Enterprise Digital Rights Management
Swiss Bank UBS employee leaked info on GM’s IPO

Swiss bank UBS lost out on a major revenue stream when it was discovered that an employee leaked details about the impending GM IPO. This leak meant that GM is required by law to disclose the e-mail in a filing with the U.S. Securities and Exchange Commission.

Up until November 3, UBS was listed as a proposed underwriter in GM’s IPO; however, it was dropped without reason. The person who leaked the email, the details of the email content and how widely the email was distributed are unknown, but GM said the e-mail went to various institutional investors.

GM has claimed the e-mail does not reflect its views, while GM’s disclosure limits the company’s liability. It’s also unlikely that UBS or the employee would face any repercussions from the SEC but that revenue dent is already made.

It is known that up to 80% of all data breaches do not become public knowledge, and here is a typical case. If it wasn’t for the disclosure in the IPO filing, the public would be none the wiser. There must be at least 10 major data breaches happening every day that are impacting revenue, jobs and investor confidence. Data leakage through email is a big challenge to information security, but progress seems to be very slow in this area.

Enterprise rights management offers solutions that prevent employees from sending emails to the wrong recipients; combined with data leak prevention or context-sensitive DRM, such a solution can prevent scenarios like the one that happened to UBS. It is estimated that UBS lost £6.2m in revenue as a result of being dropped by GM.

Email Doesn’t Have to be a Public Announcement

I read this interesting article by Marilee Veniegas and Zachary Price, posted by Valerie Levine on her blog. The article discusses why email and document security is no longer simply an option for companies; it is a necessity. According to the article, implementing encryption solutions doesn’t have to be a financial burden. Enterprise rights management solutions are now accessible to small and medium-sized businesses and sole proprietorships too. Small Business Rights Management (SBRM) solutions provide businesses of a smaller scale with a level of enterprise rights management and encryption previously available only to large enterprises.


What Check Point’s acquisition of Liquid Machines means for Enterprise Rights Management.

This week saw the acquisition of the Enterprise Rights Management software vendor Liquid Machines by Check Point. This acquisition is a confirmation of further consolidation and integration needed to raise the profile of enterprise rights management software.

In a number of past blog posts I mentioned the superiority of Enterprise Rights Management over full disk encryption and file encryption, and Check Point’s acquisition confirms this because it already has its own file encryption tools. This is a recognition that the benefits of enterprise rights management around persistent security will always be the main advantage it has over any other encryption tool.

From Check Point’s perspective, this acquisition helps the company to leverage their suite of security tools, helping the company to draw from a wider selection of possible tools when recommending solutions to their clients.

I am hoping Check Point has not paid way above the market price, as there are current pressures for enterprise rights management price tags to come down, and price is another key factor in wider acceptance of this technology.

I believe that there will be further mergers and acquisitions in the enterprise rights management area over the next 12 months, but because of the downward pressure on product prices and implementation costs, return on investments will take longer than initially expected. Finally, this acquisition indicates that enterprise rights management is coming of age and will have its place in the enterprises’ overall information security strategy.

The latest Market Overview on Enterprise Rights Management by Forrester Research

Forrester has just released a market overview on Enterprise Rights Management by Brian Hill and Andrew Jaquith. This is a well-written research document with the latest perspective on the Enterprise Rights Management market. Products from 8 key vendors are evaluated, namely Adobe Systems, Covertix, EMC, GigaTrust, Liquid Machines, Microsoft, NextLabs and Oracle. Forrester believes that Enterprise Rights Management is among the most robust information protection technologies available to organisations today, yet it is regarded as optional.

This paper asserts that enquiries about enterprise rights management are not as high as those about data loss prevention, and describes it as a “tweener technology” with very few enterprisewide deployments. The largest deployment I know is 50,000 seats at Samsung in Asia through the software vendor Fasoo, after which many other deployments I know of are 1,000 seats or less. Forrester also expressed that high costs are still a concern and a barrier to adopting this technology, but I can see this barrier being lowered with cost-effective solutions now becoming available.

Forrester is optimistic about the future growth of enterprise rights management and describes strategies for deployment. The future for Enterprise rights management lies in further integration with other security tools like DLP and resource management tools like document management systems.

Although this market overview does not cover all the major enterprise rights management vendors (Brainloop, Fasoo and Seclore Technology are among the vendors missing from the list), I highly recommend that any organisation or department considering how to protect their information assets refer to this paper before a final decision is reached.

To obtain this document please go to the Forrester website via the following link.

This is part 2 of a 2 part article. This article describes Information Rights Management (IRM) features applied to Exchange Server 2010, and the various methods you can apply to set it up based on your business requirements. Elie Issa describes the various decryption options, as well as the manual and automatic application of rights policy templates.

Highly recommended technical read.

Information Rights Management: Coming of age

By Vishal Gupta

Over its evolution, IRM (Information Rights Management) technology has been associated with multiple TLAs (three-letter acronyms), i.e. ERM (Enterprise Rights Management) and E-DRM (Enterprise Digital Rights Management), and has also been called Document Usage Control.
 
IRM is a technology which allows for information (mostly in the form of documents) to be ‘remote controlled’. This means that information and its control can now be separately created, viewed, edited and distributed.
 
With present-day technologies, information and its control travel together, i.e. if Richard sends a document (let’s say an Excel sheet) to Linda, then Linda has pretty much complete control over that document after she receives it: she can view it, print it, edit her copy, forward it to Susan and copy content from the document to another one. With IRM technology it is possible for Richard to send the Excel sheet to Linda but be able to control, before and after sending the document, whether Linda can view, print, edit or forward that document. Not only that, but Richard can also audit exactly what actions are performed by Linda on her copy of the document.


More generally, it means that ‘owners’ of the information are able to control and audit some of the critical actions that are performed on the information wherever it goes. These critical actions typically mean control over viewing, editing, printing and distribution of the information. The significant difference between IRM and other document control technologies is that IRM focuses on real-time or dynamic control over usage of information, as compared to static or one-time control over distributed information.
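The Richard and Linda scenario above can be modelled in a few lines. This is an added example, not code from the article or from any IRM product: the `RightsServer` class, the document name and the dates are hypothetical, and a real product would also encrypt the file and release keys only on an ALLOW verdict.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACTIONS = frozenset({"view", "print", "edit", "forward"})


@dataclass
class RightsServer:
    """Hypothetical policy server: rights are held here, not inside the file."""
    grants: dict = field(default_factory=dict)  # (doc, user) -> (actions, expiry)
    audit: list = field(default_factory=list)   # (time, doc, user, action, verdict)

    def set_rights(self, doc, user, actions, expires=None):
        """Owner grants or changes rights; works before and after sending."""
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        self.grants[(doc, user)] = (frozenset(actions), expires)

    def request(self, doc, user, action, now):
        """Viewer asks at the moment of use; every attempt is audited."""
        actions, expires = self.grants.get((doc, user), (frozenset(), None))
        allowed = action in actions and (expires is None or now < expires)
        self.audit.append((now, doc, user, action, "ALLOW" if allowed else "DENY"))
        return allowed


def richard_and_linda():
    """Constructed scenario following the Richard/Linda/Susan description."""
    srv, doc = RightsServer(), "sheet.xlsx"
    sent = datetime(2010, 1, 4, 9, 0)
    srv.set_rights(doc, "linda", {"view", "print"}, expires=sent + timedelta(days=30))
    verdicts = [
        srv.request(doc, "linda", "view", sent + timedelta(hours=1)),
        srv.request(doc, "linda", "forward", sent + timedelta(hours=2)),
        # Linda passes the file on anyway: Susan holds a copy but no rights
        srv.request(doc, "susan", "view", sent + timedelta(hours=3)),
    ]
    # Richard tightens the policy after the file has left his hands
    srv.set_rights(doc, "linda", {"view"}, expires=sent + timedelta(days=30))
    verdicts.append(srv.request(doc, "linda", "print", sent + timedelta(days=1)))
    # Same copy, same user, but past the expiry date
    verdicts.append(srv.request(doc, "linda", "view", sent + timedelta(days=31)))
    return verdicts, srv.audit


if __name__ == "__main__":
    verdicts, audit = richard_and_linda()
    for entry in audit:
        print(*entry)
```

Because the decision is taken at the moment of use, the last two requests are denied even though Linda's copy of the file has not changed, and the audit list records every attempt, including Susan's.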
 
Why IRM: security and compliance
IRM technology allows for the fine distinction between use and misuse. It is typically used for secure collaboration, i.e. a case in which information needs to be shared with people for use and at the same time be controlled so that they do not misuse it. There are two primary reasons for using IRM technology:
 
Security: IRM technology provides security of information, irrespective of its location. From an information security perspective this means that organization security policies can be implemented irrespective of the location of the information. This is a boon for CISOs of large organizations, where uniformization of security policies across systems is a huge task. Typical scenarios are:
 
1. Information shared with a potential acquirer during the process of an M&A transaction should be usage controlled, i.e. information should be ‘used’ for the purpose of due diligence but not ‘misused’, i.e. distributed or viewed after the due diligence is over.
 
2. R&D information in the form of process, drawings, test results etc. should be ‘used’ for the purpose of furthering the company’s interests but not ‘misused’ for the purpose of distribution to others or sent out of the company’s offices by employees planning to leave the company.
 
3. Information received from customers under an NDA should be ‘used’ for the purpose of executing the project but not ‘misused’ for the purpose of another project or for distribution otherwise.

4. Information shared with vendors for the purpose of outsourcing of business processes like data entry and printing needs to be used but should not be misused for theft and sale.
 
Compliance: Most regulatory compliance frameworks, like ISO 27001, Sarbanes Oxley, HIPAA and GLBA, have recommendations on specific controls that need to be put in place. Typical scenarios are:
 
1. ISO 27001 mandates that ‘digital assets’ are tracked for usage as they flow within and outside the organization and a complete audit trail is maintained of their access and usage.
 
2. Sarbanes Oxley section 404 mandates implementation of internal controls which provide access to erroneous data to personnel. It also recommends protecting confidential data from unauthorized personnel and tracking it.

Vishal is the CEO at Seclore Technology, a major player in the Information Rights Management space. Vishal is also an Enterprise Rights Management Evangelist and can be contacted via the Seclore Technology website.

Source: CXOToday.com

Brainloop, a major player in the enterprise rights management marketplace, now offers a secure document sharing platform through a central application of persistent control over editing, printing, saving and forwarding for all major document types.

An Enterprise DRM Solution: A case study of a ‘Serious’ data breach at Gwent Police

Last week we read about the case of a serious data breach at Gwent Police in the UK where a spreadsheet was mailed to a journalist by mistake. This has led to an investigation by the Independent Police Commission and a possible fine of up to £500,000 by the Information Commissioner’s Office.

The file, which contained records of thousands of individuals applying for sensitive jobs, was mistakenly emailed to a journalist at The Register, an online IT news service.

The Microsoft Excel spreadsheet, which was not encrypted or password protected, contained the full names and dates of birth of 10,006 people in jobs or applying for jobs where a Criminal Records Bureau (CRB) disclosure was required, dating back to 2001.

Solution:
This problem should never happen, but it goes to the core of the problem facing establishments around the world, where an IT security policy is not backed up by the tools required to implement it. Once the sender of that file clicked on the send button, there was no comeback, but this need not be the case.

First, the information should have been encrypted, even if the file was never meant to be mailed. Enterprise Rights Management (ERM), also called Information Rights Management (IRM), ensures the security on the file is persistent. This means that, unlike most encryption tools, which require that the file be decrypted before it can be used, ERM keeps the file encrypted while it is in use, in transit or at rest.

Second, if the file was protected by ERM and sent to the wrong person in error, they would never be able to access the content, as they would not be listed in the document’s policy as having rightful access to the contents of the file.

Third, some ERM solutions now include DLP (Data Loss Prevention). Other ERM software vendors use context sensitive DRM. These both ensure that documents with predefined data formats do not leave the domain of an organisation without it being secured with ERM. For example, DLP or context sensitive DRM would recognise date of birth formats, social security number formats, address formats, etc.

Fourth, when the contents of an ERM-secured document are copied to another document, the new document inherits the rights and policies of the original document, which means your data is secured wherever it is copied to.
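The third point, content inspection that stops recognisable personal data from leaving the organisation unprotected, can be sketched as follows. This is an added example, not any vendor's implementation: the regular expressions, the threshold of five matches, the domain `force.example` and the sample rows are all constructed assumptions.

```python
import csv
import io
import re

# Assumed formats: UK-style dd/mm/yyyy dates of birth and US-style SSNs
DOB = re.compile(r"\b(0?[1-9]|[12]\d|3[01])[/-](0?[1-9]|1[0-2])[/-](19|20)\d{2}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ORG_DOMAIN = "force.example"   # placeholder for the organisation's mail domain
THRESHOLD = 5                  # assumed: this many hits counts as bulk personal data

# Constructed sample attachment (no real people)
SAMPLE = """name,date_of_birth
Alice Example,14/03/1975
Bob Example,07/11/1982
Carol Example,30/06/1990
Dan Example,02/12/2001
Erin Example,25/09/1968
Frank Example,19/01/1979
"""


def count_sensitive(csv_text):
    """Count cells that match a date-of-birth or SSN format."""
    hits = {"dob": 0, "ssn": 0}
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            hits["dob"] += bool(DOB.search(cell))
            hits["ssn"] += bool(SSN.search(cell))
    return hits


def outbound_decision(recipients, csv_text, erm_protected):
    """Return 'allow' or 'require_erm' for an outgoing mail with one attachment."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != ORG_DOMAIN]
    bulk = sum(count_sensitive(csv_text).values()) >= THRESHOLD
    if bulk and external and not erm_protected:
        return "require_erm"   # hold the mail until the file is rights-protected
    return "allow"


if __name__ == "__main__":
    print(outbound_decision(["reporter@news.example"], SAMPLE, False))
```

An unprotected spreadsheet of names and dates of birth addressed outside the organisation is held until ERM is applied; the same file sent internally, or sent externally once protected, passes.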

Conclusion
Right now the question you should be asking is, “Could what happened to Gwent Police happen to my organisation?” If your answer is yes or you are uncertain, then it is time to take action and avoid the reputation damage, fines and other fallout that could result from letting sensitive data leave the domain of your organisation unsecured. Finally, employ the necessary tools to support your IT security policy.

Vendors That Offer ERM Solutions
Adobe LiveCycle DRM, Avoco Secure, Brainloop, Documentum IRM, Fasoo DRM, GigaTrust, InDorse Technologies, Liquid Machines, LockLizard, Oracle IRM, Seclore Technology, and Microsoft Windows RMS. These are the leading ERM vendors that offer these easy to use solutions.

Fasoo and Onehub plug security holes at AIIM

Reblogged from the eDocument Sciences Blog

Today at AIIM in Philadelphia, Fasoo and Onehub showed Onehub Transfers powered by Fasoo, an on demand Enterprise DRM service.  The companies combined an easy way to securely transfer and track sensitive electronic documents with a way to encrypt and control what the user can do with them.  With all the data and security breaches occurring in small and large companies, this is a great way to stop the bleeding.

I took a look at the product and it’s really easy to use.  It’s SaaS so the pricing model is pay-as-you-go, which makes it easy for any business to get started without a lot of fuss.  I talked to some people at the show about ways to use it and got a lot of excellent ideas.

An accountant told me that recently a lot of laws have passed in the US where CPAs and attorneys must send sensitive electronic documents to their clients encrypted.  The fines can be very stiff for just emailing me a tax return or K1 that’s not protected.  I also spoke to a government agency who talked about securely transferring sealed bids on projects.  She wanted to make sure contractor bids don’t leak to the public or other contractors before the agencies officially publicize them.

Since Fasoo Enterprise DRM encrypts electronic documents and lets the author control who can view, print, save, and edit them, a business has control of its documents no matter where they are.  Combining that with the collaboration and tracking features of Onehub makes this a great tool.  One person who runs a channel sales organization for a large company told me that this is a great way to send monthly price lists to his resellers.  He can encrypt the documents so only the distributor’s sales people can view them and then set the file to expire after a month.  This way he controls who sees it, what they can do with it and also makes sure they can’t use an old price list.

ERM Not Just For the “Big Guys” Anymore, Small Business Rights

By Marilee Veniegas

Small Business Rights Management (SBRM) is a term which reflects the shift ERM (Enterprise Rights Management) technology has taken as awareness of industry compliance issues and protection of original works has evolved and become implicit within businesses of under 50 employees. From published manuscripts to original cookie recipes, protecting original works, customer or patient records isn’t just “good business,” but in many industries a matter of compliance. The question is how can small firm businesses invest in ERM software at its current exorbitant cost?

The realm of protected digital documents, like many business solution advances, has traditionally only been available to privileged large corporate enterprise businesses. This is no longer the case.

Technology mandates that it catch up with the populace. The first-generation laptops of the early 1980s are a far cry from the lightweight Apple PowerBooks, or Dells. ERM software itself has begun to slim down and no longer appears like the bulky, over-priced, 24 pound Osborne1 (the first laptop computer).

Rights management solutions can now be for small to medium-sized businesses or sole-proprietorships too. SBRM solutions provide businesses of a smaller scale an equal level of user rights management and encryption previously available to large enterprise business.

Standard ERM or SBRM software gives content authors the power to determine how recipients may use their email and documents. For example, senders can prevent unauthorized distribution (no forwarding, printing) and prevent unauthorized editing (no cut, copy, paste) of content, i.e. copy prevention.

For some industries like finance, medical and legal, keeping communiqués, client/patient records and data is a matter of industry compliance. In finance, Sarbanes-Oxley protects investors and governs corporate responsibility. HIPAA, the Health Insurance Portability and Accountability Act, not only protects health insurance coverage for workers and their families when they change or lose their jobs, but also dictates that patient information be kept private. Compliance regulations in such industries are a cost of doing business, and are often pricey mandates. Government compliance issues for many industries often become a burden, forcing small neighborhood clinics, firms and businesses to go under due to the financial stress.

Compliance as it concerns digital data is finally catching up to the widening commercial sector which is highly impacted by the success of small businesses. Small firms dealing with compliance issues can turn to SBRM solutions to bridge the gap between staying current with industry regulations and staying in business.

About the author: Marilee Veniegas is an alumna of the University of Washington. She joined the Marketing team at Essential Security Software, Inc.

Confidential communications; are you doing enough to secure and manage them?

Yesterday while watching CNN, some more information about Toyota’s unintended acceleration problem came to light leading to further reputation damage to its brand. Yes, Toyota should have come clean when it realised that it had a defect with some of its products, and damage limitation would have ensued. The problem with cover-ups is that one mistake always leads to another and things can get complicated; in this case Toyota got fined $16.4m and the leaked email from Irv Miller, Toyota’s top U.S. public relations executive led to the brand being further tarnished.

There will always be communications meant for internal use that, if read by the outside world, could tarnish a company’s brand, especially if it is a public company. Most of this information appears in unstructured format and must be protected and destroyed once communicated to all the right channels. I hope all businesses will learn from Toyota’s mistakes and put in place a strategy on how to manage and secure all confidential internal communications.

For further reading on the latest Toyota story please visit http://www.freep.com/comments/article/20100408/BUSINESS01/4080421/Toyota-exec-Time-to-hide-troubles-over