Several years ago, Flextronics was struggling with a thorny security issue: figuring out how to prevent sensitive and proprietary information from going astray once it was in the hands of authorized users.
Like most large enterprises, the global manufacturing services firm had built strong defenses against attacks from the outside, according to Brian Bauer, who was vice president of global IT strategy at the time. (Flextronics’ current CIO declined to speak on the record for this story.)
Even so, the company’s defenses didn’t necessarily apply to employees, customers and contractors.
One of the sticking points was ensuring that customers and contractors gained access only to the parts of Flextronics databases that applied to their projects. The company designs and builds products for some of the world’s leading router, video game and medical device companies, many of which are rivals.
Bauer’s group also needed a way to prevent, or at least deter, design engineers from leaking valuable and sensitive information, says Bauer, who is currently managing partner at information services consulting firm Bauer & Associates. In his experience, about 70% of data losses are due to mistakes, not deliberate theft, he says.
Flextronics’ IT group initially tried to “lock everything down” by prohibiting employees from including sensitive information in a wiki or blog post, bringing flash drives or cameras to work, or even using the Internet, says Bauer. Not surprisingly, this irritated engineers, who complained that they couldn’t get the information they needed to do their jobs.
The company’s ended up turning to an enterprise rights management (ERM) platform that combines a policy engine with data loss prevention and information rights management, NextLabs’ Enterprise DLP.
Setting policies vs. assigning granular rights
Data loss prevention (DLP) software scans information being sent beyond the firewall and applies security policies to that data. Policies are typically content-based; for example, a rule might state that if information contains a certain key word or phrase, it doesn’t belong on a specific type of device or can’t leave the company unencrypted.
For its part, information rights management (IRM) applies granular, user-based access rights to digital data objects outside the corporate firewall. For example, an employee on the road might be able to read and change a file on his BlackBerry but not e-mail the file or download it to a USB device. A contractor might be able to read a document but not print it or send it to a colleague.
With enterprise DLP controls in place at Flextronics, design engineers can access information and collaborate with colleagues on the Web, and bring their USB flash drives (but not cameras) to work, Bauer says.
When NextLabs’ Enterprise DLP software catches an employee attempting to share proprietary design information on a wiki, send it out via unsecured Web mail or download it onto a USB device, it either blocks the action or sends the employee a reminder of company policy. Often, the reminder is sufficient, Bauer reports. The product can also automatically create audit files that keep track of who complies and who doesn’t.
IRM and DLP are complementary technologies that address two critical and connected security areas, says Jon Oltsik, a managing partner at Enterprise Strategy Group (ESG). “DLP allows IT to block all the stuff leaking out on e-mail attachments, mostly through human error,” he notes. Once a document goes outside the corporate network, however, it’s out of DLP’s control. “If you want granular enforcement at the application, document and user level, outside the firewall you need IRM,” says Oltsik.
Some DLP products can scan an organization’s internal databases and storage devices, classify information according to preset policies and alert administrators about information that resides in the wrong place.
Controlling intellectual property over the Web
BCA Research, for example, uses FileOpen’s IRM software to control what paying customers can do with its intellectual property (IP) once they’ve downloaded it, says Paul Chow, director of information technology for the global investment research firm. “Our research can be rather expensive and unique, and the Internet makes it easy to abuse IP rights,” he adds.
Compliance is another major driver. IRM, for example, helps IT managers deal with federal regulations that hold their firms liable if sensitive data gets compromised by a partner. Pharmaceutical companies and aerospace and defense contractors, in particular, need to follow strict government security regulations when sharing data with their overseas sites and contractors.
Health care providers are being pressured by the federal government to both share protected health information and comply with HIPAA security regulations. “If the American Cancer Registry wants to know how many cancer patients you see, IRM lets you send a document with consolidated data but with patient identities blanked out,” says Jack Wagner, executive consultant at Vitalize Consulting Solutions.
Some ERM products also provide auditing, so that when regulators or litigators come knocking, a company can show who looked at what and when, as well as prove that proper security controls are in place, Wagner notes.
Today’s ERM market is very much in flux, with a fair amount of consolidation going on. DLP players include EMC subsidiary RSA, Symantec, McAfee, Websense, Code Green and CA. IRM vendors include Microsoft, Liquid Machines, Gigatrust, Oracle and LockLizard. NextLabs claims to offer both technologies on an integrated platform that also includes a policy engine.
Shopping tips: Client-device support is key
Companies shopping for an ERM product need to ensure that their choice matches not just their security needs, but those of internal and/or external customers as well.
One important question to ask upfront is which document formats and applications a product supports. Most IRM offerings work with Adobe PDF and Microsoft Office documents, but some go much further. Gigatrust, for example, supports a range of CAD and engineering formats. Liquid Machines claims to support over 400 file types, while LockLizard supports Flash and HTML.
