Enterprise Digital Rights Management
The Future of Enterprise Rights Management: Standards or Interoperability

Sachar Paulus of Kuppinger Cole and I rarely agree on the future of Enterprise Rights Management. First of all, he still continues to refer to ERM as Digital Rights Management, despite the fact that many people closely associated with ERM have explained the difference to him. Secondly, he continues to refer to Apple when talking about ERM; unfortunately, as great a company as Apple is, it does not have its own ERM solution.

In his latest post, titled “Without standards for DRM and IRM Cloud Security will remain a daydream”, Sachar said there is a need for standards on Enterprise Rights Management. Again I commented on the post disagreeing with his view: creating a standard for ERM is the last thing that is needed for this security tool.

I come from an interoperability viewpoint and I strongly back the need for interoperability, because it will enable ERM clients to switch from one vendor to another as and when they choose to, and I expect they will soon demand this feature.

As far as ERM is concerned, we are still at a primitive level of interoperability: the administrator of a document can run a utility that removes the security from a document or set of documents, which can then be secured using another ERM solution. At this stage not all ERM vendors provide such a utility.

Now, creating a standard for Enterprise Rights Management is a different ball game altogether. Creating a standard means exposing the architecture of the ERM application, and this makes it a target for a security breach. All you need is someone to create an algorithm to crack ERM and all solutions out there become vulnerable.

Finally, I may be ranting on about nothing and someone out there disagrees with me. I’d like to hear your viewpoint: standards or interoperability?

ICO: An Organisation with a Powerful Mandate

In light of the recent fines imposed by the Information Commissioner’s Office, I have yet to read any criticism of why it imposed the fines on Hertfordshire County Council and Sheffield-based A4e. In fact, what I am hearing is that the penalty did not go far enough.

According to eWeek Europe online, British consumers would be in favour of stronger regulations for organisations that expose the personal data of their customers, with four out of five supporting mandatory breach disclosure laws. The figures come from a survey carried out by OnePoll and published on Thursday by LogRhythm.


Hold On A Minute! - Did I Miss the Point?

Yesterday in Michigan, USA, a former Ford employee admitted to the theft of $50 million worth of trade secrets and pleaded guilty. The problem with news like this is that the focus is always on the villain and how he or she carried out the crime.

The question that comes to mind for me is how on earth Ford could be so vulnerable as to allow an employee to steal so many documents in the first place. This should never happen, especially where you are dealing with something that represents the life blood of an organization.


Solution: How To Avoid The ACS:Law Data Breach

After last week’s high-profile data breach at ACS:Law, BT wants to halt legal applications to obtain the customer details of people alleged to have taken part in illegal online file sharing. The telecoms company called for the moratorium, and it is likely that other telecoms companies will follow the same route.

This really should not be a big issue, since the solution to this problem has been around for a while. It is called Enterprise Rights Management and works on the principle of persistent security, which means the data cannot be used beyond what has been specified by the data owner, whether the data is in use, at rest or in motion.


Strikes, Holidays and Data Loss

By Ron Arden

I was reading an interesting article in SC Magazine about how a transportation strike in London may be a cause of data loss in the workplace. The article quotes Mark Darvill, director at AEP Networks, saying about the strike that it “… will drive employees to take vast amounts of confidential data out of the office leading to ‘briefcases around the capital becoming data loss ticking timebombs’.”

I never really thought about a strike, or bad weather, or even a holiday being a potential source of a security breach. Many of us take information home on our laptops to work during the evenings or weekends. Much of it is not confidential, but there is probably a percentage that is. It may depend on the industry you are in: if you are in financial services or healthcare, you probably have access to more confidential information on customers or patients than someone in the transportation business.

Most businesses and government agencies have procedures for handling confidential and private information as long as you are inside the company or agency. If you have to work on something at home, there is usually a VPN to connect you to the company network. That’s good for email and databases, but a lot of us tend to copy things locally when we work on them. Even if they’re stored in a document management system, when you check them out, they are on your laptop.

Of course, one answer to this is to never let anyone copy these documents onto laptops or other portable devices. That might sound good, but it’s not practical. There is a tradeoff of productivity versus security. If there’s a snowstorm and I can’t get to my place of business, I still need to work, so I need access to documents. If I have to go on an airplane, the same is true. If I can’t, nothing gets done.

So how can you make sure that a tube strike doesn’t open your company up to a potential data breach?

First, make sure that any communication between workers at home and the business goes through a secure connection, like a VPN. If you have web-based access to information, either using SaaS or an on-premise application, make sure it’s using HTTPS.

Next, make sure that any documents going home are encrypted using an Enterprise Digital Rights Management system to control access to them. Even if they get into the wild, you can shut down access, so they are useless to anyone other than the intended recipient.

Last, make sure all anti-virus and anti-malware software is current and functioning on laptops, desktops and servers. This way a worker at home can’t accidentally upload a virus or malware into the corporate network.

This way you can let employees be productive when a strike hits your city or town, without worrying about giving away the keys to the castle.

Ron Arden is the Vice President, Strategy & Marketing at eDocument Sciences LLC, a document solutions and enterprise rights management solutions company based in Amherst, New York. This post was originally published on the eDocument Sciences blog.


Thoughts on the Recent Data Theft at Foxtons

Last week I was reading the Evening Standard on the train on my way home, and my attention was drawn to the story of the recent data theft at Foxtons, the upmarket estate agent chain based around West London. What happened at this company is a classic case of a business not using technology to enforce protection of its intellectual property.

The preference for policy, procedure and discipline to enforce compliance, without using technology to guarantee information security, is futile and is clearly not working. If I were a client of Foxtons and knew that my data could be misused by any employee for purposes other than those intended, I would be very worried, considering that the clients on its list are mainly high net worth individuals.


Who Should Be Blamed For A Data Breach?

I was reading a recent article in which an employee of the Manchester Police lost a USB drive. The Daily Star, which reported the breach, wrote that a high-ranking source in the department said whoever lost the drive was in for “a right rollicking”, meaning that some sort of punishment will be handed out to the person responsible.

But who should be blamed for a data breach, employee or employer? Whenever there is a data breach, it is the person who loses the data who is made the scapegoat. There are many information security endpoint tools that can help users keep confidential data safe from prying eyes. I believe organisations should take a serious look at their internal processes whenever there is a data breach, and ask what can be done to reduce human error or a deliberate effort to steal data. We are all human and things get lost and forgotten; the question is what needs to be done to make the confidential data inaccessible to unauthorised persons.


Another Solvable Problem Using Enterprise Rights Management

The Office of Inadequate Security recently reported a major data breach at East Devon District Council, where the personal data of almost 2,000 council workers was leaked. The incident happened when a former manager at the council sent the data in an Excel file to a private email address.

The council says the incident was “unauthorised” and affects 1,891 staff, councillors, employees of Leisure East Devon and pensioners formerly employed at the council. This is a situation that could have been prevented using both Data Leak Prevention (DLP) and Enterprise Rights Management (ERM).



Enterprise Rights Management Video Promotion (30 seconds)

Watch this 30-second clip on why you are better off with Enterprise Rights Management than resorting to legal action to recover your stolen intellectual property.

re: Who’s stealing your corporate information now?

I recently read an interesting blog post by Bill Blake of eDocument Sciences. While it made for fascinating reading, there is an irony to it, because a lot of organisations do not fully know the extent to which they are exposed to corporate espionage. Some organisations think that they are too small to be spied upon, while others cannot imagine the possibility of being spied upon, but none of this really matters: unless the organisation takes the right steps to protect its confidential data it is still vulnerable, and once vulnerable, that impacts the net worth of the organisation.


Gartner Paper Review: Enterprise Digital Rights Management

A few weeks ago I mentioned in one of my blog posts that Gartner has had its radar on Enterprise Rights Management. I also mentioned in that post that I would review the two most recent papers on Enterprise Rights Management, and that is what I intend to do here by reviewing the first paper, published in May this year.

Enterprise Digital Rights Management by Eric Ouellet is a must-read paper for any organisation that is considering Enterprise Rights Management. It helps decision makers consider the implications of using Enterprise Rights Management to protect their intellectual property and how best to implement it. Eric starts off with the latest key findings about this security tool, in which he refers to the proprietary nature of current EDRM solutions, for which there are no industry-wide standards. From my perspective this has benefits, because it drives innovation for EDRM to become more user friendly and helps reduce the total cost of ownership. There is something inherent about standards that slows the pace of innovation and development.


Seclore’s FileSecure Information Rights Management and Websense Data Loss Prevention Solution

In line with what many IT and security analysts have been predicting, Seclore Technology, a major player in the Enterprise Rights Management (ERM) marketplace, and Websense, a leading Data Loss Prevention (DLP) solution provider, have teamed up to provide an integrated solution that will help organisations protect their intellectual property and confidential data, as well as lower the total cost of ownership.

The integrated solution will enable companies to reduce the application of manual rights, as well as reduce cost and complexity, and ensure that policies are applied consistently and pervasively. As a result, customers will be able to automatically discover, tag, and protect confidential information within and outside of the enterprise.


A Strong Case for Enterprise Rights Management

In today’s world cyber-criminals are becoming more and more sophisticated. They know that businesses keep all kinds of confidential and sensitive data on their computer systems. From intellectual property to product designs, strategy documents, specification documents, customer records and bank details, all of these have the potential to be monetized once accessed. A recent case is Daniel Houghton, a rogue MI6 agent who wanted to sell confidential documents to the Dutch intelligence services for £2M ($3M).

Through Trojans and other forms of malware, a cyber-criminal can access business data indefinitely and undetected. This provides the criminal with an illegal revenue stream for a long period. 72 percent of British companies with 50-500 staff suffered an average of 15 incidents a year. Apart from this, employees make honest mistakes in the way they handle confidential data; an example is sending an email to the wrong recipient, as in the Eli Lilly case.

IT security today has to extend beyond perimeter security, i.e. erecting a firewall. The question is not whether your firewall will be breached, but what measures have been taken to prevent criminals getting at your core company data when it is breached. Endpoint security is core to any organisation that wants to make sure its confidential data stays within the business.

Enterprise Rights Management (ERM) software is an endpoint tool that manages and enforces information access policies and use rights for electronic documents within an enterprise; its development has been predicated on Digital Rights Management (DRM) technology. DRM was developed to provide a systematic approach to copyright protection for digital content, generally by means of a suite of software employing the following technologies: identity/role management, privilege management, tamper detection, cryptography and persistent security. Using Enterprise Rights Management, creators of digital content may assign rights to future users to take subsequent actions on that ERM-protected content (e.g., opening, printing, editing, copying, or forwarding the content).

2010 has seen an increase in the uptake of enterprise digital rights management, and analysts from Gartner, Forrester and Aberdeen are optimistic about the growth trends over the next 5 years. Many organisations are beginning to realise they can no longer effectively control and manage their security perimeter and are moving their data security to endpoints. This is a responsible move, and it will gain popularity over the next decade now that the cost barriers are falling, with a simple and effective installation costing as little as $6,000.

A Perspective on the Theft of Confidential Data by a Former Employee at Ford

When I read that a former Ford product engineer had stolen over 4,000 confidential documents containing trade secrets from his former employer, I began to wonder how many companies out there are as vulnerable as Ford. Fortunately for Ford this employee got caught, but it remains unknown how many employees have successfully got away with it without Ford’s knowledge.

An extract from the article reporting the story reads: “Xiang Dong Yu, a.k.a. Mike Yu, 47, of Beijing is charged with theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer”. This fascinates me. What is unauthorized access to a protected computer? Is this not an oxymoron? If a computer is protected, I assume it is protected to keep prying eyes out. In the US a charge of unauthorized access to a protected computer carries a maximum penalty of five years and a $250,000 fine, but this is not really a deterrent, because many employees do not know or are ignorant of the consequences of their actions.

A protected computer of this nature should have the highest level of security on it, for example:

  1. When someone logs into it, the system should notify the administrator of who logged into that machine, when, from where and why. The system should also keep a log of all activities on the computer.

  2. Every single file on that protected computer should be encrypted with enterprise digital rights management software to ensure that even if the computer is hacked the files cannot be decrypted. Failed attempts to access these files could be logged and the location identified in case you need to get the police involved.

  3. Disable all the access ports that could allow the data on the protected computer to be downloaded or uploaded.

  4. Where downloading has to be allowed, it should also be logged and presented in the form of a daily, weekly and monthly management report, so that possible trends of confidential data being used illegally can be spotted.

  5. There are other things that could be done, like encrypting the hard disk during non-core hours, i.e. out of office hours.
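As an added illustration of items 1, 2 and 4 above (example code written for this page, not from the original post), the script below aggregates constructed access-log lines from a protected computer into a per-user daily report and raises the alerts an administrator would want immediately: bulk downloads, failed decrypt attempts on ERM-protected files, and downloads outside core hours. The log format, event names, download threshold and office hours are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log lines (not real data), one event per line:
#   <ISO timestamp> <user> <event> <document>
# Event types assumed here: LOGIN, OPEN, DOWNLOAD, DECRYPT_FAIL.
SAMPLE_LOG = """\
2010-07-01T09:02:11 alice LOGIN -
2010-07-01T09:10:45 alice OPEN design-spec-17.docx
2010-07-01T09:15:02 alice DOWNLOAD design-spec-17.docx
2010-07-01T22:41:09 engineer7 LOGIN -
2010-07-01T22:42:00 engineer7 DOWNLOAD drawing-0001.pdf
2010-07-01T22:42:05 engineer7 DOWNLOAD drawing-0002.pdf
2010-07-01T22:42:09 engineer7 DOWNLOAD drawing-0003.pdf
2010-07-01T22:42:14 engineer7 DOWNLOAD drawing-0004.pdf
2010-07-01T22:42:20 engineer7 DOWNLOAD drawing-0005.pdf
2010-07-01T22:42:27 engineer7 DOWNLOAD drawing-0006.pdf
2010-07-02T03:15:40 unknown DECRYPT_FAIL drawing-0006.pdf
2010-07-02T03:15:41 unknown DECRYPT_FAIL drawing-0006.pdf
"""

MAX_DAILY_DOWNLOADS = 5      # assumed baseline for a normal working day
CORE_HOURS = range(8, 19)    # assumed office hours, 08:00 to 18:59

def parse_log(text):
    """Turn raw lines into (date, hour, user, event, document) tuples."""
    events = []
    for line in text.splitlines():
        stamp, user, event, doc = line.split()
        date, clock = stamp.split("T")
        events.append((date, int(clock[:2]), user, event, doc))
    return events

def daily_report(events):
    """Count each event type per (date, user): the management report of item 4."""
    report = defaultdict(Counter)
    for date, _hour, user, event, _doc in events:
        report[(date, user)][event] += 1
    return report

def flag_suspicious(events):
    """Return (date, user, reason) triples that deserve an immediate alert."""
    flags = []
    for (date, user), counts in sorted(daily_report(events).items()):
        if counts["DOWNLOAD"] > MAX_DAILY_DOWNLOADS:
            flags.append((date, user, f"bulk download: {counts['DOWNLOAD']} documents"))
        if counts["DECRYPT_FAIL"]:
            flags.append((date, user, f"{counts['DECRYPT_FAIL']} failed decrypt attempts"))
    # Item 5 hints at out-of-hours risk: any download outside core hours is flagged.
    off_hours = {(d, u) for d, h, u, e, _ in events if e == "DOWNLOAD" and h not in CORE_HOURS}
    for date, user in sorted(off_hours):
        flags.append((date, user, "download outside core hours"))
    return flags

if __name__ == "__main__":
    for flag in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(*flag)
```

Running it prints one line per alert; the same report, rolled up by week or month, is the trend view item 4 asks for.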

Theft of data on such a scale should be detected immediately, not after a prolonged investigation when the damage is already done. I want to believe that Ford could have done a great deal more to protect its intellectual property. In this day and age it is puzzling how a single person can steal over 4,000 confidential documents and go undetected until he has left the company.

Where confidential data is stolen by an employee and no immediate action is taken, you can guarantee the damage is already done once he or she walks out of the door. I do not believe businesses and organisations should be forced to protect their information assets under some sort of legislation, but they need to take more responsibility for protecting their data by employing the best security and data protection tools on the market.

We live in the information age, and information is rapidly becoming the most valuable commodity in the market, ready to be traded to the highest bidder. With the rapid growth of digitization in our lives, organisations and businesses will rise or fall based on the lengths they go to in protecting their intellectual property and confidential data.