This article by Robert MacMillan is a very interesting read on unstructured data, enterprise rights management and data leakage prevention.

Robert a proponent that IT Administrators are expected to manage permissions to data without knowledge of the business context of the information makes a strong argument for endpoint security tools like enterprise rights management and data leakage prevention within the enterprise to control access to unstructured documents.

You can access this article by clicking here

I was reading a short article on the Computer Weekly website about the recent data breach at ACS:Law. The article echoes what I have been saying for quite some time about the security of unstructured documents. Amichai Shulman, chief technology officer at Imperva commented that the recent data breach highlights a hidden security weakness in unstructured data.

Many organisations have spent millions on securing their databases (structured), leaving a big security hole in not addressing the security of unstructured data. What many organisations forget or miss is that all the data in the database is not very helpful to executives and managers if it cannot be interpreted in a way that makes sense.

Read More

As you know Enterprise Rights Management also referred to as Information Rights Management is all about protecting unstructured data. Derek Brink of Aberdeen Group gave an interesting webinar on BrightTalk in May of 2009 on how organisations manage and address security for unstructured data and how best-in-class manage to serve and protect their unstructured data.

To access this webinar you need to create an account with BrightTalk if do not have one. This webinar is located under Governance, Risk and Compliance under Information Technology. The research paper on which this webinar is based can be accessed via the Aberdeen Group website.

You can access the webinar here.

Length of webinar: 33 minutes

In today’s world cyber-criminals are becoming more and more sophisticated. They know that businesses keep all kinds of confidential and sensitive data on their computer systems. From Intellectual property to product designs, strategy documents, specification documents, customer records and bank details, all these have the potential to be monetized once accessed. A recent case is Daniel Houghton a rogue MI6 agent who wanted to sell confidential documents to the Dutch intelligence services for £2M GBP ($3M USD)

Through Trojans and other forms of malware, a cyber-criminal can access business data indefinitely and undetected. This provides the criminal with an illegal revenue stream for long period. 72 percent of British companies with 50-500 staff suffered an average of 15 incidents a year. Apart from this employees make honest mistakes in the way they handle confidential data, and example is sending an email to the wrong recipient, see the Eli Lilly example.

IT security today has to extend beyond perimeter security i.e. erecting a firewall. The question is not if your firewall is breached, but when it is breached what measures have been taken to prevent criminals getting at your core company data. Endpoint security is core to any organisation that wants to make sure its confidential data stays within the business.

Enterprise rights management (ERM) software is an endpoint tool that manages and enforces information access policies and use rights of electronic documents within an enterprise; its development has been predicated on digital rights management (DRM) technology. Digital rights management (DRM) was developed to provide a systematic approach to copyright protection for digital content, generally by means of a suite of software employing the following technologies: identity/role management, privilege management, tamper-detection, cryptography and persistent security. Using Enterprise rights management, creators of digital content may assign rights to future users to take subsequent actions on that ERM-protected content (e.g., opening, printing, editing, copying, or forwarding the content).

2010 has seen an increase in uptake of enterprise digital rights management and analysts from Gartner, Forrester and Aberdeen are optimistic about the growth trends over the next 5 years. Many organisations are beginning to realise they can no longer effectively control and manage their security perimeter and are moving their data security to endpoints. This is a responsible move, and will gain popularity over the next decade now that the cost barriers are falling with a simple and effective installation costing as low as $6,000.

Every CIO, CSO, IT Security manager and data compliance manager spend most of their time trying to outsmart hackers and prevent corporate confidential data from being leaked into unauthorised hands. It’s almost an everyday occurrence that systems and networks have been breached, and in the process important data has been compromised.

When a data breach occurs, the risks are plentiful: damage to brand equity, the burdensome costs of notifying affected customers, possible exposure of intellectual property, and failure to comply with government regulations.

According to research by the Ponemon Institute the average total cost—including notification costs, loss of customers, and increased difficulty in acquiring new customers—was £1.4 million per breach in the UK for 2008.

If you are a high profile organisation, be it in the private or public sector, your networks will be regularly tested by hackers for weaknesses in the network. Some organisations report even experience hourly attacks on their networks.

The question is what happens when or if the hackers successfully gain access to your network? When this happens you want to make sure that all confidential data is impossible to get at.

All your data will exist in file formats, the data in these file formats could be structured or unstructured. Structured data could be in form of database formats and spreadsheet formats, while unstructured data could be word processor formats, graphic formats, presentation formats and other generic formats like emails and text. If these file formats are protected by a level of encryption that makes it easy for the legitimate file owners to distribute those files to whomever they want, but at the same time keep the unauthorised users out.

Enterprise Rights Management, commonly called Enterprise Digital Rights Management (eDRM) is your last line of defence against hackers. Loosely defined, eDRM refers to products that allow enterprises to enforce confidentiality and need-to-know restrictions on file contents. So when all your efforts of protecting your network’s data have been compromised, eDRM persistently protects your data wherever it may be located.

Failed attempts to access files protected by eDRM are even logged; hence eDRM solutions contain strong monitoring and reporting components. These provide compliance auditors or security investigators with detailed records of “who, what, and when” on a file-by-file or user-by-user basis.

Apart from being the last line of defence against a security breach eDRM is helping organisations to take control of their confidential data and is especially good fit for firms with a well-understood pool of valuable confidential data used in day-today business processes. Examples of this type of data include financial spreadsheets, strategy documents, new product development presentations, merger and acquisition plans, human resource compensation reports, sales information legal contracts and intellectual property.

I recently read the Aberdeen’s research brief on Enterprise Rights Management titled “Enterprise Rights Management: Persistence Pays Off” by Derek Brink. This was a well written paper focusing on how best in class companies take steps to protect their unstructured data, and serves as a good barometer for the reader to see how they perform against these organisations.

This paper acknowledges the challenges that unstructured data presents in terms of how easy it is to replicate, how far it can travel throughout the organisation, how employees given the choice will disregard any security policy if they feel it will impede the smooth running of their regular tasks and finally, that unstructured data is ubiquitous through out the enterprise.

However, it is the statistics around the growth of unstructured data that is worth highlighting. For example, in a survey carried out 9 out of 10 (86%) respondents reported a year on year increase in the volume of unstructured data. This confirmed what I always knew since 90% of the structured data in an organisation is interpreted in unstructured document.

This paper is worth its weight in gold and gives businesses the imperative to take control of their unstructured content, especially documents that represent the organisation’s intellectual property. They is also a mention of other technologies apart from enterprise rights management used to protect unstructured documents like normal encryption, content management systems and data loss prevention with emphasis on the superiority of enterprise rights management.

To obtain this paper visit the Aberdeen Group website