Showing posts with label enterprise data security. Show all posts

Wednesday, January 4, 2012

The Case For Content Aware IRM.

An IRM system which can transfer the responsibility of protection from human beings to a content-aware automated process will be extremely valuable for large organizations.


The need to integrate DLP and IRM is critical

A lot has been written about famous data breaches and the need for Data Loss Prevention. I will spare the reader the aggravation of reading it again here. There are hundreds of data security systems designed to control and prevent data breaches, and yet every week we hear about a new data breach. It is clear that users and administrators are unable to fully protect sensitive data. The main problem is that data changes all the time. Users are focused on doing their job and not on data security. Aggravating the problem is that hackers, malware, spyware and viruses are focused on extracting such data from the perimeter.
What is a CSO to do?

Content awareness and the 4 W's

A good solution is to provide a Content-Aware Information Rights Management system. Automatic content visibility transfers the obligation of data security from users to a process. Imagine a system that automatically identifies files containing credit cards, source code, images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM policies are automatically enforced on such files as soon as they are saved on desktops or file shares. Such policies are the 4 W’s that are so crucial to protecting data.

The 4 W’s – Who – What – Where and When

Access controls and usage control are two aspects of Data Security that are often ignored. Mapping the content discovery to the IRM policies (see example picture below) provides automatic control of the 4 W’s:

WHO can access the information: The IRM system's identity establishment method, LDAP or non-LDAP databases as defined in custom applications and portals.

WHAT can recipients do with the information: Control specific allowed actions on files: View, Edit, Print (Print Screen), Forward/Share, Copy/Paste.

WHEN can each user access the information: IRM can control the time span in which the recipient has access to the file. A document may have allowed access from August 20, 4 pm to August 23rd, midnight. Alternatively, the time span may be defined as 2 days from first access.

WHERE the information can be used: This important control restricts usage of the information to a pre-specified list of computers identified by their hardware (MAC address), or to a specific range of IP addresses or networks. CSOs can now control data even if such data is outside the perimeter. This is a very good way to provide data protection for smart mobile devices. One can prevent such devices from ever seeing the data. Users who have such credentials may view the files with the local browser.
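The four checks above can be expressed as one access decision made by a policy server each time a protected file is opened. The sketch below is an added example, not code from the post or from any IRM product; the class names, users, addresses and the year 2012 are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Policy:
    who: set                               # WHO: user ids allowed to open the file
    what: set                              # WHAT: permitted actions (view, edit, print, ...)
    not_before: Optional[datetime] = None  # WHEN: start of a fixed access window
    not_after: Optional[datetime] = None   # WHEN: end of a fixed access window (exclusive)
    span: Optional[timedelta] = None       # WHEN: lifetime counted from the first access
    networks: tuple = ()                   # WHERE: permitted IP ranges in CIDR form
    macs: frozenset = frozenset()          # WHERE: permitted hardware (MAC) addresses

@dataclass
class Request:
    user: str
    action: str
    at: datetime
    ip: str
    mac: str

class PolicyServer:
    """Evaluates every open/print/copy request against the file's policy."""

    def __init__(self, policy):
        self.policy = policy
        self.first_access = {}             # user -> time of first successful access

    def decide(self, req):
        """Return (allowed, reason); reason names the W that denied the request."""
        p = self.policy
        if req.user not in p.who:
            return False, "WHO"
        if req.action not in p.what:
            return False, "WHAT"
        if p.not_before and req.at < p.not_before:
            return False, "WHEN"
        if p.not_after and req.at >= p.not_after:
            return False, "WHEN"
        if p.span is not None:
            start = self.first_access.get(req.user, req.at)
            if req.at > start + p.span:
                return False, "WHEN"
        if p.networks or p.macs:
            # Both values are reported by the client agent, so treat them as
            # policy inputs rather than as proof of location.
            on_net = any(ip_address(req.ip) in ip_network(n) for n in p.networks)
            if not (on_net or req.mac.lower() in p.macs):
                return False, "WHERE"
        self.first_access.setdefault(req.user, req.at)
        return True, "OK"

def window_policy():
    """Fixed window from the text: August 20, 4 pm to midnight ending August 23."""
    return Policy(who={"alice", "bob"}, what={"view", "edit"},
                  not_before=datetime(2012, 8, 20, 16, 0),   # year is assumed
                  not_after=datetime(2012, 8, 24, 0, 0),     # assumed reading of "midnight"
                  networks=("10.20.0.0/16",),                # constructed office range
                  macs=frozenset({"00:11:22:33:44:55"}))     # constructed laptop MAC

def span_policy():
    """Alternative from the text: access for 2 days counted from first access."""
    return Policy(who={"carol"}, what={"view"}, span=timedelta(days=2))

if __name__ == "__main__":
    server = PolicyServer(window_policy())
    attempts = [
        Request("alice", "view", datetime(2012, 8, 21, 9, 0), "10.20.5.9", "aa:bb:cc:dd:ee:ff"),
        Request("alice", "print", datetime(2012, 8, 21, 9, 5), "10.20.5.9", "aa:bb:cc:dd:ee:ff"),
        Request("alice", "view", datetime(2012, 8, 21, 20, 0), "203.0.113.7", "aa:bb:cc:dd:ee:ff"),
    ]
    for req in attempts:
        print(req.user, req.action, req.ip, server.decide(req))
```

Returning the name of the failing check makes each denial usable as an audit record.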

The discovery agent must monitor the system constantly, so that any time a file is saved it is scanned for a pattern or fingerprint and the mapped IRM policy is then enforced.





Detecting the data correctly

It is worth mentioning here that there are two types of data: structured and unstructured. In my many meetings with CSOs I found that this is somewhat confusing. Here I refer to the need to protect files which hold either intellectual property or data that also resides in a database. Digital intellectual property is any file that is deemed sensitive or confidential. Database data is often multiple fields residing in an email or a file, and it typically comes from the human resources database, the CRM or any other application utilizing a database. Such data may be the last name and the salary of an employee.

Discovery systems use multiple detection engines to detect data inside files. The detection techniques can be divided into precise algorithms and imprecise algorithms. Precise algorithms are those that use fingerprints or registered data for exact data matching. Among them are cyclical hashes, rolling hashes, watermarking/tagging and Recursive Transitional Gaps (GTB proprietary). Of course, not all fingerprinting engines are the same. One has to avoid false positives and false negatives at all costs.

Imprecise algorithms are those that use data patterns, Bayesian analysis and statistical analysis. Such engines prove to be highly inaccurate and present an unacceptable rate of false positives. It is highly recommended to test these techniques and to determine the acceptable level of false positives and of false negatives. Of course, much attention must be paid to the array of file types supported by such engines. Naturally, a bank may be interested in support for Microsoft Office, while an engineering company may be more interested in support for DXF files or binary fingerprinting.

Organizations will be well advised to use the appropriate detection technique based on the data they want to protect.
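To make the two families concrete, the added example below (not the author's or any vendor's code) runs one engine of each kind over a saved file and maps the findings to IRM policy names: a rolling-hash fingerprint of a registered document, and a card-number pattern filtered by the Luhn checksum to cut false positives. The policy names, window size, match threshold and sample texts are assumptions constructed for illustration.

```python
import re

BASE, MOD, WINDOW = 257, (1 << 61) - 1, 24   # hash base, modulus, window size (assumed)

def normalize(text):
    """Lower-case and collapse whitespace so trivial reformatting does not hide a match."""
    return re.sub(r"\s+", " ", text.lower()).strip()

def rolling_hashes(text, k=WINDOW):
    """Rabin-Karp rolling hash of every k-character window of the normalized text."""
    s = normalize(text)
    if len(s) < k:
        return set()
    high = pow(BASE, k - 1, MOD)             # weight of the character leaving the window
    h = 0
    for ch in s[:k]:
        h = (h * BASE + ord(ch)) % MOD
    hashes = {h}
    for i in range(k, len(s)):
        h = ((h - ord(s[i - k]) * high) * BASE + ord(s[i])) % MOD
        hashes.add(h)
    return hashes

class FingerprintEngine:
    """Precise engine: registered documents are kept only as sets of window hashes."""

    def __init__(self, min_windows=10):
        self.min_windows = min_windows       # shared windows needed to report a match
        self.registered = {}                 # policy name -> set of window hashes

    def register(self, policy, text):
        self.registered.setdefault(policy, set()).update(rolling_hashes(text))

    def match(self, text):
        seen = rolling_hashes(text)
        return [p for p, fp in self.registered.items()
                if len(seen & fp) >= self.min_windows]

# Pattern engine: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that only look like card numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:                       # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_cards(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def policies_for(text, engine):
    """Run both engines on a saved file and return the IRM policies to enforce."""
    policies = set(engine.match(text))
    if find_cards(text):
        policies.add("pci-restricted")       # hypothetical policy name
    return sorted(policies)

# Constructed sample of a registered confidential document (not real data).
REGISTERED_DOC = ("The pricing engine multiplies the base rate by a regional factor and "
                  "then subtracts the loyalty discount before tax is applied to the order total.")

def demo_engine():
    engine = FingerprintEngine()
    engine.register("engineering-only", REGISTERED_DOC)   # hypothetical policy name
    return engine

if __name__ == "__main__":
    saved = ("FYI: the base rate by a   regional factor and then SUBTRACTS "
             "the loyalty discount. Card on file: 4111 1111 1111 1111")
    print(policies_for(saved, demo_engine()))
```

The fingerprint engine still matches a partial, re-cased excerpt of the registered text, while the pattern engine needs no registration but depends on the checksum to keep order numbers and similar digit runs from triggering a policy.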

Conclusions

The marriage of content awareness and IRM provides organizations with comprehensive access control on sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content, and access to such data is controlled by either the file owner or a designated administrator. External constituents may also have access rights to such files, but only if they have been approved. This way organizations are able to secure files even after such files are circulating outside the perimeter.


Guest Blogger Mr. Uzi Yair is the CEO of GTB Technologies, the Next Generation DLP company. Mr. Uzi Yair has 20 years of executive management experience with software companies ranging from $1.5 million to $22 million in annual revenue. Mr. Yair attained his MBA from Columbia Business School and his BS in Computer Science and Mathematics from Hofstra University.

Tuesday, November 1, 2011

Data Theft Booming in Health Care

Startling revelations have come from the health care and pharmaceutical sectors, which have reported the mysterious and unaccounted loss of important documents, such as product patents and product dossiers, from their systems. Data security has always been one of the top priorities for any organization. Loss of important data poses a critical threat in almost all business sectors across the world. Lately, health care and allied companies have been facing a similar menace and have been targeted as well.

This vertical has lost most of its electronic medical records and has been facing a problem of data being leaked to unknown sources. Pharmaceutical product data, consisting of formulations of medicines and clinical research records, is prone to leak into the hands of competitors and other undesired sources. Besides, the report also placed hospitals and health sector firms in the third position and claimed that 15.6% of such organizations were hit by the similar menace. Most of the data loss has occurred during transfer from one system to another, or the data was presumably hacked by third-party users, and in other cases it was displaced by the internal staff of organizations.

Loss of data from hospitals and health care facilities has resulted in the disappearance of millions of Electronic Medical Records belonging to patients from the US and other countries. This has indeed caused a panic among CEOs of health care companies worldwide, as the loss of medical records has contributed to the rise of the identity theft business. The black market has been profiting from records relating to health insurance plans, medical transcripts and other sensitive medical documents belonging to various people.

Might this sort of misuse of information bring deprivation and hidden handicaps to so many people and medical service providers? Conventional hospital information management systems may prove vulnerable against high-tech thieves and may be unable to safeguard their important documents. A data breach and theft can be traced either to internal affairs within the organization or to an external breach by a third-party individual or group. Stolen medical records have been giving rise to the identity theft market and cause health care organizations to lose their reputation in the eyes of their valued customers.

The prevalent problem at hand is that so many organizations are unable to afford a better security package to store and safeguard their data. In addition to this, the conventional security programs implemented by health care organizations may not be well equipped to face technologically advanced threats, and many organizations are unable to afford enhanced security measures due to restricted budgets.
Information Rights Management (IRM) is one such solution that offers a unique security solution to such a menace. IRM solutions have dynamic security features with various tools and functionality and are easy to use.

An IRM solution can provide a complete package of data management features, like data tracking, cyber forensics and enhanced encryption, such that data can travel within and beyond the network boundary of any organization without any risk of data theft or cyber piracy. It can provide complete details regarding the IP location of the user who is accessing a particular document. Along with its unique security features, it is also economical and can easily be implemented within the regular budget of any organization.

These discrepancies, emanating from the disorder of the system in place, need to be plugged, and the probable solution suggested above should be taken into account. It is better to eliminate the scar before it gets matured for surgery.

Monday, October 4, 2010

Build security-in before locking the doors

Data leakage must be plugged and there are a number of Data Leak / Loss Prevention (DLP) solutions available that take care of this risk. Current day DLP solutions provide controls to monitor hardware and software systems keeping track of access and movement of data in violation of defined policies.

Until DLP solutions became available, organizations had to depend on simple solutions like disabling hardware copying devices and restricting access to sensitive data to trusted employees only.

Technology moves quickly, and with new threats being identified with every development, DLP solutions are found to be weak in defending against the risk of document access controls. While the DLP solution may restrict access to a class of users, it is not able to provide user rights controls. It is like locking the door but leaving the window open.

Effective Information Rights Management (IRM) systems provide the solution to plug the weakness in a DLP system.

Seclore FileSecure is a state-of-the-art IRM system that works seamlessly with leading DLP products from global vendors. The Seclore solution will allow an organization to exercise effective control over its documents and, in turn, its data. This is accomplished by providing a solution where user rights for copying, editing, printing or sharing can be defined. Data in the form of documents, email or free form can be secured via a simple, user-friendly GUI. The application works with popular Windows applications like word processors, spreadsheets, presentation software, etc.

Features built in to Seclore FileSecure include asset (document) tracking, policy based inventory and classification; data access time and dates can be restricted and documents can be marked for deletion by setting appropriate policy parameters.

While it is necessary to build security-in as one implements security controls in the organization business processes, it is necessary to ensure that all known risks are identified and addressed before one locks down the doors.

Having IRM in place is a higher level of assurance for the security aware organization in providing effective controls to safeguard their information assets.

Wednesday, September 1, 2010

Incident - HP Slate Price and Product information disclosed


Today, HP is faced with a public disclosure of their internal presentation providing details of pricing and features of the HP Slate in comparison to the Apple iPad. The company had released a couple of demo videos for the Slate, and these came out pretty soon after the iPad launch.

No one wants the world to know what you are developing before you are ready to make the product presentation on your own terms. Not HP, not Apple or Microsoft or you, for that matter.
Keeping data inside the “perimeter of trust” is paramount to safeguard your ideas, strategies and plans, and if this perimeter is breached there is bound to be a lot of grief. A mature Information Rights Management system will ensure that the perimeter is not breached and will effectively safeguard the data that needs to be protected.

Information Rights Management allows the user to define the rights for viewing, editing, copying and distributing the document that is being shared. In this case, if the HP presentation had been secured under the control of the Seclore FileSecure rights management system, it would have been difficult for anyone to get the “scoop” out! They would not be able to open the document, as they would (in all probability) not be authorized to access it. In any case, if anyone did try to force the document open (another very difficult task requiring great amounts of resources / cost) it could attract charges of theft and hacking, since this would clearly establish that the person is accessing a document for which he/she has no authorization.

Small events sometimes provide guidance for preventive safeguards that help ensure that there is no major (or minor) incident. As they say, there is a 100% certainty that an incident will occur if you let things be. Controlling data and document chaos using the Seclore FileSecure Information Rights Management system is the solution to effectively address the risk of unauthorized data access that leads to such security breaches and embarrassing disclosures.

Monday, May 3, 2010

Recipe for data compromise - a (fe)mole, unauthorised access and enemy agent provocateur

Yesterday (4/27/10), breaking news across all media channels, was about the arrest of a Ms Madhuri Gupta working as Second Secretary at the Indian High Commission in Pakistan, on charges of spying. Initial investigations have revealed that she had been passing on information to her local handlers for over two and a half years. The motivation was revenge or ‘trying to prove herself’ against her superiors.


While it will take time for the truth to actually be exposed, in respect of her motive, the damage done and the identity of her handler and accomplices (if any), this can be classified as a highly damaging incident since it has happened in a country that is not on the list of friends of India.

This is a classic information security incident, with the correct recipe for an insider threat to come true. Another risk, that of unauthorized access, also seems to have occurred, since it is reported that in her role she did not have access to any sensitive documents. The third risk event that has occurred is data leakage / compromise, as she passed the data on to rogue outsiders.

Each of these risks is easily addressed by a robust Information Rights Management (IRM) solution, like Seclore FileSecure. The IRM solution will bring in a granular level of safeguards which is not possible with a DLP solution combined with end point security.

Policies in the IRM solution can be built to restrict access on ALL emails going out which would have addressed the route of the data leak in this case. All mails sent by her would have been ‘secured’ and any person outside the network would not have been able to read it. Additionally, since this is a highly sensitive location, it would be necessary to create a policy to secure ALL documents on the machine or network, and this control is good enough to stop any unauthorized viewing or editing, by default.

Our IRM solution provides the option of enabling the highest level of safeguards, by default. Controls can be established where it is not possible for any activity like viewing, editing, copying, printing and screen grabbing by any unauthorized user. A drive or folder can be FileSecure enabled at the time of creation so that any and all documents that are dropped into the designated location are automatically secured with the defined policy for the location. If the organization enables ‘global’ policy controls on storage locations and email clients the data created is automatically protected without user intervention.

In such a case a red flag event would be reported by the Seclore system when a user changes the default rights on a document. Again, a simple solution for malicious or accidental leaks, and one that has been demonstrated to provide highly robust safeguards for data at rest, in sharing or in transit. An agent provocateur has now embarrassed the establishment over the weaknesses exposed in the security setup; she would have had a tough time trying to circumvent the controls that are enabled by Seclore IRM.

Wednesday, March 24, 2010

Story of a failed data heist



Data is the new-age asset and is at risk from insiders and outsiders who may try every ruse in the book to steal it. Personal data, ideas, plans, designs, patents, formulae, financial information and similar data have ready takers among your competition or in the underground market. Or worse, your data may be used to start up a new competitor! No wonder information security grows increasingly important, and just as one has uniformed guards on the physical perimeter, technology has to be leveraged to make sure that data assets are not pilfered.
High Flying Company Inc. (HFC) very nearly became a victim of a data heist when their Head of Delivery, John Turnbull, walked out to start his own venture, ‘Fly Higher Corporation Inc.’ (FHC). What saved them was the foresight to invest in technology that helped safeguard data assets in a user-friendly manner.
HFC has been in the business for more than a decade, and John worked his way up the corporate ladder to a position of eminence as Head of Delivery. His responsibilities included interaction with internal teams, vendors and clients, and over time he had built up a good reputation. Having helped the growth of HFC into a mature vendor, he was looking forward to being promoted to COO, which did not happen, since the management hired Paul in this role.
Now John was hassled and unknown to all his friends and managers he starts working on a hidden agenda - go independent! Start up his own firm, hiring people on contract, using the ideas and designs he has worked on and getting a head start over many players in the market. In stealth mode, John adds to his collection of designs and corporate collateral he will carry along with him the day he leaves his job. Since he has access to sensitive / important data this is easy for him and he uses pen-drives and DVDs to copy all that he can use in his new venture.
Once this mission was fulfilled, and he had copied all the data, he put in his papers.
The management does not know John has stolen company assets and has planned to compete against them in the same markets, using their designs and data. His settlement done, John gets into action mode, incorporates his new firm Fly Higher Corporation Inc and starts wooing the same clientele and vendors.
John gets a team together and they start the work of cloning the proprietary designs and plans of HFC to FHC in order to make their first bids. Work progresses well at the low-level design phase and hits a roadblock when they try to access one of the critical design files. It just does not open and keeps asking for authorization. John's team sweats as they try to open other files: low-level and unnecessary files can be accessed easily, but the important ones just do not respond.
Now FHC hires an unethical hacker to brute force the files but, unfortunately, this does not work since the encryption algorithms are on the FileSecure server at HFC (John’s ex company). And John realizes that his heist has failed, because the Information Security office at HFC had implemented Information Rights Management and all sensitive / critical / important data was secured using this technology.
Of course, John couldn’t go complain to the HFC management about this failed theft, and now he is working hard to build original designs for presenting to potential clients. It is hard work and maybe it will take FHC a decade or more to reach the position of eminence of HFC!
While it is true that crime never pays, in the technology age it is important to ensure technology controls are in place to secure one’s assets, rather than wait for a breach or an incident.
Data assets are the crown jewels for any organization, whether public or private, and for individuals and need to be protected in such a manner that they are available only to authorized persons. New age technologies like Information Rights Management go the extra mile to bring access and asset management together providing a highly secure system that is robust, works unobtrusively, enables regulatory compliance and is user friendly.

Monday, June 15, 2009

Beyond Disk Encryption



Organizations worldwide are striving to protect their most critical asset: data. During the daily work process a large number of bulk and individual transactions take place. These transactions contain critical information that is shared between internal employees, external vendors (for data entry and bill printing) and customers. Information is shared via different mediums like emails, shared folders, USB disk drives, etc. There is also frequent movement of laptops between various departments. Due to the high mobility of data there is always an increasing risk of information theft. Full disk encryption is an important solution in the effort to protect data in laptops while the data is at rest (i.e. data is inside the laptop). However, it only solves part of the problem. Consider a few probing questions:

  1. How do you enforce protection of the same data once it leaves the laptop (via email, removable media, etc.)?


  2. How do you protect the information from other ways of extracting data like print-screen, screen grabbing tools, remote desktop sessions?


  3. How do you put granular control on information such that certain users can view and edit the document while some others can only view and print the document?

All the above questions bring us to the fact that disk encryption technology only protects the container in which the data resides and not the data itself!

Why protect the container when the content needs protection?

Different ways in which data gets leaked out even when full disk encryption is deployed are:




  1. Authorized employees shared the content with unauthorized users in unencrypted form.


  2. Ex-employees who had access to the information share it with their new organization.


  3. Employees who had more rights than were required to perform their task mishandled the data (e.g. printing, doing print screen).


  4. Business partners and vendors received unencrypted information because they did not have the decryption utility at their end. This eventually results in data leaks.

The problem at the heart of the system is that disk encryption is a perimeter-centric technology! There is no way of protecting information once it is available in unencrypted mode or once it moves outside the organization's firewall (perimeter).
To mitigate the above threats, a more holistic, information-level security approach needs to be taken. The solution needs to satisfy the following requirements:




  1. An information usage control system that would provide security to the content itself without compromising on information sharing


  2. Capability to control editing, printing, distribution of shared information for each recipient


  3. Persistent protection of data while it is at rest, in transit and in use


  4. Capability to control information after it leaves the organization's firewall (i.e. after distribution)


  5. Full audit trail of authorized and unauthorized activity on the document


  6. Ability to revoke the usage rights on shared information irrespective of its location

IRM to the rescue


IRM enables the organization to enforce usage rights on documents. With IRM, document creators can give specific usage rights: WHO (people, groups) can use the information, WHAT (view, edit, print, forward, full control) the person can do with the information, WHEN (specific dates, time spans) this can be done and from WHERE (within the office, at a business partner) the information can be used. Documents can also be “deprecated” such that access to old documents residing on desktops can be prevented. Some IRM technologies, like the ones offered by Seclore, also provide the “audit trail” feature. The audit trail not only guarantees compliance with regulatory standards (e.g. ISO 27000, SOX, HIPAA, Basel II) but also helps in detecting suspicious activities on documents by unauthorized users. Document rights can also be changed post distribution, thereby providing additional control over distributed documents.


Thus, IRM solutions take information protection well beyond full disk encryption by ensuring that usage rights are propagated during normal information use. Unlike full disk encryption technology, which protects information only while at rest, IRM offers protection while at rest, when in motion and when in use. Information is protected throughout the entire lifecycle of creation, distribution, use and destruction. Thus, with granular control over information even post distribution, IRM puts control on information over and beyond what disk encryption offers.

Monday, September 1, 2008

Banks have something more valuable than our money….our personal information!



Each of us who has opened a bank account or applied for a loan knows first-hand how much private information banks require from their customers. This includes addresses, PAN numbers, credit-card numbers, driver's license information, email IDs, phone numbers, salary slips and loads of other financial data. While some of this is required for carrying out transactions, other items are mandatory by law. Information is mandated by regulatory bodies and compliance norms.

Enter the banking of the new millennium, where the information in a bank's computer can be more valuable than the cash in their vaults. With the exponential increase in internet services provided by banks the quantity of such stored information is massive.

Here come the modern-day data thieves. Banks and financial institutions become their potential one-stop shops for large-scale data theft. The Anti-Phishing Working Group, which tracks Internet fraud, found that scammers target financial services more than any other industry. In December 2007, 89.3 percent of all identity-theft attacks targeted the financial industry, including banks, credit unions and credit-card associations.

So nothing is being done?
While regulatory and compliance norms have been the main drivers for bringing focus onto the concern of data security, much more needs to be done from the legal perspective. Data theft is no theft by law. Kaviraj says “it is reiterated that our laws need to be updated expeditiously, with a view to ensure maximum protection to 'Data', which is critical, for retaining the creditability of the Indian I.T. industry.”

However, banks have taken initial steps to address it. Multiple initiatives have been adopted which are a combination of processes and technology. Within the bank, most resort to rigorous access control policies and to controlling distribution of information using approaches like DLP. But with the new-age mantra of outsourcing, sensitive data is no longer resident within, but often has to be shared outside the organization for outsourced data processing. Data transfer is often through secured messaging and is encrypted too. In fact, some go a step further and control the network of the vendor. But all these are just partial solutions, and that too at unreasonable cost.

Where is the real problem?
Conceptually, most of the initiatives adopted currently enable controlling access to information. For example, in retail banking much of the personal information of customers is stored digitally and access is provided to those who are authorized. But the authorized user is often the culprit, knowingly and sometimes unknowingly too. Also while outsourcing, often the last mile of the data's journey is open to vulnerabilities. After the secured data transfer has occurred, most of the times, the data is manually uploaded into an application for processing. Once the processing is completed, there is no control on the usage of the raw data and that continues to be accessible to the vendor organization.

What needs to be done?
While strong regulations and new norms are coming into play, financial institutions themselves need to change the approach to data security. The stress on sharing information within and outside of the enterprise is increasing. So are the methods of sharing it. It is going to become more and more difficult to monitor all entry and exit points for disseminating the information. A fundamental shift from context-based or perimeter security to a more information-centric security mindset is necessary. Information Rights Management approaches are built on this principle. Using IRM, granular security control can be made to travel with the information wherever it goes, instead of securing just the environment in which the information is used. Also, this control is dynamic and can be aligned to dynamic business relationships. A document shared with a vendor earlier can be made inaccessible remotely, in case the vendor moves out of the approved vendor list (AVL). Outsourced data can be made inaccessible through inbuilt expiry. The benefit in all this is that the owner organization retains the control to allow / disallow specific usages of information, in spite of freely sharing it. And this is how the information economy of tomorrow needs to be managed and governed.

To know how such information security management can be achieved today read about FileSecure and InfoSource.

Thursday, July 31, 2008

Data theft by employees

As early as 2004, the US Secret Service and Carnegie Mellon University published the first of a series of reports on threats of data leakage from inside the enterprise. The report examined corporate data thefts and identified that 84% of data thefts are the result of insiders sending confidential information outside the company. Recently, Lending Tree informed its customers of a potential compromise of their financial information by former employees. Though the news per se is alarming, the event of data theft by employees is not necessarily rare. It can and must be happening to every company in some form or the other. Before contemplating how to address it, some thoughts on why it happens in the first place:

1) Employees have a sense of “ownership” on the content generated by them, and thus keep personal copies. This is most common in "creative" businesses like advertising, architecture etc. where individuals create works on behalf of the enterprise.
2) Employees seek financial gain by leaking information. This borders on corporate espionage and typically happens when employees are in the process of leaving the organization.
3) Information is shared accidentally with unintended recipients.
4) Devices on which data is stored are stolen / left unsupervised (pen drives, laptops, portable hard disks, CDs etc.).

The above is facilitated by some shortcomings / negligence in company data security policies:

1) Broadly, the most common data protection adopted is “access” control based. People either have access or not. But once access is provided, the recipient is generally free to copy, print, forward the information to others.
2) Most of the security measures deployed are perimeter-centric. In other words, the data is secured as long as it is within some physical boundaries like applications, networks, devices etc. But as soon as the data leaves the boundary, there is no control.
3) Business relations are dynamic, but security of information is not. Information once shared with partners, employees, customers, analysts, media etc. is, in effect, shared for good. It is not possible to revoke access or recall the documents once the recipient has already accessed them.

A fundamental shift in the way information security policies are defined and technology is implemented is required. From a perspective of internal data thefts the thin line between "use" and "misuse" has to be defined and clearly marked.

For example, Richard, the sales director, viewing and forwarding sales data on 7th June might qualify as "use" but it would surely be "misuse" on 8th June when he has resigned from the company! Present information security technologies do not normally take care of such situations.

Information rights management technologies like Seclore FileSecure help define this fine line and ensure that Richard the sales director can "use" the information but will not be able to "misuse" it. This is provided by enabling Usage control, which helps to embed more granular restrictions on usage of information than just access control. Also, this control is dynamic and can be revoked or expanded on demand.
