Saturday Jun 11, 2011

Clouds Leak - IRM protects

In a recent report, security professionals reported two leading fears relating to cloud services:

"Exposure of confidential or sensitive information to unauthorised systems or personnel"

"Confidential or sensitive data loss or leakage"


These fears are compounded by the fact that business users frequently sign themselves up to cloud services independently of whatever arrangements are made by corporate IT. Users are making personal choices to use the cloud as a convenient place to store and share files - and they are doing this for business information as well as personal files. In my own role, I was recently invited by a partner to review a sensitive business document using Google Docs. I just checked, and the file is still there weeks after the end of that particular project - because users don't often tidy up after themselves.

So, the cloud gives us new, seductively simple ways to scatter information around, and our choices are governed by convenience rather than compliance. And not all cloud services are equal when it comes to protecting data. Only a few weeks ago, it was reported that one popular service had amended its privacy assurance from "Nobody can see your private files..." to "Other [service] users cannot...", and that administrators were "prohibited" from accessing files - rather than "prevented". This story demonstrates that security pros are right to worry about exposure to unauthorised systems and personnel.

Added to this, the recent Sony incident highlights how lazy we are when picking passwords, and that services do not always protect passwords anything like as well as they should. Reportedly millions of passwords were stored as plain text, and analysis shows that users favoured very simple passwords, and used the same password for multiple services. No great surprise, but worrying to a security professional who knows that users are just as inconsiderate when using the cloud for collaboration.

No wonder then that security professionals put the loss or exposure of sensitive information firmly at the top of their list of concerns. They are faced with a triple-whammy - distribution without control, administration with inadequate safeguards, and authentication with weak password policy. A compliance nightmare.

So why not block users from using such services? Well, you can try, but from the users' perspective convenience out-trumps compliance and where there's a will there's a way. Blocking technologies find it really difficult to cover all the options, and users can be very inventive at bypassing blocks. In any case, users are making these choices because it makes them more productive, so the real goal, arguably, is to find a safe way to let people make these choices rather than maintain the pretence that you can stop them.

The relevance of IRM is clear. Users might adopt such services, but sealed files remain encrypted no matter where they are stored and no matter what mechanism is used to upload and download them. Cloud administrators have no more access to them than if they found them on a lost USB device. Further, a hacker might steal or crack your cloud passwords, but that has no bearing on your IRM service password, which is firmly under the control of corporate policy. And if policy changes such that the users no longer have rights to the files they uploaded, those files become inaccessible to them regardless of location. You can tidy up even if users do not.

Finally, the IRM audit trail can give insights into the locations where files are being stored.

So, IRM provides an effective safety net for your sensitive corporate information - an enabler that mitigates risks that are otherwise really hard to deal with.

Thursday Jun 02, 2011

Growing Risks: Mobiles, Clouds, and Social Media

The International Information Systems Security Certification Consortium, Inc., (ISC)²®, has just published a report conducted on its behalf by Frost & Sullivan.

The report highlights three growing trends that security professionals are, or should be, worried about - mobile device proliferation, cloud computing, and social media.

Mobile devices are highlighted because survey respondents ranked them second in terms of threat (behind application vulnerabilities). Frost & Sullivan comment that "With so many mobile devices in the enterprise, defending corporate data from leaks either intentionally or via loss or theft of a device is challenging." Most respondents reported that they have policies and technologies in place, with rights management being reported as part of the technology mix.

Cloud computing was ranked considerably lower by respondents, but Frost & Sullivan highlighted it as a growing concern for which the security professionals consistently cited the need for more training and awareness.

The security professionals also reported that their two most feared cloud-related threats are:

  • "Exposure of confidential or sensitive information to unauthorised systems or personnel"
  • "Confidential or sensitive data loss or leakage"

These two concerns were ranked head and shoulders above access controls, cyber attacks, and disruptions to operation, and concerns about compliance audits and forensic reporting.

Rather contrarily, the third trend is highlighted because respondents reported that it is not a major concern. Frost & Sullivan observe that many security professionals appear to be under-estimating the risks of social computing, with 28% of respondents saying that they impose no restrictions at all on the use of social media, and most imposing few restrictions.

So, interesting reading although no great surprises - and reason enough for me to write three pieces on what Oracle IRM brings to the party for each of these three challenging trends.

A comment on mobile device proliferation is already available here.

A comment on cloud adoption is available here.

Monday Jul 12, 2010

LaFarge secures sensitive M&A documents in ICSA Blueprint Data Room with Oracle IRM


A very common use case for information rights management technologies is the requirement to protect very sensitive mergers and acquisitions processes. Oracle itself has been using IRM to do this since it acquired the technology. Such information is often shared beyond the classic corporate security infrastructure, and there are quite a few companies who package the entire process of sharing and protecting this information into an online service in the "cloud".

These solutions have the challenge of providing a system that is simple and easy to use, yet very secure. One big problem is how to ensure that, once the documents have been downloaded from the cloud-based service, you still maintain total control over who can open, print, and edit the information. Acquisition discussions often break down, which can result in a lot of sensitive information, such as financial plans, due diligence results and business strategy documents, being left at a potential acquisition company. This information is now exposed, and the company may well be purchased by a competitor. That presents a serious risk to your business and often limits your ability to share information in the first place, hindering your ability to execute efficient M&A projects.

"Blueprint Data Room shows excellent security qualities allowing us to fearlessly make our corporate records available."
Jérôme Vitulo (Assistant General Counsel)

This is where IRM technologies can help. Documents and emails secured with IRM are under your constant control, allowing you to share information in the knowledge that you can revoke access at any time. This can be especially important given the current trend towards storing data in the cloud. Cloud data storage and collaboration services are very popular, mainly due to cost but also due to ease of use. Cloud-based services are often built on very modern platforms with modern approaches to sharing and collaborating on information. They also wrap up many complex processes in web-based applications that are easy to use and govern. Yet all the glamor of the cloud brings security fears. Are you really going to store your most important company information inside a website which is designed to make sharing that information simple and easy to do?

ICSA is a company offering one of those cloud-based solutions and has teamed up with Oracle to reinforce its security when protecting its customers' most valuable documents. One of ICSA's customers, building materials manufacturer LaFarge (currently the world's largest producer of cement), has released a case study on how it relies on Oracle IRM to secure its information when used with the ICSA Blueprint Data Room service.


Why Choose Blueprint Data Room?

  • Facilitate communication - Blueprint Data Room allows you to securely store due diligence documents in a central location, easing the exchange of critical and sensitive business information with authorised third parties
  • Global access - Advisers are able to access due diligence documents anywhere, anytime via a standard web browser, a username and password, increasing world-wide business opportunities
  • Configurable - Companies can filter which documents they wish to publish using options such as relevant company or group of companies, category of documents, specific documents and/or date range
  • Highly secure - ICSA Software has teamed up with Oracle to reinforce its security. Its software, Oracle IRM, allows users to benefit from one of the strongest warranties against document fraud and misuse, giving a world-class security application. Oracle IRM extends security to documents that have left Blueprint Data Room by restricting actions on these documents such as printing, opening if not authorised and screenshots
  • User-friendly - Blueprint Data Room is a user-friendly tool allowing everyone to use the application without the necessity of training
  • Fully integrated with other Blueprint applications - No need to duplicate or export documents


Blueprint Data Room is transforming the way companies exchange critical information and is accelerating and significantly simplifying the M&A process. Oracle IRM is a key component to delivering this solution.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.
