Enterprise Digital Rights Management
Intel Adopts Enterprise Rights Management

Intel recognises enterprise rights management as core to its future and the future of its employees according to its IT performance report for 2010 - 2011 titled “Delivering Competitive Advantage through IT” in which it said,

“We are implementing a secure integrated collaboration solution for our design engineers, with the goal of protecting Intel’s intellectual property while helping to accelerate silicon design. The new solution protects information at all times during creation, storage and transmission, using encrypted files and content repositories with enterprise rights management. This helps engineers be more productive by eliminating the need to secure data using manual methods. We began piloting the solution in 2010 in preparation for widespread deployment in 2011”.

Intel is surely leading the way for companies that depend highly on their intellectual property to survive, and if it is important for Intel to invest heavily in data security, it should serve as a wake-up call for businesses, especially technology businesses, that have a liberal attitude towards the protection of their intellectual property.

Is WatchDox Enterprise Rights Management?

Two weeks ago I read a press release about the latest round of funding for WatchDox, the online document security business. In his comments Moti Rafalin, the WatchDox CEO, said “Legacy enterprise digital rights management and data loss prevention products are failing to address the problem, and enterprises are realizing documents need to be seamlessly protected and controlled wherever they go.”

So what does Rafalin mean by Legacy enterprise digital rights management and data loss prevention products? Considering that both document security tools are less than 10 years old, what makes them legacy? To understand what he meant by legacy I revisited the WatchDox website to try and understand what WatchDox does that other enterprise rights management solutions don’t do.

First of all I watched the video, and everything demonstrated in this video is what most other vendors like Oracle, Fasoo, NextLabs, Covertix and CheckPoint, to name a few, also have the capability of doing. So what does Rafalin actually mean by his criticism of WatchDox’s competitors?

On the web page titled “WatchDox vs. DRM, IRM or eDRM”, 4 key differentiators are mentioned between WatchDox and enterprise rights management, namely:-

  • Ease of use
  • Facilitating sharing and collaboration
  • Extended control
  • Cost

Under ease of use the main claim is WatchDox’s no client installation; no passwords; no enterprise deployment; no IT; and no hassle. Like WatchDox, other vendors such as NextLabs and Covertix offer the same no client installation, while a majority of the other vendors offer the remaining features: no passwords, it does not have to be an enterprise deployment, and, apart from the server software installation, no further IT involvement is required.

Under facilitating sharing and collaboration WatchDox mentions that traditional DRM solutions typically deal with the insider threat. I definitely know that this is not the case as Fasoo, NextLabs and Oracle have always had a view to providing security both inside and outside the corporate firewall.

Under extended control WatchDox claims that it allows tracking, updating, revoking and changing document permissions even after they had been sent. Again, these are standard features that other enterprise rights management vendors offer in their software.

Regarding cost, other vendors are providing cheaper solutions. Fasoo has a file server solution that costs $5,000 and is implementing a number of SaaS solutions through its partners to lower the entry barrier. Costs from other vendors are also falling in line with the current economic situation in order to remain competitive.

So is WatchDox an enterprise digital rights management solution? I am certain it is, but is it any different from other vendors out there? Yes it is on the basis that it only offers a web based solution. However, there are opportunities for non web based solutions which its competitors offer.

WatchDox is an innovator in the enterprise rights management space because as a business it has found a way to lower the barriers to entry from a cost perspective and will continue to challenge the status quo, but it is not significantly different from any other enterprise rights management solution in the marketplace.

What Could Happen If You Don’t Employ Enterprise Rights Management

I was speaking to a senior executive last year who asked, “What could happen if I don’t use Enterprise Rights Management?” My reply was many things. Although I could not remember every single point listed below off the top of my head, I was able to articulate the salient points about the potential risks. So here are some events that could happen if you don’t employ Enterprise Rights Management.

  1. The perceived value of your business is eroded slowly through the loss of your intellectual property to competitors that former employees join or new startups by former employees.
  2. Investor confidence in your business’ ability to safeguard trade secrets begins to wane.
  3. You really don’t have full control of where your information assets are located and as such you cannot know when your confidential information gets into the wrong hands.
  4. You cannot control how your confidential information or sensitive data is used once you send it to a third party.
  5. Staff could mail confidential documents or sensitive data to the wrong recipient after which you have no control.
  6. You might never know when your intellectual property is taken without permission and used in a way that is counter-intuitive to your business.

