Enterprise Digital Rights Management
Understanding Enterprise Rights Management

Enterprise rights management has been around for over 10 years, and it still baffles me how many data security consultants, IT journalists and bloggers get it all wrong when it comes to understanding what enterprise rights management can and cannot do. On the other hand, it may be that there is a lack of effective communication from many of the enterprise rights management vendors.

In an article I commented on over the weekend, the writer, referring to enterprise rights management, said “this type of protection typically applies only when the document is in transit”. If I were to write on a technology for which I do not have the full facts, I am under obligation to my audience to do some research, understand what the facts are, and communicate those facts in a fair and objective manner.

So, as the first blog post of the year, I’d like to do a quick primer on what enterprise rights management can do.

The 3 States of Data: If you are a regular reader of this blog you will know that enterprise rights management does more than protect data in transit. Like water, which can be liquid, solid or gas, data has 3 states in which it can exist.

Data can be at rest, i.e. stored on a server, laptop, USB key or any mobile device, to name a few. Data can also be in use, i.e. the content is being read, edited, printed or copied. And finally, data can be in transit over a network via email or FTP.

Enterprise rights management has the ability to protect data in any of these 3 states. If the solution you are being offered cannot protect your data in all three states, it is not enterprise rights management. The ability to secure data in all 3 states is referred to as “persistent security”.

Policy creation and management: Enterprise rights management helps data custodians define what users can and cannot do with the data secured with this tool. The policy defined for a document generally revolves around the following controls:

1. Editing
2. Reading
3. Copy/Paste (including screen capture)
4. Printing

Another aspect of policy management is the ability to revoke access to a file or document no matter where it is located in the world. Many enterprise rights management vendors alert the document custodian when a file has been accessed for the first time.

Decentralized administration: One of the key challenges of data security has been that a data security administrator had access to data that was above his or her pay grade. With enterprise rights management the security of the data is administered by the data owner. This considerably reduces the risk of a data breach.

Auditing: Enterprise rights management should and must provide an audit trail of how all documents secured by it are used. This can be a very effective tool when a data breach has occurred.
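The policy, revocation and audit behaviour described in the sections above, sketched as an added example (not code from any ERM vendor or from this blog). `PolicyServer`, the document id and the user names are hypothetical, and the sketch models only the decision logic, not the encryption or client-side enforcement a real product needs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

CONTROLS = {"read", "edit", "copy", "print"}  # the four controls listed in the post

@dataclass
class DocumentPolicy:
    owner: str                                  # the data owner administers the policy
    grants: dict = field(default_factory=dict)  # user -> set of permitted controls
    revoked: bool = False

class PolicyServer:
    """Hypothetical policy server: decides every use and audits every decision."""
    def __init__(self):
        self.policies, self.audit, self.alerts = {}, [], []

    def protect(self, doc_id, owner, grants):
        for user, rights in grants.items():
            if set(rights) - CONTROLS:
                raise ValueError(f"unknown control granted to {user}")
        self.policies[doc_id] = DocumentPolicy(owner, {u: set(r) for u, r in grants.items()})

    def revoke(self, doc_id, requester):
        policy = self.policies[doc_id]
        if requester != policy.owner:  # decentralized administration: owner only
            raise PermissionError("only the data owner may revoke access")
        policy.revoked = True

    def request(self, doc_id, user, action):
        policy = self.policies.get(doc_id)
        # Default deny: unknown document, revoked policy or missing grant all fail.
        allowed = bool(policy and not policy.revoked
                       and action in policy.grants.get(user, set()))
        first = allowed and not any(e["doc"] == doc_id and e["allowed"] for e in self.audit)
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(), "doc": doc_id,
                           "user": user, "action": action, "allowed": allowed})
        if first:  # alert the custodian the first time the document is opened
            self.alerts.append((policy.owner, doc_id, user))
        return allowed

def demo():
    # Constructed sample data: the document id and user names are made up.
    server = PolicyServer()
    server.protect("q3-forecast", "alice", {"bob": {"read", "print"}, "carol": {"read"}})
    results = [server.request("q3-forecast", "bob", "read"),      # granted
               server.request("q3-forecast", "carol", "print"),   # read-only user
               server.request("q3-forecast", "mallory", "read")]  # no grant at all
    server.revoke("q3-forecast", "alice")
    results.append(server.request("q3-forecast", "bob", "read"))  # after revocation
    return results, server
```

Because the decision is taken at the moment of use rather than at the moment of delivery, revocation reaches copies that have already left the organisation, and denied attempts appear in the audit trail alongside permitted ones.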

Integration: Enterprise rights management should have the ability to integrate into other enterprise-wide systems like enterprise content management, customer relationship management, email management, message archiving, eDiscovery and a myriad of cloud-based systems.

This ability to integrate with enterprise based systems does not mean that enterprise rights management has to be deployed at an enterprise level.

Conclusion

There are other features that are provided by the various enterprise rights management vendors, and it is always a good thing to do an evaluation based on your organisation’s specific requirements. If you require help in choosing an enterprise rights management tool, drop me a line.

Bill Blake Speaks On Avoiding Data Security Disasters

On December 16, 2010 Bill Blake spoke about how to avoid data breaches and leaks in your office during a Webinar sponsored by Toshiba America Business Solutions (TABS).  With all the recent attention about sensitive information showing up on WikiLeaks, Bill discussed how you can avoid threats to your company’s confidential documents. 

Bill gives some insight into the history of WikiLeaks and how a breakdown in security in the US government gave an insider the opportunity to steal information and make it available to the world.  He shows how the perfect storm of means, motive, and opportunity crystalized into a large embarrassment and potential harm for the US government.  Preventing a similar occurrence takes a combination of policy, process and technology.  Bill shows some simple techniques and technologies to help you control and protect your most important information so this doesn’t happen to you.

Click here to listen to the webinar

WikiLeaks and Cyber Security by Jon Oltsik

Jon Oltsik of the Enterprise Strategy Group is one of the data security consultants that I follow and respect. He put across a rational view on WikiLeaks and Cyber Security, and I suggest that you read his recent blog post on this topic.

You can access this blog post here….

Wikileaks: How To Prevent Your Organization From Being The Next Victim

The recent Wikileaks revelation has revealed that protecting confidential data is not about whole disc encryption or simple file encryption, but persistent security such that only those who are entitled to access the documents can do so, and no one else.

Above all, you can track and trace the usage of those sensitive documents no matter where they are located. I truly believe the US government’s documented comments and conversations, which are all now in the public domain, could have been prevented if this type of security was employed.

Organizations should really take a look at what Enterprise Rights Management has to offer and how it can protect the reputation of an establishment, be it in the public or private sector. With the likes of Wikileaks and the insatiable appetite for curiosity, it is now becoming an essential tool for information security.

Companies warned as data theft disputes surge

Employers warned over data security as High Court data theft disputes rise by 313% and first Data Protection Act fines are issued.

Read the entire article on the Telegraph website: http://www.telegraph.co.uk/finance/businessclub/8157244/Companies-warned-as-data-theft-disputes-surge.html

ICO: An Organisation with a Powerful Mandate

In light of the recent fines imposed by the Information Commissioner’s Office, I am yet to read any criticisms as to why it imposed the fines on Hertfordshire County Council and Sheffield-based A4e. In fact, what I am hearing is that the penalty did not go far enough.

According to eWeek Europe online, British consumers would be in favour of stronger regulations for organisations that expose the personal data of their customers, with four out of five supporting mandatory breach disclosure laws, according to a survey carried out by OnePoll and published on Thursday by LogRhythm.

Hold On A Minute! - Did I Miss the Point?

Yesterday in Michigan, USA, a former Ford employee admitted to a theft of $50 million worth of trade secrets and pleaded guilty. The problem with news like this is that the focus is always on the villain and how he or she carried out the crime.

The question that comes to mind for me is how on earth could Ford be so vulnerable as to enable an employee to steal so many documents in the first place? This should never happen, especially where you are dealing with something that represents the lifeblood of an organization.

LockLizard release PDF Enterprise Rights Management for large publishers and corporate enterprises

Control and Audit document use with LockLizard PDF DRM Software

If you are looking to control who is using your PDF documents, and how they are being used, then look no further than LockLizard Safeguard Enterprise PDF Security.

Safeguard Enterprise PDF Security is LockLizard’s latest Digital Rights Management (DRM) software product, providing PDF DRM protection to the large publisher or corporate enterprise.

Apart from preventing intellectual property theft by controlling document use, Safeguard Enterprise PDF Security enables publishers to track how authorized users are using their documents (when they are viewed, when and how many times they are printed, etc.).

Safeguard Enterprise PDF Security prevents PDF copying, sharing, modifying and screenshots, controls document expiry, stops printing (or lets you control the number of prints allowed) and enforces dynamic watermarks.  Individual user details can be displayed on documents when they are viewed and/or printed to deter casual copying by digital cameras or photocopies. If publishers feel their documents are being misused then they can instantly revoke access to them.

Safeguard Enterprise PDF Security entry level pricing is just $4995 for a subscription license, with perpetual and own server licenses available. More information can be found at http://www.locklizard.com/pdf_drm_security.htm

Swiss Bank UBS employee leaked info on GM’s IPO

Swiss bank UBS lost out on a major revenue stream when it was discovered that an employee leaked details about the impending GM IPO. This leak meant that GM is required by law to disclose the e-mail in a filing with the U.S. Securities and Exchange Commission.

Up till November 3, UBS was listed as a proposed underwriter in GM’s IPO; however, it was dropped without reason. The person who leaked the email, the details of the email content and how widely the email was distributed are unknown, but GM said the e-mail went to various institutional investors.

GM has claimed the e-mail does not reflect its views, while GM’s disclosure limits the company’s liability. It’s also unlikely that UBS or the employee would face any repercussions from the SEC but that revenue dent is already made.

It is known that up to 80% of all data breaches do not become public knowledge, and here is a typical case. If it wasn’t for the disclosure in the IPO filing, the public would be none the wiser. There must be at least 10 major data breaches happening every day that are impacting revenue, jobs and investor confidence. Data leaks through emails are a big challenge to information security, but progress seems to be very slow in this area.

Enterprise rights management vendors have solutions that prevent employees from sending emails to the wrong recipients. Such a solution, combined with data leak prevention or context-sensitive DRM, can prevent scenarios like the one that happened to UBS. It is estimated that UBS lost £6.2m in revenue as a result of being dropped by GM.

Enterprise Rights Management A Crucial Information Security Tool

The first enterprise rights management seminar was held in London last week, hosted by Documentti and sponsored by Fasoo.com. During the event Jason Sohn, the International Business Development Manager at Fasoo, identified the key reason why enterprise rights management has been adopted more rapidly in Asia than in any other part of the world.

He said it is not uncommon for an employee to leave one company and turn up in another company in another with the intellectual property of their former employer. Once your Intellectual property is out there you really don’t have any control over who gains access to it. This means your corporate strategy for the next 5 or 10 years could be undone in a few keystrokes.

Persistently Protecting Your Computer Aided Designs

Enterprise Rights Management has over the years made great inroads into the protection of computer aided design files. 95% of CAD files represent intellectual property of businesses around the world; however, the dark side of CAD is that files in electronic format can be emailed or transferred to another party without the knowledge of the owner of the content.

Today many designs are sent to countries like China, Indonesia and India for manufacturing, with confidential disclosure contracts binding on the manufacturer, but what happens if a rogue employee gets hold of the designs and sells them on to other businesses? As an owner of intellectual property like computer aided designs, you owe it to the survival of your business to make sure you can monitor where your IP is and be in control of it no matter where it may be located.

Quick guide to Oracle IRM 11g: Sample use cases

Simon Thorpe of Oracle IRM has just written a post on what follows on from data classification in his quick guide series. For each use case Simon walks through the important decisions made and resulting context design to help you understand how enterprise rights management is used in the real world. This is a must read article with great insights.

To access this interesting post click here

Invitation: Enterprise Rights Management Seminar In London

On November 11, 2010, Fasoo.com, one of the leading enterprise rights management vendors, and Documentti Inc, a UK-based partner to Fasoo and the company I work for as a partner, will be hosting an enterprise rights management seminar. The keynote speech will be given by Steve Gold, the technical editor of InfoSecurity Magazine. Come and learn why you need to protect your sensitive documents and confidential information. You will also get insights into how enterprise rights management strategically sits within your overall information security strategy.

To register for the seminar click here. We have made every effort to make your stay at the seminar convenient: there will be Wi-Fi access to enable you to stay in touch, and lunch will be served (please let us know during registration if you have any special dietary requirements). The Grange City Hotel has fantastic access to all means of transport within central London. Click here to see directions to the hotel.

All enquiries about the seminar should be sent to the London Seminar Enquiry
