Securing documents in the WikiLeaks era

By Robert Smallwood
May 28, 2011

This is the first installment of a two-part series in which Robert Smallwood writes about the need for organizations to address the issue of electronic document security, the consequences that result from failure to employ security measures, the use of enterprise rights management (ERM) software in safeguarding information, roadblocks to implementing ERM, and Microsoft's role in that market. The second part of this series will include descriptions of other vendors in the e-document security space.

Plugging the gaps
Electronic document security has come to the forefront of the business and political world with the exposure of classified U.S. military documents in 2010 by the website publisher WikiLeaks. With the threat of more disclosures and examples of leaked information abounding, organizations are scrambling to plug gaps in electronic document security and communications.

Protecting e-documents goes far beyond protecting military secrets; in the private sector it means guarding financial data, price lists, product designs and blueprints, strategic plans, legal documents, personnel files and other private corporate data, which have real economic implications. Check Point Software Technologies has issued this statement, "Despite repeated examples of data loss the industry has witnessed over the past few years, and despite their disastrous consequences, many organizations still lack clear data security policies and fail to deploy the right security arsenal to prevent them. While they take all the necessary measures to protect their physical infrastructure and facilities—controlling and restricting access to their physical sites—they fail to protect their informational and digital assets. Yet, this is where a company's innermost secrets, intellectual property and value resides—confidential files, financial documentation, acquisition plans, customer information, sensitive e-mails, exclusive product releases and other corporate records. All are ultra-capital assets that need to be shielded from the outside world."

Software source code and other intellectual property are also at risk. According to the U.S. Commerce Department, intellectual property theft is estimated at more than $250 billion and costs over 750,000 jobs annually. The International Chamber of Commerce estimates the global fiscal loss to intellectual property theft is more than $600 billion per year—and rising.

In February 2010, the U.S. Justice Department announced the creation of an intellectual property (IP) task force (justice.gov/opa/pr/2010/February/10-ag-137.html) as part of its initiative to crack down on the growing number of domestic and international IP crimes. "The rise in intellectual property crime in the United States and abroad threatens not only our public safety but also our economic well-being," Attorney General Eric Holder said. "The Department of Justice must confront this threat with a strong and coordinated response."

Corporate espionage is not new, and it does have tangible costs. In 2009, a former Ford product engineer stole more than 4,000 confidential documents containing trade secrets from the company's computers to sell to a Chinese car manufacturer. The calculated loss to Ford was estimated to be $50 million to $100 million. In 2010, a General Motors engineer and her husband conspired to steal trade secrets about hybrid engine technology and sell them to Chinese competitors. In January, The New York Times reported that the car manufacturer Renault filed a criminal complaint on an industrial espionage case in which it asserts that a foreign company sought to obtain secrets related to its electric car program.

The threat is real
We live in a different world now, and the nature of internal threats has evolved. "Because of WikiLeaks and other high-profile espionage cases, managers now know the threat of stolen or misused documents is real, and for whistleblowers to reveal internal documents and memos is almost expected, which greatly raises the threat—and the need for securing internal communications," says Alon Samia, CEO of Covertix, which specializes in file level surveillance and control software. "A firewall isn't enough. Data loss prevention isn't enough. You need enterprise rights management on top of that."

Data loss prevention (DLP) software and appliances stop sensitive e-mails, documents and data from leaving the firewall, based on specified content. Enterprise rights management (ERM) provides embedded file level protections against unauthorized viewing, editing, printing, copying, forwarding or faxing, which travels with the document or data, regardless of media type.

"Persistent protection"
DLP is a good concept that is difficult to implement effectively. Steve Coplan, senior analyst, Enterprise Security Practice, at The 451 Group, says, "If you look at DLP and tell it to 'catch everything,' it just can't do it in real time; the computing power and classification technology just isn't there. DLP as an enforcement technology has, overall, been a disappointment. But many organizations use DLP as a tool to discover where the gaps are, and who is doing what." In the ERM world, that is called "discovery," which is finding out what data flows where in an organization, and mapping it out.

A crucial technology deployed today to secure e-documents and communications is enterprise rights management software, originally termed enterprise digital rights management, and also often referred to as information rights management (IRM). (See related article in the April 2008 issue of KMWorld at kmworld.com/Articles/News/News-Analysis/E-DRM-plugs-ECM-security-gap-41333.aspx.) ERM/IRM controls and protects the use of e-documents and data wherever they may reside—even if they leave the organization. That is called "persistent protection."

Enterprise rights management protections can be added to all document types including e-mail, word processing files, spreadsheets, graphic presentations and computer-aided design (CAD) plans and blueprints. That security can be enforced globally on all documents or granularly down to the smallest level, protecting sensitive fields of information from prying eyes. It is true even if multiple copies of the e-documents are scattered on servers in varying geographic locations.

Enterprise rights management protections can be applied permanently or within controlled timeframes. For instance, a person may be granted access to a secure e-document for a day, a week or a year. Also, ERM applies its persistent protection to electronic documents regardless of media type. So, even if a document is somehow copied to a thumb drive and taken out of the organization, its protections travel with it and usage is controlled; that is, the permissions or "rights" to print, copy, forward, fax, edit or otherwise access the document remain restricted.

Six consequences
According to Peter Abatan, an adviser in enterprise rights management who publishes a blog on the topic at enterprisedrm.info, there are at least six real consequences of failing to deploy enterprise rights management:

  • The perceived value of your business is eroded slowly through the loss of your intellectual property to competitors that former employees join, or to new startups founded by former employees.
  • Investor confidence in your business' ability to safeguard trade secrets can wane.
  • The organization does not have full control of where information assets are located and as such cannot know when confidential information gets into the wrong hands.
  • The organization cannot control how confidential information or sensitive data is used once it is sent to a third party.
  • Staff could (accidentally or not) mail confidential documents or sensitive data to the wrong recipient after which there is no control.
  • It will never be known when intellectual property is taken without permission and used in a way that is counterintuitive to the business.

So, it would seem that deploying ERM makes clear business sense, that it is a security imperative and that deployments should be exploding, but they have not, as yet. Brian Hill, senior analyst with Forrester Research, says, "The ERM market has been on a 'slow burn' for a while. Organizations are starting to pay more attention to it, but ERM adoption remains limited to a dedicated minority of enterprises. And most ERM deployments are not enterprisewide, instead focusing on the needs of a specific business unit within an organization."

What is the holdup? Why aren't enterprise rights deployments more widespread? Mostly, the devil is in the details: creating usage policies for specific types or classes of documents and for individual users, and then maintaining those policies. In one installation, more than 200,000 policies were created, because the software required that a policy be created for each user. It was replaced by newer software that applies policies by role, which drastically reduced the number of policies required to around 200.

The challenges
"What makes implementing ERM so difficult," says The 451 Group's Coplan, "is that you have to strike a balance between establishing policies that are broad enough to apply to groups of documents, yet specific enough to provide the protections for that particular document class. Also, people come and go in organizations, so there is a need for constant policy maintenance."
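The three points above (time-boxed grants in "Persistent protection", the 200,000-versus-200 policy count, and Coplan's note that people come and go) all follow from keying a rights policy on (role, document class) rather than on individual users. The following is an added illustration, not code from the article or from any vendor it mentions; the roles, document classes, user directory and the rule that a user with several roles gets the union of their grants are constructed assumptions. It evaluates rights deny-by-default, lets a time-boxed grant lapse without anyone editing a policy, and materialises the per-user table the older product would have needed so the two policy counts can be compared directly.

```python
"""Role-based rights policy for an ERM-style protected document (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Rights an ERM policy can grant on a protected document (the set named in the article).
ALL_RIGHTS: FrozenSet[str] = frozenset({"view", "edit", "print", "copy", "forward", "fax"})
# Hypothetical document classes used throughout this example.
DOC_CLASSES = ("cad", "financial", "personnel")


@dataclass(frozen=True)
class Grant:
    """Rights one role holds on one document class; expires_at=None means permanent."""
    rights: FrozenSet[str]
    expires_at: Optional[datetime] = None


RolePolicies = Dict[Tuple[str, str], Grant]   # keyed by (role, document_class)
UserRoles = Dict[str, FrozenSet[str]]          # user -> roles, from the directory


def sample_now() -> datetime:
    """Fixed clock (the article's date) so the example is deterministic."""
    return datetime(2011, 5, 28, tzinfo=timezone.utc)


def role_policies(now: datetime) -> RolePolicies:
    """Constructed policy set: six entries cover every role/class combination that matters."""
    return {
        ("engineer", "cad"): Grant(frozenset({"view", "edit", "print"})),
        # Contractors get read-only access to blueprints for one week, then the file re-locks.
        ("contractor", "cad"): Grant(frozenset({"view"}), expires_at=now + timedelta(days=7)),
        ("finance", "financial"): Grant(frozenset({"view", "edit", "print"})),
        ("executive", "financial"): Grant(frozenset({"view", "print", "forward"})),
        ("executive", "cad"): Grant(frozenset({"view"})),
        ("hr", "personnel"): Grant(frozenset({"view", "edit", "print"})),
    }


def sample_directory() -> UserRoles:
    """Constructed directory: 61 users across five roles; 'cfo' holds two roles."""
    users: UserRoles = {}
    users.update({f"eng{i}": frozenset({"engineer"}) for i in range(40)})
    users.update({f"contractor{i}": frozenset({"contractor"}) for i in range(5)})
    users.update({f"fin{i}": frozenset({"finance"}) for i in range(10)})
    users.update({f"exec{i}": frozenset({"executive"}) for i in range(3)})
    users.update({f"hr{i}": frozenset({"hr"}) for i in range(2)})
    users["cfo"] = frozenset({"executive", "finance"})
    return users


def effective_rights(policies: RolePolicies, users: UserRoles, user: str,
                     doc_class: str, now: datetime) -> FrozenSet[str]:
    """Union of the user's unexpired role grants on this class; unknown user/role -> no rights."""
    rights: set = set()
    for role in users.get(user, frozenset()):
        grant = policies.get((role, doc_class))
        if grant is None:
            continue                      # deny by default: no policy, no access
        if grant.expires_at is not None and now >= grant.expires_at:
            continue                      # time-boxed grant has lapsed
        rights |= grant.rights
    return frozenset(rights)


def is_permitted(policies: RolePolicies, users: UserRoles, user: str,
                 doc_class: str, action: str, now: datetime) -> bool:
    """The check a rights-aware viewer would run before honouring an action."""
    if action not in ALL_RIGHTS:
        raise ValueError(f"unknown action {action!r}")
    return action in effective_rights(policies, users, user, doc_class, now)


def expand_to_per_user(policies: RolePolicies, users: UserRoles,
                       now: datetime) -> Dict[Tuple[str, str], FrozenSet[str]]:
    """Materialise the per-user table a user-keyed product would force an admin to maintain."""
    table = {}
    for user in users:
        for doc_class in DOC_CLASSES:
            rights = effective_rights(policies, users, user, doc_class, now)
            if rights:
                table[(user, doc_class)] = rights
    return table


def demo(days_later: int = 0) -> dict:
    """Compare policy counts and spot-check decisions at the clock shifted by days_later."""
    now = sample_now()
    policies = role_policies(now)
    clock = now + timedelta(days=days_later)
    users = sample_directory()
    return {
        "role_policy_count": len(policies),
        "per_user_policy_count": len(expand_to_per_user(policies, users, clock)),
        "contractor_can_view": is_permitted(policies, users, "contractor0", "cad", "view", clock),
        "contractor_can_print": is_permitted(policies, users, "contractor0", "cad", "print", clock),
        "cfo_financial": sorted(effective_rights(policies, users, "cfo", "financial", clock)),
    }


if __name__ == "__main__":
    print(demo())    # six role policies vs 65 materialised per-user entries
    print(demo(8))   # a day after the contractor grant expires: 60 entries, no edits needed
```

A leaver is handled the same way: deleting the user from the directory drops every right they had, without touching the policy table, which is the maintenance burden Coplan describes.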

To explain the sluggishness of the enterprise rights management market, Forrester's Hill says, "High cost and difficulty of implementation, due to the rigidity of most ERM applications, have kept this market from taking off."

Companies needing to secure sensitive data have focused on easier targets. Coplan says, "These difficulties are why today most organizations concerned about document and data security are focusing on more finite approaches, such as database activity or file monitoring. They are much easier to implement."

New generation
The first wave of ERM software providers are now being challenged by new players utilizing new technology and new approaches. Covertix, based in Israel, started full operations in 2008, after receiving venture funding. It is just starting to market in Europe, with an eye on the United States. CEO Samia says, "This market had not taken off yet, so when we sat down to design our product, we asked, 'Why isn't ERM widespread, if there is such a great need?' We found a couple of key reasons: First, implementations run into problems because of the constant changes to policies, so policy maintenance is generally an issue. Secondly, there is a 'people' aspect to implementing, that is, 'How do you make it easy to use?' So we addressed these issues in our product design. We use a business rule engine and define rules in a central repository, and apply it to the endpoint. That way there's no work on the user end. Also, we use 'smart file' technology, which means that the rights and restrictions information travels with the document, wherever it goes."

The enterprise rights management marketplace is still forming, yet Microsoft is the leader in terms of number of licenses for its Active Directory Rights Management Services (AD RMS) product. This is because the server side of the software has been bundled into server offerings (Windows Server 2003, 2008), and basic ERM is now included as part of the Windows 7 and Vista operating systems. But AD RMS also requires a client license and a running database, such as MS SQL Server. According to Microsoft's website, MS Office 2003/2007 Professional Edition is required to create rights-protected content, while Standard Edition users may view, but not create, such content. Client licenses for RMS access are $37 per user, which is inexpensive, but the greater costs lie in actual implementation and maintenance.

Hill explains, "Microsoft has thousands of RMS licenses out there, the most of any ERM product, yet many are not being utilized. Those organizations should consider RMS as a starting point, especially in SharePoint 2010. But they should first take a broader view to see where ERM fits in their overall information governance strategy." Hill expects that Microsoft customers are best off starting with the RMS option. "This year, newer versions of MS Exchange and SharePoint will make RMS more attractive and increase adoption for Microsoft shops," he says. "Other organizations will seek out alternative products to support non-Microsoft document formats and applications."

Delays in adoption
That is one downside of RMS: it does not provide protections for non-Microsoft applications or file types. But Hill says, "This increase in RMS licensees will help expand the overall ERM market, and make enterprises more aware of data and document security issues that can be addressed by ERM software."

The 451 Group's Coplan speculates, "RMS' adoption has been held up by some of the enrollment and rule hard-coding issues. And what you really want, unless you're in an all Microsoft environment, is an open, extensible platform with a classification process that is file agnostic." In other words, to be ideally suited for the long term, and for potential enterprisewide implementations, the rights management software protections should be able to be applied to any file type.

Some organizations may find that a hybrid approach works best. Andy Han, VP and general manager of NextLabs, says, "RMS is expensive to deploy and maintain, but we have customers who use it for their Microsoft Office documents, and they use our software to protect everything else."

According to a report issued by The 451 Group, Microsoft's Information Rights Manager, a desktop component, appears to be seeing an increase in units sold, as a result of explicit sales and marketing efforts. Microsoft has also put more effort behind cultivating RMS partners like TITUS, which provides e-mail encryption for RMS. Microsoft Information Rights Manager serves as an overlay on Windows Active Directory RMS and integrates with SharePoint Foundation, allowing for some autonomous file-level protection and enforcing restrictions on sensitive files and documents. The core functional component of Microsoft Information Rights Manager is the IRM Protector, which can be thought of as an integrated access control policy and encryption agent.

But also, according to Microsoft's website, MS IRM lacks key ERM functions: it cannot prevent content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers and certain types of spyware; and it cannot stop content from being copied with third-party screen-capture programs. In other words, the persistent protection holds only as long as the endpoint rendering the document is itself trustworthy.
