Do You Know What Enterprise Rights Management Really Is?
Over the weekend I read an article posted on Infosec Island titled “Putting an End to Data Breaches as We Know Them” by Robert Siciliano. Having read the article and the comments I came to the conclusion that even information or data security experts do not fully understand what enterprise rights management is.
So here is the underlying problem: if IT security experts do not understand the full capabilities of enterprise rights management, how can they effectively communicate the benefits or shortcomings to their employers or clients? For me the article on Infosec Island revolves around whether ZafeSoft is enterprise rights management or not.
Even though throughout the website the phrase ‘enterprise rights management’ or ‘information rights management’ is not used, the writer deemed it to be superior to “other” enterprise rights management solutions out there. On the other hand having read through the ZafeSoft website and the features of their products I came to the conclusion that ZafeSoft is enterprise rights management.
Gartner Paper Review: Getting Your Organization Ready to Deploy Enterprise Rights Management
Last month Gartner released another research paper titled “Getting Your Organization Ready to Deploy Enterprise Digital Rights Management”, authored by Eric Quellet, who has written many papers on Enterprise Rights Management at Gartner. This paper is based on 4 key findings, 3 of which I think are very significant, namely:
The overcomplication of deployments by attempting to accomplish too many goals.
A lack of proper preplanning and predeployment activities to successfully leverage Enterprise Rights Management.
Sometimes Enterprise Rights Management is not the right solution required to protect sensitive documents.
This is an interesting blog post by Ritu Kirti Prakash of Seclore Technology regarding the recent infamous WikiLeaks. Ritu reminds us that most of the time, if an organisation were to fall, it is because the enemy is already within. In the case of WikiLeaks, putting a simple information rights management solution in place will serve as a deterrent to staff printing one document, let alone thousands, because there will be an audit trail of all activity recorded in the log.
I encourage you to read this interesting post and then ask yourself, can my organisation become famous on WikiLeaks because we have not put in place the right controls to prevent confidential information getting into the wrong hands? If the answer is yes, then you need to consider information rights management and the persistent security it offers.
8 Breaches that could have been prevented by Enterprise Rights Management
In light of the latest intellectual property theft at General Motors, below is a list of data breaches that could have been prevented by Enterprise Rights Management. After you have gone through the list, ask yourself: am I as vulnerable as any of these organisations that have been affected?
In 2010 a former General Motors engineer and her husband conspired to steal trade secrets about hybrid technology and use the information to make private deals with Chinese competitors.
In 2010 a rogue MI6 agent attempted to sell MI6 confidential documents to the Dutch intelligence services for £2M GBP ($3M USD).
In 2010 bank details relating to a significant number of companies who do business with Tralee Town Council in Ireland were sent to rival suppliers by email.
In 2010 Motorola Inc, the US maker of mobile phones and two-way radios, sued rival Huawei Technologies Co for allegedly conspiring with former employees to steal trade secrets.
In 2009 a former Ford product engineer steals over 4000 confidential documents containing trade secrets from his former employer.
In 2008 a former Intel Corp. design engineer was charged with theft of trade secrets from the chip maker while secretly working for rival Advanced Micro Devices (AMD) Inc.
In 2008 one of Eli Lilly’s (a major pharmaceutical) outside lawyers at Philadelphia-based Pepper Hamilton had mistakenly emailed highly confidential information on settlement talks with the US government to New York Times reporter Alex Berenson instead of Bradford Berenson, her co-counsel at another law firm Sidley Austin. The content of the email was regarding a $1b secret settlement on the Zyprexa drug investigation.
In 2008 an HP employee distributes trade secrets he received while at his former employer IBM.
Removing Rights From Information Protected by Information Rights Management
There are occasions when information that has been protected by Information Rights Management is no longer required; this could mean information can be put out into the public domain to encourage further innovation, to address past issues, adopt lessons learnt or to abide by some regulatory or legislative requirement about making information accessible to everyone.
This is a key factor that information or data owners should consider when choosing an Information Rights Management solution. I have seen many occasions where there has been a very high emphasis on protecting data with information rights management, but no question has been asked about how to remove the protection so that it becomes accessible to all.
For example, in the United States the Freedom of Information Act that was signed into law in 1966 allows for the full or partial disclosure of previously unreleased information and documents controlled by the United States Government. In the United Kingdom the Freedom of Information Act 2000 is an Act of Parliament that introduces a public “right to know” in relation to public bodies, under which members of the public can demand information not in the public domain. The full provisions of the act came into force on 1 January 2005. In the private sector there have been occasions where businesses have released trade secrets into the public domain to encourage further innovation.
