In today’s world cyber-criminals are becoming more and more sophisticated. They know that businesses keep all kinds of confidential and sensitive data on their computer systems. From Intellectual property to product designs, strategy documents, specification documents, customer records and bank details, all these have the potential to be monetized once accessed. A recent case is Daniel Houghton a rogue MI6 agent who wanted to sell confidential documents to the Dutch intelligence services for £2M GBP ($3M USD)

Through Trojans and other forms of malware, a cyber-criminal can access business data indefinitely and undetected. This provides the criminal with an illegal revenue stream for long period. 72 percent of British companies with 50-500 staff suffered an average of 15 incidents a year. Apart from this employees make honest mistakes in the way they handle confidential data, and example is sending an email to the wrong recipient, see the Eli Lilly example.

IT security today has to extend beyond perimeter security i.e. erecting a firewall. The question is not if your firewall is breached, but when it is breached what measures have been taken to prevent criminals getting at your core company data. Endpoint security is core to any organisation that wants to make sure its confidential data stays within the business.

Enterprise rights management (ERM) software is an endpoint tool that manages and enforces information access policies and use rights of electronic documents within an enterprise; its development has been predicated on digital rights management (DRM) technology. Digital rights management (DRM) was developed to provide a systematic approach to copyright protection for digital content, generally by means of a suite of software employing the following technologies: identity/role management, privilege management, tamper-detection, cryptography and persistent security. Using Enterprise rights management, creators of digital content may assign rights to future users to take subsequent actions on that ERM-protected content (e.g., opening, printing, editing, copying, or forwarding the content).

2010 has seen an increase in uptake of enterprise digital rights management and analysts from Gartner, Forrester and Aberdeen are optimistic about the growth trends over the next 5 years. Many organisations are beginning to realise they can no longer effectively control and manage their security perimeter and are moving their data security to endpoints. This is a responsible move, and will gain popularity over the next decade now that the cost barriers are falling with a simple and effective installation costing as low as $6,000.

This month the ISACA Singapore Chapter is organizing a dinner talk and networking session on Wednesday, July 21. Amitpal Singh Dhillon, one of our security experts in Singapore, is presenting on the topic of “Information Rights Management - How secure are your confidential documents?”. Those who are CISA certified will attain 2 hours towards ongoing certification with this talk.

Details of the event are (sign up here);

• Time: 6:00pm - 9:00pm (Registration: 6:00pm; Dinner 6:30pm - 7:15pm; Presentation 7:15pm - 9.00pm)
• Venue: National Library Board Building, Level 5, Imagination Room, 100 Victoria Street, Singapore 188064
• Cost: S$30.00 (ISACA/IIA Members), S$45.00 (Non-Members), S$15.00 (Students) / Refer Student Registration below
• CPE: 2 Hours
• Dinner: Buffet Dinner Included (no pork no lard)
• Who Should Attend?: Information Security Managers, Analysts and Architects, IT Managers, IT Auditors, Academia and researchers involved with information systems security awareness, training, education, and professionalism.

The speaker, Amitpal Singh Dhillon is well versed in Information Rights Management and is an Identity Management Security Architect for Oracle in the Asia region. Prior to joining Oracle, Dhillon worked as an Information Systems Engineer on Corporate IdM initiatives at Applied Materials in the Silicon Valley. In addition, he has experienced the typical diversity of products from multiple vendors, including Microsoft, SUN and IBM whilst responsible for implementation of such solutions in an SAP environment. To attend the dinner sign up here. For more information on the event visit the ISACA Singapore Chapter website and look in the current events section.

Digital Rights Management, commonly known as DRM, refers to the ability to protect various types of electronic media.   In recent years, DRM technology has become topical because of its role in protecting digital music and movies that make their way online. However, DRM also plays an important role in the financial transaction world offering security to those who share documents online in Virtual Data Rooms……

Every CIO, CSO, IT Security manager and data compliance manager spend most of their time trying to outsmart hackers and prevent corporate confidential data from being leaked into unauthorised hands. It’s almost an everyday occurrence that systems and networks have been breached, and in the process important data has been compromised.

When a data breach occurs, the risks are plentiful: damage to brand equity, the burdensome costs of notifying affected customers, possible exposure of intellectual property, and failure to comply with government regulations.

According to research by the Ponemon Institute the average total cost—including notification costs, loss of customers, and increased difficulty in acquiring new customers—was £1.4 million per breach in the UK for 2008.

If you are a high profile organisation, be it in the private or public sector, your networks will be regularly tested by hackers for weaknesses in the network. Some organisations report even experience hourly attacks on their networks.

