Showing posts with label IRM. Show all posts

Friday, January 27, 2012

Security Framework for the “New New World” of Smartphones





Most technology experts predicted that the last year and 2012/2013 are going to be years of the handheld devices. As more information gets accessed by these handhelds and stored on the cloud, information security will have to adapt some practices and create new ones. This post looks at options for creating a security framework for the “new new world”.




Smartphones are goldmines of personal and professional information and are constantly targeted by hackers, spyware and malware seeking sensitive information. The challenge of providing security for handheld devices is that, very often, the device and the data are owned by different entities, i.e. the device by the individual and the data by the enterprise. This is in stark contrast to traditional desktop / laptop based computing environments, where devices, applications and data are owned by the same entity and security systems can therefore be driven completely by the enterprise's preferences. Coupled with this is the challenge of much more frequent device loss / theft.


“People represent the weakest link in the security chain and we are chronically responsible for the failure of security systems.” - Schneier (2004)

The characteristics of a security solution for handhelds therefore become :

1. Should provide for enterprise control of data
2. Should provide for individual control of device
3. Should prevent breaches in case of theft / loss of device
4. Should be phone / OS agnostic since enterprises will not be able to control the individual device preferences of users.
5. Should take into consideration the handheld's form factor and computing resources.

IRM presents a unique solution to solving the handheld security challenge. Enterprises can control data which is resident on end user devices (reminds me of BYOD !!) and still allow authorized individuals to use it whenever / wherever. The challenge of device / OS independence is however not small.

At Seclore, we have always given high priority to handheld device security. The priority, however, is not security as a stand-alone goal but security that does not hamper the individual's productivity. The Web Connect platform already provides a device / OS independent method of accessing confidential information. The framework gives app developers an easy integration with FileSecure, so that apps for securing information and accessing secure information can be provided easily to customers. Situations like device theft, employee status change and device vulnerabilities are easily dealt with by IRM systems.

In conclusion, handhelds provide a great opportunity and a great threat to provisioning information, and the right combination of collaboration and security technologies has to be used to achieve the sometimes mutually conflicting goals of security and collaboration. IRM technology has the potential to help enterprises achieve these goals together.

Wednesday, January 18, 2012

Offbeat Information Security Predictions for 2012 - Part 2 of 2

In this season of new year resolutions and predictions we, at Seclore, have come up with our own "top 10". This is the last part.

Governments & Enterprises are increasingly targeted by overlapping surges of cyber attacks from within, from criminals and nation-states seeking economic or military advantage. This article lists the top 5 security risks in front of such organizations for 2012 and recommends ways to deal with them :

1. Insider Threats : Threats of information breaches from "trusted" people and groups like employees, vendors and customers are already the largest threat and are going to grow in importance. This one is right at the top because its probability directly increases with the number of people in the trusted network and also because of the high amount of damage it can do. Besides obvious controls like access management and privileged user activity monitoring, organizations need to be able to control the flow and usage of information within and outside the enterprise. Enterprises should evaluate identity management, DLP and IRM technologies to mitigate this risk. "I don't need enemies ... I got enough friends to deal with"

2. Cloud Adoption : Enterprises are adopting the cloud, in most cases without realizing it themselves! Extremely easy to use systems like Dropbox and Skype are essentially cloud based services which users adopt without informing any central security decision maker. In most cases cloud adoption requires nothing more than a URL, and only in a few cases does it require the person to actually seek IT help. What users do not realize is that cloud adoption, irrespective of the form (SaaS, PaaS, IaaS...), needs to be carefully evaluated at the enterprise level and not adopted by the individual without understanding the risks. Enterprises can start with a policy for using cloud based services and then translate that into controls over access which can be gradually relaxed as the specific cloud service is deemed safe. Enterprises should evaluate content filtering and IRM technologies to mitigate this risk. "Things are looking very cloudy for enterprise security"

3. Un-Managed Devices : Till a few years ago the rules of internal network and application access were very simple, i.e. only devices owned and managed by the enterprise's IT team were allowed to access the IT resources. This has changed rapidly, and personal devices like smartphones, tablets and even personal computers are now accessing corporate emails, knowledge portals and applications. Enterprises are evaluating and sometimes deploying a Bring-Your-Own-Device (BYOD) strategy! Traditional tenets of endpoint security systems, i.e. keeping devices from becoming rogue, are therefore falling. The rules for un-managed devices should be defined very stringently. Data which is allowed to go to the device should be protected. Enterprises should evaluate virtualization technologies to mitigate this risk by reducing the amount of data going to the un-managed device. "Who is the stranger in the house??"

4. Mobility : Mobility presents the greatest opportunity and also one of the greatest threats for enterprises today. Mobile devices and operating systems are coming closer to the capabilities of desktop ones but still lag behind in terms of security. Adoption rates are growing faster than the security teams of enterprises can grapple with. Enterprises are best advised to start with policy formulation and then extend to technology controls on mobile devices for enterprise applications. Data going to the mobile device should be protected. A private mobile app store is an option to control the flow of apps to the mobile enterprise workforce but is not feasible for small enterprises. Enterprises should evaluate the multitude of mobile security systems available today. "The network follows me and so do the threats"

5. Social Media : Use of social media platforms by the workforce is growing rapidly. In this use, distinguishing between personal information and corporate information is becoming difficult. This leads to personnel and enterprises coming under attack from social engineers and espionage. Starting with guidelines, enterprises need to increase awareness of appropriate use of social media and may evaluate Data Loss Prevention (DLP) technologies to do content based filtering on social media access. "Man is a social animal and it's a jungle out there"



Wednesday, January 4, 2012

The Case For Content Aware IRM.

An IRM system which can transfer the responsibility of protection from human beings to a content aware automated process will be extremely valuable in case of large organizations.


The need to integrate DLP and IRM is critical

A lot has been written about famous data breaches and the need for Data Loss Prevention. I will spare the reader the aggravation of reading it again here. There are hundreds of data security systems designed to control and prevent data breaches, and yet every week we hear about a new data breach. It is clear that users and administrators are unable to fully protect sensitive data. The main problem is that data changes all the time. Users are focused on doing their job and not on data security. Aggravating the problem is that hackers, malware, spyware and viruses are focused on extracting such data from the perimeter.
What is a CSO to do?

Content awareness and the 4 W's

A good solution is to provide a Content-Aware Information Rights Management system. Automatic content visibility transfers the obligation of data security from users to a process. Imagine a system that automatically identifies files containing credit cards, source code, images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM policies are automatically enforced on such files as soon as they are saved on desktops or file shares. Such policies are the 4 W’s that are so crucial to protecting data.

The 4 W’s – Who – What – Where and When

Access controls and usage control are two aspects of Data Security that are often ignored. Mapping the content discovery to the IRM policies (see example picture below) provides automatic control of the 4 W’s:

WHO can access the information: The IRM system's identity establishment method, LDAP or non-LDAP databases as defined in custom applications and portals.

WHAT can recipients do with the information: Control specific allowed actions on files: View, Edit, Print (Print Screen), Forward/Share, Copy/Paste.

WHEN can each user access the information: IRM can control the time span in which the recipient has access to the file. A document may have allowed access from August 20, 4 pm to August 23rd, midnight. Alternatively, the time span may be defined as 2 days from first access.

WHERE the information can be used: This important control restricts usage of the information to a pre-specified list of computers identified by their hardware (MAC address), or to a specific range of IP addresses or networks. CSOs can now control data even if such data is outside the perimeter. This is a very good way to provide data protection for smart mobile devices. One can prevent such devices from ever seeing the data. Users who have such credentials may view the files with the local browser.

The discovery agent must monitor the system constantly, so that any time a file is saved it is scanned for a pattern or fingerprint and the mapped IRM policy is then enforced.





Detecting the data correctly

It is worth mentioning here that there are two types of data: structured and unstructured. In my many meetings with CSOs I found that this is somewhat confusing. Here I refer to the need to protect files which hold either intellectual property or data that also resides in a database. Intellectual digital property is any file that is deemed sensitive or confidential. Database data is often multiple fields residing in an email or a file, and it typically comes from the human resources database, the CRM or any other application utilizing a database. Such data may be the last name and the salary of an employee.

Discovery systems use multiple detection engines to detect data inside files. The detection techniques can be divided into precise algorithms and imprecise algorithms. Precise algorithms are those that use fingerprints or registered data for exact data matching. Among them are cyclical hashes, rolling hashes, watermarking/tagging and Recursive Transitional Gaps (GTB proprietary). Of course, not all fingerprinting engines are the same. One has to avoid false positives and false negatives at all cost.

Imprecise algorithms are those that use data patterns, Bayesian analysis and statistical analysis. Such engines prove to be highly inaccurate and present an unacceptable rate of false positives. It is highly recommended to test these techniques and to determine the acceptable level of false positives and of false negatives. Of course, much attention must be paid to the array of file types supported by such engines. Naturally, a bank may be interested in support for Microsoft Office, while an engineering company may be more interested in support for DXF files or binary fingerprinting.

Organizations will be well advised to use the appropriate detection technique based on the data they want to protect.
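The two engine families, and the save-time mapping from detected content to an IRM policy described earlier in this post, can be sketched as follows. This is an added example, not code from GTB or Seclore: the hash parameters, threshold, sample texts and policy names are all assumptions, and the rolling hash is a plain Rabin-Karp hash standing in for a commercial fingerprinting engine.

```python
import re

# Rabin-Karp base/modulus, window size and match threshold (all assumed values).
BASE, MOD, K = 257, (1 << 61) - 1, 24
MIN_MATCHES = 20

def normalize(text):
    """Lower-case and collapse whitespace so reflowed copies still match."""
    return re.sub(r"\s+", " ", text.lower()).strip()

def rolling_hashes(text, k=K):
    """Yield a hash for every k-byte window, updating in O(1) per step."""
    data = normalize(text).encode("utf-8")
    if len(data) < k:
        return
    high = pow(BASE, k - 1, MOD)          # weight of the byte leaving the window
    h = 0
    for b in data[:k]:
        h = (h * BASE + b) % MOD
    yield h
    for i in range(k, len(data)):
        h = ((h - data[i - k] * high) * BASE + data[i]) % MOD
        yield h

def matching_windows(candidate, registered):
    """Precise engine: count candidate windows found in a registered fingerprint."""
    return sum(1 for h in rolling_hashes(candidate) if h in registered)

# Imprecise engine: any run of 13-19 digits that looks like a card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text, validate=True):
    """Return card-like digit strings; validate=False shows the raw pattern hits."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed registered document and hypothetical policy names.
REGISTERED = {
    "pricing-model": frozenset(rolling_hashes(
        "Project Falcon pricing model: the Q3 discount floor for tier-one "
        "distributors is fourteen percent, subject to board approval.")),
}
POLICY_FOR = {"pricing-model": "Confidential-Internal",
              "payment-card": "PCI-Restricted"}

def policies_for(text):
    """What a discovery agent would run when a file is saved: content -> policies."""
    labels = [name for name, fp in REGISTERED.items()
              if matching_windows(text, fp) >= MIN_MATCHES]
    if find_cards(text):
        labels.append("payment-card")
    return [POLICY_FOR[label] for label in labels]
```

On the constructed text `Invoice ref 1234 5678 9012 3456, card 4111 1111 1111 1111`, the bare pattern reports both numbers while the checksum-validated pass keeps only the second, which is the kind of false-positive measurement the post recommends making before choosing an engine.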

Conclusions

The marriage of content-awareness and IRM provides organizations with comprehensive access control over sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content, and access to such data is controlled by either the file owner or a designated administrator. External constituents may also have access rights to such files, but only if they have been approved. This way organizations are able to secure files even after such files are circulating outside the perimeter.


Guest Blogger Mr. Uzi Yair is the CEO of GTB Technologies, the Next Generation DLP company. Mr. Uzi Yair has 20 years executive management experience with software companies ranging from $1.5 million to $22 million in annual revenue. Mr. Yair attained his MBA from Columbia Business School and his BS in Computer Science and Mathematics from Hofstra University.

Thursday, December 8, 2011

What happens outside stays outside.

Transactional Systems and Data Security

Almost all medium to large organizations depend on various transactional systems for their day to day operations like - ERP, CRM, planning and optimization, inventory management etc. Some organizations consolidate their corporate data across multiple systems into data-warehouses or reporting data stores which may be used for ongoing analysis and reporting.

Data access within the transactional system is usually well controlled via access rights logic to ensure that users access only the data that they are authorized to access. Very often users are allowed to extract or download reports from the systems for analysis or offline reporting purposes. The data extracted from the system is no longer governed by the access rights logic. However, data once available to the ‘authorized’ user is not limited to that user only. This user can share the data with ‘anybody’ without ‘any limitations’ once it is outside the system. Every report or data extract that is ‘outside’ the system, is a source of corporate data leakage.

A competitor could use this vulnerability to cause significant damage to the organization’s assets.

Access rights logic can be used to secure the application data which resides within the boundaries of the application, but it cannot help to secure the data outside the application.

How can data be controlled outside the system?

Information Rights Management technologies like Seclore FileSecure can be integrated with any transaction system to ‘protect’ the report or data extract before it is made available to the ‘authorized’ user.

The protection policies are applied automatically as part of the report execution or data extraction process. The policies governing the use of this information are managed centrally and can be changed at any time as per organization’s requirements.

The security policy for a report will govern:

WHO has access i.e. users or groups of users that are allowed access.
WHAT access is to be given i.e. can the user print, edit, forward or copy from the report.
WHEN the access expires i.e. user access can be given for a few days, few weeks or few months after which the data is unavailable.
WHERE the access is available i.e. user can only access it from within the office network (LAN or WAN) and not from outside.

Data audits and usage reports

Once data is protected with the Seclore FileSecure policy, every access to the report is logged and tracked in a central repository. This helps to maintain an audit trail and log of information flow outside the application boundary. This audit log is comprehensive, with every activity by every user being logged and it is made available to the document owner.
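A minimal sketch of how a central policy server could evaluate the WHO / WHAT / WHEN / WHERE rules listed above (and in the content-aware IRM post) and log every decision. This is an added example, not Seclore FileSecure code: the class names, document ids, users, addresses and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Policy:
    who_what: dict                           # WHO -> WHAT: user -> allowed actions
    not_before: Optional[datetime] = None    # WHEN: absolute window start
    not_after: Optional[datetime] = None     # WHEN: absolute window end
    valid_for: Optional[timedelta] = None    # WHEN: span counted from first access
    networks: tuple = ()                     # WHERE: allowed CIDR ranges, () = anywhere

@dataclass
class PolicyServer:
    policies: dict                                     # document id -> Policy
    first_access: dict = field(default_factory=dict)   # (doc, user) -> first permitted use
    audit: list = field(default_factory=list)          # one entry per request, allowed or not

    def request(self, doc, user, action, ip, now):
        """Decide one access request and record it in the audit trail."""
        allowed, reason = self._decide(doc, user, action, ip, now)
        self.audit.append({"doc": doc, "user": user, "action": action,
                           "ip": ip, "time": now, "allowed": allowed,
                           "reason": reason})
        return allowed

    def _decide(self, doc, user, action, ip, now):
        policy = self.policies.get(doc)
        if policy is None:                              # deny by default
            return False, "no policy for document"
        if action not in policy.who_what.get(user, ()):
            return False, "WHO/WHAT: user lacks this right"
        if policy.not_before is not None and now < policy.not_before:
            return False, "WHEN: not yet valid"
        if policy.not_after is not None and now >= policy.not_after:
            return False, "WHEN: expired"
        if policy.networks and not any(
                ip_address(ip) in ip_network(net) for net in policy.networks):
            return False, "WHERE: outside allowed networks"
        if policy.valid_for is not None:
            # The clock starts at the first request that passed every other
            # check, and it is kept on the server, not on the user's device.
            start = self.first_access.setdefault((doc, user), now)
            if now >= start + policy.valid_for:
                return False, "WHEN: relative window elapsed"
        return True, "ok"

def demo_server():
    """Constructed policies: an absolute window and a 2-days-from-first-access one."""
    return PolicyServer(policies={
        "weekly-sales.xlsx": Policy(
            who_what={"mis.north": {"view", "edit"},
                      "exec.sales": {"view", "print"}},
            not_before=datetime(2012, 8, 20, 16, 0),
            not_after=datetime(2012, 8, 24, 0, 0),
            networks=("10.0.0.0/8",)),
        "board-pack.pdf": Policy(
            who_what={"cfo": {"view"}},
            valid_for=timedelta(days=2)),
    })
```

Changing an entry in `policies` takes effect on the next request, which is what makes centrally managed policies revocable after the file has left the application.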

Sample case 1: Consider an insurance company that has a sales reporting process to provide weekly sales figures of each of its intermediaries to the executive sales team.

MIS users sitting at each of the regional head offices i.e. North, South, East and West are responsible to extract this data from the transactional system for their regions and send it to the head office. The MIS team is required to modify or massage the data and aggregate it before sending it to the head office. This data is very sensitive and should not fall into the wrong hands. With a solution like Seclore FileSecure, the MIS team can ensure that the access to this data is limited to the MIS team and the executive sales team at the head office. Further, every access to this data will be tracked and any misuse can be traced to the individual.

Thursday, November 17, 2011

"Important questions to ask before deploying IRM"

A quick intro to IRM

An IRM solution protects sensitive information from un-authorized access, and the good part is, the controls remain with the information in spite of where the information goes and how it goes.
IRM solutions are used to protect sensitive information such as financial data, intellectual property, business plans, and client or personal information. In their present shape, IRM technologies focus on unstructured forms of data like documents, emails, web pages, designs and images.

Few questions to ponder
Any successful technology implementation needs to start with the end purpose in mind, rather than technology and the same is true for IRM solutions. In my experience, clients need to have answers for five key questions before starting an IRM implementation.

1. Do you have a Data Governance and Classification policy?
An IRM solution will help an organization implement its data classification and protection policy. Does your organization have a data classification and protection policy? If not, what are you going to use the IRM solution for? You need to define your organization's policy for data classification and protection. What is sensitive, what is confidential and what is public needs to be clear. What is allowed and what is not allowed needs to be defined and documented.

2. Do you know what and where is critical data in your organization?
So your data protection policy is defined, great! You now know what data is critical in your organization. But do you know who creates it, who uses it and where it is stored? Most organizations do not have visibility into how data flows within or outside the organization. A data flow analysis is needed to understand this in detail and, more importantly, to get buy-in from the business on what is critical and what is not.

3. How does the Authentication work?
Authentication is one of the primary prerequisites of any security system. When authentication fails, the entire security of the system is vulnerable to attacks leading to loss of information. The authentication strategy of any IRM system is absolutely critical. Whether it is single sign-on with existing authentication infrastructure, a new authentication system within IRM itself or a combination, the authentication piece needs to be in place. For critical data, multi-factor authentication should also be considered.

4. What happens after implementation?
Most technology projects are focused on technology selection and implementation. But what happens after successful sign-off? Is the project complete? Are the end-objectives met?
In security, the critical phase starts after technology implementation. It is absolutely necessary to monitor effectiveness of the IRM solution. Are users using it or not? If not, why not? What are the true positives? Is it getting recorded, is it getting escalated? Is new information getting created? Are new partners getting added? A lot of questions, that can only be answered if a strong sustenance and optimization process is implemented. The key is to ensure the IRM life-cycle is managed well.

5. What about auditing and compliance?
The IRM solution should generate a detailed audit trail listing details like who tried to access the information, the time of access, what action was taken by the user and from what IP address. Audit trails are required to prove that security measures are effective and prevent information flow when the organization is meeting regulatory compliance requirements such as SOX, HIPAA and Gramm-Leach-Bliley. These regulations require organizations to protect their information from unauthorized access.

Conclusion


As with all technologies, you cannot put the cart before the horse. End goals and process frameworks have to come before technology solutions.


IRM solutions are critical components in the security arsenal of an enterprise and build on the defense-in-depth principle. They empower the business and users to protect sensitive information not only within the boundaries of the organization, but also once it leaves the enterprise. Hence it is critical to take a holistic view of the entire IRM deployment, not just the implementation but the whole life-cycle.

Guest blog by John Prathab, a senior consultant in the Secure Development Lifecycle (SDL) practice at Aujas Networks. His work spans multiple products and technologies to solve real-world information and application management problems. His special areas of interest are secure software development frameworks, information and application security, cloud security, Information Rights Management and the convergence of logical and physical access. He holds an M.Sc in Software Engineering and an MBA in Sales & Marketing.




Tuesday, November 1, 2011

Data Theft Booming in Health Care

A startling revelation has come out of the health care and pharmaceutical sectors: companies have reported the mysterious, unaccounted loss of important documents such as product patents and product dossiers from their systems. Data security has always been one of the top priorities for any organization. Loss of important data poses a critical threat in almost all business sectors across the world. Lately, health care and allied companies have been facing a similar menace and have been targeted as well.

This vertical has lost most of its electronic medical records and has been facing the problem of data being leaked to unknown sources. Pharmaceutical product information, consisting of formulations of medicines and clinical research records, is prone to leak into the hands of competitors and other undesired sources. Besides, the report also placed hospitals and health sector firms in the third position and claimed that 15.6% of such organizations were hit by a similar menace. Most of the data loss has occurred during transfer from one system to another, or the data was presumably hacked by third party users, and in other cases it was displaced by the internal staff of organizations.

Loss of data from hospitals and health care facilities has resulted in the disappearance of millions of Electronic Medical Records belonging to patients from the US and other countries. This has indeed caused panic among CEOs of health care companies worldwide, as the loss of medical records has contributed to the rise of the identity theft business. The black market has been profiting from records relating to health insurance plans, medical transcripts and other sensitive medical documents belonging to various people.

Might this sort of misuse of information bring deprivation and hidden handicaps to so many people and medical service providers? Conventional hospital information management systems may prove vulnerable to high-tech thieves and may be unable to safeguard important documents. A data breach or theft can be traced either to internal affairs within the organization or to an external breach by a third-party individual or group. Stolen medical records have been giving rise to an identity theft market and cause health care organizations to lose their reputation in the eyes of their valued customers.

The prevalent problem at hand is that so many organizations are unable to afford a better security package to store and safeguard their data. In addition to this, the conventional security programs implemented by health care organizations may not be well equipped to face technologically advanced threats, or organizations are unable to afford enhanced security measures due to a restricted budget.
Information Rights Management (IRM) is one solution that offers a unique answer to such a menace. IRM solutions have dynamic security features with various tools and functionality and are easy to use.

An IRM solution can provide a complete package of database management features like data tracking, cyber forensics and enhanced encryption, so that data can travel within and beyond the network boundary of any organization without any risk of data theft or cyber piracy. It can provide complete details regarding the IP location of the user who is accessing a particular document. Along with its unique security features, it is also economical and can easily be implemented within the regular budget of any organization.

These discrepancies emanating from the ill orders of the system in place need to be plugged and probable solution as suggested above should be taken into account. It is better to eliminate the scar before it gets matured for surgery.

Monday, September 5, 2011

Criteria for evaluating IRM technology – Part 6 of Many – Screen grabbing prevention capabilities

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Over a period of time there have been many comments and views about the importance and feasibility of protecting IRM-protected documents from being "exposed" via screen grabbing functionality.

Screen grabbing can be done in one of the following ways :

1. Using the print screen functionality
2. Using screen grabbing tools like Snag It, Camtasia, .... OR using a virtual machine or virtualized desktop
3. Using remote desktop / web meeting tools like Webex, GotoMeeting
4. Using actual cameras and pointing to the screen
5. Using hardware based VGA recording systems similar to video recorder

The above list is fairly comprehensive and approximately in the increasing order of risks that they pose to confidential information. The list is also in increasing order of complexity of the solution i.e.

1. Blocking print screen functionality is almost trivial and can be done by various methods like keyboard hooking etc.

2. Blocking screen grabbing tools is more difficult because of the variety of technologies used by such software. From video memory copy to driver mirrors, there is hardly any method which is not used for this purpose.

3. Blocking remote desktop functions is even more difficult because a summary blocking of a tool like Webex would mean collaboration loss

4. Blocking camera clicks is more difficult because it is virtually impossible to do without significantly compromising the user experience, i.e. blocking the whole screen except for a "spotlight" around the cursor appears to be the only solution and is usually unacceptable to users. The risks of this are becoming higher as pocket cameras and phones become more powerful. The alternate solution would be to physically block phones with cameras, which is also becoming increasingly difficult.

5. Blocking hardware based VGA recording systems is virtually impossible .. it would mean blocking VGA output to all devices except for the attached monitor and would cause an impossibly high loss to basic activities like projection. However the risks with this are lesser because these devices are rare and can be physically blocked easily.

Taking a completely technical view, the IRM system should provide an on/off switch to the user for the screen grabbing functionality. Within the on/off switch itself there should be more granular controls like should a "spotlight" functionality be enabled or not OR should the hardware based recorder be blocked or not.

Once we overlay this more technical view with usability and convenience considerations of the end user AND the policy definition complexity of the policy administrator .. the most optimal criteria appears to be :


  • Using the print screen functionality - Should be blocked
  • Using screen grabbing tools like Snag It, Camtasia, .... - Should be blocked
  • Using remote desktop / web meeting tools like Webex, GotoMeeting - Should be blocked with an option to enable
  • Using actual cameras and pointing to the screen - Not necessary as it would cause too much user inconvenience
  • Using hardware based VGA recording systems similar to video recorder - Not necessary as the risks are low

In most cases we have found this to be the most pragmatic approach to dealing with the screen grabbing issue.

Finally, a really determined user may just pick up the pen and jot down the important parts of a document or if its small enough then even memorize it. Till the time we have memory erasers however we will have to live with those risks. Are the folks at Men-In-Black listening ??

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us.

Thursday, August 11, 2011

Workflow management systems and How IRM adds value

Workflow Management System (WMS) today form an integral part of any Enterprise Content Management (ECM) System. Simply put, a WMS allows an administrator to create a set of rules which govern the flow of work within a process. “Work” typically moves with a set of documents in tow.

For instance, an invoice passes through an approval process and then is routed to the accounts-payable department. Dynamic rules allow for branches to be created in a workflow process. An example would be to enter an invoice details and depending on the amount the workflow follows different routes.

In a lot of cases “work” means editing or approving documents, images and drawings. As the workflow moves from one person to another, the locally downloaded copies of information tend to remain on the local computer. The user has complete control over this information and can view, edit, print or copy content from the data and use it for unintended/malicious purposes even after the workflow has moved on to a new state. This is undesirable since the confidentiality of the data might change as the workflow progresses, e.g. a listed company is announcing its quarterly results. As the results are compiled the documents become more and more confidential. After the results are announced the information becomes publicly available.

In an ideal case the confidentiality attached to the information should change as the workflow progresses. In an individual step of the workflow the person who is expected to do the work should have specific rights required to do the work i.e. view, edit, print, copy-paste, etc.


Information Rights Management (IRM) combined with a WMS can help enterprises achieve this. The administrator can give selective rights to users of a workflow depending on their role and also control the rights of users automatically as the workflow moves from one person to another. Let’s consider a simple workflow of document editing (A) -> verification (B) -> approval & printing (C) -> archival (D). When the WMS is integrated with IRM, user A can be given view + edit rights only, user B can be given view only rights and user C can be given view + print only. Additionally, as the workflow moves from one user to another, their access to the downloaded document can automatically be enabled or disabled irrespective of where the document is residing (i.e. on the computer, removable media, etc). For instance, when the workflow moves from state A to state B, A’s original rights (view + edit) on the document can be automatically rescinded. The diagram below shows how IRM can dynamically control the rights of users on the document as it flows through the workflow.

Apart from controlling the usage rights of users on a document in a workflow, the IRM system also maintains a complete report of all the activities performed by different users on the document. A complete history of Who (users) has done What (view, edit, print, copy-paste, print-screen, etc) with the information, When (time) and from Where (location and computer) is tracked and logged. This helps organizations comply with regulatory and compliance norms like ISO 27001, PCI, HIPAA, etc.

IRM systems can thus add tremendous value to workflow systems. A judicious decision on defining the correct usage rights that users should have at any given state helps reduce intentional and unintentional loss of information and, in the end, of the organization's reputation.
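The state-driven rights and the Who / What / When / Where log described above, as an added Python sketch that is not part of the original post or of any IRM product. `PolicyServer`, its method names and the location strings are hypothetical, and granting no rights in the archival state D is an assumption, since the post does not specify them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Rights per workflow state, as given in the post for users A, B and C.
# Assumption: nobody holds usage rights once the document is archived (D).
STATE_ORDER = ["editing", "verification", "approval_printing", "archival"]
STATE_POLICY = {
    "editing": ("A", {"view", "edit"}),
    "verification": ("B", {"view"}),
    "approval_printing": ("C", {"view", "print"}),
    "archival": (None, set()),
}


@dataclass(frozen=True)
class AuditRecord:
    who: str       # user attempting the action
    what: str      # view / edit / print / ...
    when: str      # ISO 8601 timestamp
    where: str     # computer or media the copy was opened from
    allowed: bool  # decision returned to the client


@dataclass
class PolicyServer:
    """Hypothetical central server consulted every time a copy is used.

    Rights live here, not in the downloaded file, so moving the workflow
    forward changes what every existing copy allows, wherever it resides.
    """
    state: str = STATE_ORDER[0]
    audit: list = field(default_factory=list)

    def advance(self):
        """Move to the next workflow state; the previous holder's rights lapse."""
        idx = STATE_ORDER.index(self.state)
        if idx + 1 >= len(STATE_ORDER):
            raise ValueError("workflow is already in its final state")
        self.state = STATE_ORDER[idx + 1]
        return self.state

    def request(self, user, action, location, now=None):
        """Decide whether `user` may perform `action` and log the attempt."""
        holder, rights = STATE_POLICY[self.state]
        allowed = user == holder and action in rights
        when = (now or datetime.now(timezone.utc)).isoformat()
        self.audit.append(AuditRecord(user, action, when, location, allowed))
        return allowed

    def denied_attempts(self):
        """Audit entries worth reviewing: attempts made without the right."""
        return [r for r in self.audit if not r.allowed]


def walk_through():
    """Replay the A -> B -> C -> D flow; returns (decisions, server)."""
    server = PolicyServer()
    decisions = [server.request("A", "edit", "laptop-A")]
    server.advance()  # editing -> verification
    decisions.append(server.request("A", "edit", "usb-copy"))   # rescinded
    decisions.append(server.request("B", "view", "desktop-B"))
    server.advance()  # verification -> approval & printing
    decisions.append(server.request("C", "print", "desktop-C"))
    decisions.append(server.request("C", "edit", "desktop-C"))  # never granted
    server.advance()  # approval & printing -> archival
    decisions.append(server.request("C", "view", "desktop-C"))  # workflow done
    return decisions, server


if __name__ == "__main__":
    results, srv = walk_through()
    print(results)
    for rec in srv.denied_attempts():
        print(rec)
```
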

Monday, July 11, 2011

The Unique Identity (UID) India project : Implications and concerns

The Aadhaar (http://uidai.gov.in) technical team organized their first developer seminar in Bangalore a couple of weeks back to give techies a first glimpse of Aadhaar internals. Seclore's technical team was, of course, there for the session and notes from the session follow.

For the uninitiated audience, Aadhaar is a "Unique Identity" project of the Government of India. Under this project, every citizen of India will get a unique identity which will be stored centrally. This is similar to the Social Security Number in the United States. However, in this case, this central database will also store the person's biometric information (10 fingerprints and 2 irises) which can be used for de-duplication and authentication.

When we first thought of the scale of the project, we were awestruck. 1200000000 (don't count the zeros - it is 1.2 billion) people's identities need to be stored and validated through the Aadhaar system, along with the mammoth task of making sure that there is no duplication using biometric matching. Nothing of this scale has been attempted before. The problem is further complicated by India's demographic diversity, dominant illiteracy and telecom access in remote parts. The Aadhaar team has got itself the mother of all project management challenges.

We were however struck by the simplicity of the "product definition". The team has defined the "Aadhaar" boundary so clearly that it has kept them out of all the messy problems while still making it very useful. This is one of the main reasons why this project has been delivered so fast, i.e. in less than 2 years.


Aadhaar is primarily about validating the user identity in a YES / NO manner. This can however prove immensely useful. There is already a lot of innovation around this, and in years to come we will find applications that we cannot even imagine today. Some of the most obvious applications are enrolling new customers in banks and financial institutions as well as making the public distribution system more efficient. More interesting applications will emerge by correlating completely disparate systems, e.g. your search patterns correlated with your airline check-in information might throw up some buying suggestions for the city you are traveling to. Aadhaar can act as a universal glue to connect all these disparate systems together and allow applications to correlate various information.

A few other examples of this are the way your medical information is stored and shared or the way your personal financial data is managed. There can be central repositories that store and manage access to such personal information.

One obvious concern is the security of all this information as it flows from one entity to another, e.g. if my medical information is released to some hospital that I want to consult with, what happens after the information is given out? How will this information be secured throughout its lifecycle? What if I no longer want to consult with that hospital? How will control of access to such information be put in the hands of the real owner? While Aadhaar-like systems can make information more fluid, they also increase the possibility of information breach or misuse. A solid framework needs to be put in place for this.

Information Rights Management (IRM) can provide the framework that enables sharing of information while keeping the citizen fully in control of his/her information. Individuals may be able to share information with other individuals while ensuring that the information cannot be misused. One big advantage of using Aadhaar authentication is that there is almost zero chance of spoofing. One cannot share his/her Aadhaar ID with someone else as biometric authentication can be required.

However, the IRM system needs to have certain characteristics -

1. Integration friendliness with Aadhaar : It should be integrable with any external authentication system like Aadhaar, including two factor authentication mechanisms. This is very important since Aadhaar needs - in most cases - biometric validation. In many cases, applications may mandate regular userid/password along with Aadhaar authentication as the third factor. IRM systems that are heavily dependent on specific authentication platforms like LDAP systems will not work here.

2. Integrability with Applications : In most cases, the IRM system will not work in isolation. It will have to work alongside innumerable applications that will be developed around Aadhaar. These could be simple document repositories or records management systems or complex reporting systems for bank transactions etc. There should be an easy mechanism for these third party applications to integrate with a central IRM infrastructure.

3. Support for most of the common file formats : It should support most of the commonly used file formats including MS Office, Open Office, PDF, images etc. Different applications may be storing data in different formats and the IRM system needs to work across all of these, e.g. some medical systems use image formats extensively to store all the imaging information.

This problem is so stark that these questions were raised right in the conference by multiple members in the audience. This is one area where I think the Aadhaar team needs to really think hard and include this framework as a part of their core infrastructure. It can make information sharing not just seamless but equally secured !

Aadhaar is not good enough, we need Aadhaar ++ i.e. Aadhaar plus a solid information security framework.

Wednesday, June 22, 2011

DLP ? IRM ? Both OR None ??

This quadra-choice question appears to be more and more common within enterprises .. Some help on this question and at least where to start looking …

What is DLP ? (And please lets have the layman's view ...)

DLP prevents information leakage by scanning the document / email / ... and searching for pre-defined keywords and regular expressions. If a match is found then the DLP system tags the document and blocks outbound ports (removable media, CD, internet) of information transfer. It thus controls distribution at the sender's side.
The DLP system can do this at multiple points i.e.

1. At the desktop level for documents residing on the computer
2. At network FileShare level for documents residing on the computer
3. At the Email gateway level for outbound emails.

And what about IRM ?

IRM also prevents information leakage by granularly defining the “right” receivers of information and then controlling usage actions (view, print, edit, etc) of the receivers of the information.

In short, DLP controls the information distribution at the sender's end and IRM controls the information usage at the receiver's side.

It might appear that the deployment of one of the above negates the need for the other. This however is not true in most cases … so let's get under the hood now ..

Let's look at the stuff that DLP and IRM companies won't tell you :

DLP :
Since it is a “transmission control” technology it is useful for organizations which want to control the transmission of information and restrict it to a specific “perimeter”. The perimeter definition is flexible here and may be defined based on devices, networks or (in some cases) applications.

For any “new – age” concept like cloud computing or mobile computing the DLP system will take an all-or-none approach i.e. either it will completely block the technology or be ineffective when the technology is adopted. So most DLP systems do not have mobile versions and do not really know how to deal with companies looking for cloud adoption.

The “steering wheel” in case of a DLP system is in the hands of the IT / IS team.

IRM :
Since it is a “usage control” technology it is useful when information knows no perimeter and needs to cross boundaries of devices, networks and applications.

IRM systems leave control and decision making in the hands of the end users. End users' awareness or willingness (or the lack of it) carries forward into the efficiency of the solution.

The “steering wheel” in case of an IRM system is decentralized and is in the hands of the business users. Good IRM systems usually provide the flexibility of giving the right to define policies not to “end users” but to business unit administrators instead.

So now with this context the 30,000 feet answer to the question is …
DLP systems are useful in cases where there is a boundary within which information has to be retained. The boundary for different kinds of information could be different but there is a boundary.

IRM systems are useful where security needs to be ensured without boundaries of computers, geography or networks.

Both are required for organizations where detection and classification of information has to be followed by defining boundaries for certain kinds of information and defining rules for rightful use outside of the boundary for other kinds of information. The way these technologies would work together is that whenever information is sent to a receiver, the DLP system would scan for relevant keywords and patterns and, if any are found, would call the IRM system to protect the document with the relevant IRM policy. Thereafter, the document remains persistently protected irrespective of the location (inside or outside the organization) of the document.

None of the technologies are useful when the information to be protected is not voluminous i.e. if the information is small enough to be memorized or jotted down then other kinds of security (including physical security) are the best option.
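The DLP-to-IRM hand-off described above, as an added Python sketch (not code from the original post or from any DLP or IRM product). The rule names, the `results-pre-announcement` policy, the `corp.example` perimeter and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

INTERNAL_DOMAINS = {"corp.example"}  # constructed perimeter definition


def luhn_ok(digits: str) -> bool:
    """Checksum used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_ok(match_text: str) -> bool:
    return luhn_ok(re.sub(r"\D", "", match_text))


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern"
    handling: str                      # "boundary": must stay inside the perimeter
    irm_policy: str = ""               # "irm": may travel, but only IRM-protected
    validator: Optional[Callable[[str], bool]] = None


RULES = [
    # Kind of information that has a boundary: DLP blocks it at the edge.
    Rule("cardholder-data", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
         handling="boundary", validator=card_ok),
    # Kind of information with rightful use outside: hand over to IRM.
    Rule("unpublished-results", re.compile(r"quarterly results|draft earnings", re.I),
         handling="irm", irm_policy="results-pre-announcement"),
]


@dataclass(frozen=True)
class Decision:
    action: str        # "allow", "block" or "protect"
    policy: str        # IRM policy to apply when action == "protect"
    matched: tuple     # names of the rules that fired


def scan(text: str):
    """Return the rules whose keyword / regular expression matches the text."""
    hits = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validator is None or rule.validator(m.group()):
                hits.append(rule)
                break
    return hits


def decide(text: str, recipient: str) -> Decision:
    """DLP decision at the sender's side, with IRM called for usage control."""
    hits = scan(text)
    names = tuple(r.name for r in hits)
    outside = recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    if outside and any(r.handling == "boundary" for r in hits):
        return Decision("block", "", names)
    for rule in hits:
        if rule.handling == "irm":
            # Protection is persistent, so it is applied for internal and
            # external receivers alike.
            return Decision("protect", rule.irm_policy, names)
    return Decision("allow", "", names)


if __name__ == "__main__":
    samples = [  # constructed messages
        ("Lunch at 1pm?", "bob@partner.example"),
        ("Refund to card 4111 1111 1111 1111", "bob@partner.example"),
        ("Draft quarterly results attached", "auditor@partner.example"),
    ]
    for body, rcpt in samples:
        print(rcpt, decide(body, rcpt))
```
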

Wednesday, June 1, 2011

Privacy and Rights Management

Privacy as a concept and its relevance to companies and businesses in India has been gaining focus of late – earlier it used to be the preserve of civil and personal liberty rights of individuals rather than business.

Privacy : A Definition
Wikipedia states that Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.

Privacy has been often associated with Western Cultures. However, one can no longer afford to take this view as it has become relevant in the Indian Context as well.

Why Privacy in India ?
Distinct Cultural shift in India – The Internet & mobile has already become integral to an individual’s day-to-day life in Urban India, especially amongst youngsters, and this is bound to accelerate further as broadband and mobile penetration increases. With this reality, as more and more people get onto the net and start conducting their daily transactions online, networking via social media and communicating via the Internet, their personal data starts surfacing at various places. And hence protecting the sensitive aspects of this data and ensuring its privacy is maintained becomes paramount to all entities in the ecosystem.

To complement the above, both the government and businesses are in the process of digitizing the data they store and use – or have already done so. New initiatives start activities from day 1 with digital data. Naturally, maintaining the privacy of personal data which forms a part of this data comes into the picture in the above scenario.

Further, the IT/ITES industry caters to global clients – and deals with sensitive data of the customers of their clients. Hence they have to adhere to the privacy guidelines that their clients have to comply with. The industry has been facing many challenges in addressing its clients’ requirements in the absence of a specific privacy law in India.

The Legal front
Taking cognizance of the above, as a first step, the government has made provisions for data protection and privacy in its amendment to the Information Technology Act 2000, which is now the IT Act 2008. In addition to this, work has started on the drafting of a separate, overarching Privacy Act too.

In the immediate term, the rules under IT Act 2008 have been formalized and are to be published in THE GAZETTE OF INDIA, EXTRAORDINARY, Part II, Section 3, Sub-section (i). These rules come under Sections 43A and 79 of the IT Act 2008. A copy of the rules is available here

The rules, formally known as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, deal with specifics of how sensitive data is defined, what are the roles and responsibilities of various entities that collect and store sensitive data, etc.

Some rules that I would like to highlight here are:
Rule 5 (4) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

Rule 5 (8) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8.

Rule 6 (4) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

Rule 8 Reasonable Security Practices and Procedures.— (1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies

Information Rights Management

Considering the stringent rules discussed above along with others that corporate and government bodies have to adhere to, they have to look at technologies that can help in complying with the above. Information Rights Management or IRM is one such powerful technology that can help address the challenges thrown up.

Since IRM gives corporates the power to control and manage its data in perpetuity and persistently, it can help them control all sensitive data that they collect, store and process – whether done in-house or outsourced to third parties.

Consider Rule 5(4) stated above – about not retaining information for longer than required. IRM enables the corporate to do exactly this – and further create clear audit trails and evidence of having put this requirement into practice. This ability to “retire” data after it has outlived its necessity in a fool-proof manner is set to become a powerful tool in the hands of corporates.

Next, consider Rules 5(8) and 6(4). They require not just the corporate to keep sensitive data secure but also third parties in the eco-system to maintain this secure thread downstream / upstream. Think of the onus on all these corporate bodies to ensure the above. Today, various measures – some technical but mostly procedural – are adopted to ensure this by those corporates whose nature of business or clients demand it. Now, with almost the entire eco-system of businesses who collect / have access to sensitive data having to do this, think of the challenge that lies ahead.

Here also, IRM can play a very big role. For example, if sensitive data is being given out to a third party service provider for processing, the corporate can not only retain complete control over the data even while it is in the hands of the third party but can also maintain comprehensive evidence of its having done so. This holds true for internal teams as well – teams who are not required to access sensitive data can be prevented from doing so or, if required, be given highly restrictive access accompanied by an evidential audit trail. This enables the corporate to be in command, at all times.

Overall, IRM is a powerful tool to help corporates manage and comply with the stringent rules above. With IRM as one of the tools in its kitty, corporates in India can perhaps breathe a bit easy as they gear up to take on the challenge ahead in complying with the privacy rules of the IT Act 2008.

Guest blog by Shivangi Nadkarni. Shivangi has been associated with the field of Information Security & Risk Management and Internet Technologies for the last 15 years. A strong proponent of security being a key enabler of business, she has worked in various domains of security including Data Protection & Privacy, Identity & Access Management, Encryption, Digital Signatures & PKI, Application Security and Fraud Management, doing consulting, launching & managing products and services and running multiple lines of business. She is currently the Co-Founder & CEO of Arrka e-Security Solutions. She has worked earlier with Wipro Technologies, where she headed their Global Identity & Application Security Practice, and Sify, where she set up and managed India’s first Licensed Certifying Authority (SafeScrypt) in collaboration with VeriSign.

Tuesday, April 19, 2011

Criteria for evaluating IRM technology – Part 4 of Many - Identity infrastructure support

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give them appropriate weightages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Identity Infrastructure support

IRM technology's effectiveness is dependent on the effectiveness of the underlying identity framework which is used to identify the creators and consumers of information. This is of course both a good and a bad aspect i.e. if the underlying identity gets compromised then there is a potential breach of even IRM protected information. On the other hand the linkage to the underlying identity infrastructure means that identity management could be centralized.

This criterion for evaluation of IRM technology is critical from an adoption perspective.

There are various methods by which the identity of the creator and consumer within an IRM system can be established. Let's list the various methods in order of increasing maturity :

1. Crudest way : Creation of a fresh identity for the IRM system itself : This is the crudest mechanism of managing identity for the IRM system in which all users of the IRM system would effectively be forced to create a new identity. The identity creation process could be "managed" i.e. a referral / approval system could be followed for creating / approving identities.

2. Less crude way : "Public" providers of identity without verification : In this method the identity of an individual is the one provided to him by a third party identity provider like Open ID, Google, Facebook or Yahoo. The common factor amongst all these identity providers is that they are all "unverified" identities i.e. none of these identity providers actually verify the identity of the individual before creating a user for him / her. In effect there is nothing which prevents Tom Moody from creating a login in the name of Barack Obama on any of these identity providers. Establishing a "trust" relationship with an identity system managed by a different enterprise also falls within this category.

3. Mature way but with some "holes" : "Public" providers of identity with verification : In this method the identity of the individual is the one provided to him by a third party identity provider but this identity provider actually does some kind of verification. Mobile phone numbers & digital signatures are examples of identities where there is some element of verification (in most countries) albeit by a third party. This "verification" will prevent Tom Moody from getting a digital signature in the name of Barack Obama and will also prevent his mobile phone number from being listed in Mr. Obama's name. The good thing about establishing identity in this manner is that this identity is trusted by the "government" and therefore legally irrefutable.

4. Mature way : Private identity establishment using an existing "external" system in use by the enterprise : Most enterprises today already interact with "external" entities like vendors (vendor / e-tendering portal), customers (customer portal / online banking system), partners, auditors, lawyers, board members etc. using some transactional / workflow system. The IRM system could use the identity already established by these systems so that the creator / consumer does not need to remember / manage another identity and is able to interact with the enterprise using the identity that he already has. The underlying transactional / workflow systems already have some method of verification and therefore this system of identity management is fairly mature. There are also existing processes in most enterprises for managing the identities within these systems and therefore there is no overhead of identity management due to the IRM system.

5. Mature way : Private identity establishment using an existing "internal" system in use by the enterprise : This is similar to the previous method except that in this case the system is largely internal facing i.e. for employees. The most dominant example of this is Microsoft Active Directory and other similar identity infrastructures. In most cases there are existing processes for managing the identities within this system and therefore again there is no process overhead due to the IRM system.

A good IRM system should

1. Allow different methods of establishing identities
&
2. Provide flexibility to the enterprise to change the identity infrastructure at a later point of time

In most cases a combination of multiple methods of establishing identities needs to be used. In typical scenarios the identity infrastructure requirement will look as follows :

Example 1
1. For employees : Microsoft AD (Should support forest, trusted relationships, sub-domains etc.)
2. For vendors : Vendor portal
3. For customers : Creation of identity based on email addresses

Example 2
1. For employees : Using Lotus Notes identity system (Directory Server)
2. For customers : Online banking system
3. For temporary consultants and auditors : Creation of identity based on email addresses

Overall the need for having a built in identity federation framework within the IRM system is critical to ease the adoption of IRM technology.

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us for any such requirements.





Thursday, March 31, 2011

Criteria for evaluating IRM technology – Part 2 of Many - Format and application support case study 1 -

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give them appropriate weightages and then decide on the best technology.



To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.


Continuing from our previous blog post, here is an analysis of the format and application support requirements for a large financial services group.


| Format | Application(s) used internally | Application(s) used externally |
|---|---|---|
| Doc / docx | Microsoft Office XP, 2003, 2007, 2010 | Microsoft Office XP, 2003, 2007, 2010; Open Office / Free document readers |
| Xls / xlsx | Microsoft Office XP, 2003, 2007, 2010 | Microsoft Office XP, 2003, 2007, 2010; Open Office / Free document readers |
| Ppt / pptx | Microsoft Office XP, 2003, 2007, 2010 | Microsoft Office XP, 2003, 2007, 2010; Open Office / Free document readers |
| PDF | Adobe PDF reader | Adobe PDF reader, Foxit PDF reader |
| Email | Lotus Notes | MS Outlook, Lotus Notes, Gmail, Hotmail, many others, ... |
| Images | Usually just MS Paint | Not important |


In such a case the format list is small but the list of applications which render these formats within and outside the enterprise is widespread. Any technology which (1) does not support ALL versions of MS Office and Open Office OR (2) does not provide a method to access IRM protected information otherwise is likely to fail in this scenario. Adobe PDF reader appears to be the universal PDF access method in this case. For email however there is a problem again, where any technology which is dependent on the recipient's email infrastructure is likely to fail.

Since the organization itself is using Lotus Notes email, a dependency on the internal email system might be OK but not on the external email system.

The requirements for format and application support therefore become :

1. Application - MS Office (All versions), Open Office (or another free reader for office documents), Adobe PDF reader, Lotus Notes email (should not force the recipient to have any particular messaging system)

2. Formats - doc / docx / xls / xlsx / ppt / pptx / pdf / Lotus Notes email

This is a small but very important exercise in the evaluation of IRM requirements for any enterprise, and our recommendation is that every enterprise do this exercise before considering an IRM system deployment.





Wednesday, September 15, 2010

Control what belongs to you ! (intro to IRM and controls in respect of ownership, classification etc)


Data in all its forms is the property of the person or organization who created it and, as it carries value, it is necessary to have effective safeguards to protect it. Unfortunately, data is produced at such an alarming rate that we lose out on classifying it and carrying out other housekeeping tasks like storage, lifecycle management, distribution and control of ownership.

The results are evident in any organization – data sprawl across storage and backup systems; multiple copies of documents on storage devices; data walking out of the door with insiders and contractors; sensitive and non-sensitive data stored and handled in a similar manner. While these may all be under the control of Information Security best practices, the risk of loss is high due to the lack of granular controls on the data and documents.

If you do not control what you own, how can ownership be established? And this leads to the next question - how can you own what you do not control?

Data control is essential in an organization as these assets will have value and any compromise can lead to tangible or intangible business loss. It is necessary to track and control data like designs, patents, corporate plans and statements, financial information, employee information, business information (sales, production, stocks etc) and other information that is sensitive for the business of the organization. Unauthorized access may happen by accident or may be intentionally carried out by competitors, crackers, disgruntled employees or persons leaving the organization.

Control on data means that one must have all information about it on hand during its lifecycle.
  • Who are the persons that have been authorized to access the data
  • What can these persons do when they access the data (can they print, copy, edit, distribute.. etc)
  • When can these persons access the data (the time and date when the data is available for access by them)
  • Where can they access the data (within the corporate network or outside)

In order to do any of the above, one has to step back and establish the policy that will be followed to set up the controls. This will help establish data classification and creation of authorized user groups. This extra bit of housekeeping that is essential in establishing effective ownership and control on data ensures that a structure is built in at the start of the control activity.

In the implementation of an Information Security Management System (ISMS) it is essential to have an Asset Management system. However it is common knowledge that this is a gigantic task and very complex and difficult to start (the implementation bit comes later!). As such ownership control cannot be really established.

An Information Rights Management (IRM) system will easily provide the user or the organization with the controls to establish “ownership” of the data. IRM provides the solution to control access, editing, printing, copying, distribution and sharing rights in respect of the data or documents. In addition, you are assured that your data will not leave the perimeter established by you and that you can remotely rescind the rights at any time for any external or internal user of that document.

As the owner, the right to control who can or cannot access the document is yours. So is the right to destroy or update the data / document, and to know who has done anything to the data “owned” by you.

Essentially – total control must rest with you because you must own what you have created. Now, IRM provides you with the means to have that control with yourself.

Seclore Technology provides state-of-the-art IRM technology that will bring data ownership within your control.



Wednesday, September 1, 2010

Incident - HP Slate Price and Product information disclosed


Today, HP is faced by a public disclosure of their internal presentation providing details of pricing and features of the HP Slate in comparison to the Apple iPad. The company had released a couple of demo videos for the Slate and these came out pretty soon after the iPad launch.

No one wants the world to know what you are developing before you are ready to make the product presentation on your own terms. Not HP, not Apple or Microsoft or you, for that matter.
Keeping data inside the “perimeter of trust” is paramount to safeguard your ideas, strategies and plans and if this perimeter is breached there is bound to be a lot of grief. A mature Information Rights Management system will ensure that the perimeter is not breached and will effectively safeguard the data that needs to be protected.

Information Rights Management allows the user to define the rights for viewing, editing, copying and distributing the document that is being shared. In this case, if the HP presentation was secured under control of the Seclore FileSecure rights management system it would be difficult for anyone to get the “scoop” out! They would not be able to open the document as they would (in all probability) not be authorized to access it. In any case, if anyone did try to force the document open (another very difficult task requiring great amounts of resources / cost) it could attract charges of theft and hacking since this would clearly establish that the person is accessing a document for which he / she has no authorization.

Small events, sometimes, provide guidance for preventive safeguards that help ensuring that there is no major (or minor) incident. As they say, there is a 100% certainty that an incident will occur if you let things be. Controlling data and document chaos using the Seclore FileSecure Information Rights Management system is the solution to effectively address the risk of unauthorized data access that leads to such security breaches and embarrassing disclosures.

Wednesday, August 18, 2010

Seclore FileSecure for easy compliance with ISO 27001

Increasing data volumes in the organization and continually evolving threats that can put its very existence at risk require high protection levels. Security controls must look at specific functions and provide protection in a manner that does not hamper normal business operations yet builds security into the DNA of the organization culture.

Many organizations have implemented an Information Security Management System (ISMS) conforming to ISO 27001 and are engaged in the continuous maintenance of the same in order to conform to the requirements of the standard. Within the above scenario, the organization must look at the inclusion of Information Rights Management (IRM) as an essential practice as it helps address the high risk area of document / information sharing and provides compliance with a number of ISO control objectives.

An IRM solution provides control on the distribution of information within and outside the organization, enabling management of the complete lifecycle of the data asset. Compliance with CO 6.2.2 (External Parties: Addressing security when dealing with customers) and CO 7.1 (Responsibility of Assets for inventory, ownership and acceptable use) is enabled since the IRM solution allows the ownership of the document to be retained by the organization not just for documents that are shared with internal or external partners. A robust IRM solution will allow management of the inventory of floating copies of the document and ensure a risk classification at the time of creation. Document inventory and classification is a big issue as it requires additional effort (besides the creation of the document) and is usually considered to be a bother. However, the Seclore IRM solution provides a user-friendly interface that allows the user to classify and include management controls for the document.

The solution provides reasonable compliance with a number of additional ISO controls, such as Classification Guidelines (CO 7.2); Monitoring (10.10) for audit logs, use etc. and protection of logs; Access controls (11.6); Cryptographic Controls (12.3); Incident / Event Reporting (13.1) and Compliance (15.1).

Managing data / document rights over the network using the Seclore IRM solution provides the organization with a wide range of functionalities that allow controls to be embedded into a user-friendly system or included on-the-fly. As such, document classification is done by the user at the time of creation and this asset is monitored by Seclore FileSecure as it is accessed in and outside the organization, with all locations and actions being logged. A high level of cryptographic control is enabled and document access is restricted, with unauthorized access and any malicious incidents being reported.

With this range of features aligned with industry best practices and standards, the system automatically provides a high level of legal and regulatory compliance, and this is true for the Seclore IRM solution too. It addresses data protection requirements, enables privacy controls and supports compliance with regulations on cryptographic controls.

An IRM solution provides a reasonable level of compliance with a number of controls prescribed by ISO 27001 while automating manual processes in the document / data lifecycle and ensuring that ownership, along with complete control, always remains with the organization and that the assets always remain protected.


Tuesday, August 3, 2010

Avoid becoming famous on wikileaks ...

Wikileaks has been well known in the past as the repository of leaked sensitive documents, but last week they created a global sensation by posting 90,000 documents online about the Afghan war. These documents contain accounts of US engagements in the war zone, intelligence reports and videos – collectively providing inside (and classified) information about the US engagement in Afghanistan and much more.

The huge disclosure has embarrassed the US administration and left President Obama red-faced. Now administration officials have ‘requested’ Wikileaks not to put up the remaining 15,000 documents since the leaked documents have put at risk the lives of American soldiers and their Afghan collaborators.

The question is whether any CxO or Board wants an embarrassing document leak! Of course the answer will be a resounding “NO”, but just wishing away trouble does not qualify as a good risk management practice. 90K documents were provided to Wikileaks by an insider and an insider can be anywhere. The Indian epic Mahabharatha, which was written a thousand years earlier, also says “Ghar ka bhedi Lanka dhaye” which translates into “The trusted family member is the one who brings down the house”, and in modern times the translation can be rewritten to read “the insider is the biggest risk”.

Coming back to the question posed earlier: we strongly accept that we want neither an embarrassing data leak nor a data breach. No organization will sit by waiting for someone to take away their confidential data, plans, ideas, inventions or IP and release it to the competition or in a public forum. The damage to business and to reputation will be immense and in such situations heads will roll, non-budget expenses will eat into profits, employee morale will suffer etc., and every reaction will extract its own pound of flesh, weakening the organization.

A simple solution to avoid such a situation is to deploy Information Rights Management (IRM) to define and control access rights to data or documents. A relatively new security technology, with increasingly wide acceptance and deployment globally, a robust IRM solution like Seclore FileSecure will help “protect” data or documents at the time of creation or if they are saved in a designated folder or drive that has been ‘protected’.

At its simplest, IRM will disable access to the data / document by any person who is not authorised to access the document. Access rights for reading, editing, printing and copying can be defined at varying levels of restriction, and the screen grab function can also be disabled. Considering this scenario, if any person does obtain the authorization credentials it will be a mammoth task for him / her to somehow pull out the information from 90k records in different file formats.

Another well known habit of insiders is to carry data with them when they leave the employment of the organization. With an IRM solution it is possible to terminate the access rights of any such employee / insider and render all data inaccessible. Data that has been copied or shared by this person will not be accessible either.

The organization CISO will do well to ensure the highest level of protection and can assure the users that using IRM will not bring any difficulty in their day-to-day work. The Seclore solution design provides a user-friendly interface allowing the user to be able to protect and access protected documents easily.

Tuesday, July 20, 2010

PCI Compliance using Seclore FileSecure

Are you working towards PCI-DSS compliance? Are you engaged in continuous improvement of your PCI certified processes? Then it is time to include best practices in Information Rights Management (IRM) as part of your document management (DM) or data leak prevention (DLP) efforts in the security processes.

The PCI-DSS standard prescribes 12 principles and an accompanying set of detailed requirements for compliance. Broadly, the standard requires the organization to encrypt data, define and enforce access rights, track and monitor data access and assign unique IDs to users, among other requirements. The overall goal is to build a high level of security in organizations that accept or transact credit card payments or handle data related to the same.

Such sensitive data is usually at rest in secured databases. However, at times, it is necessary for this data to be shared among various stakeholders in the course of day-to-day business, in the form of documents. To protect these sensitive documents while meeting PCI compliance requirements, a technology enabled solution like Seclore FileSecure will enable the organization to track and manage these documents or emails as they move over the network between internal and external stakeholders, while adhering to the principle of least privilege.

Seclore FileSecure will help the organization meet a number of provisions in PCI requirements 4, 7 and 10 in the process of data transmission and sharing amongst stakeholders. These identified requirements address encryption during transmission; restriction of access based on the user’s need-to-know; and, tracking and monitoring of network resources and cardholder data.

The Seclore IRM solution provides a user friendly method to restrict access to documents with sensitive cardholder data, eliminating the need for resource intensive (and user unfriendly) encryption / decryption of shared documents. Additionally the solution makes it easy for access rights to be assigned on a need-to-know basis at the start of the document lifecycle itself, with the facility to withdraw or add shares.

These features are supported by extensive logging to enable traceability and audit requirements as mandated by PCI. File access and related actions are logged in granular detail. These logs provide information about the document use, edits, machine, location, time of access etc.

Seclore FileSecure helps meet PCI-DSS compliance in the following areas:

4. Encrypt transmission of cardholder data across open, public networks
4.2a Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies
7. Restrict access to cardholder data by business need-to-know
7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
7.1.2 Assignment of privileges is based on individual personnel’s job classification and function
7.1.4 Implementation of an automated access control system
7.2.3 Default “deny-all” setting
10. Track and monitor all access to network resources and cardholder data


Besides giving the benefit of an additional level of compliance assurance with PCI-DSS requirements in respect of the security of documents with sensitive data that are being shared over messaging networks, or in storage, the solution also serves as a default automated mechanism to deny access to persons who have left the organization or to those moving internally to different roles.

Considering the cost of cardholder data loss, it is imperative for organizations to enable multiple barriers in the form of controls that are business enablers.

IRM technology, though relatively new, addresses multiple concerns from the business perspective and makes it easy for users at all levels to be able to build security controls in at the start of the document lifecycle, and keep it protected throughout.

