Bill Blake Speaks On Avoiding Data Security Disasters
On December 16, 2010 Bill Blake spoke about how to avoid data breaches and leaks in your office during a Webinar sponsored by Toshiba America Business Solutions (TABS). With all the recent attention about sensitive information showing up on WikiLeaks, Bill discussed how you can avoid threats to your company’s confidential documents.
Bill gives some insight into the history of WikiLeaks and how a breakdown in security in the US government gave an insider the opportunity to steal information and make it available to the world. He shows how the perfect storm of means, motive, and opportunity crystallized into a large embarrassment and potential harm for the US government. Preventing a similar occurrence takes a combination of policy, process and technology. Bill shows some simple techniques and technologies to help you control and protect your most important information so this doesn’t happen to you.
Click here to listen to the webinar.
Seclore’s FileSecure Information Rights Management and Websense Data Loss Prevention Solution
In line with what many IT and security analysts have been predicting, Seclore Technology, a major player in the Enterprise Rights Management (ERM) marketplace, and Websense, a leading Data Loss Prevention (DLP) solution provider, have teamed up to provide an integrated solution that will help organisations protect their intellectual property and confidential data, as well as lower the total cost of ownership.
The integrated solution will enable companies to reduce the application of manual rights, as well as reduce cost and complexity, and ensure that policies are applied consistently and pervasively. As a result, customers will be able to automatically discover, tag, and protect confidential information within and outside of the enterprise.
How Enterprise Rights Management helps prevent sending emails to the wrong recipients.
In May 2010 details relating to a “significant” number of companies who do business with Tralee Town Council in Ireland were sent to rival suppliers by email.
The incident was a result of an error using a mail merge application used in the generation of pre-electronic fund transfer checks. This resulted in emails being issued out of sequence. Consequently, bank details of companies who do business with the council were released to other companies.
A similar breach occurred in 2008 when one of Eli Lilly’s (a major pharmaceutical) outside lawyers at Philadelphia-based Pepper Hamilton mistakenly emailed highly confidential information on settlement talks with the US government to New York Times reporter Alex Berenson instead of Bradford Berenson, her co-counsel at another law firm, Sidley Austin. The content of the email concerned a $1b secret settlement on the Zyprexa drug investigation.
Enterprise Rights Management can prevent embarrassing moments like these: an email that contains confidential information such as financial details, trade secrets, or boardroom communications is encrypted, and the recipient must authenticate before access to the content is granted. A message that lands in the wrong inbox therefore stays unreadable.
This solution does not have to be deployed across the enterprise but only in business units that deal with confidential data on a daily basis. If you think that your current operations could expose you to the same risk as Tralee Town Council or Eli Lilly, then you need to investigate how Enterprise Rights Management can resolve this problem.
If you have any questions on Enterprise Rights Management, send me your comments.
A new development idea for Information Rights Management
Some organisations may not see the reason for implementing Information Rights Management because in their view the “cat has been let out of the bag”, i.e. confidential documents have already been copied many times over. This is the wrong approach, because things will not get better but worse, resulting in a potentially embarrassing moment like a data breach.
Implementing Information Rights Management across an organisation can sometimes be challenging, especially if the very documents that you want to secure have been copied a number of times all over the organisation. The next step for Information Rights Management vendors is to develop software that can crawl the enterprise’s network and secure all documents that have been copied from the original document. Once a copied document has been identified, the policy that was applied to the parent document should be applied to it.
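As an added illustration of the crawl-and-inherit idea (example code written for this post, not the author's and not any vendor's product), the block below models the two halves of the problem: finding copies of a protected document on a file share, and applying the parent document's policy to each one. Exact copies are matched by file hash; modified copies (a word changed, a sentence appended) are matched by the similarity of hashed five-word windows. The sample corpus, the file paths, the shingle size and the 0.5 similarity threshold are all constructed for the demo.

```python
"""Locating copies of a protected document and inheriting the parent policy.

Added example, not from the original post or any vendor.  It models the
crawl-and-inherit idea with content fingerprints: an exact copy is found by
file hash, a modified copy by word-shingle similarity.  The shingle size (5)
and the 0.5 similarity threshold are constructed choices for this demo.
"""
import hashlib
import re


def shingles(text: str, k: int = 5) -> set:
    """Hashed k-word windows; a lightly modified copy still shares most of them."""
    words = re.findall(r"\w+", text.lower())
    windows = [" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))]
    return {hashlib.sha256(w.encode()).hexdigest()[:16] for w in windows}


def jaccard(a: set, b: set) -> float:
    """Share of windows common to both fingerprints (0.0 for two empty sets)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def find_copies(parent_text: str, crawled: dict, threshold: float = 0.5) -> dict:
    """Return {path: (score, kind)} for crawled files that are copies of the parent."""
    parent_hash = hashlib.sha256(parent_text.encode()).hexdigest()
    parent_fp = shingles(parent_text)
    found = {}
    for path, text in crawled.items():
        if hashlib.sha256(text.encode()).hexdigest() == parent_hash:
            found[path] = (1.0, "exact")       # byte-identical copy
            continue
        score = jaccard(parent_fp, shingles(text))
        if score >= threshold:
            found[path] = (round(score, 2), "derived")  # edited or extended copy
    return found


def inherit_policy(parent_policy: dict, copies: dict) -> dict:
    """Apply the parent's policy (kept as a plain dict here) to every identified copy."""
    return {path: {**parent_policy, "inherited_from": parent_policy["doc_id"]}
            for path in copies}


# Constructed sample corpus standing in for files found on a share crawl.
PARENT = ("This board memorandum sets out the proposed terms of the acquisition "
          "including the offer price per share the financing structure and the "
          "timetable for announcement. Distribution is restricted to the executive "
          "committee and external counsel until the offer is made public.")
PARENT_POLICY = {"doc_id": "board-memo-7",
                 "allowed": ["exec-committee", "external-counsel"],
                 "rights": ["view"]}
CRAWLED = {
    "//fileshare/finance/memo-copy.docx": PARENT,
    "//fileshare/users/jdoe/memo-notes.docx": PARENT.replace("timetable", "schedule")
        + " Forwarded copy: see attached summary for the finance team.",
    "//fileshare/facilities/lunch-menu.docx": "Lunch menu for Friday: soup, sandwiches "
        "and fruit. Please let reception know of any dietary requirements.",
}


def run() -> dict:
    """Crawl result for the constructed corpus: copies found and policies to apply."""
    copies = find_copies(PARENT, CRAWLED)
    return {"copies": copies, "policies": inherit_policy(PARENT_POLICY, copies)}


if __name__ == "__main__":
    for path, (score, kind) in run()["copies"].items():
        print(f"{kind:8} {score:.2f}  {path}")
```

Two of the three crawled files come back: the byte-identical copy as `exact`, the edited and extended copy as `derived` with a similarity a little above 0.6, while the unrelated lunch menu shares no five-word window and is ignored. The threshold is the tuning knob a real deployment would have to set per document class, since too low a value would sweep up unrelated documents and too high a value would miss heavily edited copies.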
Yes there are a number of questions that still need to be answered, but the benefits could be immense. Maybe this is an idea someone somewhere is already working on!
Quick guide to the differences between Enterprise Rights Management, File Encryption and Full Disk Encryption.
File Encryption, Full Disk Encryption and now Enterprise Rights Management! What does all this mean, and how are they all different?
File Encryption
- Encrypts individual files / folders
- Requires authentication to decrypt and access files
- May result in out-of-compliance status with mix of unencrypted and encrypted data
- Encryption is not persistent once files are decrypted
- Files protected by file encryption can only be accessed by the persons who have the right decryption key, but can be forwarded to unauthorised persons once decrypted
- The access policy is no longer enforced once decrypted
- You cannot withdraw access rights to the file once decrypted
Full Disk Encryption (FDE)
- Encrypts entire hard drive
- Replaces Master Boot Record with pre-boot environment
- Decrypts automatically as files are accessed; once decrypted, files can be forwarded and distributed freely
- Encryption is not persistent once files are decrypted
- Files protected by full disk encryption can only be accessed by the persons defined as having rightful access to the hard disk.
- The access policy is no longer enforced once a file is emailed or transferred from the disk
- You cannot withdraw access rights to the file once it leaves the hard disk
Enterprise Rights Management (ERM)
- Encrypts individual files / folders
- Authentication to access files can be piggybacked on your corporate authentication systems, e.g. Active Directory.
- May result in out-of-compliance status with mix of unencrypted and encrypted data
- Encryption is persistent even when files are accessed
- Files protected by Enterprise Rights Management are secured and can only be accessed by the persons and groups defined in the policy of the file
- The access policy can be enforced no matter the geographical location
- You can withdraw access rights to an ERM protected file at any time
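The three lists above, and the mis-sent email scenario earlier on this page, come down to one difference: with file encryption the recipient ends up holding the key, so the plaintext is theirs to forward and the author can never take it back, whereas with ERM the file carries no key and every open is a fresh, authenticated, policy-checked request to a server, which is what makes rights withdrawable after the fact. The block below is an added example written for this page, not code from the original post or from any ERM product. Its cipher is a constructed SHA-256 counter-mode keystream standing in for a real AEAD such as AES-GCM, and `PolicyServer` is a hypothetical in-memory stand-in for a vendor's policy service; the principals, passwords and memo text are constructed.

```python
"""Toy contrast between file encryption and ERM-style persistent protection.

Added example, not code from the original post or any ERM product.  The cipher
is a constructed SHA-256 counter-mode keystream standing in for AES-GCM, and
PolicyServer is a hypothetical in-memory stand-in for a vendor's policy service.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Symmetric, so the same call encrypts and decrypts.  Not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# --- File encryption: the recipient holds the key, so the plaintext is theirs ---
@dataclass
class EncryptedFile:
    nonce: bytes
    ciphertext: bytes


def encrypt_file(key: bytes, plaintext: bytes) -> EncryptedFile:
    nonce = os.urandom(16)
    return EncryptedFile(nonce, keystream_xor(key, nonce, plaintext))


def decrypt_file(key: bytes, f: EncryptedFile) -> bytes:
    # After this returns, nothing ties the plaintext to any policy.
    return keystream_xor(key, f.nonce, f.ciphertext)


# --- ERM style: the content key never leaves the policy server ------------------
@dataclass
class ProtectedFile:
    doc_id: str
    nonce: bytes
    ciphertext: bytes  # no key material inside; useless without a server grant


class PolicyServer:
    """Hypothetical policy service: authenticates the principal, checks the
    document policy on every open, and can revoke a principal at any time."""

    def __init__(self):
        self._keys = {}         # doc_id -> content key
        self._policies = {}     # doc_id -> set of allowed principals
        self._credentials = {}  # principal -> sha256(secret)
        self.audit = []         # (doc_id, principal, outcome)

    def register_user(self, principal: str, secret: bytes) -> None:
        self._credentials[principal] = hashlib.sha256(secret).digest()

    def protect(self, doc_id: str, plaintext: bytes, allowed: set) -> ProtectedFile:
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[doc_id], self._policies[doc_id] = key, set(allowed)
        return ProtectedFile(doc_id, nonce, keystream_xor(key, nonce, plaintext))

    def revoke(self, doc_id: str, principal: str) -> None:
        self._policies[doc_id].discard(principal)  # takes effect on the next open

    def _authenticate(self, principal: str, secret: bytes) -> bool:
        stored = self._credentials.get(principal)
        return stored is not None and hmac.compare_digest(
            stored, hashlib.sha256(secret).digest())

    def open_file(self, f: ProtectedFile, principal: str, secret: bytes) -> bytes:
        if not self._authenticate(principal, secret):
            self.audit.append((f.doc_id, principal, "auth-failed"))
            raise PermissionError("authentication failed")
        if principal not in self._policies.get(f.doc_id, set()):
            self.audit.append((f.doc_id, principal, "denied"))
            raise PermissionError("principal not in document policy")
        self.audit.append((f.doc_id, principal, "granted"))
        return keystream_xor(self._keys[f.doc_id], f.nonce, f.ciphertext)


def _is_denied(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Walk the mis-sent email scenario through both approaches."""
    memo = b"Constructed sample: confidential settlement terms"
    results = {}
    # 1. File encryption: one decryption and the plaintext is free to forward.
    shared_key = os.urandom(32)
    results["file_encryption_plaintext_is_free"] = (
        decrypt_file(shared_key, encrypt_file(shared_key, memo)) == memo)
    # 2. ERM: the memo is addressed to a policy, not to a key.
    server = PolicyServer()
    server.register_user("counsel@lawfirm.example", b"pw-counsel")       # constructed
    server.register_user("reporter@newspaper.example", b"pw-reporter")  # constructed
    protected = server.protect("memo-1", memo, {"counsel@lawfirm.example"})
    results["intended_recipient_opens"] = (
        server.open_file(protected, "counsel@lawfirm.example", b"pw-counsel") == memo)
    results["wrong_recipient_denied"] = _is_denied(   # same file, wrong inbox
        lambda: server.open_file(protected, "reporter@newspaper.example", b"pw-reporter"))
    server.revoke("memo-1", "counsel@lawfirm.example")  # withdrawn after sending
    results["revoked_after_send"] = _is_denied(
        lambda: server.open_file(protected, "counsel@lawfirm.example", b"pw-counsel"))
    results["audit_outcomes"] = [outcome for _, _, outcome in server.audit]
    return results
```

Running `demo()` gives the intended recipient one successful open, the wrong recipient a denial even though they authenticated correctly, and the intended recipient a denial after revocation; the server's audit list records all three outcomes, which is the detection side-effect the file-encryption path cannot provide because no server is ever consulted.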
References:
PGP Corporation: Building the Business Case for Endpoint Data Protection by Shilpi Dey, CISSP. Senior Product Marketing Manager
The impact of UK government cost cuts on Information Security.
As we all know the UK has a new government that has set out plans to cut costs in the face of a huge budget deficit. However, considering that the record of information security in the public sector has not improved much over the last few years, my concern is that many government bodies will see a drastic cut in their IT budgets, which means information security will see cuts, thereby making these government bodies more vulnerable to a data breach.
While database security has improved across many government units, it is estimated that up to 80% of the units still have no means of protecting unstructured data from leaving their firewalls. Tools like Data Loss Prevention and Enterprise Rights Management are yet to experience the acceptance levels similar to that of the private sector.
If the government wants to make sure the data breach figures continue to drop, this is definitely an area where it needs to increase spending rather than reduce it; otherwise the government might find itself paying more in compensation than it would have spent putting the right data security systems in place.
I have created a lens on Squidoo on Enterprise Rights Management to help businesses understand what it is. It will always be a work in progress as I am seeking to create the perfect lens on this topic.
Any ideas and all contributions are welcome.
The current state of data security in Financial Services.
I was reading the Financial Services Authority’s (the UK’s financial regulator) manual on Data Security in Financial Services recently and I must say it is one of the most comprehensive and easy to read manuals on data security. Although this is a big manual of 100 pages, I began to ask why so many companies are yet to be fully compliant in the area of data security. Please find below some reasons.
A few reasons among many why many financial firms are failing to identify all aspects of data security risk are:
- Many firms still do not appreciate the gravity of data security risk
- Some firms do not have the expertise to assess the risk and devise ways of mitigating them.
- Many firms fail to devote resources to address the risk because it is assumed to be a cost with no possible return
- In medium and large firms there is a lack of co-ordination among relevant business areas, leaving loopholes through which financial data can be compromised.
- Some firms still do not understand the value of customer data to criminals. In most cases a little bit of data here and there can be used to build up a profile for identity theft.
Even the new £500K maximum fine for a data breach has not done anything to change the position of these financial services companies. There are still many data security holes, even in the bigger firms. Some of the bigger firms still view data security in terms of compliance and not falling foul of the law, rather than taking it on as a responsibility to protect their customers.
You may be asking what all this has to do with Enterprise Rights Management. Well, while many firms use databases to store their data, it is routinely transferred to spreadsheets, text files, etc. for analysis and reporting. At the same time smaller firms do not use databases, but use spreadsheets instead. This makes a case for persistent security on such files, meaning they can only be accessed by authorised persons wherever they are located.
Reference:
Financial Services Authority’s manual on Data Security in Financial Services. April 2008.
Providing Persistent Security for Online Bill Repositories
Today a friend pointed me in the direction of MyBillsOnline (formerly OneVu Online), a website that lets you manage your gas, electric, water and other utility company bills online. The My Bills Online service allows you to consolidate all of your ebills in one secure location, without having to remember multiple usernames and passwords. The reason why my friend showed me this website was because we had an idea very similar to this about 2 years ago, but it never took off.
I began to search the website immediately for information on how the bills are secured, and the website uses SSL (Secure Sockets Layer), which is the standard for transmitting information securely over the web. Then I began to ask questions like: suppose I want an electronic copy of my bills in PDF format safely backed up, how does My Bills Online help me to persistently secure my electronic bills? In other words, how does My Bills Online ensure that I am the only one who has access to my electronic bills and statements once I have downloaded that information to my computer? This is the feature that is needed to complete the security picture.
While My Bills Online offers the following benefits:
1. Save money - many billing companies offer discounts for turning off paper bills
2. Save time by managing bills, even Direct Debits, from one secure place
3. Save the planet! Help reduce the environmental impact of paper billing
The picture is incomplete because financial institutions like American Express and many other companies that use electronic billing and encourage you to view and download your electronic bills, need to go a step further to help their customers by providing persistent security on documents downloaded in a file format. This persistent security is provided in the form of Enterprise Rights Management, and provides a means to protect the customers from any form of malware or unauthorised access that might be deployed to obtain personal data.
Over the next 3 to 5 years online bill repositories will become commonplace, but these businesses need to go the full length and provide security that persistently protects the customer’s data whether it is on the server or on the customer’s computer.
Like my blog content? Feedback Please…
Over the past few weeks I have covered a wide range of topics on Enterprise Digital Rights Management. What I would like to hear from you is whether the content meets your expectations. What would you like to see on this blog? What would you like to see me do?
I appreciate all feedback, both positive and negative with the aim of keeping your interest in the continuous development of Enterprise DRM. As I said in my first post, this is a journey and I hope you will participate in it.
Thank you for your interest and feedback.
Fasoo and Onehub plug security holes at AIIM
Reblogged from the eDocument Sciences Blog
Today at AIIM in Philadelphia, Fasoo and Onehub showed Onehub Transfers powered by Fasoo, an on demand Enterprise DRM service. The companies combined an easy way to securely transfer and track sensitive electronic documents with a way to encrypt and control what the user can do with them. With all the data and security breaches occurring in small and large companies, this is a great way to stop the bleeding.
I took a look at the product and it’s really easy to use. It’s SaaS so the pricing model is pay-as-you-go, which makes it easy for any business to get started without a lot of fuss. I talked to some people at the show about ways to use it and got a lot of excellent ideas.
An accountant told me that recently a lot of laws have passed in the US where CPAs and attorneys must send sensitive electronic documents to their clients encrypted. The fines can be very stiff for just emailing me a tax return or K1 that’s not protected. I also spoke to a government agency who talked about securely transferring sealed bids on projects. She wanted to make sure contractor bids don’t leak to the public or other contractors before the agencies officially publicize them.
Since Fasoo Enterprise DRM encrypts electronic documents and lets the author control who can view, print, save, and edit them, a business has control of its documents no matter where they are. Combining that with the collaboration and tracking features of Onehub makes this a great tool. One person who runs a channel sales organization for a large company told me that this is a great way to send monthly price lists to his resellers. He can encrypt the documents so only the distributor’s sales people can view them and then set the file to expire after a month. This way he controls who sees it, what they can do with it and also makes sure they can’t use an old price list.
Communicating IT: Keeping it simple
Having worked in Information Technology for almost 20 years I have learnt that we often do a very bad job at explaining what our technology does. I was reading a press release recently and I asked myself, who is this press release targeted at? It was littered with acronyms and jargon that could hardly be understood by many in IT, let alone business people.
If we are selling to business, and business managers, not IT managers, often make the final decision, why do we do such a bad job of communicating what Enterprise DRM does? We need to keep it simple, in fact very simple. When I explain what Enterprise Rights Management, also called Enterprise DRM or Information Rights Management, is, I want the person or persons I am educating to go away with a good understanding of what it does. Not only do I want them to go away with a good understanding, but I want it to stimulate ideas in them through the questions they ask.
So when we write press releases, technical articles, blog posts, etc., we will do very well to remember that it is business, not IT, that writes the cheques; therefore we should help ourselves by helping them understand what a particular technology does, and keep it very simple.