The question is what happens when or if the hackers successfully gain access to your network? When this happens you want to make sure that all confidential data is impossible to get at.

All your data will exist in file formats, the data in these file formats could be structured or unstructured. Structured data could be in form of database formats and spreadsheet formats, while unstructured data could be word processor formats, graphic formats, presentation formats and other generic formats like emails and text. If these file formats are protected by a level of encryption that makes it easy for the legitimate file owners to distribute those files to whomever they want, but at the same time keep the unauthorised users out.

Enterprise Rights Management, commonly called Enterprise Digital Rights Management (eDRM) is your last line of defence against hackers. Loosely defined, eDRM refers to products that allow enterprises to enforce confidentiality and need-to-know restrictions on file contents. So when all your efforts of protecting your network’s data have been compromised, eDRM persistently protects your data wherever it may be located.

Failed attempts to access files protected by eDRM are even logged; hence eDRM solutions contain strong monitoring and reporting components. These provide compliance auditors or security investigators with detailed records of “who, what, and when” on a file-by-file or user-by-user basis.

Apart from being the last line of defence against a security breach eDRM is helping organisations to take control of their confidential data and is especially good fit for firms with a well-understood pool of valuable confidential data used in day-today business processes. Examples of this type of data include financial spreadsheets, strategy documents, new product development presentations, merger and acquisition plans, human resource compensation reports, sales information legal contracts and intellectual property.

I recently read a blog post titled “Security Turns off Millennials”. The post refers to a report commissioned by Cisco Systems, in which it claims that overly rigid security requirements and strict policy enforcement do turn off millennials in the workplace. We have always known that this generation are less concerned with sharing their private details publicly compared to the older generations, but I think this may be a wrong stereotype to place on the millenials.

As more of this generation enters the workplace you have a conflict of values no matter the age and size of the organisation. It therefore becomes imperative that organisations remain competitive by locking down their intellectual property. Access to such property should not only be locked down with tools like Enterprise Rights Management, but should have a comprehensive log of who accessed what information and when. This helps employees to become more careful in the way they use the information accessed.

Organisations that allow employee personal devices better have the security tools to manage the threats that come with such leverage. It could be an opportunity for organisations to train this generation the overall impact of a lack of proper IT security controls on a business, its competitiveness and jobs.

Case studies from organisations like Ford, HSBC, Heartland, etc that have suffered serious data breaches should be well documented and communicated to all staff on a regular basis as part of the ongoing IT security strategy. Businesses that take a serious view to IT security could help its employees secure data on their own personal machines by purchasing anti-virus and firewall licenses, and in the future enterprise rights management licenses.

Finally, the millennials are the social media generation, and organisations should endeavour to communicate their message through social media sites. Organisations that do this will be amazed to find out that the generation that is less concerned with IT security have the best ideas to reduce the IT threats in the workplace.

By Ron Arden

Did you ever wonder if your customer lists and other confidential data is walking out the door when people leave the organization?  Here is something that I came across when working with a client.

This organization uses multiple FTP and other file sharing sites to share documents internally and with partners and customers.  Some of these are sanctioned by the organization, but many aren’t.  The reason there are so many is because IT is very busy and hasn’t gotten around to creating an easy-to-use collaboration site for everyone.  They also make it very difficult to implement anything as basic as a secure collaboration site without having to get vice presidential justification and jumping through hoops.  There are Windows file servers for some internal projects and Microsoft SharePoint sites for others.  People use email, free sites, like drop.io and YouSendIt, and FTP sites to exchange documents with outside people.  Employees have resorted to “roll your own” because of the IT can’t meet the need in a timely way.

So here’s the bad part.  One of these FTP sites has the same password they used 3 years ago.  This is an external site that anyone can access.  One division uses this site to share documents with their customers, including invoices and purchase orders.  It has a simple password and people share it all around the company.  The site is easy to use and works fine.  Unfortunately no one is actively managing this site or thinking about changing the password.  People who left the company can still access that site and a lot of confidential information.  Talk about a security hole.

This is one of the problems with most FTP sites.  They are easy to use but their security is very rudimentary.  They usually have a single password for user access with no ties into a directory service, like Microsoft Active Directory or LDAP.  Hence, no one changes the password, because you would have to notify a lot of people that it changed; that’s a hassle and people would complain.  By using a directory service, access is individualized and each user’s password controls access to the site.  When an employee or contractor leaves your organization, you can shut down their access by disabling their user account.  Now you have to worry about changing the password on this one site and notifying the users every time someone leaves.   