Transparency means that for full disclosure protection has to be completely removed from all documents previously protected with information rights management, but partial disclosure means that information protection has to be organised in a logical order to take into account the need to release part of that information into the public domain without compromising information that still needs to be protected.
A lack of strategy to address putting information previously addressed as confidential into the public domain could prove to be more of a headache than implementing Information Rights Management if not adequately addressed during the planning stage. Whatever information rights management solution you decide to go with you need to be assured that you can easily remove the rights protection on any data as easily as you can put it on.
I write about all things concerning Enterprise Rights Management and Microsoft is one of the solution providers in this area, so it is to my disappointment that I say that Microsoft has been naughty by not using its own pill to heal itself.
According to the Daily Telegraph article, the PowerPoint presentation, which contained details about Windows 8, was apparently aimed at an HP executive, is dated April 2010 and explains what is to be expected in the new operating system. There is no reason why Microsoft should suffer data leaks like this considering that Windows RMS is its own Enterprise Rights Management solution.
As a solution provider, it is your responsibility to use the technology in-house when communicating confidential information, because if you don’t use the technology and the word gets out that you suffered a data leak, you make your work harder convincing your customers to use the technology.
Microsoft Windows RMS comes packaged with Microsoft Office and requires a number of steps to switch on and use with the MS Office tools. I hope Microsoft will communicate this leaked document to its entire organisation and prevent such a leak from happening again.
Did you ever wonder if your customer lists and other confidential data is walking out the door when people leave the organization? Here is something that I came across when working with a client.
This organization uses multiple FTP and other file sharing sites to share documents internally and with partners and customers. Some of these are sanctioned by the organization, but many aren’t. The reason there are so many is because IT is very busy and hasn’t gotten around to creating an easy-to-use collaboration site for everyone. They also make it very difficult to implement anything as basic as a secure collaboration site without having to get vice presidential justification and jumping through hoops. There are Windows file servers for some internal projects and Microsoft SharePoint sites for others. People use email, free sites like drop.io and YouSendIt, and FTP sites to exchange documents with outside people. Employees have resorted to “roll your own” because IT can’t meet the need in a timely way.
So here’s the bad part. One of these FTP sites has the same password they used 3 years ago. This is an external site that anyone can access. One division uses this site to share documents with their customers, including invoices and purchase orders. It has a simple password and people share it all around the company. The site is easy to use and works fine. Unfortunately no one is actively managing this site or thinking about changing the password. People who left the company can still access that site and a lot of confidential information. Talk about a security hole.
This is one of the problems with most FTP sites. They are easy to use but their security is very rudimentary. They usually have a single password for user access with no ties into a directory service, like Microsoft Active Directory or LDAP. Hence, no one changes the password, because you would have to notify a lot of people that it changed; that’s a hassle and people would complain. By using a directory service, access is individualized and each user’s password controls access to the site. When an employee or contractor leaves your organization, you can shut down their access by disabling their user account. Now you have to worry about changing the password on this one site and notifying the users every time someone leaves.
If you are thinking about implementing a risk management strategy or a data governance plan, the first thing to look at is where you are putting your data. If you are using FTP sites, take a look at their security. I would get rid of them and use a secure file transfer service or a secure extranet portal that has individual user credentials. These are better options than an FTP site to let your employees, customers and partners securely share information.
If you suspect confidential documents walking out the door, check your FTP sites. Of course that assumes you can even find them all.
Ron Arden is the Vice President of Strategy & Marketing at eDocument Sciences, LLC based in Amherst, New York. Ron can be reached via their corporate website at www.edocumentsciences.com.
Welcome to the second article in this quick guide to Oracle Information Rights Management 11g. Hopefully you’ve just finished the first article, which takes you through deploying the software onto a Linux server. This article walks you through the configuration of this new service and contains a subset of information from the official documentation and is focused on installing the server on Oracle Enterprise Linux. If you are planning to deploy on a non-Linux platform, you will need to reference the documentation for platform specific information………
Total Control Solution For Digital Rights Management (DRM)
by William Kent
ArtistScope DRM (Digital Rights Management) is a total control solution for the access rights management of documents, images and web pages where an author can assign different permissions per user or group of users. When DRM rights are assigned the document becomes “for their eyes only” and any copies of that document forwarded on cannot be viewed by others unless they also have rights of view.
