In May 2010, details relating to a “significant” number of companies that do business with Tralee Town Council in Ireland were sent to rival suppliers by email.
The incident was the result of an error in a mail merge application used in the generation of pre-electronic fund transfer checks, which caused emails to be issued out of sequence. As a result, the bank details of companies that do business with the council were delivered to other companies.
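The post does not say what produced the out-of-sequence output, so the following is an added example (not from the original post) of the most common cause of this class of defect: recipients and their payment details held in two lists and paired by position, so that one row dropped or re-ordered upstream shifts every later recipient onto someone else's bank details. The supplier ids, addresses and IBAN-like strings are constructed sample data. The keyed merge joins on a shared identifier and refuses to send when the two sides disagree.

```python
"""Positional mail merge (the defect) beside a keyed merge that fails closed.

Added example; the suppliers, addresses and IBAN strings are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Letter:
    to: str
    body: str


# Constructed sample data: three suppliers on the mailing list ...
RECIPIENTS = [
    {"supplier_id": "S1", "email": "ap@alpha.example"},
    {"supplier_id": "S2", "email": "ap@bravo.example"},
    {"supplier_id": "S3", "email": "ap@charlie.example"},
]

# ... but S2's payment row failed validation upstream and was dropped.
PAYMENT_DETAILS = [
    {"supplier_id": "S1", "iban": "IE00AAAA"},
    {"supplier_id": "S3", "iban": "IE00CCCC"},
]


def merge_by_position(recipients, details):
    """The defect: zip() silently pairs rows by index, so once one row is
    missing every later recipient receives the next supplier's details."""
    return [Letter(r["email"], f"Payment to {d['iban']}")
            for r, d in zip(recipients, details)]


class MergeMismatch(Exception):
    pass


def merge_by_key(recipients, details, key="supplier_id"):
    """Join on a shared identifier and refuse to produce any output if the
    two sides do not line up exactly (missing, extra or duplicate rows)."""
    by_key = {}
    for d in details:
        if d[key] in by_key:
            raise MergeMismatch(f"duplicate detail row for {d[key]}")
        by_key[d[key]] = d
    missing = [r[key] for r in recipients if r[key] not in by_key]
    extra = sorted(set(by_key) - {r[key] for r in recipients})
    if missing or extra:
        raise MergeMismatch(f"unmatched rows: missing={missing}, extra={extra}")
    return [Letter(r["email"], f"Payment to {by_key[r[key]]['iban']}")
            for r in recipients]


def leaked_letters(letters, recipients, details):
    """Post-merge check: return every letter whose body carries an IBAN that
    belongs to a different supplier than the addressee."""
    email_to_id = {r["email"]: r["supplier_id"] for r in recipients}
    iban_to_id = {d["iban"]: d["supplier_id"] for d in details}
    leaked = []
    for letter in letters:
        iban = letter.body.rsplit(" ", 1)[1]
        if iban_to_id[iban] != email_to_id[letter.to]:
            leaked.append(letter)
    return leaked


if __name__ == "__main__":
    bad = merge_by_position(RECIPIENTS, PAYMENT_DETAILS)
    print("positional merge leaked:", leaked_letters(bad, RECIPIENTS, PAYMENT_DETAILS))
    try:
        merge_by_key(RECIPIENTS, PAYMENT_DETAILS)
    except MergeMismatch as exc:
        print("keyed merge refused to send:", exc)
```

The point of `leaked_letters` is that the check is cheap and independent of the merge: it can be run on the generated output before anything is handed to the mail server.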
A similar breach occurred in 2008 when one of Eli Lilly’s outside lawyers at Philadelphia-based Pepper Hamilton mistakenly emailed highly confidential information on settlement talks with the US government to New York Times reporter Alex Berenson instead of Bradford Berenson, her co-counsel at another law firm, Sidley Austin. The email concerned a secret $1bn settlement in the Zyprexa drug investigation. (Eli Lilly is a major pharmaceutical company.)
Enterprise Rights Management can prevent embarrassing incidents like these. An email containing confidential information such as financial details, trade secrets or boardroom communications is encrypted, and the recipient must authenticate and be authorised before access to the content is granted; a message that lands in the wrong inbox stays unreadable.
This solution does not have to be deployed across the whole enterprise; it can be limited to the business units that handle confidential data on a daily basis. If you think your current operations could expose you to the same risk as Tralee Town Council or Eli Lilly, then you need to investigate how Enterprise Rights Management can address the problem.
If you have any questions on Enterprise Rights Management, send me your comments.
Google’s decision to start moving away from the Windows operating system because of its vulnerabilities, in my opinion, represents a seismic shift in the IT industry. Although Google is still silent on this matter, if true, many big enterprises will start to look into the feasibility of migrating to other operating systems like Linux, OS X and, in the future, Chrome OS.
It could be that the security vulnerabilities we have suffered over the last three decades have been due to our dependency on a single predominant operating system, namely Windows. Maybe if we had ten or more operating systems to choose from, all with an equal share of the market, we would be less vulnerable than we are today. Who knows?
However, no matter how many operating systems are available to us in the future, there will still be a need to protect confidential information like trade secrets, boardroom communications, financial data, etc., both within the corporate firewall and beyond. So it is becoming imperative that Enterprise Rights Management software vendors observe current trends and develop a strategy to support other operating systems like Linux, OS X and Chrome OS.
Enterprise Rights Management vendors that are able to respond to these changes will be well placed to capture the new opportunities on the horizon.
All comments are welcome.
If you are familiar with my blog, you know there are many Enterprise Rights Management solutions (also called Information Rights Management or Enterprise DRM) out there. The technology is gaining in popularity, but you have to choose a solution that meets your requirements. Remember, you don’t have to compromise.
So what are the top 10 must-haves when selecting your Enterprise Rights Management solution?
- Support for all file formats. The solution must support every file format in use within your organisation and be extendable to native formats you adopt later.
- Scalability. Always ask what the vendor’s largest deployment is, measured in users. If the solution is only going to be used by a small department this requirement may not be pertinent.
- Integration with all applications. The solution must be application agnostic; in other words it must keep pace with updates to the rendering applications for every file format you protect.
- Support for role-based policies. Role-based policies give flexible access to protected documents instead of naming individuals on each document: the individual is entered under a policy, and the policy is applied to the document, so a change of staff is a change to the policy rather than to every file.
- Support for both internal and external collaboration. Your Enterprise DRM solution should let you protect files both within and beyond your firewall.
- Integration with the enterprise’s Identity and Access Management (IAM). Integrating ERM with IAM furthers the enterprise’s goal of using IAM to provide appropriate access to enterprise resources. IAM encapsulates the people, processes and products used to identify and authenticate users and to grant or deny access to data and system resources.
- Offline capability. You should be able to work with protected files when offline or when no network is available.
- Low administrative overhead and transparency to the user. The solution must not significantly disrupt the way users perform their normal work.
- Integration with Data Loss Prevention. Depending on your network infrastructure, the solution must integrate with your DLP solution or provide its own content-aware detection.
- Unpackaging protected files. There will be times when a confidential document is no longer confidential and can be released into the public domain. You should be able to remove Enterprise DRM protection from such documents.
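As an added example (not code from any vendor on this page), the following model shows the indirection behind the role-based, offline and unpackaging requirements in the list above: a document is bound to a policy, a policy grants rights to roles, and people are placed in roles. An external partner is simply a member of a role whose users are not in the corporate directory, an offline lease caches the granted rights with an expiry, and releasing a document means clearing its policy. The policy and role names, user identifiers and the 24-hour lease are assumptions made for the example.

```python
"""Role-based ERM policy model with offline leases.

Added example; names, rights and the lease length are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RIGHTS = frozenset({"view", "edit", "print"})


@dataclass
class Policy:
    name: str
    role_rights: dict = field(default_factory=dict)  # role -> set of rights


@dataclass(frozen=True)
class Lease:
    """Rights cached on the client so a protected file opens offline."""
    user: str
    doc_id: str
    rights: frozenset
    expires_at: datetime


class PolicyServer:
    def __init__(self, lease_hours=24):
        self.policies = {}     # policy name -> Policy
        self.roles = {}        # role -> set of users (internal or external)
        self.documents = {}    # doc_id -> policy name, or None once released
        self.lease_length = timedelta(hours=lease_hours)

    def add_policy(self, policy):
        self.policies[policy.name] = policy

    def assign_role(self, user, role):
        self.roles.setdefault(role, set()).add(user)

    def revoke_role(self, user, role):
        self.roles.get(role, set()).discard(user)

    def protect(self, doc_id, policy_name):
        if policy_name not in self.policies:
            raise KeyError(f"unknown policy {policy_name}")
        self.documents[doc_id] = policy_name

    def unprotect(self, doc_id):
        """Release the document: no policy is consulted for it afterwards."""
        self.documents[doc_id] = None

    def rights_for(self, user, doc_id):
        """Union of the rights of every role the user holds under the
        document's policy. A document with no policy is unprotected."""
        policy_name = self.documents.get(doc_id)
        if policy_name is None:
            return RIGHTS
        granted = set()
        for role, rights in self.policies[policy_name].role_rights.items():
            if user in self.roles.get(role, ()):
                granted |= set(rights) & RIGHTS
        return frozenset(granted)

    def issue_lease(self, user, doc_id, now):
        rights = self.rights_for(user, doc_id)
        if not rights:
            return None
        return Lease(user, doc_id, rights, now + self.lease_length)


def can(lease, action, now):
    """Client-side check against a cached lease: valid, unexpired, and the
    action is among the granted rights."""
    return lease is not None and now < lease.expires_at and action in lease.rights


def build_demo():
    """Constructed setup: a board policy with one internal and one external role."""
    now = datetime(2010, 6, 1, 9, 0, tzinfo=timezone.utc)
    srv = PolicyServer(lease_hours=24)
    srv.add_policy(Policy("board-papers", {
        "board": {"view", "edit", "print"},
        "external-counsel": {"view"},
    }))
    srv.assign_role("alice", "board")
    srv.assign_role("counsel@partner.example", "external-counsel")
    srv.protect("minutes-2010-05.docx", "board-papers")
    return srv, now


if __name__ == "__main__":
    srv, now = build_demo()
    print(srv.rights_for("alice", "minutes-2010-05.docx"))
    print(srv.rights_for("counsel@partner.example", "minutes-2010-05.docx"))
```

Note that adding or removing a person from a role changes what every document under the policy allows without touching the documents themselves, which is the property the list is asking for.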
Other names for Enterprise Rights Management are:-
1. Enterprise DRM
2. Enterprise Digital Rights Management
3. Information Rights Management
4. Intelligent Rights Management and
5. Document Rights Management
Fasoo Secure File-Server - An Enterprise Rights Management Solution
Do you need a central place to store all your sensitive and confidential documents safely? Do you have to share this confidential or sensitive information with other employees but worry about it going beyond the permitted parties? This video explains how you can secure information on a file server while granting easy access to whoever needs it, with the ability to monitor and control that information.
This video presents the enterprise rights management capability of Fasoo Secure File Server, one of several products in a suite, and shows how it can help secure your sensitive documents. Enterprise Rights Management is also known as information rights management or enterprise DRM.
I recently read Aberdeen’s research brief on Enterprise Rights Management titled “Enterprise Rights Management: Persistence Pays Off” by Derek Brink. It is a well-written paper focusing on how best-in-class companies protect their unstructured data, and it serves as a good barometer for readers to see how they perform against those organisations.
The paper acknowledges the challenges unstructured data presents: how easy it is to replicate, how far it can travel throughout the organisation, how employees, given the choice, will disregard any security policy they feel impedes their regular tasks and, finally, that unstructured data is ubiquitous throughout the enterprise.
However, it is the statistics on the growth of unstructured data that are worth highlighting. For example, in the survey nearly 9 out of 10 (86%) respondents reported a year-on-year increase in the volume of unstructured data. This confirmed what I have always known, since 90% of the structured data in an organisation ends up interpreted in unstructured documents.
This paper is worth its weight in gold and gives businesses the imperative to take control of their unstructured content, especially documents that represent the organisation’s intellectual property. There is also a mention of other technologies used to protect unstructured documents apart from enterprise rights management, such as plain encryption, content management systems and data loss prevention, with emphasis on the superiority of enterprise rights management.
To obtain this paper, visit the Aberdeen Group website.
Enterprise Rights Management is all I write about, so when I first started this blog it occurred to me that I might not find sufficient material on such a narrow topic, but the contrary has been true and I always get a kick out of finding something to post. I recently read an article by Yuval Shavit titled “Data security: Alternatives to data leak prevention” on the SearchSecurityChannel website. He listed Enterprise DRM among other encryption tools as an alternative to Data Loss Prevention, but I am reticent to use the term “alternative”.
Data leak prevention, or data loss prevention (DLP), technology monitors and blocks attempts to send potentially sensitive or confidential data outside the corporate firewall. Enterprise DRM, on the other hand, persistently secures a file no matter where it is located. Unlike file encryption or hard disk encryption, which protect only the stored copy, Enterprise DRM secures the content of the file while it is in motion, at rest on a hard drive and in use (i.e. being read, printed or edited).
Regarding Enterprise DRM, Yuval described it as “the most advanced alternative to data leak prevention software”. Unfortunately, this is an inaccurate description of Enterprise Rights Management, or Enterprise DRM as it is also called. This is evident in the partnerships between DLP and ERM vendors like Liquid Machines, GigaTrust, McAfee and Symantec, who have described their technologies as complementary, not alternatives.
Yuval also described Enterprise DRM as client-side software. Hmm! I wonder what he meant by client-side, because it is the server that grants access to DRM-secured files by checking the access rights and the defined policies; the client component renders the file and enforces the rights the server has issued, but the decision is made on the server. The server also keeps the audit trail of the file over its entire life. Fasoo has an Enterprise Rights Management file server solution that lets users drag confidential files into a DRM-protected folder, so that the file is bound by the policy defined for that folder.
Also in this article, Enterprise DRM software is described as a much more expensive alternative to data leak prevention, which is not entirely the case. Today you can get a server-based Enterprise DRM solution for just under $5,000, while companies like OneHub are among the pioneers providing cloud-based Enterprise DRM, making it accessible to small businesses and individuals for a few dollars per month.
However, I do agree with Rob Eggebrecht, senior partner and CEO of BEW Global, a Castle Rock, Colo.-based security consultancy, who in the same article said: “Whereas Enterprise DRM technologies can be applied company-wide, Enterprise DRM is better kept as a tactical tool deployed only in a few key departments.” Very good point, Rob.
What left me a bit confused was the end of the section on Enterprise DRM, where Yuval said: “Depending on your client’s company, you may want to recommend complementing a company-wide DLP deployment with Enterprise DRM in the most at-risk departments, or it may be enough to protect just those departments.” So the question is: complementary or alternative?
I’ll be glad to hear your thoughts.
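The two paragraphs above (persistent protection at rest, in motion and in use, and the server deciding each access and keeping the audit trail) can be shown in working code. The block below is an added example, not Fasoo’s or any other vendor’s implementation: a protected file is an encrypted envelope that stays encrypted wherever it is copied, and a rights server releases the content key only after checking the requester’s rights, recording every decision. The cipher is a stand-in built from HMAC-SHA256 in counter mode with encrypt-then-MAC so the block runs on the standard library alone; a product would use AES-GCM or similar. The user names, document name, rights and timestamps are made up for the example.

```python
"""ERM envelope with server-side key release and an audit trail.

Added example. Stdlib-only stand-in cipher (HMAC-SHA256 keystream plus a
separate HMAC tag); a real product would use an authenticated cipher
such as AES-GCM. Names and rights are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _encrypt(key, nonce, plaintext):
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def _decrypt(key, nonce, ct, tag):
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass(frozen=True)
class Envelope:
    """What sits on disk, in mail or on a USB stick: inert without the server."""
    doc_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


@dataclass
class RightsServer:
    keys: dict = field(default_factory=dict)   # doc_id -> content key
    acl: dict = field(default_factory=dict)    # doc_id -> {user: set(actions)}
    audit: list = field(default_factory=list)  # one record per decision

    def protect(self, doc_id, plaintext, acl):
        key, nonce = os.urandom(32), os.urandom(16)
        ct, tag = _encrypt(key, nonce, plaintext)
        self.keys[doc_id] = key
        self.acl[doc_id] = acl
        return Envelope(doc_id, nonce, ct, tag)

    def request_key(self, user, doc_id, action, when):
        """The access decision lives here, and so does the audit trail."""
        allowed = action in self.acl.get(doc_id, {}).get(user, set())
        self.audit.append({"at": when, "user": user, "doc": doc_id,
                           "action": action, "decision": "allow" if allowed else "deny"})
        return self.keys[doc_id] if allowed else None


def open_envelope(server, user, env, action, when):
    """Client side: without a released key there is no content, regardless
    of how the envelope reached this machine."""
    key = server.request_key(user, env.doc_id, action, when)
    if key is None:
        return None
    return _decrypt(key, env.nonce, env.ciphertext, env.tag)


def roundtrip_demo():
    """Constructed scenario: the same envelope reaches the intended
    co-counsel and, by mistake, a reporter."""
    srv = RightsServer()
    env = srv.protect("settlement-memo.docx", b"constructed sample: draft settlement terms",
                      {"cocounsel": {"view", "edit"}, "reporter": set()})
    by_counsel = open_envelope(srv, "cocounsel", env, "view", "2008-02-04T10:00Z")
    by_reporter = open_envelope(srv, "reporter", env, "view", "2008-02-04T10:01Z")
    return srv, env, by_counsel, by_reporter


if __name__ == "__main__":
    srv, env, by_counsel, by_reporter = roundtrip_demo()
    print(by_counsel, by_reporter)
    for record in srv.audit:
        print(record)
```

The audit list is the server-side record the paragraph above refers to: it is written whether the request is allowed or denied, so a mis-addressed file shows up as a denied attempt rather than as a silent disclosure.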
Reference:
Data security: Alternatives to data leak prevention, by Yuval Shavit, Features Writer, SearchSecurityChannel.com.
Some organisations may not see the point of implementing Information Rights Management because, in their view, the “cat has been let out of the bag”, i.e. confidential documents have already been copied many times over. This is the wrong approach, because things will not get better but worse, ending in a potentially embarrassing moment like a data breach.
Implementing Information Rights Management across an organisation can be challenging, especially if the very documents you want to secure have already been copied all over the organisation. The next step for Information Rights Management vendors is to develop software that crawls the enterprise network and secures every document copied from an original. Once a copied document has been identified, the policy applied to the parent document should be applied to it. Since copies are renamed and edited, matching has to be done on content rather than on file names.
Yes, there are a number of questions that still need to be answered, but the benefits could be immense. Maybe this is an idea someone somewhere is already working on!
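As an added example of the crawler idea above (not a product feature, and not code from the original post), the block below fingerprints each protected original with word shingles and scores every candidate file by containment: the fraction of the candidate’s shingles that also occur in the original. Containment rather than Jaccard similarity is used because a partial copy with the author’s own notes appended still contains the original’s text. The file names, the sample documents and the 0.5 threshold are constructed for the example; a real crawler would feed it text extracted from files found on the network.

```python
"""Find copies of protected documents by content fingerprint.

Added example; the documents, paths and threshold are constructed.
"""
import re


def shingles(text, k=5):
    """Set of k-word sequences after case and whitespace normalisation,
    so renamed, re-cased or re-flowed copies still match."""
    words = re.findall(r"\w+", text.lower())
    if len(words) <= k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def containment(original, candidate):
    """Fraction of the candidate's shingles that also occur in the original."""
    if not candidate:
        return 0.0
    return len(original & candidate) / len(candidate)


def find_copies(protected, corpus, threshold=0.5):
    """protected: {path: (policy, text)} for documents already under a policy.
    corpus: {path: text} for everything the crawler found.
    Returns {path: (policy or None, score)} with the best-matching policy."""
    fingerprints = [(policy, shingles(text)) for policy, text in protected.values()]
    result = {}
    for path, text in corpus.items():
        cand = shingles(text)
        best_policy, best_score = None, 0.0
        for policy, fp in fingerprints:
            score = containment(fp, cand)
            if score > best_score:
                best_policy, best_score = policy, score
        result[path] = (best_policy if best_score >= threshold else None,
                        round(best_score, 2))
    return result


# Constructed sample documents.
ORIGINAL = ("Minutes of the board meeting held on 12 May 2010. Present: the chair, "
            "the chief executive and four directors. The board agreed to open "
            "negotiations to acquire Bravo Limited and authorised the chief executive "
            "to appoint advisers. The next meeting is on 16 June 2010.")

PARTIAL = ("Minutes of the board meeting held on 12 May 2010. Present: the chair, "
           "the chief executive and four directors. The board agreed to open "
           "negotiations. My own notes: remember to call the bank about the loan "
           "covenant before Friday.")

UNRELATED = ("Canteen menu for the week: soup, salad, pasta and fruit. "
             "Vegetarian options available every day.")

PROTECTED = {"board/minutes-2010-05.docx": ("board-papers", ORIGINAL)}

CORPUS = {
    "shared/minutes (copy).docx": ORIGINAL.upper().replace(". ", ".\n"),
    "alice/notes.docx": PARTIAL,
    "canteen/menu.txt": UNRELATED,
}


if __name__ == "__main__":
    for path, (policy, score) in find_copies(PROTECTED, CORPUS).items():
        print(f"{path}: score={score} apply={policy}")
```

The score is reported alongside the decision so that borderline matches can be queued for a person to review rather than silently locked down.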
There are two types of information that need to be protected across the enterprise. The first is structured data, the data you find in database repositories like Oracle, Sybase and Microsoft SQL Server. The other is unstructured data, which can be protected by a number of means, including file encryption, full disk encryption, access authentication and information rights management.
Structured data: security in this area has moved on in leaps and bounds over the last 10 years, but according to the Enterprise Strategy Group 86% of enterprises feel that their databases are secure, yet 56% have experienced a breach, indicating that many organisations still have a false sense of security. One of the worst data breach cases was Heartland Payment Systems, which suffered a breach in 2008 and is still paying out millions in compensation. However, the good news about protecting structured data is that, given the right advice and the right tools, the non-compliance holes can be plugged and the data leak risks that may exist eliminated.
Unstructured data: this is the most challenging type of data to keep a lid on, because it is very easy to duplicate and very difficult to track; moreover, structured data is always analysed in an unstructured format that is used to set the organisation’s strategic direction. This means it is easier for your competitors to learn what you are doing if there is a rogue or disgruntled employee on the inside. The challenges in protecting unstructured data are defining the data categories, locating the data and classifying it before protecting it. Information rights management (commonly called enterprise rights management) and data loss prevention are at the forefront of protecting unstructured data, which normally exists as boardroom strategies, intellectual property, financial information, trade secrets, etc.
So as you move to protect your information assets, there has to be a balance between protecting structured and unstructured data, to ensure that focusing on only one area of data security does not leave the other vulnerable, and vice versa.
Comments and feedback welcome.
I recently read the Forrester Thought Leadership paper “The Value of Corporate Secrets – How Compliance and Collaboration Affect Enterprise Perceptions of Risk”. I found the content very interesting, as it gave me further insight into how organisations think.
So here is what I learnt from this paper. The buck stops with the CISO when it comes to information security; as such, the CISO is pulled in all directions for limited IT security resources, and some areas of information security are allocated less resource than they require.
An organisation’s security programme protects two types of resource: trade secrets, which confer long-term competitive advantage, and custodial data assets, which are protected by regulation. Unfortunately, it is compliance, not security, that drives security budgets, and this results in an imbalance, because corporate secrets make up two-thirds of the value of the firm’s information portfolio.
The enterprise is overly focused on compliance requirements and hardly does enough to protect its corporate trade secrets. The reason I think this happens is that when trade secrets are stolen it rarely becomes public knowledge, and it is within the organisation’s discretion to keep breaches like this under wraps. When data that is subject to regulation is lost, however, an unreported breach is most likely to bring stiff penalties and damage to reputation.
Sensitive information or corporate secrets stolen by an employee is ten times costlier per incident than the loss of information protected by regulatory requirements, but the news gets worse: the more valuable the corporate information or trade secrets, the more incidents a firm will have. High-value organisations are four times as likely to have a security incident as low-value firms, because trade secrets generate revenue, increase profits and help maintain competitive advantage.
In conclusion, Forrester stated in clear terms that most enterprises do not actually know whether their data security programmes work, and are under-investing in programmes created to protect their secrets. This should be a wake-up call to CISOs and businesses alike, because it could mean that the real valuation of an organisation’s intellectual assets is less than the paper value, and that is why organisations need to embark on radical programmes to secure their corporate secrets. Security programmes and policies that effectively lock down corporate trade secrets need to be implemented in a controlled manner and should be non-intrusive to the way employees currently work.
Is your organisation haemorrhaging corporate trade secrets? Do you know what steps to take and what tools to employ to lock down this information? If not, it is important to consult your IT security team and speak to other organisations with the aim of bringing in best practice. Tools like Enterprise Rights Management and Data Loss Prevention can lock down this information and keep an audit trail of how it is used.
Reference:
Forrester Consulting March 2010: The Value of Corporate Secrets – How Compliance And Collaboration Affect Enterprise Perceptions of Risk.
Enterprise DRM: Desktop Solution.
This podcast is the seventh in the series (both written and audio) on Enterprise Rights Management solutions. It gives you a brief understanding of what the Enterprise Rights Management Desktop (or PC) Solution does and how it can benefit your organisation.
Your feedback is appreciated and I hope you find it helpful.
Podcast length: 4 minutes 40 seconds
Enterprise DRM: Web Solution.
This podcast is the sixth in the series (both written and audio) on Enterprise Rights Management solutions. This 3-minute podcast gives you a brief understanding of what the Enterprise Rights Management Web Solution does and how it can benefit your organisation.
Apologies for the quality of the podcast, just learning with the hope of getting better soon.
Your feedback is appreciated and I hope you find it helpful.
Podcast length: 3 minutes
I have made an update to the blog due to an oversight. If you look at the right-hand side of the screen, you will see that I have linked all the Enterprise Rights Management vendors to their respective websites, which makes it easier to get information on each vendor.
In the near future I am also going to create a product table for all the vendors, so that it will be easier for you to see which vendors better meet your needs, so watch this space.
Other terminologies for Enterprise Rights Management are:-
1. Enterprise Rights Management
2. Enterprise Digital Rights Management
3. Enterprise DRM
4. Information Rights Management
5. Intelligent Rights Management
6. Document Rights Management
7. Document Usage Control
This is part 1 of a two-part article. It describes setting up Active Directory Rights Management Services (AD RMS, Microsoft’s Enterprise Rights Management implementation) for Microsoft Exchange 2010. Elie Issa takes you through a step-by-step process, starting with setting up AD RMS and then configuring it to work with Exchange Server 2010.
Highly recommended technical read.
By Ashutosh Desai
The main concern companies raise about offsite hosted/managed services is that confidential data could be compromised, made public or sold to competitors. But the chances of an internal leak of information are higher than those of an external attempt (intrusion) to steal a company’s intellectual property, source code, customer records, etc. Employees deal with company data of varying degrees of sensitivity on a regular basis, and information is routinely shared with service providers, business partners and others. “Internal security risk is a complex and difficult challenge facing organizations today no matter what industry or region,” says Vikas Desai, lead technology consultant, RSA (India & SAARC).
How then can these organizations ensure that employees do not misuse data by sharing it with those not authorized to view it, or unintentionally leave it for someone else to steal? One way is to deploy a solution that can assign policies, ‘read’ file content stored in e-mail, an application or storage, actively monitor access and provide reports. The aim is to restrict or control the movement of internal data, whether it is resident on a storage device, travelling across a network or in use. ‘Content-aware’ data loss prevention (DLP) solutions available today can do this and more.
DLP cost may reduce as adoption increases
According to Gartner, the DLP space has seen steady growth over the last three years (2006-2009) and is expected to continue to do so. Total gross revenue of US $50 million in 2006 reached US $215 million in 2008, and in June 2009 Gartner predicted US $300 million for 2009. The analyst firm also expects prices of content-aware DLP solutions to drop as adoption increases over the coming two years. Additionally, IT companies have acquired vendors in the DLP space to boost their own security offerings.
Identify problem areas, prioritize data
According to Shantanu Ghosh, VP, product operations, Symantec India, “Preventing data breaches is all about risk reduction. To reduce risk, you must know where your data is stored, where it is going, and how it is used.” This way, organizations will be able to identify problematic practices, prioritize data and groups for phased remediation, and “staunch the flow of proprietary data leaving an organization.”
A Data Loss Prevention (DLP) solution helps the organization ‘discover’ and ‘classify’ data based on the organization’s priorities and policies. “Not all data in an organization is of equal importance from a security perspective,” explains Desai. There is quite a process to follow before the actual deployment of a DLP solution. An enterprise must first determine which data is most sensitive, then prioritize efforts and define appropriate policies. But to work out which data is sensitive, the organization’s business structure (departments and lines of business) must be understood. Based on this, regulatory and corporate compliance drivers need to be identified for each department. Only then can the information be grouped into ‘classes’.
High on awareness, low on implementation
Desai says CIOs in India are becoming more and more conscious of the information security issue within the organization. They are aware that not all intrusions or breaches are related to data theft. Sectors like banking, finance and insurance, IT/ITeS, telecom and manufacturing have invested in DLP; these are sectors where data is considered to be of a ‘high-risk’ nature. However, overall implementation of DLP does not match general awareness of the need. A Symantec survey conducted by IDC revealed that even though 79 percent of Indian enterprises rate data loss as their top information security concern (ahead of viruses or spam), only 15 percent of the surveyed enterprises had any form of data loss prevention measure in place.
Challenges
The biggest challenge, according to Ghosh, is lack of awareness of the technology. Ghosh said nearly half of the respondents in the IDC survey do not see the significance of, or need for, DLP solutions. Nearly 30 percent of enterprises are struggling with data classification, and some view defining proper rules and policies to prevent data loss as a problem. “DLP systems essentially put the responsibility of defining and managing policies related to data communication in the hands of a limited set of people within the organization,” says Vishal Gupta, founder-CEO, Seclore Technology. Gupta explained that if confidential data is not classified as sensitive, it will not be covered by a policy. So even with a DLP system in place, the minutes of a board meeting could still leak because the company failed to define them as confidential, so no policy was applied to them. On the flip side, Gupta says, an over-defined policy may restrict the sharing of information between teams. Employee salary information is confidential, but it may need to be sent to a payroll processor or a regulatory body, and the system will prevent the company from sharing it. “It is a slightly difficult proposition to achieve the middle ground,” concludes Gupta.
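The two failure modes Gupta describes can be reproduced with a small content-aware rule set. The block below is an added example, not code from Symantec, RSA, Seclore or any other product named in the article: a first policy that only knows about salary data lets board minutes pass and blocks a legitimate payroll transfer; a revised policy adds the missing class and allows the payroll processor’s domain for the salary class. The regular expressions, domains and sample messages are all constructed for the example.

```python
"""Content-aware DLP rules run over constructed sample messages.

Added example; patterns, domains and messages are made up.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    data_class: str
    pattern: re.Pattern
    # Recipient domains that may receive this class; empty means nobody outside.
    allowed_recipient_domains: frozenset = frozenset()


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str


INTERNAL_DOMAIN = "corp.example"


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower()


def evaluate(rules, msg):
    """Return ("allow" | "block", [matched data classes]).
    Internal mail is out of scope; outbound mail is blocked if any matched
    class does not list the recipient's domain as an allowed destination."""
    if _domain(msg.recipient) == INTERNAL_DOMAIN:
        return "allow", []
    matched = [r for r in rules if r.pattern.search(msg.body)]
    blocked = [r.data_class for r in matched
               if _domain(msg.recipient) not in r.allowed_recipient_domains]
    return ("block" if blocked else "allow"), [r.data_class for r in matched]


SALARY = re.compile(r"\b(salary|basic pay|CTC)\b.*?\b\d{4,}\b", re.I | re.S)
BOARD_MINUTES = re.compile(r"\bminutes of the (board|board meeting)\b", re.I)

# Policy as first written: salary is the only class anyone defined.
POLICY_V1 = [Rule("salary", SALARY)]

# Policy after review: the missing class is added and payroll is allowed.
POLICY_V2 = [
    Rule("salary", SALARY, frozenset({"payroll-provider.example"})),
    Rule("board-minutes", BOARD_MINUTES),
]

# Constructed sample traffic.
SAMPLES = {
    "minutes_to_personal": Message(
        "cosec@corp.example", "me@gmail.example",
        "Minutes of the Board meeting of 12 May: agreed to acquire Bravo Ltd."),
    "salary_to_payroll": Message(
        "hr@corp.example", "batch@payroll-provider.example",
        "Employee 1042 salary revised to 560000 effective June."),
    "salary_to_personal": Message(
        "hr@corp.example", "someone@gmail.example",
        "FYI salary for employee 1042 is 560000."),
}


def run(policy):
    """Decision per sample message for the given rule set."""
    return {name: evaluate(policy, msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    print("v1:", run(POLICY_V1))
    print("v2:", run(POLICY_V2))
```

Under the first policy the board minutes are a false negative (no rule, no match) and the payroll batch is a false positive (a rule with no permitted destinations); the second policy fixes both while still blocking the same salary data sent to a personal address.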
In some cases, DLP may not be enough
Vishal Gupta feels DLP systems work as long as information stays within the organization. When information needs to be shared with partners, legal counsel, etc., DLP cannot control what the recipient does with the data. “Today a lot of collaboration is happening outside the enterprise also,” says Gupta. “There has to be an IRM (Information Rights Management) system in place for highly collaborative enterprises.” This is because IRM maintains control over how a file can be used even after it has left the organization’s network. Whether it is needed, however, depends on the business needs of the organization.
Whether as part of a layered security strategy or as a well-balanced, policy-driven implementation, DLP products are still in an evolutionary phase. They will continue to mature in terms of ease of deployment, integration with other data protection technologies, more sophisticated analytics and so on. Enterprises must also start viewing data breaches, misuse and unintentional sharing, whatever form they take, as incidents that will seriously dent their credibility, and must at the same time start assessing this road to risk mitigation and IP protection.
Ashutosh Desai is a senior correspondent at CXOtoday.com and can be contacted via the CXO Today website.
Source: CXOToday.com
The Enterprise DRM Mobile Device Solution recognises that mobile devices like BlackBerry and iPhone, as well as Symbian, Windows and Android based smartphones, are becoming essential business tools that go beyond voice communication. What this solution does is extend the enterprise rights you have on your current computing infrastructure: if you have read-only rights to a particular document, those are the rights that will be extended to your mobile device. The overall goal of this solution is to protect confidential information on mobile devices, both as files and as email.
Fundamental to these mobile device solutions is a viewer that lets the user open all the protected file formats. Persistent security also extends to mobile devices; this means your data is secured at rest, in motion and in use. Fine-grained control over access and usage rights on mobile devices allows sensitive but business-critical information to be shared safely across the enterprise. Like other enterprise rights management solutions, it prevents access to files and emails sent to a recipient by mistake.
We have now looked at five Enterprise DRM solutions namely:-
1. Document Repository Solution.
2. Document Exchange Solution.
3. File Server Solution.
4. Print Solution.
5. Mobile Device Solution.
Please refer to earlier blog postings for an introduction to these solutions. Next time we will look into the web solution.