If you are thinking about implementing a risk management strategy or a data governance plan, the first thing to look at it is where you are putting your data.  If you are using FTP sites, take a look at their security.  I would get rid of them and use a secure file transfer service or a secure extranet portal that has individual user credentials.  These are better options than an FTP site to let your employees, customers and partners securely share information.

If you suspect confidential documents walking out the door, check your FTP sites.  Of course that assumes you can even find them all.

Ron Arden is the Vice President of Strategy & Marketing at eDocument Sciences, LLC based in Amherst, New York. Ron can be reached via their corporate website at www.edocumentsciences.com.

This is the first of a set of articles designed to assist with the successful installation, configuration and deployment of a document security solution using Oracle Information Rights Management. This article goes through a set of simple instructions which detail how to download, install and configure the Information Rights Management server, the starting point for building a document security solution. This article contains a subset of information from the official documentation and is focused on installing the server on Oracle Enterprise Linux. If you are planning to deploy on a non-Linux platform, you will need to reference the documentation for platform specific information…….

I find it duty bound to follow what is going on in the enterprise rights management marketplace, and in doing so I came across a post Sachar Paulus of the consulting firm Kuppinger-Cole. Sachar strongly believes that there will be a convergence between enterprise rights management and digital rights management used to protect audio and video content. In my response I completely disagreed with him saying that majority of the current enterprise rights management vendors have tried to distant themselves DRM from because of how unpopular it has been over the last 20 years.

However, one thing struck me in this argument. Most of the generation that rebelled against DRM are now managers or are moving into management positions. Will their current status have changed their minds such that they will now buy into DRM, let alone allowing it to converge with enterprise rights management? I don’t think so, but your opinion is what matters.

We also had a debate over whether Apple is a player in the enterprise rights management marketplace. Sachar said yes because many books, pictures etc. (so, content) are delivered as through the iTunes store as an application. But does this qualify it as enterprise rights management? My view, no because enterprise rights management is all about content.

However, let’s look at this from an analytic viewpoint. If user ‘A’ has downloaded an app to their iPad which enables her to read an ebook. ‘A’ buys an ebook from the App Store, that ebook belongs to ‘A’ and the app enables the reader access the document. I would want to believe that when the ebook was downloaded, the policies guiding the ebook was downloaded to the app which is the container for eBook. Based on this analysis you can see why it is the content that needs protecting and not the app. Can someone more knowledgeable about Apple help me out, so I can know whether I am off track?

Anyway, for the exchange of comments between myself and Sachar please access the following link. It will be good to hear from you regarding your views.

By Vishal Gupta

Data leakage, theft, hacking, compromise, accidental / intentional disclosure are here to stay and it is the responsibility of the employer / owner organization and the user to collectively ensure security while ‘at rest’ and when ‘in transit’.
Policies and procedures require users to ingrain best practices into their work culture but there is always the risk of human error or a slip-up even in highly mature workplaces or even if the users are highly trained and disciplined. An example is the incident of an army Major who had classified data on his computer and this was hacked. The full story can be read here - “Major’s comp hacked, info leak feared”

As the affected organization is the Army it is natural to assume there are strong controls in place and this is clearly this is a case of non-compliance on the part of the officer. Again, though controls are in place and the users are a disciplined and trained lot, this non-compliance has led to a security breach (a worst case scenario) and there is no rollback here. Classified data has been compromised and seems to be in the hands of enemies. There is no telling what will be the repercussion of this loss, and one cannot expect that the Army is going to be sharing any details of their investigation or findings.

While everything seems to be in place it is also obvious that the data would be much safer had it been protected by an Information Rights Management (IRM) system like Seclore. The Information Rights Management solution would have provided the organization with the means to withdraw the rights for all the classified documents on the machine for the user (machine owner) and thus render those documents un-accessible.

Data losses can happen anywhere and anyhow. People carry work home and assume it is safe but risks manifest themselves in different locations in different variants. It is necessary to be safe rather than sorry. A data breach, if not measurable in monetary terms, will cause intangible losses which (eventually) will finally lead to loss of confidence and trust from stakeholders.

This leads to the necessity that security controls extend beyond the enterprise perimeter and an Information Rights Management solution provides this capability. An Information Rights Management solution will allow the organization to establish controls based on document lifecycle policies that address classification, distribution controls and user rights with due consideration of business responsibilities and requirements. The system can be configured to apply these policies by default on the data being created. Alternatively policies can be applied manually and a user can create additional customized controls if needed.