Protect financial data and portfolios. Provide financial data and statistics to valued clients. ArtistScope DRM is the most secure DRM solution imaginable. Tokens cannot be forged and certificates cannot be copied and redistributed. When a document or web page is tagged for DRM the back end is checked for their rights of access.
Protect photographs, plans and drawings. Upload and protect various file types including Word, HTML, PowerPoint, Excel and images for distribution as documents or for web pages which cannot be copied or printed unless you allow the privilege. Publish using any combination of DRM or copy protection rules or none at all.
Protect from anywhere. Administrate and distribute from anywhere. The creation of user accounts, document conversion and distribution can be managed online from any computer in the world. Create new users, assign administrators and other special users permitted to submit publications, update document permissions or suspend document availability at any time. Documents can be emailed to your group of users or provided as a download.
ArtistScope DRM Enterprise manages both documents and web pages from an online control panel that includes an extensive suite of server side tools for document conversion, image and web page encryption, member administration and distribution by email in zip format. ArtistScope DRM Anywhere will protect against unauthorized access to web pages hosted anywhere.
Restrict which users or groups can view a document or web page
Set expiration on a document or web page validated by time server
Allow or limit the number of views of documents and web pages per user or group
Allow or limit the number of prints of documents and web pages per user or group
Allow or limit access to documents and web pages by IP number or network
Allow or limit a user to add/edit documents for shared distribution
Create member accounts for authoring documents and web pages
Upload, convert and protect almost any type of document or web page
ArtistScope DRM Enterprise will upload documents and images and convert them to encrypted format for display on web pages for documents to distribute over the web. The Enterprise version includes an online page maker for creating and editing the look of your pages according to templates that you can create, plus a universal document converter for the conversion of almost all types of files so that they are compatible with ArtistScope DRM options.
ArtistScope DRM utilizes the renowned CopySafe technology for the copy protection of documents while in view, protecting them from all copying methods including Printscreen and screen capture.
DRM control pages can be translated into more than 25 different languages automatically. When the multi-language support option is enabled, all windows and messages (including member email notices) are translated to the user’s language.
How do you see the future of Enterprise Rights Management?
I find myself duty bound to follow what is going on in the enterprise rights management marketplace, and in doing so I came across a post by Sachar Paulus of the consulting firm Kuppinger-Cole. Sachar strongly believes that there will be a convergence between enterprise rights management and digital rights management used to protect audio and video content. In my response I completely disagreed with him, saying that the majority of the current enterprise rights management vendors have tried to distance themselves from DRM because of how unpopular it has been over the last 20 years.
However, one thing struck me in this argument. Most of the generation that rebelled against DRM are now managers or are moving into management positions. Will their current status have changed their minds such that they will now buy into DRM, let alone allowing it to converge with enterprise rights management? I don’t think so, but your opinion is what matters.
We also had a debate over whether Apple is a player in the enterprise rights management marketplace. Sachar said yes because many books, pictures etc. (so, content) are delivered through the iTunes store as an application. But does this qualify it as enterprise rights management? My view: no, because enterprise rights management is all about content.
However, let’s look at this from an analytic viewpoint. Suppose user ‘A’ has downloaded an app to their iPad which enables her to read an ebook. ‘A’ buys an ebook from the App Store; that ebook belongs to ‘A’ and the app enables the reader to access the document. I would want to believe that when the ebook was downloaded, the policies guiding the ebook were downloaded to the app, which is the container for the ebook. Based on this analysis you can see why it is the content that needs protecting and not the app. Can someone more knowledgeable about Apple help me out, so I can know whether I am off track?
Anyway, for the exchange of comments between myself and Sachar please access the following link. It will be good to hear from you regarding your views.
Data leakage, theft, hacking, compromise, accidental / intentional disclosure are here to stay and it is the responsibility of the employer / owner organization and the user to collectively ensure security while ‘at rest’ and when ‘in transit’. Policies and procedures require users to ingrain best practices into their work culture but there is always the risk of human error or a slip-up even in highly mature workplaces or even if the users are highly trained and disciplined. An example is the incident of an army Major who had classified data on his computer and this was hacked. The full story can be read here - “Major’s comp hacked, info leak feared”
As the affected organization is the Army it is natural to assume there are strong controls in place and this is clearly a case of non-compliance on the part of the officer. Again, though controls are in place and the users are a disciplined and trained lot, this non-compliance has led to a security breach (a worst case scenario) and there is no rollback here. Classified data has been compromised and seems to be in the hands of enemies. There is no telling what will be the repercussion of this loss, and one cannot expect that the Army is going to be sharing any details of their investigation or findings.
