Thursday Jun 02, 2011

Growing Risks: Mobiles, Clouds, and Social Media

The International Information Systems Security Certification Consortium, Inc., (ISC)²®, has just published a report conducted on its behalf by Frost & Sullivan.

The report highlights three growing trends that security professionals are, or should be, worried about - mobile device proliferation, cloud computing, and social media.

Mobile devices are highlighted because survey respondents ranked them second in terms of threat (behind application vulnerabilities). Frost & Sullivan comment that "With so many mobile devices in the enterprise, defending corporate data from leaks either intentionally or via loss or theft of a device is challenging." Most respondents reported that they have policies and technologies in place, with rights management being reported as part of the technology mix.

Cloud computing was ranked considerably lower by respondents, but Frost & Sullivan highlighted it as a growing concern for which the security professionals consistently cited the need for more training and awareness.

The security professionals also reported that their two most feared cloud-related threats are:

  • "Exposure of confidential or sensitive information to unauthorised systems or personnel"
  • "Confidential or sensitive data loss or leakage"

These two concerns were ranked head and shoulders above access controls, cyber attacks, and disruptions to operation, and concerns about compliance audits and forensic reporting.

Rather contrarily, the third trend is highlighted because respondents reported that it is not a major concern. Frost & Sullivan observe that many security professionals appear to be under-estimating the risks of social computing, with 28% of respondents saying that they impose no restrictions at all on the use of social media, and most imposing few restrictions.

So, interesting reading although no great surprises - and reason enough for me to write three pieces on what Oracle IRM brings to the party for each of these three challenging trends.

A comment on mobile device proliferation is already available here.

A comment on cloud adoption is available here.

Tuesday Sep 28, 2010

PwC 2011 Global State of Information Security Survey

PwC has just released the findings of an information security survey conducted by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. The survey contains responses from more than 12,840 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security in 135 countries. Quite a wide audience. The report focuses on the business drivers for information security spending and reveals that, in general, spending on security has flatlined or even dropped in the past 12 months, mostly due to a lack of funds after a wildly unpredictable economic climate. There were some elements of the report I found intriguing given my knowledge of IRM and the problems it solves.


While the impacts of the downturn linger, risks associated with weaker partners have increased

So whilst organizations are not spending money on security, they do recognize that the risks of sharing information externally with partners are increasing because... their partners are also not investing in adequate security. It is a very obvious point to make: nobody is adequately investing in security, and yet there is a growing trend towards outsourcing, where more and more of your information is shared beyond your existing security perimeter. There is now much higher risk in relying more on external partners for your business to be effective, but it's a necessary evil. What if that partner is your cloud storage provider and you are about to migrate your content into their platform? Will it be secure?



Visibility of security breaches/incidents is increasing, as are the costs

The report also finds a healthy increase in the knowledge of security incidents. I would guess this is primarily an impact of regulatory requirements forcing the issue. More and more companies have to report data loss incidents and therefore they are deploying technologies and processes to gain more visibility of these events.



Yet growing in the other direction is awareness of the cost of data loss: in three years this number has doubled. So it's a simple summary. People know a lot more about the loss or breach of important information, and it is costing them more. The graph below shows the significant increase both in the area of financial loss to the business and in the loss of critical intellectual property. These results tally with the issues we've seen in the news over the past year: GM losing masses of hybrid research, and Ford also losing lots of intellectual property. The health care industry is also reporting data loss incidents at an alarming rate.


Another main area this risk is coming from is, and I'll quote the report, "traced to employees and former employees, in line with the higher risks to security associated with salary freezes, job instability, layoffs and terminations and other HR challenges that rise during economic stress." The technology presenting the greatest risk is the social network. The channels of communication into and out of your business environment are increasing dramatically. No longer is it appropriate to monitor just email and the firewall; you also have to worry about USB devices, web-based storage, social networks... and a lot of this activity happens outside the office, whilst people are at home, in a hotel or on the move with their cell phones.


How does IRM help?

So where does a document security solution like IRM fit into this? First let me summarize what I think all the research is telling us...


Companies are more aware of security incidents, and the threat is moving to the partners who are not spending enough to secure your information. The costs of losing information are increasing, from both the impact to the business and the technology you need to buy to defend against the loss in the first place. More and more ways to lose information are invading the enterprise, and often they are beyond your control.

So consider the following advantages of a document security solution like Oracle IRM.

  • IRM moves your perimeter of security to the information itself. Instead of buying and deploying DLP, hard disk encryption and encrypted USB devices, simply deploy IRM, and no matter where your sensitive documents and emails end up, they are accessible only by authorized persons and remain encrypted wherever they are stored.
  • IRM can allow users to open, edit and review documents but prevent them from copying information from the document into an untrusted environment... Facebook, LinkedIn, unprotected Word and Excel documents. Of course it may not take much for a user to retype the information, but one of the biggest issues around security is that of awareness. If a user can't easily copy information from a document, they know the information must be confidential.
  • Every single time an IRM protected document is created, opened, printed or saved, it is audited. This dramatically increases the visibility of who is doing what with your information. Also, when end users know that by opening IRM documents they are leaving a trail of access, it decreases the likelihood that they are going to misuse that information.
  • IRM is easy to deploy. The biggest advantage of IRM by far is that once a document has been secured, you have total control over who can open it. So the simplest deployment, where you create one single classification for your entire business and secure all your confidential documents to it for use only by internal employees, is quick and easy to do. Right now most organizations have millions, nay billions, of documents floating around on partner file shares, employee laptops and the internet. IRM in one simple deployment brings a massive amount of value.
  • IRM does not suddenly impact your business effectiveness. Core to its design is a usable and scalable rights and classification model that puts the decision making on user access into the business. Enormous effort has been invested in making the use of Oracle IRM protected documents simple and easy for authorized users.


Have a look at some of the videos on our YouTube channel, or get in touch if you'd like to know more about how this solution works.

Friday Jul 23, 2010

Who cares about encryption & why hard disk cryptography is only part of the solution...

One of my favourite sources of IT news and information is The Register, a UK based IT news website that is written with style and often makes what can be a dull subject, IT, compelling reading.

I just read an article by Jon Collins which details the results of a recent poll asking about general use of encryption and what people thought were the main areas where cryptography should be used to protect sensitive information. The poll was run by research company Freeform Dynamics, and Jon points out that their polls typically attract those interested in the subject matter, so it's safe to say my Mum wasn't answering the questions.

The first analysis from the article looks at the answers to "Which of the following drivers are likely to influence your organisation when it comes to requirements for encrypting data?" Pretty obvious results, with compliance in first place, then protecting the storage of confidential information, and then protecting information due to an increasingly mobile workforce.


No surprises here: more and more regulatory controls specify that credit card data, patient information, etc. need to be encrypted. Companies with large amounts of sensitive information, such as financial data, intellectual property and trade secrets, need to protect the storage of that data and also its use on a mobile device, typically a laptop.

However when the poll asked what the most important areas of encryption were, the results revealed concerns of the modern, mobile workplace. The question was "In an ideal world, which of the following do you think should be encrypted and to what degree?"


So the top three ideal-world targets for encrypting everything are, in order:

  • Data stored on notebooks used by mobile workers
  • Data stored on smartphones and other portable/handheld devices
  • Data stored on desktops/notebooks used in home locations


Combine this with the following quote from Jon's article: "The executive who found himself personally responsible for a data breach when his laptop was stolen from his house may have been taken by surprise, as there is a lingering mindset that security is a central infrastructure thing. But rules and regs like PCI are not fussy about which particular part of the IT infrastructure is involved, be it a SAN in the data centre, or an SD card in a phone. It's all just IT."

Information rights management is a perfect solution for these encryption challenges. But it goes beyond just mobile or home use: IRM applies encryption at the document or email level, so no matter where the information is stored, it's always encrypted. Another really nice feature of IRM is that even when the content is in USE, it is protected. So the file on the hard disk, the file being sent over the network and the file open in Word/Excel/PowerPoint/Adobe Reader/Internet Explorer etc. is ALWAYS secured with IRM.

Unfortunately the article ends with some not so good news. The poll finds that the main reasons not to encrypt information on notebooks and removable devices (DVDs, CDs, USB drives etc.) are the "practicalities around implementation" and "challenges with key management". So people view deploying an encryption solution for mobile devices as difficult. Yet IRM is actually pretty easy to deploy and use, and Oracle IRM has excellent key management.

Finally, and this is the real killer for me, is Jon's closing message: "Meanwhile, the message to end-users is, if you haven't already encrypted your laptop data, you'd best get on with it - or at least ask your IT department how to do it". I would bet that most IT departments are going to end up looking at hard disk encryption to secure documents stored on mobile devices. Yet this really doesn't solve the greatest risk.

The advantage of hard disk encryption is that it protects every file stored on the disk, unlike IRM, which applies encryption to a limited set of supported file formats. However, that is also one of its main weaknesses... hard disk encryption ONLY protects the information whilst it is stored on the disk. It doesn't do anything to protect against the following challenges.


  • Research shows that data loss incidents are usually accidental and caused by people outside your organization. So basically it's the supplier you sent your trade secret document to that stores it on an unencrypted USB key which gets lost on a train. Encrypting your employees' hard disks doesn't get close to solving that problem.
  • Hard disk encryption only protects the content whilst it is stored on the disk. As soon as that content is attached to an email, copied to a USB key or even just opened in Word, it exists in a decrypted state. IRM is persistent in its security because the cryptography is applied at the document level and is combined with tight application integration to ensure that you can't even copy and paste sensitive data from a document into a non-encrypted world.
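To make the contrast concrete, here is a small, constructed model of the two approaches described in this post and in the list of IRM advantages in the PwC survey post above: a document sealed to a classification carries its own ciphertext wherever it is copied and can only be opened once a rights server has granted the key for that user and action (with every request audited), whereas a whole-disk volume hands back plaintext to any local read, so the protection stops at the disk edge. This is added example code, not Oracle IRM's code or file format; the cipher (an HMAC-SHA256 keystream with an HMAC tag), the `RightsServer`, `seal`, `open_sealed` and `EncryptedVolume` names, and the users and document are all hypothetical.

```python
"""Constructed model of IRM-style document-level protection beside whole-disk
encryption.  Hypothetical illustration, not Oracle IRM's code or file format."""
import hashlib
import hmac
import json
import os

# Toy authenticated cipher: HMAC-SHA256 keystream + HMAC tag (encrypt-then-MAC).
# Constructed for the illustration; a real product would use a vetted AEAD.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce, ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, nonce, ct, tag):
    # Check the tag first so a modified file is rejected, not decrypted to garbage.
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: sealed content was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class RightsServer:
    """One key per classification plus per-user rights; every key request is audited."""
    def __init__(self):
        self.keys, self.rights, self.audit = {}, {}, []

    def add_classification(self, name, rights):
        self.keys[name] = os.urandom(32)
        self.rights[name] = {user: set(actions) for user, actions in rights.items()}

    def request_key(self, user, classification, action):
        allowed = action in self.rights.get(classification, {}).get(user, set())
        self.audit.append({"user": user, "classification": classification,
                           "action": action, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not {action} {classification} content")
        return self.keys[classification]

def seal(server, user, classification, plaintext):
    """Encrypt under the classification key; the file carries the label, never the key."""
    key = server.request_key(user, classification, "seal")
    nonce, ct, tag = encrypt(key, plaintext)
    return json.dumps({"classification": classification, "nonce": nonce.hex(),
                       "ct": ct.hex(), "tag": tag.hex()}).encode()

def open_sealed(server, user, sealed, action="open"):
    """Any copy of the sealed file, wherever it sits, still needs the server's say-so."""
    doc = json.loads(sealed)
    key = server.request_key(user, doc["classification"], action)
    return decrypt(key, *(bytes.fromhex(doc[f]) for f in ("nonce", "ct", "tag")))

class EncryptedVolume:
    """Whole-disk encryption: ciphertext at rest, but any read by the logged-in user
    yields plaintext, so a copy to e-mail or a USB key leaves the protection behind."""
    def __init__(self):
        self.key, self.blocks = os.urandom(32), {}

    def write(self, path, data):
        self.blocks[path] = encrypt(self.key, data)

    def read(self, path):
        return decrypt(self.key, *self.blocks[path])

def demo():
    server = RightsServer()
    server.add_classification("Confidential",
                              {"alice": {"seal", "open", "print"}, "bob": {"open"}})
    secret = b"Q3 acquisition plan (constructed sample)"
    usb_copy = seal(server, "alice", "Confidential", secret)  # still ciphertext on USB
    volume = EncryptedVolume()
    volume.write("plan.docx", secret)
    usb_plain = volume.read("plan.docx")  # copied off the encrypted disk: plaintext
    results = {"sealed_hides_plaintext": secret not in usb_copy,
               "bob_can_open": open_sealed(server, "bob", usb_copy) == secret,
               "disk_copy_is_plaintext": usb_plain == secret}
    for name, user, action in (("bob_can_print", "bob", "print"),
                               ("outsider_can_open", "mallory", "open")):
        try:
            open_sealed(server, user, usb_copy, action)
            results[name] = True
        except PermissionError:
            results[name] = False
    results["audit_events"] = len(server.audit)  # seal + bob open + bob print + mallory
    return results
```

Running `demo()` shows the asymmetry the post describes: the sealed copy never contains plaintext, bob can open but not print, an outsider gets nothing, and all four requests (including the refused ones) are in the audit trail, while the file read back from the encrypted volume is ordinary plaintext the moment it leaves the disk.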


So whilst IRM is not the be-all and end-all of information security, combined with technologies like DLP, hard disk encryption, network encryption etc. it makes a huge difference in reducing the risk and exposure of an organization to losing control of its most sensitive information.

Tuesday Jul 13, 2010

Preliminary Results from Securosis Data Security Survey

Interesting initial results from a data security survey run by information security research and analyst firm Securosis show that information rights management (Enterprise DRM in this survey) is high on the agenda. Full results are expected in the next 6 weeks or so, but in the meantime they report some fascinating findings. Look at the demographic information below; they hit a nice range of people in the responses to the survey.


  • 36% of respondents have 1-5 IT staff dedicated to data security, while 30% don't have anyone assigned to the job (this is about what I expected, based on my client interactions).
  • The top verticals represented were retail and commercial financial services, government, and technology.
  • 54% of respondents identified themselves as being security management or professionals, with 44% identifying themselves as general IT management or practitioners.
  • 53% of respondents need to comply with PCI, 48% with HIPAA/HITECH, and 38% with breach notification laws (seems low to me).


The main section of the survey was questions about security control effectiveness, which asked about effectiveness for reducing the number of breaches, the severity of breaches, and the costs of compliance. The results stated that "the top 5 security controls for reducing the number of data breaches were DLP, Enterprise DRM (IRM), email filtering, a content discovery process, and entitlement management. I combined the three DLP options (network, endpoint, and storage) since all made the cut, although storage was at the bottom of the list by a large margin. EDRM rated highly, but was the least used technology." and went on to find that "For reducing compliance costs, the top 5 rated security controls were Enterprise DRM, DLP, entitlement management, data masking, and a content discovery process."

So DLP and EDRM/IRM feature high in a list of about 20 technologies, which validates some of what we are seeing at Oracle. DLP vendors are working with us to integrate IRM into their DLP technologies, and we are seeing an increase in activity, globally, around using IRM technology to protect a company's most sensitive information no matter where it ends up.

I'll be very interested to see the final results of this survey to see what the finer details are.

Thursday Jan 29, 2009

Capgemini predicts a more sensible approach to de-risking data loss



According to Jude Umeh from Capgemini, 2009 is going to be the year to look at and implement an Information Rights Management solution. He highlights that the uptake of such technologies has been relatively slow and blames the lack of an obvious immediate return on investment. The pure play IRM vendors have now mainly been picked up by the larger corporations (but who's going to be buying Liquid Machines?). We were the fortunate ones, being acquired by Oracle; our IRM technology is now being integrated into and developed within Fusion Middleware, making Oracle IRM the only true middleware IRM technology.


Jude predicts that:

  • "The frequent reports of data loss incidents mean that the corporate world has had to start looking at ways to prevent future mishaps. However, even current initiatives like wholesale corporate data encryption and data loss prevention strategies are not totally fool proof; therefore many organisations are still likely to need a more effective approach towards managing and securing information, especially one that will work even after data is lost or misplaced."


    Even more so in this economic climate. With many companies concerned about how to survive the next few years, top of their list will be avoiding any unwarranted press attention regarding loss of intellectual property, financial data or the like. Such incidents have a direct effect on already very fragile stock prices, and as the new US government comes up to speed, regulatory fines are going to be painful to pay when loss of data breaches government mandates.


  • "There are signs that ERM vendors are waking up to the key role they have to play in creating the ecosystem of solutions required to tackle data loss issues head-on. For example, some vendors have begun integrating their ERM products with existing Data Loss Prevention systems in order to provide effective control of information, both within and outside the enterprise security perimeter."


    Since our acquisition by Oracle we have already released integrations with the Oracle content management solutions and are continuing to create ways to integrate with other technologies. Also, the 11g release of IRM sees a large port of the IRM technology into the Oracle Fusion Middleware stack, enabling many out-of-the-box capabilities that are just unavailable in any other IRM technology today.


  • "A recent study of the ERM market shows a steady increase in awareness and adoption by organisations in various sectors like finance, healthcare and IT consulting among others."


    Our experience here at Oracle confirms this, and we've seen sales in the past few quarters from a variety of companies across all sectors.