NextLabs’ IRM software is format- and application-independent because it works at the operating system level, according to product manager Andy Han. This limits its ability to control certain functions such as watermarking and content redaction (blocking out words). However, NextLabs supplies a plug-in that provides these features for documents generated by Microsoft Office, Han says.
Another key shopping criterion: which client devices are supported. IRM vendors are just beginning to support mobile devices, allowing IT to curb employees’ unfortunate tendency to ignore or forget corporate security policies while on the road. IRM’s embedded security controls could prevent a traveling sales representative from sending customer records to a colleague via unsecured Web mail, for example. And if the mobile device gets lost or stolen, the information remains encrypted and inaccessible, says ESG’s Oltsik.
Broad support of client devices is also important for customer satisfaction. BCA’s customers “don’t just want to read our research on their desktops, they want it on their laptop, the computer in the car, at home, on iPhones, BlackBerries, Kindles,” says BCA’s Chow. Some IRM vendors currently support the BlackBerry; some are promising iPhone support soon. Kindles, not so much.
Deployment can be tricky
Even with the right tools, ERM deployments can be challenging. A potentially hairy issue is convincing customers, particularly at other companies, to agree to install IRM software on their client systems.
“ERM’s limitation is, if I want to share documents with a partner or [outside] customer, I have to install a client and have that be part of my security domain,” says Oltsik.
This can make the other firm’s IT staff quite nervous. In most instances ESG is aware of, where a company successfully deployed IRM security on partner sites, the firm had “lots of clout in their market ecosystem,” Oltsik notes.
One way to minimize resistance is to pick an IRM product whose client code is relatively unobtrusive and nonproprietary.
BCA, for example, stopped using LockLizard’s IRM product because it required installing a proprietary PDF reader that was not Adobe’s, Chow says. “For our client base, that just wouldn’t work.” In contrast, FileOpen supplies a plug-in to users’ existing Adobe readers that can be installed in 30 seconds, he adds.
Even so, customers still balk sometimes, Chow says. “IT says, ‘What is this — is this clean? What kind of information is it sending back to you? We need a security audit on this plug-in.’ “
Some partners’ IT departments simply refuse, in which case BCA asks the company to sign an agreement under which it promises not to share or abuse proprietary information. “We actually find that very effective,” Chow says.
Before deploying an ERM platform, businesses need to define the policies that IRM and DLP controls will enforce. This can be quite challenging, especially if a company wants to protect a wide variety of information both inside and outside the corporate firewall.
Oltsik advises starting with a small number of policies and enforcement mechanisms, “or you’ll have users, help desk personnel and policymakers struggling” to cope with the new rules. It’s also wise to hire an experienced professional service provider that can help sort through policy and enforcement issues, he adds.
If you plan to deploy a complex set of policies, pick an ERM product that provides development tools and some kind of rules engine for managing and deploying policies. Most ERM policy tools are largely proprietary and stand-alone at the moment. However, some IRM and DLP vendors have been partnering to provide an integrated policy system.
Even more promising is growing industry support for Extensible Access Control Markup Language (XACML), an industry standard that would enable different policy engines to share information. A number of ERM vendors have tied into Microsoft’s Active Directory (AD) and Rights Management Services, enabling their products to automatically propagate AD access rights.
Link to existing enterprise apps
That would be a big help to BCA, which is considering using FileOpen’s IRM, or perhaps DLP, to “impose controls on internal employees so they can’t just send out unencrypted research to whomever,” says Chow. The research firm’s IT group currently uses AD to push user access-rights policies to various internal security systems, but not to FileOpen. “If we do deploy IRM internally, we might tie it into AD,” says Chow.
Of course, simpler ERM installations that do not involve complex security rules may not require a policy engine.
Select Milk Producers, for example, uses LockLizard’s IRM product to provide its customers and board members, who are all dairy farmers, with secure access to the information on its Web server. “These are dairy farmers, not high-end users, and sometimes they don’t log off or save passwords to their Web site,” says Craig Card, Select Milk’s systems hardware analyst. The dairy farmers are also often competitors with one another, and only some are board members; therefore, it’s important they get access only to the information they are entitled to.
“LockLizard provides security that works automatically, with minimal user involvement,” says Card. The DRM product has no policy engine, but with only about 125 users and 25 board members, manually setting up the policies wasn’t a big deal, he adds.
Similarly, BCA has so far deployed only a limited number of FileOpen’s access controls on the research documents it sells to customers, Chow says. “Some of our clients pay us a lot of money for research. If you tell them they can only read a document online and not print it, or if their access rights expire after such-and-such a date, you can lose the client.”
Indeed, successful ERM implementers need to walk a fine line between meeting security priorities and not stepping too hard on customers’ toes, whether external or internal, industry sources agree.
At Flextronics, for example, “we wanted to be proactive, not reactive” when it came to enforcing security rules, says Bauer. “Most security tools use a traffic-cop model: OK, I caught you speeding — but the guy gets away with speeding first. [ERM] helps us prevent people from speeding so we don’t have to give a ticket.”