyes. I believe organisations should take a serious look at their internal processes whenever there is a data breach, and ask what can be done to reduce human error or a deliberate effort to steal data. We are all humans and things get lost and forgotten; the question is what needs to be done to make the confidential data inaccessible to unauthorised persons?


The Impact of UK Government Spending Cuts on Information Security

Since the last election, the current UK coalition government has outlined plans to cut £6.2bn, most of what the new government calls “wasteful spending”, to start to reduce the budget deficit. The government plans to cut £95m from its IT spending as part of its effort to save £6.24bn in its first round of cuts. Many within IT circles are concerned that this makes government, at both the central and local levels, more vulnerable than ever before to all sorts of computer and data security attacks.


Another Solvable Problem Using Enterprise Rights Management.

The Office of Inadequate Security recently reported a major data breach at East Devon District Council where the personal data of almost 2,000 council workers was leaked. The incident happened when a former manager of the council sent the data in an Excel file to a private email address.

The council says the incident was “unauthorised” and affects 1,891 staff, councillors, employees of Leisure East Devon and pensioners formerly employed at the council. This is a situation that could have been prevented using both Data Leak Prevention (DLP) and Enterprise Rights Management (ERM).


Sophos Blog Post on Information Rights Management & DLP

Yesterday, 2nd September 2010, John Stringer, the DLP product manager at Sophos, did a guest post on Graham Cluley’s blog. The aim of the post was to explore how Sophos’ Data Loss Protection (DLP) technology can help companies tackling Information Rights Management. I wanted to comment on that post, but found comments were not allowed. The disadvantage of having a blog that does not allow comments, especially if you sell products and services, is the perception of a closed or insular company that wants to tightly control everything that is being said. I owe it to my audience to be able to comment on my posts, especially if they don’t agree with what I have written. Moreover, if I sell products and services, it is a great opportunity to get feedback from my customers. I am disappointed that comments were not allowed on this blog. However, this does not take away what Graham has achieved through his work.


Understanding the value of persistent document security with IRM and DLP

Simon Thorpe of Oracle Information Rights Management has just released another interesting post on how Information Rights Management and Data Leakage Prevention are becoming more integrated solutions. It’s a short post that gives you an idea of the capabilities of both security tools. Enjoy.

To access the blog post click here….

Enterprise Rights Management: The forgotten data security space

As a matter of interest I am always monitoring news and what is being said about Enterprise Rights Management. A couple of days ago I came across a blog post titled “ERM The forgotten data security space”. I posted a comment in response to this post, shown below. To read the blog post go here…

Peter’s response

I am not sure ERM was ever a forgotten data security space as mentioned in this post. Part of the challenge that Enterprise Rights Management faced stemmed from the overwhelming task of organisations having to classify their data to get it to work. Also ERM in its early days was not as feature rich as it is today.


Gartner Paper Review: Enterprise Digital Rights Management

A few weeks ago I mentioned in one of my blog posts that Gartner has had its radar on Enterprise Rights Management. I also mentioned in that post that I would review the 2 most recent papers on Enterprise Rights Management, and that is what I intend to do here by reviewing the first paper published in May this year.

Enterprise Digital Rights Management by Eric Quellet is a must-read paper for any organisation that is considering Enterprise Rights Management. It helps decision makers consider the implications of using Enterprise Rights Management to protect their intellectual property and how best to implement it. Eric starts off with the latest key findings about this security tool, in which he refers to the proprietary nature of current EDRM solutions, for which there are no industry-wide standards. This has benefits from my perspective because it drives innovation for EDRM to become more user friendly and help reduce the total cost of ownership. There is something inherent about standards that slows the pace of innovation and development.


Seclore’s FileSecure Information Rights Management and Websense Data Loss Prevention Solution

In line with what many IT and security analysts have been predicting, Seclore Technology, a major player in the Enterprise Rights Management (ERM) marketplace, and Websense, a leading Data Loss Prevention (DLP) solution provider, have teamed up to provide an integrated solution that will help organisations protect their intellectual property and confidential data, as well as lower the total cost of ownership.

The integrated solution will enable companies to reduce the application of manual rights, as well as reduce cost and complexity, and ensure that policies are applied consistently and pervasively. As a result, customers will be able to automatically discover, tag, and protect confidential information within and outside of the enterprise.


Important Webcast Reminder: Protecting What Matters - The Era of Fences is Over

This is a reminder to register for this much anticipated webcast if you have not done so.

When: Aug 05 2010 12:00 pm (EST)

Presenting: Jay Leek, Nokia, Global Manager, Corporate IT Security

It was not too many years ago when companies thought they were secure by simply deploying a firewall or other network security related solutions. Then came other infrastructure related security solutions, followed by the application security related buzz. While all of these solutions are important and still needed today, they often miss the target of what’s most important to an organization: protecting the data, or intellectual property, itself.


PCI Compliance using Seclore FileSecure

Are you working towards PCI-DSS compliance? Are you engaged in continuous improvement of your PCI certified processes? Then it is time to include best practices in Information Rights Management (IRM) as part of your document management (DM) or data leak prevention (DLP) efforts in the security processes.

The PCI-DSS standard prescribes 12 principles and an accompanying set of detailed requirements for compliance. Broadly, the standard requires the organization to encrypt data, define and enforce access rights, track and monitor data access and assign unique IDs to users, among other requirements. The overall goal is to build a high level of security in organizations that are accepting or that transact credit card payments or handle data related to the same.

Such sensitive data is usually at rest in secured databases. However, at times, it is necessary for this data to be shared among various stakeholders in the course of day-to-day business, in the form of documents. To protect these sensitive documents while meeting PCI compliance requirements, a technology-enabled solution like Seclore FileSecure will enable the organization to track and manage these documents or emails as they move over the network between internal and external stakeholders, while adhering to the principle of least privilege.

Seclore FileSecure will help the organization meet a number of provisions in PCI requirements 4, 7 and 10 in the process of data transmission and sharing amongst stakeholders. These identified requirements address encryption during transmission; restriction of access based on the user’s need-to-know; and, tracking and monitoring of network resources and cardholder data.

The Seclore IRM solution provides a user friendly method to restrict access to documents with sensitive cardholder data, eliminating the need for resource intensive (and user unfriendly) encryption / decryption of shared documents. Additionally the solution makes it easy for access rights to be assigned on a need-to-know basis at the start of the document lifecycle itself, with the facility to withdraw or add shares.

These features are supported by extensive logging to enable traceability and audit requirements as mandated by PCI. File access and related actions are logged in granular detail. These logs provide information about the document use, edits, machine, location, time of access etc.

Seclore FileSecure helps meet PCI-DSS compliance in the following areas:

4. Encrypt transmission of cardholder data across open, public Networks
4.2a Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies
7. Restrict access to cardholder data by business need-to-know
7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
7.1.2 Assignment of privileges is based on individual personnel’s job classification and function
7.1.4 Implementation of an automated access control system
7.2.3 Default “deny-all” setting
10. Track and monitor all access to network resources and cardholder Data

As well as providing an additional level of compliance assurance with PCI-DSS requirements in respect of the security of documents with sensitive data that are being shared over messaging networks, or in storage, the solution also serves as a default automated mechanism to deny access to persons who have left the organization or to those moving internally to different roles.

Considering the cost of cardholder data loss, it is imperative for organizations to enable multiple barriers in the form of controls that are business enablers.

IRM technology, though relatively new, addresses multiple concerns from the business perspective and makes it easy for users at all levels to be able to build security controls in at the start of the document lifecycle, and keep it protected throughout.

Reblogged from the seclore technology blog.