Enterprise rights management and keeping data in-house
- 27 April, 2010 04:46
Several years ago, Flextronics was struggling with a thorny security issue: figuring out how to prevent sensitive and proprietary information from going astray once it was in the hands of authorized users.
Like most large enterprises, the global manufacturing services firm had built strong defenses against attacks from the outside, according to Brian Bauer, who was vice president of global IT strategy at the time. (Flextronics' current CIO declined to speak on the record for this story.)
Even so, the company's defenses didn't necessarily apply to employees, customers and contractors.
One of the sticking points was ensuring that customers and contractors gained access only to the parts of Flextronics databases that applied to their projects. The company designs and builds products for some of the world's leading router, video game and medical device companies, many of which are rivals.
Bauer's group also needed a way to prevent, or at least deter, design engineers from leaking valuable and sensitive information, says Bauer, who is currently managing partner at information services consulting firm Bauer & Associates. In his experience, about 70% of data losses are due to mistakes, not deliberate theft, he says.
Flextronics' IT group initially tried to "lock everything down" by prohibiting employees from including sensitive information in a wiki or blog post, bringing flash drives or cameras to work, or even using the Internet, says Bauer. Not surprisingly, this irritated engineers, who complained that they couldn't get the information they needed to do their jobs.
The company ended up turning to an enterprise rights management (ERM) platform that combines a policy engine with data loss prevention and information rights management, NextLabs' Enterprise DLP.
Setting policies vs. assigning granular rights
Data loss prevention (DLP) software scans information being sent beyond the firewall and applies security policies to that data. Policies are typically content-based; for example, a rule might state that if information contains a certain key word or phrase, it doesn't belong on a specific type of device or can't leave the company unencrypted.
For its part, information rights management (IRM) applies granular, user-based access rights to digital data objects outside the corporate firewall. For example, an employee on the road might be able to read and change a file on his BlackBerry but not e-mail the file or download it to a USB device. A contractor might be able to read a document but not print it or send it to a colleague.
With enterprise DLP controls in place at Flextronics, design engineers can access information and collaborate with colleagues on the Web, and bring their USB flash drives (but not cameras) to work, Bauer says.
When NextLabs' Enterprise DLP software catches an employee attempting to share proprietary design information on a wiki, send it out via unsecured Web mail or download it onto a USB device, it either blocks the action or sends the employee a reminder of company policy. Often, the reminder is sufficient, Bauer reports. The product can also automatically create audit files that keep track of who complies and who doesn't.
IRM and DLP are complementary technologies that address two critical and connected security areas, says Jon Oltsik, a managing partner at Enterprise Strategy Group (ESG). "DLP allows IT to block all the stuff leaking out on e-mail attachments, mostly through human error," he notes. Once a document goes outside the corporate network, however, it's out of DLP's control. "If you want granular enforcement at the application, document and user level, outside the firewall you need IRM," says Oltsik.
Some DLP products can scan an organization's internal databases and storage devices, classify information according to preset policies and alert administrators about information that resides in the wrong place.
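To make the split between content-based DLP rules and user-based IRM rights concrete, here is a small policy evaluator added as an illustration; it is not NextLabs' product logic or anything from Flextronics. The role names, key phrases, channel names and rule format are all constructed assumptions.

```python
import re
from dataclasses import dataclass

SEVERITY = {"allow": 0, "remind": 1, "block": 2}

# DLP: content-based rules applied at an egress channel (constructed examples).
# (pattern, channels covered, action, exempt when encrypted)
DLP_RULES = [
    (re.compile(r"proprietary design", re.I), {"wiki", "webmail", "usb"}, "block", False),
    (re.compile(r"project codename", re.I), {"webmail"}, "remind", True),
]
# IRM: user-based rights that apply to the document itself (constructed roles).
IRM_RIGHTS = {
    "engineer": {"read", "edit", "print", "email", "usb", "post"},
    "employee_mobile": {"read", "edit"},
    "contractor": {"read"},
}
EGRESS_CHANNEL = {"email": "webmail", "usb": "usb", "post": "wiki"}

@dataclass
class Request:
    user: str
    role: str
    operation: str
    text: str = ""
    encrypted: bool = False

def decide(req, audit):
    """Return 'allow', 'remind' or 'block' and append an audit record."""
    decision, reason = "allow", "no rule matched"
    if req.operation not in IRM_RIGHTS.get(req.role, set()):
        # IRM is checked first and denies by default, regardless of content.
        decision, reason = "block", f"IRM: {req.role} lacks '{req.operation}' right"
    else:
        channel = EGRESS_CHANNEL.get(req.operation)  # None for on-device operations
        for pattern, channels, action, enc_exempt in DLP_RULES:
            if channel not in channels or not pattern.search(req.text):
                continue
            if enc_exempt and req.encrypted:
                continue
            if SEVERITY[action] > SEVERITY[decision]:  # keep the strictest match
                decision, reason = action, f"DLP: /{pattern.pattern}/ on {channel}"
    audit.append({"user": req.user, "op": req.operation,
                  "decision": decision, "reason": reason})
    return decision

def demo():
    audit = []
    results = [
        decide(Request("alice", "engineer", "post", "Proprietary design for board rev C"), audit),
        decide(Request("alice", "engineer", "email", "project codename update"), audit),
        decide(Request("alice", "engineer", "email", "project codename update", encrypted=True), audit),
        decide(Request("bob", "contractor", "print", "meeting notes"), audit),
        decide(Request("carol", "employee_mobile", "edit", "proprietary design notes"), audit),
    ]
    return results, audit
```

The last case shows why the two controls are complementary: the DLP rules never fire for an on-device edit because no egress channel is involved, so only the IRM rights table governs it.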