The Case For Content Aware IRM.

An IRM system which can transfer the responsibility of protection from human beings to a content aware automated process will be extremely valuable in case of large organizations.

The need to integrate DLP and IRM is critical

Lots have been written about famous data breaches and the need for Data Loss Prevention. I will spare the reader the aggravation of reading it again here. There are hundreds of data security systems designed to control and prevent data breaches, and yet, every week we here about a new Data Breach. It is clear that users and administrators are unable to fully protect sensitive data. The main problem is that Data changes all the time. Users are focused on doing their job and not on data security. Aggravating the problem is that Hackers, Malware, Spyware and Viruses are focused on extracting such data from the perimeter.
What is a CSO to do?

Content awareness and the 4 W's

A good solution is to provide Content-Aware Information Rights Management System. Automatic Content visibility transfers the obligation of Data Security from users to a process. Imagine a system that automatically identifies files containing Credit Cards, Source Code, Images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM Policies are automatically enforced on such files as soon as they are saved on desktops or files-hares. Such policies are the 4 W’s that are so crucial to protecting Data.

The 4 W’s – Who – What – Where and When

Access controls and usage control are two aspects of Data Security that are often ignored. Mapping the content discovery to the IRM policies (see example picture below) provides automatic control of the 4 W’s:

WHO can access the information: The IRM system's identity establishment method, LDAP or non-LDAP databases as defined in custom applications and portals.

WHAT can recipients do with the information: Control specific allowed actions on files: View, Edit, Print (Print Screen), Forward/Share, Copy/Paste.

WHEN can each user access the information: IRM can control the time-span in which the recipient has access to the file. A document may have allowed access from August, 20, 4 pm to August 23rd, midnight. Alternatively time span may be defined as 2 days from first access.

WHERE the information can be used : This important Control restricts usage of the information to only a pre - specified list of computers identified by the hardware (mac address) or to a specific range of IP addresses or networks. CSO’s can now control Data even if such data is outside the perimeter. This is a very good way to provide data protection for Smart Mobile Devices. One can prevent such devices from ever seeing the data. Users, who have such credentials, may view the files with the local Browser.

The discovery agent must be monitoring the system constantly so that anytime a file is saved; it is scanned for a pattern or fingerprint and then the mapped IRM Policy is enforced.





Detecting the data correctly

It is worth mentioning here that there are two types of Data: Structured and unstructured Data. In my many meetings with CSOs I found that this is somewhat confusing. Here I refer to the need to protect files which hold either Intellectual Property or data in the file that also resides in the Database. Intellectual digital Property is any file that is deemed sensitive or confidential. Database Data is often multiple fields residing in an email or a file and is typically comes from the Human Resource Database, the CRM or any other application utilizing a Database. Such data may be the Last Name and the Salary of an employee.

Discovery systems use multiple detection engines to detect data inside files. The detection technique can be divided to Precise Algorithms and Imprecise Algorithms. Precise Algorithms are those that use fingerprints or registered data for exact data matching. Among them are Cyclical hashes, Rolling hashes, Watermarking/tagging, Recursive Transitional Gaps (GTB proprietary). Of course, not all fingerprinting engines are the same. One has to avoid false positives and false negatives at all cost.

Imprecise Algorithms are those that use Data Patterns, Bayesian analysis and Statistical analysis. Such engines prove to be highly inaccurate and present an unacceptable rate of false positive. It is highly recommended to test these techniques and to determine the acceptable level of false positives and of false positives. Of course, much attention must be paid to the array of file types supported by such engines. Naturally, a Bank may be interested in support for Microsoft Office, while Engineering Company may be more interested in support for DXF files or binary fingerprinting.

Organization will be well advised to use the appropriate detection technique based on the data they want to protect.

Conclusions

The marriage of Content-awareness and IRM provide organization comprehensive access control on sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content and access to such data is controlled by either the File Owner or designated Administrator. External constituents may also have access rights to such files but only if they have been approved. This way organizations are able to secure files even after such files are circulating outside the perimeter.

Guest Blogger Mr. Uzi Yair is the CEO of GTB Technologies , the Next Generation DLP company. Mr. Uzi Yair has 20 years executive management experience with software companies ranging from $1.5 million to $22 million in annual revenue. Mr. Yair attained his MBA from Columbia Business School and his BS in Computer Science and Mathematics from Hofstra University.

Criteria for evaluating IRM technology – Part 6 of Many – Screen grabbing prevention capabilities

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Over a period of time there have been many comments and views about the importance and feasibility of protecting irm protected documents from being "exposed" via screen grabbing functionality

Screen grabbing can be done in one of the following ways :

1. Using the print screen functionality
2. Using screen grabbing tools like Snag It, Camtasia, .... OR using a virtual machine or virtualized desktop
3. Using remote desktop / web meeting tools like Webex, GotoMeeting
4. Using actual cameras and pointing to the screen
5. Using hardware based VGA recording systems similar to video recorder

The above list is fairly comprehensive and approximately in the increasing order of risks that they pose to confidential information. The list is also in increasing order of complexity of the solution i.e.

1. Blocking print screen functionality is almost trivial and can be done by various methods like keyboard hooking etc.

2. Blocking screen grabbing tools is more difficult because of the variety of technologies used by such software from video memory copy to driver mirrors there is hardly any method which is not used for this purpose

3. Blocking remote desktop functions is even more difficult because a summary blocking of a tool like Webex would mean collaboration loss

4. Blocking camera clicks is more difficult because it is virtually impossible to do without significantly compromising on the user experience i.e. blocking the whole screen except for a "spotlight" around the cursor appears to be the only solution and is usually unacceptable to users. The risks of this are becoming higher as pocket cameras and phone become more powerful. The alternate solution would be to physically block phones with cameras which is also becoming increasingly difficult.

5. Blocking hardware based VGA recording systems is virtually impossible .. it would mean blocking VGA output to all devices except for the attached monitor and would cause an impossibly high loss to basic activities like projection. However the risks with this are lesser because these devices are rare and can be physically blocked easily.

Taking a completely technical view, the IRM system should provide an on/off switch to the user for the screen grabbing functionality. Within the on/off switch itself there should be more granular controls like should a "spotlight" functionality be enabled or not OR should the hardware based recorder be blocked or not.

Once we overlay this more technical view with usability and convenience considerations of the end user AND the policy definition complexity of the policy administrator .. the most optimal criteria appears to be :

• Using the print screen functionality - Should be blocked

• Using screen grabbing tools like Snag It, Camtasia, .... - Should be blocked

• Using remote desktop / web meeting tools like Webex, GotoMeeting - Should be blocked with an option to enable

• Using actual cameras and pointing to the screen - Not necessary as it would cause too much user inconvenience

• Using hardware based VGA recording systems similar to video recorder - Not necessary as the risks are low

In most cases we have found this to be the most pragmatic approach to dealing with the screen grabbing issue.

Finally, a really determined user may just pick up the pen and jot down the important parts of a document or if its small enough then even memorize it. Till the time we have memory erasers however we will have to live with those risks. Are the folks at Men-In-Black listening ??

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us.