While everything seems to be in place it is also obvious that the data would be much safer had it been protected by an Information Rights Management (IRM) system like Seclore. The Information Rights Management solution would have provided the organization with the means to withdraw the rights for all the classified documents on the machine for the user (machine owner) and thus render those documents inaccessible.
Data losses can happen anywhere and anyhow. People carry work home and assume it is safe but risks manifest themselves in different locations in different variants. It is necessary to be safe rather than sorry. A data breach, if not measurable in monetary terms, will cause intangible losses which (eventually) will finally lead to loss of confidence and trust from stakeholders.
This leads to the necessity that security controls extend beyond the enterprise perimeter and an Information Rights Management solution provides this capability. An Information Rights Management solution will allow the organization to establish controls based on document lifecycle policies that address classification, distribution controls and user rights with due consideration of business responsibilities and requirements. The system can be configured to apply these policies by default on the data being created. Alternatively policies can be applied manually and a user can create additional customized controls if needed.
In effect an Information Rights Management solution will provide the means for end-to-end control of data or documents throughout its lifecycle. The unique value brought about by this solution is that it allows the owner (individual or organization) to enforce data classification, monitor location of distributed data, actively log data access and retain control of access rights for the data irrespective of its location.
Implementing an Information Rights Management solution will allow Information Security managers to take the enterprise to a higher level of assurance as strong safeguards are embedded into the data assets at time of creation itself and remain so, until destruction or authorized removal.
Vishal is the CEO at Seclore Technology, a major player in the Information Rights Management space. Vishal is also an Enterprise Rights Management Evangelist and can be contacted via the Seclore Technology website.
This article is a reblog from the Seclore Technology blog.
Enterprise rights management (ERM), a/k/a information rights management (IRM), is an offshoot of DRM technology designed to protect company confidential information instead of commercial media content. With it, sensitive documents……
This is a post on Bill Rosenblatt’s Copyright and Technology blog
Fasoo Secure Exchange Server
Do you work with external partners and suppliers? Do you have to share confidential or sensitive information with these partners and suppliers, but are worried about that information going beyond the permitted parties? This video from Fasoo explains how you can secure information that travels beyond your firewall, with the ability for you to monitor and control that information.
This video tells you about the capability of enterprise rights management, which is also known as information rights management and how it can help secure your sensitive documents.
What Check Point’s acquisition of Liquid Machines means for Enterprise Rights Management.
This week saw the acquisition of the Enterprise Rights Management software vendor Liquid Machines by Check Point. This acquisition is a confirmation of further consolidation and integration needed to raise the profile of enterprise rights management software.
In a number of past blog posts I mentioned the superiority of Enterprise Rights Management over full disk encryption and file encryption, and Check Point’s acquisition confirms this because it already has its own file encryption tools. This is a recognition that the benefits of enterprise rights management around persistent security will always be the main advantage it has over any other encryption tool.
From Check Point’s perspective, this acquisition helps the company to leverage their suite of security tools, helping the company to draw from a wider selection of possible tools when recommending solutions to their clients.
I am hoping Check Point has not paid way above the market price, as there are current pressures for enterprise rights management price tags to come down, as price is another key factor to wider acceptance of this technology.
I believe that there will be further mergers and acquisitions in the enterprise rights management area over the next 12 months, but because of the downward pressure on product prices and implementation costs, return on investments will take longer than initially expected. Finally, this acquisition indicates that enterprise rights management is coming of age and will have its place in the enterprises’ overall information security strategy.
Welcome to the Enterprise Rights Management space (also known as Information Rights Management). My name is Peter Abatan, an advisor in Enterprise Rights Management. I believe the potential for Rights Management is still greatly unknown; my prediction is that it will become the security tool that both businesses and individuals embrace.
Watch this space for ideas on how Enterprise Rights Management will become the key to driving new innovations on the web and within organisations.
In this space I would be evaluating software from all vendors namely:-
If you are an Enterprise Rights Management software vendor and want to be listed, or need help with advice on Enterprise Rights Management, please click on the contact button on the right hand side of your screen.