Enterprise Digital Rights Management
When network security is not enough

You may be in control of all within the perimeter of corporate security, but when data leaves that safe haven, information rights management is essential, argues security partner of Deloitte, Paul Boichat.

Controlling access to the most sensitive information and data in an organisation is an age-old problem with a trusted technical solution, but is it fit for purpose in today’s environment?

Controlling Confidentiality

Cara Garretson has written an interesting article in the State Tech Magazine on using Enterprise Rights Management tools to help government agencies protect their most sensitive documents.

Cara puts forward a solid case why agencies should adopt Enterprise Rights Management. I believe that 2011 would see the highest rate of adoption for Enterprise Rights Management, as WikiLeaks remains centre stage and many emerging nations turn a blind eye to intellectual-property theft.

To read Cara’s article in the State Tech Magazine click here.

When Unauthorized Access To Confidential Information Could Cost You

The UK government cancelled a highly lucrative contract last week because the company that won the contract illegally gained access to confidential information that allegedly gave it competitive advantage over other businesses bidding for the same contract.

According to the BBC the cancellation of a deal which would have privatised the UK’s search and rescue helicopters raised “serious questions” because the private consortium Soteria that had been named as preferred bidder for the £6bn contract, which was due to run by 2012 had gained access to commercially sensitive information according to the Ministry of Defence.

There have been many occasions where access to such sensitive information could lead to a competitive advantage; however, on this occasion it has resulted in a £6bn loss in revenue. This is a situation where going through a due and fair process is the best route to follow even if you lose the contract.

The military police are currently investigating how a former RAF officer now working with Soteria was able to gain access to commercially sensitive information and pass it on to his current employers.

It will be interesting to see how the whole story unfolds, but for now it is unlikely that the contract will be awarded to the private sector and will remain under the Royal Air Force operations.

This story reveals that information security is still not watertight at some of the UK’s most important and strategic organizations and a lot of work still needs to be done to make it highly secured when it comes to managing confidential information.

Do You Know What Enterprise Rights Management Really Is?

Over the weekend I read an article posted on Infosec Island titled “Putting an End to Data Breaches as We Know Them” by Robert Siciliano. Having read the article and the comments I came to the conclusion that even information or data security experts do not fully understand what enterprise rights management is.

So here is the underlying problem; if IT security experts do not understand the full capabilities of enterprise rights management, how can they effectively communicate the benefits or shortcomings to their employers or clients? For me the article on Infosec Island revolves around whether ZafeSoft is enterprise rights management or not.

Even though throughout the website the phrase ‘enterprise rights management’ or ‘information rights management’ is not used, the writer deemed it to be superior to “other” enterprise rights management solutions out there. On the other hand having read through the ZafeSoft website and the features of their products I came to the conclusion that ZafeSoft is enterprise rights management.

Seminar: Protecting Engineering Data with Enterprise Rights Management

ProSTEP iViP is hosting a seminar targeted at engineering companies titled “Protecting Engineering Data with Enterprise Rights Management” in Stuttgart, Germany from February 9-10, 2011. With a rise in the theft of intellectual property in 2010, engineering companies need to invest in their future and the future of their employees by deploying Enterprise Rights Management. Companies like Intel have adopted Enterprise Rights Management; come and see the reason your company should.

Attend this seminar to have all your questions answered on protecting your IP and confidential data with Enterprise Rights Management. Call Yvonne van der Steeg on +49 (0) 6151-9287-446 or email her at yvonne.vandersteeg@prostep.com for a late registration as there may be a few places left.

For further information please visit the ProSTEP iViP website.

Intel Adopts Enterprise Rights Management

Intel recognises enterprise rights management as core to its future and the future of its employees according to its IT performance report for 2010 - 2011 titled “Delivering Competitive Advantage through IT” in which it said,

“We are implementing a secure integrated collaboration solution for our design engineers, with the goal of protecting Intel’s intellectual property while helping to accelerate silicon design. The new solution protects information at all times during creation, storage and transmission, using encrypted files and content repositories with enterprise rights management. This helps engineers be more productive by eliminating the need to secure data using manual methods. We began piloting the solution in 2010 in preparation for widespread deployment in 2011”.

Intel is surely leading the way for companies that depend highly on their intellectual property to survive, and if it is important for Intel to invest heavily in data security, it should serve as a wake-up call for businesses, especially technology businesses, that have a liberal attitude towards the protection of their intellectual property.

Is WatchDox Enterprise Rights Management?

Two weeks ago I read a press release about the latest round of funding for WatchDox, an online document security business. In his comments Moti Rafalin, the WatchDox CEO, said “Legacy enterprise digital rights management and data loss prevention products are failing to address the problem, and enterprises are realizing documents need to be seamlessly protected and controlled wherever they go.”

So what does Rafalin mean by Legacy enterprise digital rights management and data loss prevention products? Considering that both document security tools are less than 10 years old, what makes them legacy? To understand what he meant by legacy I revisited the WatchDox website to try and understand what WatchDox does that other enterprise rights management solutions don’t do.

First of all I watched the video, and everything demonstrated in it is what most other vendors like Oracle, Fasoo, NextLabs, Covertix and CheckPoint, to name a few, also have the capability of doing. So what does Rafalin actually mean by his criticism of WatchDox’s competitors?

On the web page titled “WatchDox vs. DRM, IRM or eDRM”, 4 key differentiators are mentioned between WatchDox and enterprise rights management, namely:-

  • Ease of use
  • Facilitating sharing and collaboration
  • Extended control
  • Cost

Under ease of use the main claim is WatchDox’s no client installation; no passwords; no enterprise deployment; no IT; and no hassle. Like WatchDox, other vendors such as NextLabs and Covertix offer the same no client installation, while a majority of the other vendors offer the remaining features: no passwords, it does not have to be an enterprise deployment, and apart from the server software installation, no further IT involvement is required.

Under facilitating sharing and collaboration WatchDox mentions that traditional DRM solutions typically deal with the insider threat. I definitely know that this is not the case as Fasoo, NextLabs and Oracle have always had a view to providing security both inside and outside the corporate firewall.

Under extended control WatchDox claims that it allows tracking, updating, revoking and changing document permissions even after they had been sent. Again, these are standard features that other enterprise rights management vendors offer in their software.

Regarding cost, other vendors are providing cheaper solutions. Fasoo has a file server solution that costs $5,000 and is implementing a number of SaaS solutions through its partners to lower the entry barrier. Costs from other vendors are also falling in line with the current economic situation in order to remain competitive.

So is WatchDox an enterprise digital rights management solution? I am certain it is, but is it any different from other vendors out there? Yes it is on the basis that it only offers a web based solution. However, there are opportunities for non web based solutions which its competitors offer.

WatchDox is an innovator in the enterprise rights management space because as a business it has found a way to lower the barriers to entry from a cost perspective and will continue to challenge the status quo, but it is not significantly different from any other enterprise rights management solution in the marketplace.

The Future of Enterprise Rights Management: Standards or Interoperability

Sachar Paulus of Kuppinger Cole and I rarely agree on the future of Enterprise Rights Management. First of all, he still continues to refer to ERM as Digital Rights Management despite the fact that many closely associated with ERM have explained the difference to him. Secondly, he continues to refer to Apple when talking about ERM; unfortunately, as great a company as Apple is, it does not have its own ERM solution.

In his latest post titled “Without standards for DRM and IRM Cloud Security will remain a daydream” Sachar said there is a need for standards on Enterprise Rights Management. Again I commented on the post, disagreeing with his view; creating a standard for ERM is the last thing that is needed for this security tool.

I come from an interoperability viewpoint and I strongly back the need for interoperability because it will enable ERM clients to switch from one vendor to another as and when they choose to, and I expect them to demand this feature soon.

As far as ERM is concerned I could say that we are still at the primitive level of interoperability which enables the administrator of the document to run a utility that will remove the security on a document or set of documents. This can then be secured using another ERM solution. At this stage not all ERM vendors provide this solution.

Now creating a standard for Enterprise Rights Management is a different ball game altogether. Creating a standard means exposing the architecture of the ERM application, which makes it a target for a security breach. All you need is someone to create an algorithm to crack ERM and all solutions out there become vulnerable.

Finally, I may be ranting on about nothing and someone out there disagrees with me. I’d like to hear your viewpoint: Standards or Interoperability?

Understanding Enterprise Rights Management

Enterprise rights management has been around for over 10 years and it still baffles me how many data security consultants, IT journalists and bloggers still get it all wrong when it comes to understanding what enterprise rights management can and cannot do. On the other hand it may be there is a lack of effective communication from many of the enterprise rights management vendors.

In an article I commented on over the weekend, the writer referring to enterprise rights management said “this type of protection typically applies only when the document is in transit”. If I were to write on a technology for which I do not have the full facts, I would be under obligation to my audience to do some research, understand what the facts are, and communicate those facts in a fair and objective manner.

So as the first blog post of the year I’d like to do a quick primer of what enterprise rights management can do.

The 3 States of Data: If you are a regular reader of this blog you will know that enterprise rights management does more than protect data in transit. Like the 3 states of water (liquid, solid and gas), data has 3 states in which it can exist.

Data can be at rest i.e. stored on a server, laptop, USB key, or on any mobile device to name a few. Data can also be in use i.e. the content is being read, edited, printed or copied. And finally data can be in transit over a network via email or ftp.

Enterprise rights management has the ability to protect data in any of these 3 states. If the solution you are being offered cannot protect your data in all three states it is not enterprise rights management. The ability to secure data in all 3 states is referred to as “persistent security”.

Policy creation and management: Enterprise rights management helps data custodians to define what users can and cannot do with the data secured with this tool. The policy defined for a document generally revolves around the following controls:-

1. Editing
2. Reading
3. Copy/Paste (including screen capture)
4. Printing

Another issue around policy management is the ability to revoke access to a file or document no matter where it is located in the world. Many enterprise rights management vendors alert the document custodian when a file has been accessed for the first time.

Decentralized administration: One of the key challenges of data security has been that a data security administrator had access to data that was above his or her pay grade. With enterprise rights management the security of the data is administered by the data owner. This considerably reduces the risk of a data breach.

Auditing: Enterprise rights management should and must provide an audit trail of how all documents secured by it are used. This can be a very effective tool when a data breach has occurred.

Integration: Enterprise rights management should have the ability to integrate into other enterprise wide systems like enterprise content management, customer relationship management, email management, message archiving, eDiscovery and a myriad of cloud based systems.

This ability to integrate with enterprise based systems does not mean that enterprise rights management has to be deployed at an enterprise level.
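The policy controls, owner-only revocation, first-access alert and audit trail described above can be modelled as a small policy decision service. This is an added example, not code from any vendor named on this page; the class names, the document name and the users are constructed, and the release of a content key is reduced to an allow/deny decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

RIGHTS = {"read", "edit", "copy", "print"}  # the four controls listed above

@dataclass
class Policy:
    owner: str                 # the data owner administers the policy
    grants: dict               # user -> set of allowed rights
    revoked: bool = False
    opened: bool = False       # has any access been granted yet?

@dataclass
class PolicyServer:
    policies: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)    # every decision, allow or deny
    alerts: list = field(default_factory=list)   # first-access notices to owners

    def protect(self, doc_id, owner, grants):
        for user, rights in grants.items():
            if set(rights) - RIGHTS:
                raise ValueError(f"unknown rights for {user}")
        self.policies[doc_id] = Policy(owner, {u: set(r) for u, r in grants.items()})

    def revoke(self, doc_id, actor):
        policy = self.policies[doc_id]
        ok = actor == policy.owner   # decentralized administration: owner only
        policy.revoked = policy.revoked or ok
        self._log(doc_id, actor, "revoke", ok)
        return ok

    def request(self, doc_id, user, action):
        """Decide one action on one copy of the document, wherever it is."""
        policy = self.policies.get(doc_id)
        allowed = (policy is not None and not policy.revoked
                   and action in policy.grants.get(user, set()))
        if allowed and not policy.opened:
            policy.opened = True
            self.alerts.append((policy.owner, doc_id, user))
        self._log(doc_id, user, action, allowed)
        return allowed

    def _log(self, doc_id, user, action, allowed):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, doc_id, user, action, "allow" if allowed else "deny"))

def demo():
    srv = PolicyServer()
    doc = "bid.docx"  # constructed sample document and users
    srv.protect(doc, "alice", {"bob": {"read", "print"}})
    results = [srv.request(doc, "bob", "read"), srv.request(doc, "bob", "copy"),
               srv.revoke(doc, "bob"), srv.revoke(doc, "alice"),
               srv.request(doc, "bob", "read")]
    return results, srv
```

Denied requests and the failed revocation attempt are logged alongside the allowed ones, which is what makes the audit trail useful after a breach.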

Conclusion

There are other features that are provided by the various enterprise rights management vendors and it is always a good thing to do an evaluation based on your organisation’s specific requirements. If you require help in choosing an enterprise rights management tool drop me a line.

Wikileaks: How To Prevent Your Organization From Being The Next Victim

The recent Wikileaks revelation has revealed that protecting confidential data is not about whole disc encryption or simple file encryption, but persistent security such that only those who are entitled to access the documents can do so, and no one else.

Above all, you can track and trace the usage of those sensitive documents no matter where they are located. I truly believe that the leak of the US government’s documented comments and conversations, which are all now in the public domain, could have been prevented if this type of security had been employed.

Organizations should really take a look at what Enterprise Rights Management has to offer and how it can protect the reputation of an establishment, be it in the public or private sector; with the likes of Wikileaks and the insatiable appetite for curiosity it is now becoming an essential tool for information security.

Companies warned as data theft disputes surge

Employers warned over data security as High Court data theft disputes rise by 313% and first Data Protection Act fines are issued.

Read the entire article on the Telegraph website: http://www.telegraph.co.uk/finance/businessclub/8157244/Companies-warned-as-data-theft-disputes-surge.html

Hold On A Minute! - Did I Miss the Point?

Yesterday in Michigan, USA, a former Ford employee admitted to a theft of $50 million worth of trade secrets and pleaded guilty. The problem with news like this is that the focus is always on the villain and how he or she carried out the crime.

The question that comes to mind for me is how on earth could Ford be so vulnerable as to enable an employee to steal so many documents? This should never happen in the first place, especially where you are dealing with something that represents the life blood of an organization.

Swiss Bank UBS employee leaked info on GM’s IPO

Swiss bank UBS lost out on a major revenue stream when it was discovered that an employee leaked details about the impending GM IPO. This leak meant that GM is required by law to disclose the e-mail in a filing with the U.S. Securities and Exchange Commission.

Up till November 3 UBS was listed as a proposed underwriter in GM’s IPO; however, it was dropped without reason. The person who leaked the email, the details of the email content and how widely the email was distributed are unknown, but GM said the e-mail went to various institutional investors.

GM has claimed the e-mail does not reflect its views, while GM’s disclosure limits the company’s liability. It’s also unlikely that UBS or the employee would face any repercussions from the SEC but that revenue dent is already made.

It is known that up to 80% of all data breaches do not become public knowledge, and here is a typical case. If it wasn’t for the disclosure in the IPO filing the public would be none the wiser. There must be at least 10 major data breaches happening every day that are impacting revenue, jobs and investor confidence. Data leakage through email is a big challenge to information security but progress seems to be very slow in this area.

Enterprise rights management has solutions that prevent employees from sending emails to wrong recipients. This solution, together with data leak prevention or context sensitive DRM, can prevent scenarios like the one that happened to UBS. It is estimated that UBS lost £6.2m in revenue as a result of being dropped by GM.

Enterprise Rights Management A Crucial Information Security Tool

The first enterprise rights management seminar was held in London last week, hosted by Documentti and sponsored by Fasoo.com. During the event Jason Sohn, the International Business Development Manager at Fasoo, identified the key reason why enterprise rights management has been adopted more rapidly in Asia than in any other part of the world.

He said it is not uncommon for an employee to leave one company and turn up in another company in another with the intellectual property of their former employer. Once your Intellectual property is out there you really don’t have any control over who gains access to it. This means your corporate strategy for the next 5 or 10 years could be undone in a few keystrokes.
