Enterprise Digital Rights Management

Fasoo Secure Exchange Server

Do you work with external partners and suppliers? Do you have to share confidential or sensitive information with these partners and suppliers, but are worried about that information going beyond the permitted parties? This video from Fasoo explains how you can secure information that travels beyond your firewall, while retaining the ability to monitor and control that information.

This video explains the capability of enterprise rights management, also known as information rights management, and how it can help secure your sensitive documents.

What Check Point’s acquisition of Liquid Machines means for Enterprise Rights Management.

This week saw the acquisition of the Enterprise Rights Management software vendor Liquid Machines by Check Point. This acquisition is a confirmation of further consolidation and integration needed to raise the profile of enterprise rights management software.

In a number of past blog posts I mentioned the superiority of Enterprise Rights Management over full disk encryption and file encryption, and Check Point’s acquisition confirms this because it already has its own file encryption tools. This is a recognition that the benefits of enterprise rights management around persistent security will always be the main advantage it has over any other encryption tool.

From Check Point’s perspective, this acquisition helps the company to leverage their suite of security tools, helping the company to draw from a wider selection of possible tools when recommending solutions to their clients.

I am hoping Check Point has not paid way above the market price, as there are current pressures for enterprise rights management price tags to come down, and price is another key factor to wider acceptance of this technology.

I believe that there will be further mergers and acquisitions in the enterprise rights management area over the next 12 months, but because of the downward pressure on product prices and implementation costs, return on investments will take longer than initially expected. Finally, this acquisition indicates that enterprise rights management is coming of age and will have its place in the enterprises’ overall information security strategy.

So when would you use Enterprise Rights Management in your organization?

Enterprise Rights Management would be used in the following situations:

  • You need to retain control of sensitive information, even after it has been delivered.
  • You are looking for a data-centric security tool that contributes to bringing you into compliance with ISO27001 standards.
  • You want to track content forwarded to internal and external audiences.
  • You want to prevent unauthorized access to, extraction from, or editing of information.
  • You want to revoke information access when business requirements dictate.

Data Loss Prevention and Enterprise Rights Management; Complementary or alternative?

Enterprise Rights Management is all I write about, so when I first started this blog it occurred to me that I might not find sufficient material to write on this very narrow topic, but the contrary has been true and I always get a kick from finding something to post on my blog. I recently read an article by Yuval Shavit titled “Data security: Alternatives to data leak prevention” on the SearchSecurityChannel website. He listed Enterprise DRM among other encryption tools as an alternative to Data Loss Prevention, but I am reticent to use the term “alternative”.

Data leak prevention or data loss prevention (DLP) technology monitors and blocks anyone who tries to send potentially sensitive or confidential data outside the corporate firewall. Enterprise DRM on the other hand persistently secures a file no matter where it is located. Unlike file encryption or hard disk encryption, Enterprise DRM secures the content of the file while it is on the move, stored on a hard drive or in use (i.e. being read, printed, or edited).

Regarding Enterprise DRM, Yuval described it as “the most advanced alternative to data leak prevention software”. Unfortunately, this is an inaccurate description of Enterprise Rights Management, or Enterprise DRM as it is also called. This is evident in the partnerships between DLP and ERM vendors like Liquid Machines, GigaTrust, McAfee and Symantec, who have described their technologies as complementary and not alternatives.

Yuval also described Enterprise DRM as client-side software. Hmmm! I wonder what he meant by client-side, because it is the server that grants access to DRM-secured files by checking the access rights and the defined policies. The server also keeps the audit trail of the file over its entire life. Fasoo has an Enterprise Rights Management file server solution that enables users to drag confidential files to a DRM-protected folder, thereby binding the file to the policy defined for that folder.

Also in this article, Enterprise DRM software is described as a much more expensive alternative to data leak prevention, which is not entirely the case. Today you can get a server-based Enterprise DRM solution for just under $5,000. Meanwhile, companies like OneHub are among the pioneers in providing cloud-based Enterprise DRM solutions, making it accessible to small businesses and individuals for a few dollars per month.

However, I do agree with Rob Eggebrecht, senior partner and CEO of BEW Global, a Castle Rock, Colo.-based security consultancy, who in the same article said “Whereas Enterprise DRM technologies can be applied company-wide, Enterprise DRM is better kept as a tactical tool deployed only in a few key departments”. Very good point, Rob.

What left me a bit confused was the end of the section on Enterprise DRM, where Yuval said “Depending on your client’s company, you may want to recommend complementing a company-wide DLP deployment with Enterprise DRM in the most at-risk departments, or it may be enough to protect just those departments”. So the question is: complementary or alternative?

I’ll be glad to hear your thoughts.

Reference:
Data security: Alternatives to data leak prevention, by Yuval Shavit, Features Writer at SearchSecurityChannel.com.

This article’s level of difficulty is rated as intermediate

Interesting article on open source software for DLP, Data Loss Prevention or Data Leakage Prevention. I wonder if you’ll be able to integrate it with Information Rights Management in the future?

A new development idea for Information Rights Management

Some organisations may not see the reason for implementing Information Rights Management because in their view the “cat has been let out of the bag”, i.e. confidential documents have already been copied many times over. This is the wrong approach, because things will not get better but worse, resulting in a potentially embarrassing moment such as a data breach.

Implementing Information Rights Management across an organisation can sometimes be challenging, especially if the very documents that you want to secure have been copied a number of times all over the organisation. The next step for Information Rights Management vendors is to develop software that can crawl the enterprise’s network and secure all documents that have been copied from the original document. Once a copied document has been identified, the policy that was applied to the parent document should be applied to it.

Yes, there are a number of questions that still need to be answered, but the benefits could be immense. Maybe this is an idea someone somewhere is already working on!

Protecting Corporate Sensitive and Confidential Information Across the Enterprise.

There are 2 types of information that need to be protected across the enterprise. The first is structured data, which is the data you find in database repositories like Oracle, Sybase and Microsoft’s SQL Server. The other is unstructured data, which can be protected by a number of means such as file encryption, full disk encryption, access authentication and information rights management.

Structured Data: Security in this area has moved on in leaps and bounds over the last 10 years, but according to the Enterprise Strategy Group 86% of enterprises feel that their databases are secure, yet 56% have experienced a breach, indicating that many organisations still have a false sense of security. One of the worst data breach cases has been Heartland Payment Systems, which experienced a breach in 2008 and is still paying out millions in compensation. However, the good news about protecting structured data is that, given the right advice and the right tools, the non-compliance holes can be plugged and the data leak risks that may exist eliminated.

Unstructured Data: This is the most challenging type of data to keep a lid on because it is very easy to duplicate and very difficult to track; moreover, structured data is routinely analysed in an unstructured format to provide strategic direction for the organisation. This means it is easier for your competitors to know what you are doing if there is a rogue or disgruntled employee on the inside. The challenges in protecting unstructured data are defining the data categories, locating where this data is and classifying it before protecting it. Information rights management, commonly called enterprise rights management, and data loss prevention are at the forefront of protecting unstructured data, which would normally exist as boardroom strategies, intellectual property, financial information, trade secrets, etc.

So as you move to protect your information assets, there has to be a balance between protecting structured data and unstructured data, to ensure that focusing on only one area of data security does not leave the other area vulnerable, and vice versa.

Comments and feedback welcome.

Quick guide to the differences between Enterprise Rights Management, File Encryption and Full Disk Encryption.

File Encryption, Full Disk Encryption and now Enterprise Rights Management! What does all this mean, and how do they differ?

File Encryption

  • Encrypts individual files / folders
  • Requires authentication to decrypt and access files
  • May result in out-of-compliance status with a mix of unencrypted and encrypted data
  • Encryption is not persistent once files are decrypted
  • Files protected by file encryption can only be accessed by the persons who have the right decryption key, but can be forwarded to unauthorised persons once decrypted
  • The access policy is no longer enforced once decrypted
  • You cannot withdraw access rights to the file once decrypted


Full Disk Encryption (FDE)

  • Encrypts entire hard drive
  • Replaces Master Boot Record with pre-boot environment
  • Decrypts automatically as files are accessed, once decrypted can be forwarded and distributed freely
  • Encryption is not persistent once files are decrypted
  • Files protected by full disk encryption can only be accessed by the persons defined as having rightful access to the hard disk
  • The access policy is no longer enforced once a file is emailed or transferred from the disk
  • You cannot withdraw access rights to the file once it leaves the hard disk


Enterprise Rights Management (ERM)

  • Encrypts individual files / folders
  • Authentication to access files can be piggybacked on your corporate authentication systems, e.g. Active Directory
  • May result in out-of-compliance status with a mix of unencrypted and encrypted data
  • Encryption is persistent even when files are accessed
  • Files protected by Enterprise Rights Management are secured and can only be accessed by the persons and groups defined in the policy of the file
  • The access policy can be enforced no matter the geographical location
  • You can withdraw access rights to an ERM-protected file at any time
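The three lists above, and the earlier point that it is the ERM server that grants access by checking rights and policy and keeps the audit trail, can be made concrete with a small model. The following is an added illustration written for this page; it is not Fasoo's, Liquid Machines' or any vendor's code. Document names, user names, the sample content and the policy are all constructed, and the cipher is a deliberately simple SHA-256 keystream XOR used only so the model runs with the standard library, not a production cipher. It shows why "once decrypted, the plaintext is free" holds for file encryption, and how an ERM policy server keeps the content key, decides every view or edit against the policy, logs the decision, and can revoke a user after the file has already been copied.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional


def _toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256-derived keystream. Toy construction for this model
    only, not a production cipher; the same call both encrypts and decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedFile:
    doc_id: str
    nonce: bytes
    ciphertext: bytes  # the on-disk / e-mailed form; never holds plaintext


# --- File encryption: the recipient holds the key, so control ends at decryption ---
def file_encrypt(key: bytes, doc_id: str, plaintext: bytes) -> ProtectedFile:
    nonce = os.urandom(12)
    return ProtectedFile(doc_id, nonce, _toy_cipher(key, nonce, plaintext))


def file_decrypt(key: bytes, f: ProtectedFile) -> bytes:
    # No policy is consulted: anyone holding the key gets the plaintext, and the
    # plaintext can then be forwarded with no further check and no audit record.
    return _toy_cipher(key, f.nonce, f.ciphertext)


# --- ERM: the server keeps the key and decides every access against the policy ---
class PolicyServer:
    def __init__(self) -> None:
        self._keys = {}    # doc_id -> content key (only ever released per access)
        self._policy = {}  # doc_id -> {user: set of allowed actions}
        self.audit = []    # (doc_id, user, action, decision) for the file's whole life

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> ProtectedFile:
        key = os.urandom(32)
        self._keys[doc_id] = key
        self._policy[doc_id] = {user: set(actions) for user, actions in policy.items()}
        return file_encrypt(key, doc_id, plaintext)

    def revoke(self, doc_id: str, user: str) -> None:
        # Takes effect on the user's next access, wherever the file copy now lives.
        self._policy.get(doc_id, {}).pop(user, None)

    def request(self, doc_id: str, user: str, action: str) -> Optional[bytes]:
        allowed = action in self._policy.get(doc_id, {}).get(user, set())
        self.audit.append((doc_id, user, action, "allow" if allowed else "deny"))
        return self._keys[doc_id] if allowed else None


def erm_open(server: PolicyServer, f: ProtectedFile, user: str, action: str) -> Optional[bytes]:
    """The viewer side: one key request per access. The trusted viewer uses the key
    for this operation and discards it, so the file stays encrypted at rest and in transit."""
    key = server.request(f.doc_id, user, action)
    if key is None:
        return None
    return _toy_cipher(key, f.nonce, f.ciphertext)


def demo() -> dict:
    """Walk the scenarios from the comparison lists and return the outcomes."""
    secret = b"Board strategy: enter the Asian market in Q3"  # constructed sample content

    # File encryption: once decrypted, nothing stops the plaintext leaving the organisation.
    key = os.urandom(32)
    forwarded_copy = file_decrypt(key, file_encrypt(key, "memo", secret))

    # ERM: the policy lives on the server; alice may view, bob may view and edit.
    server = PolicyServer()
    doc = server.protect("board-plan", secret, {"alice": ["view"], "bob": ["view", "edit"]})
    results = {
        "file_encryption_plaintext_free": forwarded_copy == secret,
        "alice_view": erm_open(server, doc, "alice", "view"),
        "alice_edit": erm_open(server, doc, "alice", "edit"),
        "outsider_view": erm_open(server, doc, "outsider", "view"),
        "bob_edit_before_revoke": erm_open(server, doc, "bob", "edit"),
    }
    server.revoke("board-plan", "bob")  # same file bytes, access withdrawn remotely
    results["bob_view_after_revoke"] = erm_open(server, doc, "bob", "view")
    results["audit"] = list(server.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is where the key lives. With `file_decrypt` the key and the plaintext both end up with the recipient, so revocation has nothing left to act on. With `erm_open` the `ProtectedFile` can be copied anywhere, but every open goes back to `PolicyServer.request`, which is also where the audit trail and the revocation decision are made; a real product additionally has to trust the viewer to discard the key, which is why the client component matters even though the policy decision is server-side.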

References:
PGP Corporation: Building the Business Case for Endpoint Data Protection, by Shilpi Dey, CISSP, Senior Product Marketing Manager.

The impact of UK government cost cuts on Information Security.

As we all know, the UK has a new government that has set out plans to cut costs, resulting in a huge budget deficit. However, considering that the record of information security in the public sector has not improved much over the last few years, my concern is that many government bodies will see a drastic cut in their IT budgets, which means information security will see cuts, thereby making these government bodies more vulnerable to a data breach.

While database security has improved across many government units, it is estimated that up to 80% of the units still have no means of preventing unstructured data from leaving their firewalls. Tools like Data Loss Prevention and Enterprise Rights Management are yet to reach acceptance levels similar to those in the private sector.

If the government wants to make sure the data breach figures continue to drop, this is definitely an area where it needs to increase spending rather than reduce it; otherwise the government might find itself paying more in compensation than it would have spent putting the right data security systems in place.

I have created a lens on Squidoo on Enterprise Rights Management to help businesses understand what it is. It will always be a work in progress, as I am seeking to create the perfect lens on this topic.

Any ideas and all contributions are welcome.

The current state of data security in Financial Services.

I was reading the Financial Services Authority’s (the UK’s financial regulator) manual on Data Security in Financial Services recently, and I must say it is one of the most comprehensive and easy to read manuals on data security. Although this is a big manual of 100 pages, I began to ask why so many companies are yet to be fully compliant in the area of data security. Please find below some reasons.

A few reasons, among many, why financial firms are failing to address all aspects of data security are:

  1. Many firms still do not appreciate the gravity of data security risk.
  2. Some firms do not have the expertise to assess the risk and devise ways of mitigating it.
  3. Many firms fail to devote resources to addressing the risk because it is assumed to be a cost with no possible return.
  4. In medium and large firms there is a lack of co-ordination among relevant business areas, creating loopholes through which financial data can be compromised.
  5. Some firms still do not understand the value of customer data to criminals. In most cases a little bit of data here and there can be used to build up a profile for identity theft.

Even the new £500K maximum fine for a data breach has not done anything to change the position of these financial services companies. There are still many data security holes, even in the bigger firms. Some of the bigger firms still view data security in terms of compliance and not falling foul of the law, rather than taking it on as a responsibility to protect their customers.

You may be asking what all this has to do with Enterprise Rights Management. Well, while many firms use databases to store their data, it is often transferred to spreadsheets, text files, etc. for analysis and reporting. At the same time, smaller firms do not use databases, but use spreadsheets instead. This makes a case for persistent security on such files, so that they can only be accessed by authorised persons wherever they are located.

Reference:
Financial Services Authority’s manual on Data Security in Financial Services. April 2008.

Protecting Corporate Trade Secrets.

I recently read the Forrester Thought Leadership paper called “The Value of Corporate Secrets – How Compliance and Collaboration Affect Enterprise Perceptions of Risk”. I found the content very interesting as it gave me a further insight into how organisations think.

So here is what I learnt from this paper. The buck stops with the CISO when it comes to information security; as such, the CISO is pulled in all directions for limited IT security resources, and as a result some areas of information security are allocated fewer resources than they require.

An organisation’s security program protects 2 types of resources. One is trade secrets that confer long-term competitive advantage and the other is custodial data assets that are protected by regulation. Unfortunately, it is compliance, not security, that drives the security budgets, and this results in an imbalance because corporate secrets make up two-thirds of the value of the firm’s information portfolio.

The enterprise is overly focused on the compliance requirements and hardly does enough to protect its corporate trade secrets. The reason I think this happens is that when trade secrets are stolen, it hardly ever becomes public knowledge, and it is within the organisation’s power to keep breaches like this under wraps. However, when data that is subject to regulation is breached, it is most likely that unreported breaches will bring about stiff penalties and damage to its reputation.

Sensitive information or corporate secrets stolen by an employee is ten times costlier per incident than loss of information protected by regulatory requirements, but the news gets worse, because the more valuable the corporate information or trade secrets, the more incidents there will be. As such, high-value organisations are four times as likely to have a security incident as low-value firms, because trade secrets generate revenues, increase profits and help maintain the competitive advantage.

In conclusion, Forrester stated in clear terms that most enterprises do not actually know whether their data security programs work or not, and are under-investing in programs created to protect their secrets. This should be a wake-up call to CISOs and businesses alike, because it could mean that the real valuation of an organisation’s intellectual assets may in fact be less than the paper value, and that is why organisations need to embark on radical programs to secure their corporate secrets. Security programs and policies that will effectively lock down corporate trade secrets need to be implemented in a controlled manner and should be non-intrusive to the way employees currently work.

Is your organisation haemorrhaging corporate trade secrets? Do you know what steps to take and what tools to employ to lock down this information? If not, it is important to consult with your IT security team and speak to other organisations with the aim of bringing in best practices. There are tools like Enterprise Rights Management and Data Loss Prevention that could lock down this information and keep an audit trail of how it is being used.

Reference:
Forrester Consulting March 2010: The Value of Corporate Secrets – How Compliance And Collaboration Affect Enterprise Perceptions of Risk.


Enterprise DRM: Desktop Solution.

This podcast is the seventh in the series (both written and audio) on Enterprise Rights Management solutions. This 3 minute podcast gives you a brief understanding of what the Enterprise Rights Management Desktop or PC Solution does and how it can benefit your organisation.

Your feedback is appreciated and I hope you find it helpful.

Podcast Length: 4 minutes 40 seconds


Enterprise DRM: Web Solution.

This podcast is the sixth in the series (both written and audio) on Enterprise Rights Management solutions. This 3 minute podcast gives you a brief understanding of what the Enterprise Rights Management Web Solution does and how it can benefit your organisation.

Apologies for the quality of the podcast; I am just learning, with the hope of getting better soon.

Your feedback is appreciated and I hope you find it helpful.

Podcast Length: 3 minutes

A Quick Change Due To An Oversight.

I have made an update to the blog due to an oversight. If you look at the right-hand side of the screen, you will see that I have linked all the Enterprise Rights Management vendors to their respective websites. This makes it easier to get information on each individual vendor.

In the near future I am also going to create a product table for all the vendors, so that it will be easier for you to decide which vendors better meet your needs, so watch this space.

Other terms used for Enterprise Rights Management are:

   1. Enterprise Rights Management
   2. Enterprise Digital Rights Management
   3. Enterprise DRM
   4. Information Rights Management
   5. Intelligent Rights Management
   6. Document Rights Management
   7. Document Usage Control