So is your business at risk? Find out what enterprise rights management can do to stem the flow of your confidential information and intellectual property to your competitors.

    Corporate and Industrial Espionage To Rise In 2011

    Yesterday the car manufacturer Renault filed a criminal complaint on an industrial espionage case in which it asserts that a foreign company sought to obtain secrets related to its electric car program.

    The case involved 3 executives who have since been suspended. In an age where technology is advancing at a pace never seen in our lifetime, organizations will continue to jostle for dominance. In jostling for dominance, like the 3 executives that have been suspended on suspicion of selling corporate intellectual property to a rival car manufacturer, there are similar executives who will lay aside corporate ethics to pay for stolen confidential information.

    You would think that becoming an executive means that you have earned the trust of your employer, are considered to be a person of integrity and are on the path to an accomplished career. Therefore, considering the risk of being found out and ending a career due to industrial espionage, such an offer is completely out of the question. If you are that promising executive, will you blow the whistle on such an offer? What happens if you are offered say $750K or anything north of $1m for such information, will you say “NO”?


    The Future of Enterprise Rights Management: Standards or Interoperability

    Sachar Paulus of Kuppinger Cole and I rarely agree on the future of Enterprise Rights Management. First of all he still continues to refer to ERM as Digital Rights Management despite the fact that many closely associated with ERM have explained the difference to him. Secondly, he continues to refer to Apple when talking about ERM; unfortunately, as great a company as Apple is, it does not have its own ERM solution.

    In his latest post titled “Without standards for DRM and IRM Cloud Security will remain a daydream”, Sachar said there is a need for standards on Enterprise Rights Management. Again I commented on the post, disagreeing with his view that creating a standard for ERM is the last thing that is needed for this security tool.

    I come from an interoperability viewpoint and I strongly back the need for interoperability because it will enable ERM clients to switch from one vendor to another as and when they choose to, and I’ll soon expect them to demand this feature.

    As far as ERM is concerned I could say that we are still at the primitive level of interoperability which enables the administrator of the document to run a utility that will remove the security on a document or set of documents. This can then be secured using another ERM solution. At this stage not all ERM vendors provide this solution.

    Now creating a standard for Enterprise Rights Management is a different ball game altogether. Creating a standard means exposing the architecture of the ERM application; this makes it a target for a security breach. All you need is someone to create an algorithm to crack ERM and all solutions out there become vulnerable.

    Finally, I may be ranting on about nothing and someone out there disagrees with me. I’d like to hear your viewpoint: Standards or Interoperability?

    “These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds” - Christopher Graham, Information Commissioner.

    ICO: An Organisation with a Powerful Mandate

    In light of the recent fines imposed by the Information Commissioner’s Office I am yet to read any criticisms as to why it imposed the fines on the Hertfordshire County Council and Sheffield-based A4e. In fact what I am hearing is that the penalty did not go far enough.

    According to eWeek Europe online, British consumers would be in favour of stronger regulations for organisations that expose the personal data of their customers, with four out of five supporting mandatory breach disclosure laws, according to a survey carried out by OnePoll and published on Thursday by LogRhythm.


    Hold On A Minute! - Did I Miss the Point?

    Yesterday in Michigan, USA a former Ford employee admitted to a theft of $50 million worth of trade secrets and pleaded guilty. The problem with news like this one is the focus is always on the villain and how he or she carried out the crime.

    The question that comes to mind for me is how on earth could Ford be so vulnerable as to enable an employee to steal so many documents in the first place? This should never happen, especially where you are dealing with something that represents the life blood of an organization.


    Swiss Bank UBS employee leaked info on GM’s IPO

    Swiss bank UBS lost out on a major revenue stream when it was discovered that an employee leaked details about the impending GM IPO. This leak meant that GM is required by law to disclose the e-mail in a filing with the U.S. Securities and Exchange Commission.

    Up till November 3 UBS was listed as a proposed underwriter in GM’s IPO; however, it was dropped without reason. The person who leaked the email, the details of the email content and how widely the email was distributed are unknown, but GM said the e-mail went to various institutional investors.

    GM has claimed the e-mail does not reflect its views, while GM’s disclosure limits the company’s liability. It’s also unlikely that UBS or the employee would face any repercussions from the SEC but that revenue dent is already made.

    It is known that up to 80% of all data breaches do not become public knowledge, and here is a typical case. If it wasn’t for the disclosure in the IPO filing the public would be none the wiser. There must be at least 10 major data breaches happening every day that are impacting revenue, jobs and investor confidence. Data leaks through emails are a big challenge to information security but progress seems to be very slow in this area.

