Marrying data and security

security software and devices to create a fortified border. But recent incidents of data loss involving stolen laptop PCs and missing storage devices demonstrate the limitations of traditional strategies. Sensitive data can escape an agency’s control despite the investments IT departments make in firewalls,intrusion-detection systems and other security technologies.Recently, some security professionals have shifted their focus to the data itself. They say IT security should be persistent and remain with data as it moves within organizations and across organizational boundaries.“There’s been interest in protecting the network and protecting the devices, but only in the past three years has the focus shifted to protecting the data itself,” said Steve Roop, vice president of marketing at security vendor Vontu. “Everyone has firewalls, and everyone has [intrusion-detection systems], and everyone has identity and access management. Yet all these breaches have still occurred.”Several technology vendors are focused on the challenge of creating persistent data security. Enterprise rights management (ERM) products attach usage policies that remain with the documents wherever they go. Content monitoring and filtering products focus on activities such as data discovery, classification and policy enforcement. Encryption and content management also play roles in persistent data security.A comprehensive data security solution, however, depends on integrating the various products. Today, that integration is in its infancy, industry analysts say.“It’s pretty early days for bringing together a coherent strategy,” said Scott Crawford, research director of security and risk management at Enterprise Management Associates. “Most [organizations] are looking at individual tools to solve pieces of their problems, to get a handle on some of the worst issues.”The problems are enormous. Forty-seven percent of the 227 North American enterprises surveyed by Enterprise Strategy Group said they would classify at least half of their data as confidential. Another 26 percent of the respondents said more than 75 percent of their organization’s data is deemed confidential. Conventional security methods fail to provide adequate protection for confidential data, according to the group’s white paper.“Technologies like firewalls, access controls and gateway filters can grant or deny access but can’t provide granular enforcement of acceptable-use policies that define what users can and cannot do with confidential data,” the white paper states.Traditionally, content management vendors have offered a degree of protection for confidential files in their document repositories. Xythos Software, which markets a document collaboration application, offers document-level security through the use of tickets, or secure URLs, that define permissions such as read/write access to a particular document. Users send trusted colleagues links that allow them to access documents in the Xythos repository. Users can also password-protect the links.Lawrence Berkeley National Laboratory is testing Xythos as a possible replacement for its older, Novell-based file service, said Mark Rosenberg, workplace collaboration services group leader at the lab. He added that Xythos’ ticket mechanism provides security while giving external users direct access to files. Users can even put a time limit on a ticket so access rights expire after a certain period of time.“We’re using tickets to share files with other folks, and that seems to work pretty well,” Rosenberg said. “In the past…people would just send a document off in e-mail, and once you’ve done that, you’ve lost any kind of control. In this case, you still retain the documents locally and just give [recipients] a link to the document.”Unlike the data protection offered by collaboration software, ERM and enterprise digital rights management (EDRM) software offer file security outside a specific file repository.ERM software applies the same digital rights management mechanism to documents that copyright owners use to restrict the use of digital music and video. ERM lets organizations set policies to restrict how documents can be used. For example, a document can be read-only or people can have the right to edit, copy and print it.ERM solutions use encryption to prevent authorized users from reading or tampering with documents. Major ERM products include Microsoft’s Rights Management Services (RMS), Adobe Systems’ LiveCycle Rights Management ES and Liquid Machine’s ERM products, which include Document Control. In addition, EMC has built ERM into its Documentum content management software offerings through the acquisition of Authentica.Ed Gaudet, senior vice president of corporate development at Liquid Machines, said ERM has sparked interest in the public and private sectors.