Enterprise Digital Rights Management
What Could Happen If You Don’t Employ Enterprise Rights Management

I was speaking to a senior executive last year who asked, “What could happen if I don’t use Enterprise Rights Management?” My reply was many things. Although I could not remember every single point listed below off the top of my head, I was able to articulate the salient points about the potential risks. So here are some events that could happen if you don’t employ Enterprise Rights Management.

  1. The perceived value of your business is eroded slowly through the loss of your intellectual property to competitors that former employees join or new startups by former employees.
  2. Investor confidence in your business’ ability to safeguard trade secrets begins to wane.
  3. You really don’t have full control of where your information assets are located and as such you cannot know when your confidential information gets into the wrong hands.
  4. You cannot control how your confidential information or sensitive data is used once you send it to a third party.
  5. Staff could mail confidential documents or sensitive data to the wrong recipient after which you have no control.
  6. You might never know when your intellectual property is taken without permission and used in a way that runs counter to your business.

So is your business at risk? Find out what enterprise rights management can do to stem the flow of your confidential information and intellectual property to your competitors.

    Corporate and Industrial Espionage To Rise In 2011

    Yesterday the car manufacturer Renault filed a criminal complaint on an industrial espionage case in which it asserts that a foreign company sought to obtain secrets related to its electric car program.

    The case involved 3 executives who have since been suspended. In an age where technology is advancing at a pace never seen in our lifetime, organizations will continue to jostle for dominance. In that jostling, just as the 3 executives have been suspended on suspicion of selling corporate intellectual property to a rival car manufacturer, there are similar executives who will lay aside corporate ethics to pay for stolen confidential information.

    You would think that becoming an executive means that you have earned the trust of your employer, are considered to be a person of integrity and are on the path to an accomplished career. Therefore, considering the risk of being found out and ending a career due to industrial espionage, such an offer is completely out of the question. If you are that promising executive, will you blow the whistle on such an offer? What happens if you are offered say $750K or anything north of $1m for such information, will you say “NO”?


    The Future of Enterprise Rights Management: Standards or Interoperability

    Sachar Paulus of Kuppinger Cole and I rarely agree on the future of Enterprise Rights Management. First of all, he still continues to refer to ERM as Digital Rights Management despite the fact that many closely associated with ERM have explained the difference to him. Secondly, he continues to refer to Apple when talking about ERM; unfortunately, as great a company as Apple is, it does not have its own ERM solution.

    In his latest post titled “Without standards for DRM and IRM Cloud Security will remain a daydream” Sachar said there is a need for standards on Enterprise Rights Management. Again I commented on the post, disagreeing with his view; creating a standard for ERM is the last thing that is needed for this security tool.

    I come from an interoperability viewpoint and I strongly back the need for interoperability because it will enable ERM clients to switch from one vendor to another as and when they choose to, and I’ll soon expect them to demand this feature.

    As far as ERM is concerned I could say that we are still at the primitive level of interoperability which enables the administrator of the document to run a utility that will remove the security on a document or set of documents. This can then be secured using another ERM solution. At this stage not all ERM vendors provide this solution.

    Now creating a standard for Enterprise Rights Management is a different ball game altogether. Creating a standard means exposing the architecture of the ERM application, and this makes it a target for a security breach. All you need is someone to create an algorithm to crack ERM and all solutions out there become vulnerable.

    Finally, I may be ranting on about nothing and someone out there disagrees with me. I’d like to hear your viewpoint: Standards or Interoperability?

    Understanding Enterprise Rights Management

    Enterprise rights management has been around for over 10 years and it still baffles me how many data security consultants, IT journalists and bloggers still get it all wrong when it comes to understanding what enterprise rights management can and cannot do. On the other hand it may be there is a lack of effective communication from many of the enterprise rights management vendors.

    In an article I commented on over the weekend, the writer referring to enterprise rights management said “this type of protection typically applies only when the document is in transit”. If I were to write on a technology on which I do not have the full facts, I am under obligation to my audience to do some research, understand what the facts are, and communicate those facts in a fair and objective manner.

    So as the first blog post of the year I’d like to do a quick primer of what enterprise rights management can do.

    The 3 States of Data: If you are a regular reader of this blog you will know that enterprise rights management does more than protect data in transit. Like the 3 states of water (liquid, solid and gas), data has 3 states in which it can exist.

    Data can be at rest i.e. stored on a server, laptop, USB key, or on any mobile device to name a few. Data can also be in use i.e. the content is being read, edited, printed or copied. And finally data can be in transit over a network via email or ftp.

    Enterprise rights management has the ability to protect data in any of these 3 states. If the solution you are being offered cannot protect your data in all three states, it is not enterprise rights management. The ability to secure data in all 3 states is referred to as “persistent security”.

    Policy creation and management: Enterprise rights management helps data custodians to define what users can and cannot do with the data secured with this tool. The policy defined for a document generally revolves around the following controls:

    1. Editing
    2. Reading
    3. Copy/Paste (including screen capture)
    4. Printing

    Another aspect of policy management is the ability to revoke access to a file or document no matter where it is located in the world. Many enterprise rights management vendors alert the document custodian when a file has been accessed for the first time.

    Decentralized administration: One of the key challenges of data security has been that a data security administrator had access to data that was above his or her pay grade. With enterprise rights management the security of the data is administered by the data owner. This considerably reduces the risk of a data breach.

    Auditing: Enterprise rights management should and must provide an audit trail of how all documents secured by it are used. This can be a very effective tool when a data breach has occurred.
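
    The policy, revocation, owner-administration and audit points above can be sketched as a single use-time check. This is an added example, not code from this blog or from any ERM vendor; the class names, users and document name are hypothetical, and it assumes a trusted viewer asks the server before every action.

```python
"""Toy use-time policy check (constructed example, not a vendor API)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ACTIONS = {"read", "edit", "copy", "print"}  # the four controls listed above

@dataclass
class Policy:
    owner: str
    grants: dict            # user -> set of allowed actions
    revoked: bool = False   # the owner can flip this after distribution

@dataclass
class PolicyServer:
    policies: dict = field(default_factory=dict)  # doc_id -> Policy
    audit: list = field(default_factory=list)     # append-only usage trail
    alerts: list = field(default_factory=list)    # first-access notices
    opened: set = field(default_factory=set)      # docs already accessed once

    def revoke(self, doc_id, requester):
        policy = self.policies[doc_id]
        if requester != policy.owner:   # administered by the data owner only
            raise PermissionError("only the data owner may revoke")
        policy.revoked = True

    def request(self, doc_id, user, action):
        """Decide one use of a document; every decision lands in the audit trail."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        policy = self.policies.get(doc_id)
        allowed = (policy is not None and not policy.revoked
                   and action in policy.grants.get(user, set()))
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "doc": doc_id, "user": user,
                           "action": action, "allowed": allowed})
        if allowed and doc_id not in self.opened:
            self.opened.add(doc_id)     # alert the custodian on first access
            self.alerts.append((policy.owner, doc_id, user))
        return allowed

def demo():
    # Constructed sample data: alice owns the file, bob may read and print it.
    server = PolicyServer()
    server.policies["roadmap.pdf"] = Policy("alice", {"bob": {"read", "print"}})
    results = [server.request("roadmap.pdf", u, a)
               for u, a in [("bob", "read"), ("bob", "copy"), ("eve", "read")]]
    server.revoke("roadmap.pdf", "alice")   # owner pulls access after the fact
    results.append(server.request("roadmap.pdf", "bob", "read"))
    return results, server
```

    Denied requests are logged as well as granted ones, so the trail shows attempted misuse and not only permitted use.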

    Integration: Enterprise rights management should have the ability to integrate into other enterprise wide systems like enterprise content management, customer relationship management, email management, message archiving, eDiscovery and a myriad of cloud based systems.

    This ability to integrate with enterprise based systems does not mean that enterprise rights management has to be deployed at an enterprise level.

    Conclusion

    There are other features that are provided by the various enterprise rights management vendors and it is always a good thing to do an evaluation based on your organisation’s specific requirements. If you require help in choosing an enterprise rights management tool, drop me a line.

    Companies warned as data theft disputes surge

    Employers warned over data security as High Court data theft disputes rise by 313% and first Data Protection Act fines are issued.

    Read the entire article on the Telegraph website: http://www.telegraph.co.uk/finance/businessclub/8157244/Companies-warned-as-data-theft-disputes-surge.html

    Hold On A Minute! - Did I Miss the Point?

    Yesterday in Michigan, USA, a former Ford employee admitted to a theft of $50 million worth of trade secrets and pleaded guilty. The problem with news like this is that the focus is always on the villain and how he or she carried out the crime.

    The question that comes to mind for me is how on earth could Ford be so vulnerable as to enable an employee to steal so many documents in the first place? This should never happen in the first place, especially where you are dealing with something that represents the life blood of an organization.


    LockLizard release PDF Enterprise Rights Management for large publishers and corporate enterprises

    Control and Audit document use with LockLizard PDF DRM Software

    If you are looking to control who is using your PDF documents, and how they are being used, then look no further than LockLizard Safeguard Enterprise PDF Security.

    Safeguard Enterprise PDF Security is LockLizard’s latest Digital Rights Management (DRM) software product, providing PDF DRM protection to the large publisher or corporate enterprise.

    Apart from preventing intellectual property theft by controlling document use, Safeguard Enterprise PDF Security enables publishers to track how authorized users are using their documents (when they are viewed, when and how many times they are printed, etc.).

    Safeguard Enterprise PDF Security prevents PDF copying, sharing, modifying and screenshots, controls document expiry, stops printing (or lets you control the number of prints allowed) and enforces dynamic watermarks.  Individual user details can be displayed on documents when they are viewed and/or printed to deter casual copying by digital cameras or photocopies. If publishers feel their documents are being misused then they can instantly revoke access to them.

    Safeguard Enterprise PDF Security entry level pricing is just $4995 for a subscription license, with perpetual and own server licenses available. More information can be found at http://www.locklizard.com/pdf_drm_security.htm

    Swiss Bank UBS employee leaked info on GM’s IPO

    Swiss bank UBS lost out on a major revenue stream when it was discovered that an employee leaked details about the impending GM IPO. This leak meant that GM is required by law to disclose the e-mail in a filing with the U.S. Securities and Exchange Commission.

    Up till November 3 UBS was listed as a proposed underwriter in GM’s IPO; however, it was dropped without reason. The person who leaked the email, the details of the email content and how widely the email was distributed are unknown, but GM said the e-mail went to various institutional investors.

    GM has claimed the e-mail does not reflect its views, while GM’s disclosure limits the company’s liability. It’s also unlikely that UBS or the employee would face any repercussions from the SEC but that revenue dent is already made.

    It is known that up to 80% of all data breaches do not become public knowledge, and here is a typical case. If it wasn’t for the disclosure in the IPO filing the public would be none the wiser. There must be at least 10 major data breaches happening every day that are impacting revenue, jobs and investor confidence. Data leaks through emails are a big challenge to information security but progress seems to be very slow in this area.

    Enterprise rights management has solutions that prevent employees from sending emails to wrong recipients; this solution, with data leak prevention or context-sensitive DRM, can prevent scenarios like the one that happened to UBS. It is estimated that UBS lost £6.2m in revenue as a result of being dropped by GM.

    Enterprise Rights Management A Crucial Information Security Tool

    The first enterprise rights management seminar was held in London last week, hosted by Documentti and sponsored by Fasoo.com. During the event Jason Sohn, the International Business Development Manager at Fasoo, identified the key reason why enterprise rights management has been adopted more rapidly in Asia than in any other part of the world.

    He said it is not uncommon for an employee to leave one company and turn up in another company in another with the intellectual property of their former employer. Once your Intellectual property is out there you really don’t have any control over who gains access to it. This means your corporate strategy for the next 5 or 10 years could be undone in a few keystrokes.


    Quick guide to Oracle IRM 11g: Sample use cases

    Simon Thorpe of Oracle IRM has just written a post on what follows on from data classification in his quick guide series. For each use case Simon walks through the important decisions made and resulting context design to help you understand how enterprise rights management is used in the real world. This is a must read article with great insights.

    To access this interesting post click here

    Invitation: Enterprise Rights Management Seminar In London

    On November 11, 2010 Fasoo.com, one of the leading enterprise rights management vendors, and Documentti Inc, a UK based partner to Fasoo and the company I work for as a partner, will be hosting an enterprise rights management seminar. The keynote speech will be given by Steve Gold, the technical editor of InfoSecurity Magazine. Come and learn why you need to protect your sensitive documents and confidential information. You will also get insights into how enterprise rights management strategically sits within your overall information security strategy.

    To register for the seminar click here. We have made every effort to make your stay at the seminar convenient: there will be WIFI access to enable you to stay in touch, and lunch will be served (please let us know during registration if you have any special dietary requirements). The Grange City Hotel has fantastic access to all means of transport within central London. Click here to see directions to the hotel.

    All enquiries about the seminar should be sent to the London Seminar Enquiry


    Taking control of unstructured data

    This article by Robert MacMillan is a very interesting read on unstructured data, enterprise rights management and data leakage prevention.

    Robert, who holds that IT administrators are expected to manage permissions to data without knowledge of the business context of the information, makes a strong argument for endpoint security tools like enterprise rights management and data leakage prevention within the enterprise to control access to unstructured documents.

    You can access this article by clicking here

    Solution: How To Avoid The ACS:Law Data Breach

    After last week’s high-profile data breach at ACS:Law, BT wants to halt legal applications to obtain customer details of people alleged to have taken part in illegal online file sharing. The telecoms company called for the moratorium and it is likely that other telecoms companies will follow the same route.

    This really should not be a big issue since the solution to solve this problem has been around for a while. It is called Enterprise Rights Management and works on the principle of persistent security which means the data cannot be used beyond what has been specified by the data owner, whether the data is in use, at rest or in motion.
