Marrying data and security

Partial solutions exist for providing persistent protection, but getting all of them to work together will be the next challenge

Harmonizing ERM standards

Some industry analysts say incompatibility among enterprise rights management products is dampening market acceptance of the technology. Lack of standardization was one factor that prompted the National Archives and Records Administration to ban the use of ERM on permanent records that agencies transfer to NARA for archiving.

“The hardware/software dependence of ERM-protected materials may make it difficult to ensure access to long-term records to which this technology is applied,” Archivist Allen Weinstein wrote in an April 30 NARA bulletin.

Vendors are working to make their products compatible. Liquid Machines, for example, said its software will function as a trusted broker, enabling the integration of various ERM systems.

Ed Gaudet, senior vice president of corporate development at Liquid Machines, said the company lets users access and work with protected content encrypted according to different ERM policies via Microsoft’s Rights Management Services or Liquid Machines’ proprietary technology.

That approach assumes that employees are provisioned as trusted users of those policies, he added.

Gaudet said the company’s technology can support third-party ERM providers such as Adobe Systems and EMC.

But Liquid Machines, a Microsoft partner, focuses on the software most enterprise customers are adopting, he said. And that predominantly is Microsoft RMS and Liquid Machines, he added.

EMC is exploring co-existence options with Microsoft, said Mayank Choudhary, EMC’s principal product manager for Documentum Information Rights Management.

The first phase of that cooperation involves the ability of Documentum IRM to decrypt Microsoft RMS content. A beta release of that capability is scheduled for later this year.

— John Moore

HHS takes stock of its data

The Health and Human Services Department is evaluating enterprise rights management, but if the department deploys ERM, it would be part of a larger data security strategy.

Jaren Doherty, chief information security officer at HHS, said the department is in the initial stages of considering ERM and where it might fit in the organization. For example, ERM might not be the best solution for older systems that already have good access control and audit capabilities.

“We would have to show there was a significant risk before adding the additional control of encrypting the data,” Doherty said.

Rights management might be a better fit for new systems under development, he added.

In the meantime, HHS has data governance initiatives under way. For example, the department has inventoried all systems that contain personally identifiable information and conducted a data privacy review, Doherty said.

HHS also monitors its systems to ensure that it maintains role-based security, Doherty said.

The department scans application code for security vulnerabilities before deploying it, and officials have extended the Office of Management and Budget’s mandate regarding full-disk encryption on laptop PCs to include other mobile devices such as thumb drives.

— John Moore

Security Series

Look for these previous stories in FCW’s security series:

Virtual security

Security management challenges of server virtualization

Creating a response team

Five steps for building a computer security incident response team

Find links to these stories on FCW.com’s Download at www.fcw.com/download.

security software and devices to create a fortified border. But recent incidents of data loss involving stolen laptop PCs and missing storage devices demonstrate the limitations of traditional strategies. Sensitive data can escape an agency’s control despite the investments IT departments make in firewalls, intrusion-detection systems and other security technologies.

Recently, some security professionals have shifted their focus to the data itself. They say IT security should be persistent and remain with data as it moves within organizations and across organizational boundaries.

“There’s been interest in protecting the network and protecting the devices, but only in the past three years has the focus shifted to protecting the data itself,” said Steve Roop, vice president of marketing at security vendor Vontu. “Everyone has firewalls, and everyone has [intrusion-detection systems], and everyone has identity and access management. Yet all these breaches have still occurred.”

Several technology vendors are focused on the challenge of creating persistent data security. Enterprise rights management (ERM) products attach usage policies that remain with the documents wherever they go. Content monitoring and filtering products focus on activities such as data discovery, classification and policy enforcement. Encryption and content management also play roles in persistent data security.

A comprehensive data security solution, however, depends on integrating the various products. Today, that integration is in its infancy, industry analysts say.

“It’s pretty early days for bringing together a coherent strategy,” said Scott Crawford, research director of security and risk management at Enterprise Management Associates. “Most [organizations] are looking at individual tools to solve pieces of their problems, to get a handle on some of the worst issues.”

The problems

The problems are enormous. Forty-seven percent of the 227 North American enterprises surveyed by Enterprise Strategy Group said they would classify at least half of their data as confidential. Another 26 percent of the respondents said more than 75 percent of their organization’s data is deemed confidential. Conventional security methods fail to provide adequate protection for confidential data, according to the group’s white paper.

“Technologies like firewalls, access controls and gateway filters can grant or deny access but can’t provide granular enforcement of acceptable-use policies that define what users can and cannot do with confidential data,” the white paper states.

Traditionally, content management vendors have offered a degree of protection for confidential files in their document repositories. Xythos Software, which markets a document collaboration application, offers document-level security through the use of tickets, or secure URLs, that define permissions such as read/write access to a particular document. Users send trusted colleagues links that allow them to access documents in the Xythos repository. Users can also password-protect the links.

Lawrence Berkeley National Laboratory is testing Xythos as a possible replacement for its older, Novell-based file service, said Mark Rosenberg, workplace collaboration services group leader at the lab. He added that Xythos’ ticket mechanism provides security while giving external users direct access to files. Users can even put a time limit on a ticket so access rights expire after a certain period of time.

“We’re using tickets to share files with other folks, and that seems to work pretty well,” Rosenberg said. “In the past…people would just send a document off in e-mail, and once you’ve done that, you’ve lost any kind of control. In this case, you still retain the documents locally and just give [recipients] a link to the document.”
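The ticket mechanism described above (a link that names a document and its permissions, can carry a password, and expires after a set time) can be illustrated with a small signed-link scheme. The following is an added example written for this article, not Xythos code; the endpoint URL, the parameter names and the HMAC-based signing are assumptions. The point it demonstrates is that the server, not the link holder, controls the grant: because the permissions and expiry are covered by a server-keyed signature, a recipient who edits the link to add write access or push out the expiry gets a rejected ticket rather than extra rights.

```python
"""Time-limited, permission-scoped share tickets (added example)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side signing key. Constructed for this example; a real service
# loads it from a key store and rotates it.
SERVER_KEY = b"example-only-server-key"
BASE_URL = "https://files.example.invalid/share"  # assumed endpoint
ALLOWED_PERMS = {"read", "write"}


def _key_for(password):
    """Derive the signing key. A link password is folded into the key, so a
    password-protected ticket cannot be verified (or forged) without it."""
    if password is None:
        return SERVER_KEY
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).digest()


def _signature(doc_id, perms, expires, password):
    # Canonical form covers everything the server later trusts.
    msg = f"{doc_id}|{','.join(sorted(perms))}|{expires}".encode()
    return hmac.new(_key_for(password), msg, hashlib.sha256).hexdigest()


def issue_ticket(doc_id, perms, ttl_seconds, password=None, now=None):
    """Build a share link granting `perms` on `doc_id` until now + ttl."""
    perms = set(perms)
    if not perms <= ALLOWED_PERMS:
        raise ValueError(f"unknown permission in {perms}")
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    sig = _signature(doc_id, perms, expires, password)
    query = urlencode({"doc": doc_id, "perm": ",".join(sorted(perms)),
                       "exp": expires, "sig": sig})
    return f"{BASE_URL}?{query}"


def check_ticket(url, password=None, now=None):
    """Validate a share link. Returns (status, doc_id, perms); doc_id and
    perms are None unless status is "ok"."""
    q = parse_qs(urlparse(url).query)
    try:
        doc_id = q["doc"][0]
        perms = set(q["perm"][0].split(","))
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return ("malformed", None, None)
    expected = _signature(doc_id, perms, expires, password)
    # Constant-time compare so the check does not leak the signature via timing.
    if not hmac.compare_digest(sig, expected):
        return ("bad-signature", None, None)
    now = int(time.time()) if now is None else int(now)
    if now >= expires:
        return ("expired", None, None)
    return ("ok", doc_id, perms)


if __name__ == "__main__":
    link = issue_ticket("report-q3", {"read"}, ttl_seconds=3600)
    print(link)
    print(check_ticket(link))
```

Revoking a ticket early is the one thing this stateless design cannot do on its own; a production service would keep a short deny-list of revoked signatures or rotate the key, which invalidates every outstanding link at once.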

Enter ERM

Unlike the data protection offered by collaboration software, ERM and enterprise digital rights management (EDRM) software offer file security outside a specific file repository.

ERM software applies to documents the same digital rights management mechanism that copyright owners use to restrict the use of digital music and video. ERM lets organizations set policies that restrict how documents can be used. For example, a document can be read-only, or people can be given the right to edit, copy and print it.

ERM solutions use encryption to prevent unauthorized users from reading or tampering with documents. Major ERM products include Microsoft’s Rights Management Services (RMS), Adobe Systems’ LiveCycle Rights Management ES and Liquid Machines’ ERM products, which include Document Control. In addition, EMC has built ERM into its Documentum content management software offerings through the acquisition of Authentica.

Ed Gaudet, senior vice president of corporate development at Liquid Machines, said ERM has sparked interest in the public and private sectors.

“They face the same problem,” Gaudet said. “They want to be able to protect sensitive content and yet share it based on business process and workflow requirements.”

Liquid Machines began focusing on the public sector about 18 months ago. In July, the company joined Cisco Systems, EMC and Microsoft to offer the Secure Information Sharing Architecture, a framework designed to help government agencies share and protect sensitive information. Liquid Machines provides content protection that extends the capabilities of Microsoft’s RMS, company officials said.

However, ERM remains an early-adopter technology, said Eric Ouellet, a research vice president at Gartner. Typically, organizations use ERM for highly focused, short-term deployments. An example would be two parties that want to safely exchange documents during a merger or acquisition. A mass-scale deployment would be fairly cumbersome given the current state of ERM, he said.

“Most of these technologies are still not simple to deploy,” he added.

EMC cited a congressional committee as a user of its rights management product. But overall, the government’s use appears to be limited.

“I haven’t seen a lot of ERM deployment,” said John Bordwine, senior director of security engineering at McAfee. He said the size of agencies and the amount of data they house make deployment difficult.

Jaren Doherty, chief information security officer at the Health and Human Services Department, said HHS is considering rights management but has not yet adopted the technology. Doherty said he believes rights management will become “one of the tools in our toolbox” in a couple of years.

Among ERM’s limitations is its lack of a “universal client that works with everything,” Ouellet said. If an organization uses Microsoft’s RMS to create rights management in a document, the recipient must use the same client technology to open the document. That “can be pretty limiting from a deployment perspective,” he said.

Another limiting factor: ERM relies on employees to assign appropriate rights and privileges to documents when they create them. They must know whether to label a document as sensitive, private or confidential, for example.

Employees are trained to do their jobs, but that doesn’t typically include functioning as classification officers, Ouellet said.

Integration vision

Industry executives have thought of ways to deal with ERM’s limitations. Some say the answer lies in integrating ERM with other technologies, such as content monitoring and filtering. Those products, often categorized as data loss prevention (DLP), identify and monitor sensitive data so that it does not leave the organization unless the transfer complies with the organization’s security policies. For example, rather than rely on users to remember to encrypt confidential data, an agency could use content monitoring/DLP to automatically route e-mail containing such data to an appliance that encrypts it.

The first major deployments of content monitoring/DLP facilitate the use of encrypted e-mail, said Ouellet, who sees a similar situation with ERM.

Experts say DLP products can potentially improve document security on two fronts. First, DLP’s data-discovery component could identify and tag the data that requires special handling via ERM. “You can’t manage what you don’t know,” Crawford said. “Knowing what you have would be a pretty good starting point” for handling data more securely.

Second, organizations could use DLP’s policy enforcement capabilities to automatically distribute sensitive documents to an ERM server for encryption. That way, organizations wouldn’t have to train employees in the use of rights management technology, Ouellet said, adding that integration is necessary for the broad acceptance of rights management.
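The two-step hand-off described above (DLP discovers and tags sensitive content, then policy enforcement sends it to an ERM server or an encryption gateway instead of trusting the author to classify it) can be sketched in a few dozen lines. This is an added example written for this article, not any vendor’s product logic; the detection rules, the labels, the routing actions and the policy names are assumptions, and the sample messages are constructed. The rights vocabulary in the policies (read, edit, copy, print) is the one the article uses. One detail worth noting: the card-number rule applies a Luhn check so that arbitrary 16-digit runs such as ticket numbers are not misrouted into rights management, which is the kind of false positive that makes automated enforcement unpopular with users.

```python
"""Content-aware routing of outbound messages to ERM or encryption (added example)."""
import re

# Detection rules. Constructed for this example; real DLP products ship
# far richer content analysis than three regular expressions.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MARKING_RE = re.compile(r"\b(?:CONFIDENTIAL|SENSITIVE|PRIVATE)\b", re.IGNORECASE)

# Rights policies expressed with the read/edit/copy/print vocabulary.
# Policy names and their contents are assumptions for this example.
ERM_POLICIES = {
    "restricted": {"read": True, "edit": False, "copy": False, "print": False},
    "internal": {"read": True, "edit": True, "copy": True, "print": False},
}


def luhn_ok(digits):
    """Luhn checksum; rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitivity findings for a piece of content."""
    findings = set()
    if SSN_RE.search(text):
        findings.add("pii")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.add("payment-card")
            break
    if MARKING_RE.search(text):
        findings.add("marked-confidential")
    return findings


def route(message):
    """Decide what happens to an outbound message based on its content."""
    findings = classify(message["body"])
    if findings & {"pii", "payment-card"}:
        # Regulated identifiers: hand off to the ERM server with a read-only
        # policy that travels with the document wherever it goes.
        decision = {"action": "erm-protect", "policy": "restricted"}
    elif "marked-confidential" in findings:
        # Author-marked content: encrypt in transit via the mail gateway.
        decision = {"action": "encrypt-gateway", "policy": None}
    else:
        decision = {"action": "deliver", "policy": None}
    decision.update(id=message["id"], findings=sorted(findings))
    return decision


# Constructed sample traffic for the demonstration.
SAMPLE_MESSAGES = [
    {"id": "m1", "body": "Quarterly numbers attached. Thanks!"},
    {"id": "m2", "body": "Patient SSN 123-45-6789 needs record update."},
    {"id": "m3", "body": "CONFIDENTIAL: draft merger terms, do not forward."},
    {"id": "m4", "body": "Card 4111 1111 1111 1111 on file."},
    {"id": "m5", "body": "Ticket ref 4111 1111 1111 1112 closed."},  # fails Luhn
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        d = route(msg)
        rights = ERM_POLICIES.get(d["policy"], {})
        print(d["id"], d["action"], d["findings"], rights)
```

In a deployment the `route` decision would also be written to an audit log, since the findings list is what lets security staff later answer the question Crawford raises: what sensitive data the organization actually has and where it has been sent.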

“EDRM won’t come into its own until [content monitoring] or DLP is integrated,” Ouellet said.

Crawford said content monitoring/filtering and rights management both have value. Content monitoring tracks and enforces enterprisewide policy, and rights management applies that policy to specific information or documents. Those two functions must be part of a complete data security strategy, Crawford said.

Ouellet said a full realization of that strategy could be a few years away. But vendors claim they are already making headway.

Reconnex, a DLP vendor, categorizes data according to an organization’s intellectual property definitions and then applies encryption or rights management policies, said Faizel Lakhani, the company’s vice president of marketing.

Lakhani said DLP’s core capability is based on understanding content and knowing how to treat it.

Reconnex’s appliance-based DLP system can be integrated with PGP’s encryption tools and Liquid Machines’ products to gain the benefits of ERM. Reconnex is also working with Microsoft and its RMS solution.

EMC, too, is making integration moves. The company’s RSA security division said it plans to acquire Tablus, a DLP vendor, in a deal expected to close in October. Mayank Choudhary, principal product manager for Documentum Information Rights Management, said EMC plans to integrate that tool with DLP once the acquisition closes.

Roop said using DLP to apply ERM policies could lead to much broader adoption of rights management. “It’s really going to take an advancement in automating policy enforcement for the [ERM] market to flourish,” he said.

Although Vontu markets DLP solutions, the company isn’t currently integrating with ERM wares. But Roop said some early adopters of the technology are beginning to push for that.

Ouellet said he expects the ERM market to expand when integration with content monitoring/DLP becomes commonplace.

“The moment you can do that,” he said, “EDRM becomes one of these breakaway technologies that people aren’t going to be hesitant to deploy anymore because it’s going to be relatively simple to manage.”