In effect an Information Rights Management solution will provide the means for end-to-end control of data or documents throughout it’s lifecycle. The unique value brought about by this solution is that it allows the owner (individual or organization) to enforce data classification, monitor location of distributed data, actively log data access and retain control of access rights for the data irrespective of its location.

Implementing an Information Rights Management solution will allow Information Security managers to take the enterprise to a higher level of assurance as strong safeguards are embedded into the data assets at time of creation itself and remain so, until destruction or authorized removal.

Vishal is the CEO at Seclore Technology a major player in the Information Rights Management space. Vishal is also an Enterprise Rights Management Evangelist and can be contacted via the Seclore Technology website.

This article is a reblog from the Seclore Technology blog.

1. Enforce a subscription model and protect the value of your intellectual property.
2. Distribute important information and make its access/availability to a future date and time.
3. Communicate safely and effectively with partners outside your firewall in a way that does not compromise your intellectual property.
4. Protect your revenue stream by allowing only authorised sharing and copying of your intellectual property.
5. Revoke access to intellectual property to customers that do not maintain their subscription dues.
6. Carefully control how confidential matter is printed by watermarking printed documents with the user’s identity as part of the watermark.
7. Take a document out of circulation regardless of its location.
8. Continuously track document access and activity especially if an approval process is required.
9. Collaborate on the development of a confidential document or design and prevent unauthorised distribution of these documents/designs.
10. Achieve regulatory requirements through the use of a verifiable audit trail.

Fasoo Secure Exchange Server

Do you work with external partners and suppliers? Do you have to share confidential or sensitive information with these partners and suppliers, but worried about that information going beyond the permitted parties? This video from Fasoo explains how you can secure information that travels beyond your firewall, with the ability for you to monitor and control that information.

This video tells you about the capability of enterprise rights management, which is also known as information rights management and how it can help secure your sensitive documents.

Avoco Secure2trust

Avoco demonstrates a new and innovative application that shows the power of combining the Microsoft Windows 7 Touch interface, with the Windows Sensor platform & Avoco enterprise rights management software. This application utilizes windows 7 touch screen technology to control and apply persistent security to protect documents depending on the GPS location they opened in.

This week saw the acquisition of the Enterprise Rights Management software vendor Liquid Machines by Check Point. This acquisition is a confirmation of further consolidation and integration needed to raise the profile of enterprise rights management software.

In a number of past blog posts I mentioned the superiority of Enterprise Rights Management over full disk encryption and file encryption, and Check Point’s acquisition confirms this because it already has its own file encryption tools. This is a recognition that the benefits of enterprise rights management around persistent security will always be the main advantage it has over any other encryption tool.

From Check Point’s perspective, this acquisition helps the company to leverage their suite of security tools, helping the company to draw from a wider selection of possible tools when recommending solutions to their clients.

I am hoping Check Point has not has not paid way above the market price as there are current pressures for enterprise rights management price tags to come down as price is another key factor to wider acceptance of this technology.

I believe that there will be further mergers and acquisitions in the enterprise rights management area over the next 12 months, but because of the downward pressure on product prices and implementation costs, return on investments will take longer than initially expected. Finally, this acquisition indicates that enterprise rights management is coming of age and will have its place in the enterprises’ overall information security strategy.

Over the years I have seen many software applications become resource intensive that they cause a drag on other resources. Anti-virus programs are normally guilty of falling into this category commonly called as bloatware. Bloatware is normally a result of poor and inefficient programming techniques.

I have observed a new class of software which is persistent on hugging your system resources, and no matter what you do to terminate the application it simply does not go away. This type of software I’ll call goatware, derived from the four legged hoofed animal called goat.

The goat is a very stubborn animal in nature because it has the tendency to return to a crime scene no matter how much you take steps to chase it away, hence goatware. Goatware leads to computer rage and frustration, such as the one seen on Youtube where the man smashes his computer because of the persistent nature of the problem. Although I am a keen supporter for Enterprise Rights Management, my concerns are that as this software evolves it might go down the route of becoming goatware where it hugs system resources like some encryption tools and antivirus software we all know.

The success and continuous acceptance of Enterprise rights management is predicated upon having little or no impact on system resources, as well as not impacting the way users perform their normal duties. So it is imperative that all enterprise rights management software do not hug system resources in a way that will bring about its demise before it becomes a main stream product.

Redwood City, CA — June 09, 2010 

Check Point® Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today announced the acquisition of privately held Liquid Machines, a leader in enterprise rights management.  Liquid Machines’ award-winning products prevent the misuse, modification, loss or theft of intellectual property and sensitive information residing in documents. Liquid Machines specializes in data protection and has 12 issued and pending patents for document encryption and content security. The acquisition……..