“They face the same problem,” Gaudet said. “They want to be able to protect sensitive content and yet share it based on business process and workflow requirements.”Liquid Machines began focusing on the public sector about 18 months ago. In July, the company joined Cisco Systems, EMC and Microsoft to offer the Secure Information Sharing Architecture, a framework designed to help government agencies share and protect sensitive information. Liquid Machines provides content protection that extends the capabilities of Microsoft’s RMS, company officials said.However, ERM remains an early-adopter technology, said Eric Ouellet, a research vice president at Gartner. Typically, organizations use ERM for highly focused, short-term deployments. An example would be two parties that want to safely exchange documents during a merger or acquisition. A mass-scale deployment would be fairly cumbersome given the current state of ERM, he said.“Most of these technologies are still not simple to deploy,” he added.EMC cited a congressional committee as a user of its rights management product. But overall, the government’s use appears to be limited.“I haven’t seen a lot of ERM deployment,” said John Bordwine, senior director of security engineering at McAfee. He said the size of agencies and the amount of data they house make deployment difficult.Jaren Doherty, chief information security officer at the Health and Human Services Department, said HHS is considering rights management but has not yet adopted the technology. Doherty said he believes rights management will become “one of the tools in our toolbox” in a couple of years.Among ERM’s limitations is its lack of a “universal client that works with everything,” Ouellet said. If an organization uses Microsoft’s RMS to create rights management in a document, the recipient must use the same client technology to open the document. That “can be pretty limiting from a deployment perspective,” he said.Another limiting factor: ERM relies on employees to assign appropriate rights and privileges to documents when they create them. They must know whether to label a document as sensitive, private or confidential, for example.Employees are trained to do their jobs, but that doesn’t typically include functioning as classification officers, Ouellet said.Industry executives have thought of ways to deal with ERM’s limitations. Some say the answer lies in integrating ERM with other technologies, such as content monitoring and filtering. Those products, often categorized as data loss prevention (DLP), identify and monitor sensitive data so it doesn’t leave an organization unless it adheres to its security policies. An agency could use content monitoring/DLP to automatically route e-mail containing confidential data to an appliance that would encrypt it rather than rely on users to remember to encrypt the data.The first major deployments of content monitoring/DLP facilitate the use of encrypted e-mail, said Ouellet, who sees a similar situation with ERM.Experts say DLP products can potentially improve document security on two fronts. First, DLP’s data-discovery component could identify and tag the data that requires special handling via ERM. “You can’t manage what you don’t know,” Crawford said. “Knowing what you have would be a pretty good starting point” for handling data more securely.Second, organizations could use DLP’s policy enforcement capabilities to automatically distribute sensitive documents to an ERM server for encryption. That way, organizations wouldn’t have to train employees in the use of rights management technology, Ouellet said, adding that integration is necessary for the broad acceptance of rights management.“EDRM won’t come into its own until [content monitoring] or DLP is integrated,” Ouellet said.Crawford said content monitoring/filtering and rights management both have value. Content monitoring tracks and enforces enterprisewide policy, and rights management applies that policy to specific information or documents. Those two functions must be part of a complete data security strategy, Crawford said.Ouellet said a full realization of that strategy could be a few years away. But vendors claim they are already making headway.Reconnex, a DLP vendor, categorizes data according to an organization’s intellectual property definitions and then applies encryption or rights management policies, said Faizel Lakhani, the company’s vice president of marketing.Lakhani said DLP’s core capability is based on understanding content and knowing how to treat it.Reconnex’s appliance-based DLP system can be integrated with PGP’s encryption tools and Liquid Machines’ products to gain the benefits of ERM. Reconnex is also working with Microsoft and its RMS solution.EMC, too, is making integration moves. The company’s RSA security division said it plans to acquire Tablus, a DLP vendor, in a deal expected to close in October. Mayank Choudhary, principal product manager for Documentum Information Rights Management, said EMC plans to integrate that tool with DLP once the acquisition closes.Roop said using DLP to apply ERM policies could lead to much broader adoption of rights management. “It’s really going to take an advancement in automating policy enforcement for the [ERM] market to flourish,” he said.Although Vontu markets DLP solutions, the company isn’t currently integrating with ERM wares. But Roop said some early adopters of the technology are beginning to push for that.Ouellet said he expects the ERM market to expand when integration with content monitoring/DLP becomes commonplace.“The moment you can do that,” he said, “EDRM becomes one of these breakaway technologies that people aren’t going to be hesitant to deploy anymore because it’s going to be relatively simple to manage.”