    Enterprise rights management has solutions that prevent employees from sending emails to wrong recipients; this solution, with data leak prevention or context sensitive DRM, can prevent scenarios like the one that happened to UBS. It is estimated that UBS lost £6.2m in revenue as a result of being dropped by GM.

    Solution: How To Avoid The ACS:Law Data Breach

    After last week’s high-profile data breach at ACS:Law, BT wants to halt legal applications to obtain customer details of people alleged to have taken part in illegal online file sharing. The telecoms company called for the moratorium and it is likely that other telecoms companies will follow the same route.

    This really should not be a big issue since the solution to solve this problem has been around for a while. It is called Enterprise Rights Management and works on the principle of persistent security which means the data cannot be used beyond what has been specified by the data owner, whether the data is in use, at rest or in motion.


    Strikes, Holidays and Data Loss

    By Ron Arden

    I was reading an interesting article in SC Magazine about how a transportation strike in London may be a cause for data loss in the workplace. The article quotes Mark Darvill, director at AEP Networks, saying about the strike that “… will drive employees to take vast amounts of confidential data out of the office leading to ‘briefcases around the capital becoming data loss ticking timebombs’.”

    I never really thought about a strike, or bad weather, or even a holiday being a potential security breach.  Many of us take information home on our laptops to work during the evenings or weekends.  Much of it is not confidential, but there is probably a percentage that is.  It may depend on the industry you are in.  If you are in financial services or healthcare, you probably have access to more confidential information on customers or patients than someone in the transportation business. 

    Most businesses and government agencies have procedures for handling confidential and private information as long as you are inside the company or agency.  If you have to work on something at home, there is usually a VPN to connect you to the company network.  That’s good for email and databases, but a lot of us tend to copy things locally when we work on them.  Even if they’re stored in a document management system, when you check them out, they are on your laptop.

    Of course one answer to this is to never let anyone copy these documents onto laptops or other portable devices.  That might sound good, but it’s not practical.  There is a tradeoff of productivity versus security.  If there’s a snowstorm and I can’t get to my place of business, I still need to work, so I need access to documents.  If I have to go on an airplane, the same is true.  If I can’t, nothing gets done.

    So how can you make sure that a tube strike doesn’t open your company up to a potential data breach? 

    First make sure that any communications between workers at home and the business is through a secure connection, like a VPN.  If you have web based access to information, either using SaaS or an on-premise application, make sure it’s using https. 

    Next, make sure that any documents going home are encrypted using an Enterprise Digital Rights Management system to control their access.  Even if they get into the wild, you can shut down their access, so they are useless to anyone other than the intended recipient.

    Last is to make sure all anti-virus and malware software is current and functioning on laptops, desktops and servers.  This way a worker at home can’t accidentally upload a virus or malware into the corporate network.

    This way you can let employees be productive when a strike hits your city or town, without worrying about giving away the keys to the castle.

    Ron Arden is the Vice President, Strategy & Marketing at eDocument Sciences LLC, a document solutions and enterprise rights management solutions company based in Amherst, New York. This post was originally posted on the eDocument Sciences blog.

    Photo credit Annie Mole

    Thoughts on the Recent Data Theft at Foxtons

    Last week I was reading the Evening Standard while on the train on my way home and my attention was drawn to the story on the recent data theft at Foxtons, the upmarket estate agent chain based around West London. What happened at this company is a classic case of a business not using technology to enforce protection on its intellectual property.

    The preference for policy, procedure and discipline to enforce compliance, without using technology to guarantee information security, is futile and is clearly not working. If I were a client of Foxtons and I knew that my data could be misused by any employee other than for the intended purpose, I would be very worried, considering the clients it has on its list are mainly high net worth individuals.


    Enterprise Rights Management Key To Securing Unstructured Documents

    I was reading a short article on the Computer Weekly website about the recent data breach at ACS:Law. The article echoes what I have been saying for quite some time about the security of unstructured documents. Amichai Shulman, chief technology officer at Imperva, commented that the recent data breach highlights a hidden security weakness in unstructured data.

    Many organisations have spent millions on securing their databases (structured), leaving a big security hole in not addressing the security of unstructured data. What many organisations forget or miss is that all the data in the database is not very helpful to executives and managers if it cannot be interpreted in a way that makes sense.
