Monday Nov 03, 2008

Oracle IRM and Data Loss Prevention (DLP) technologies

Just before Oracle Open World 2008 I spoke with a customer who is researching technologies which can help them secure sensitive documents and emails within their organization. I went to see them with our Information Rights Management product manager, Andy Peet, and IRM was of course the main topic of discussion. However they were also researching Data Loss Prevention (DLP) and wondered how the two technologies fitted together. So the following is an overview of DLP, its benefits and limitations, and its fit with Information Rights Management.

First some definitions:

  • Information Rights Management (IRM) refers to technologies that use encryption to persistently protect information contained in documents and emails from unauthorized access inside and outside the organization.
  • Data Loss Prevention (DLP) refers to technologies designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.
The definitions sound quite similar, but under the hood the two technologies represent quite different approaches to two closely related problems.



DLP overview

DLP products are content- and context-aware filtering products that monitor outbound information flows from the network, servers and endpoints in order to detect and prevent the unauthorized transmission of information to outsiders. The core intellectual property in DLP is the natural language filtering used to classify information into categories such as PCI, PII, ITAR, GLBA, SOX, etc. Information categories can then be associated with policies, and policy violations logged and automatically remediated.


DLP systems are typically made up of the following components:


  • MONITOR – Passive network monitoring and reporting (“data-in-motion”), typically operating at the Internet gateway in an appliance form factor.
  • PREVENT – Active remediation by the network component. Remediation actions include alerting, warning, blocking, quarantining, encrypting, self-remediation, etc.
  • CAPTURE – Stores reconstructed network sessions for later analysis and rule tuning (only supported by a few DLP vendors).
  • DISCOVER – Discovers and classifies information (“data-at-rest”) in repositories and on endpoints.
  • ENDPOINT – DLP capabilities extended to desktop application-operating system interfaces such as local file systems, removable media, wireless, etc.

Benefits of DLP

The network monitoring and discovery components of DLP can be relatively easy to deploy, without IRM’s requirement for an endpoint agent. They do tend to immediately generate a bewildering number of policy violations, so it is important that (a) the DLP reporting engine can be tuned to exclude most violations and focus on high-priority applications, e.g. PCI, and (b) the DLP classification engine does not generate too many business-disruptive false positives (we are still far from Terminator-style artificial intelligences, fortunately ;).


The reports from DLP network monitoring and discovery provide a useful information security feedback loop: identifying compliance “hot spots” and poor working practices, mapping the proliferation of sensitive content throughout (and beyond) your enterprise and enabling organizations to tune their existing access control systems.

Limitations of DLP

With all the best will in the world, DLP is only ever going to be a partial solution. There are simply too many information flows to monitor and too many violations to process. For all the claims of the vendors, true natural language “understanding” remains a pipe dream, and some classification engines are little more than regular expression pattern matching. DLP cannot monitor encrypted information or information that leaves the corporate network to partners, customers or suppliers.


Most DLP customers would agree that moving from passive detection to active prevention is a massive leap. The shortcomings in the classification algorithms result in too many false positives (non-sensitive information mis-classified as being sensitive) and false negatives (where sensitive information is not classified as such), which, combined with crude blocking techniques such as cryptic network drops, wreak havoc on business productivity. Most of the real-world value of DLP is in monitoring and feedback, not active prevention. DLP tells you that you forgot to close the stable door, which horses bolted and in what direction.
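To make the false positive and false negative problem concrete, here is an added example (not from the original post, and not any DLP vendor's code) of a regular-expression classifier for the PCI category, with and without a Luhn checksum as a tuning step. The sample messages, labels and function names are all constructed for illustration, and the base64 message stands in for any encoded or encrypted content the filter cannot read.

```python
import base64
import re

# Candidate payment card numbers: 13 to 19 digits, optionally separated
# by single spaces or hyphens. This is the "regex only" style of classifier.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str, validate: bool = False) -> list:
    """Return digit strings in text that the filter treats as card numbers."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if validate and not luhn_ok(digits):
            continue            # tuning step: drop candidates failing Luhn
        hits.append(digits)
    return hits


# Constructed outbound messages: (label, body, really contains card data?)
SAMPLES = [
    ("card in clear", "Please charge 4111 1111 1111 1111 for the renewal.", True),
    ("tracking number", "Your parcel 1234567890123456 ships Monday.", False),
    ("order id", "Ref order 2008-1103-0000-4521 attached.", False),
    ("invoice number", "Invoice 1234567890123452 is overdue.", False),
    ("base64 card",
     "payload=" + base64.b64encode(b"4111111111111111").decode(), True),
]


def evaluate(validate: bool):
    """Return (false_positives, false_negatives) as lists of sample labels."""
    false_pos, false_neg = [], []
    for label, body, sensitive in SAMPLES:
        flagged = bool(classify(body, validate))
        if flagged and not sensitive:
            false_pos.append(label)
        elif sensitive and not flagged:
            false_neg.append(label)
    return false_pos, false_neg


if __name__ == "__main__":
    for validate in (False, True):
        fp, fn = evaluate(validate)
        print(f"luhn={validate}: false positives={fp} false negatives={fn}")
```

The checksum removes two of the three false positives, but one in ten arbitrary digit strings still passes it, and no amount of pattern tuning recovers the encoded card number.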

DLP classification filters are complex and in a global enterprise will require localization into all the languages in which data may be leaked. This makes maintaining and extending these filters difficult, slow and expensive.

DLP vendors have been forced to add endpoint components because of the numerous channels for data leaks from the endpoint, invisible to network DLP components. These components are for the most part very rudimentary, for example only scanning information sent to removable disks, but not to file shares, DVDs, printers, etc.

There can be widespread employee antipathy towards what is perceived as “big brother” monitoring or enterprise spyware, and some corporations may believe that in terms of policy violations “ignorance is bliss”, i.e. if they detect a million policy violations someone is going to expect them to fix a million policy violations, which is going to be expensive.

DLP and IRM compared

From the above discussion it should be seen that DLP and IRM address similar problems, but not the same problem.


DLP is more useful when an organization wants to protect itself from data leaks but doesn’t really know what information it needs to protect, or where that information resides. It can then use DLP network monitoring and discovery to map the proliferation of its sensitive information and use that map to improve its existing access control systems or apply new systems, such as IRM.

IRM is more useful when the enterprise already knows which information it needs to protect, and wants it secured and tracked both inside and outside the enterprise.

IRM’s value proposition is more towards providing higher assurance security for an enterprise’s most sensitive IP, for example trade secrets or draft financials. Once encrypted all copies of that information are secured and tracked, regardless of location or distribution mechanism.

DLP’s value proposition is more as a feedback/tuning mechanism for other more proactive access control mechanisms, than as an access control system in its own right. Having a means of observing the information actually flowing out of your existing applications and repositories is nevertheless tremendously useful.

IRM and DLP overlap in terms of cost of deployment. Network-based DLP monitoring and discovery are easier to deploy, since they do not require an endpoint agent, but have a huge blind spot in terms of endpoint activity. Introducing endpoint agents can make DLP more costly to deploy, since it now needs to manage gateway, server and endpoint agents compared to IRM’s endpoint-only agent.

Bottom line

The bottom line is that IRM and DLP are more complementary than competitive.


Standalone they address similar but different problems. DLP and IRM vendors have long talked about integrating the two technologies, to provide a solution greater than the two parts. This would mean a DLP solution automatically applying IRM encryption to content discovered “at rest” or “in motion”, so that it remains secure and tracked “in use”, inside and outside the firewall. The link between DLP discovery and IRM is particularly attractive, since if content were IRM-encrypted at source then all subsequent copies would automatically remain secure “at rest”, “in motion” and “in use”, even on unmanaged systems.

Both technologies are highly extensible and offer comprehensive APIs, making their integration straightforward. I am not aware of many real-world integrations to date, but I’m sure this will change.

Thursday Oct 16, 2008

Cisco research reveals common data loss mistakes

Cisco have just released a study into the behavior of corporate employees and their attitudes to security. The study was designed to understand behavior rather than look at the use of technology. John N. Stewart, chief security officer of Cisco, comments that,
"Security is ultimately rooted in users' behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss ... Simply put, security practices can be more effective when all users realize what their actions result in."

The report highlighted 10 findings of note. I've picked out two of these which relate to the sharing or use of confidential documents and emails.

Sharing corporate devices: In a sign that data isn't always in the hands of the right people, almost half of the employees surveyed (44 percent) share work devices with others, such as non-employees, without supervision.


Losing portable storage devices: Almost one in four (22 percent) employees carry corporate data on portable storage devices outside of the office. This is most prevalent in China (41 percent) and presents risks when devices are lost or stolen.

This highlights two obvious issues. Firstly, there are indeed security risks; secondly, people do want to legitimately share information with other people, and people do carry corporate data outside the office and enterprise perimeters. What corporations need are security tools to ensure that employees can continue to share and use information but at the same time allow the corporation to retain control over the most sensitive data. This is where IRM is a good solution: it can help prevent unauthorized access to such data when shared or lost. So even if a corporate device is accessed by non-employees, any IRM protected documents would be inaccessible. Another finding which I found quite interesting:

Altering security settings on computers: One of five employees altered security settings on work devices to bypass IT policy so they could access unauthorized Web sites. This was most common in emerging economies like China and India. When asked why, more than half (52 percent) said they simply wanted to access the site; a third said, "it's no one's business" which sites they access.


We are very familiar with the problems of losing laptops, USB drives and sharing information across typical enterprise security boundaries, but as the item above highlights, users are often actively trying to circumvent security controls put in place on their desktops. John goes on to suggest some practices to reduce these risks of data loss.

  • Know your data; Manage it well: Know how/where it's stored, accessed, used.
  • Treat data as if it's your own - Protect it like it's your money: Educate employees how data protection equates to money earned and money lost.
  • Institutionalize standards for safe conduct: Determine global policy objectives and create localized education tailored to a country's culture and threat landscape.
  • Foster a culture of trust: "Employees need to feel comfortable reporting incidents so IT can resolve problems faster," Stewart said.
  • Establish security awareness, education and training: Think globally, but localize and tailor programs for regions based on threat landscape and culture.

The overall message is about educating your users with good practices when handling important corporate data. There are many aspects of the Oracle IRM technology which make achieving some of the above recommendations possible.
  • End user training and education required to use Oracle IRM protected content is small, often end users are not aware they are using content that has been secured until they attempt to do something for which they do not have authorization, such as print the document or edit it.
  • IRM protected content is protected no matter where it is stored and accessed from. Each and every time content is used that activity is audited.
  • Confidential documents and emails can be automatically protected in line with your corporate classification policies by integrating IRM with your applications which create/store this data, e.g. financial reporting applications, content management repositories.
  • Using pre-sealed templates, new content is automatically secured and classified without having to place extra burden on the end user about how to correctly secure their content.


Deploying Oracle IRM effectively can address the concerns found in this report and actually requires little education with the majority of your employees. Ensuring that sensitive corporate data is protected at source as soon as possible also reduces the burden on the employee to constantly make decisions about handling corporate information correctly.

John goes on to say:

"Without modern-day security technologies, policies, awareness and education, information is more vulnerable. Today, data is in transit, in use, within programs, stored on devices, and in places beyond the traditional business environment, such as at home, on the road, in cafes, on airplanes and trains. This trend is here to stay. To protect your data effectively, we need to start understanding the risk characteristics of business and then base technology, policy, and awareness and education plans on those factors."


You couldn't have a more well put statement for a reason to use IRM to ensure that in the modern workplace, where your sensitive data is being used in and across a wide variety of environments, your corporate data is protected.

Wednesday Oct 01, 2008

More personal data lost in health care

It seems to be happening every week: sensitive information is being lost from health care organizations. This time email is the culprit.

BlueCross & BlueShield of Louisiana have had to publicly announce details of an incident where a document was accidentally attached to an email sent to a group of about 1,700 brokers. The document contained social security numbers, phone numbers and addresses. Fortunately the information was about the same group of people the email was sent to, no customer information was involved. This demonstrates how easily mistakes like this can happen and how BlueCross & BlueShield are required, by law, to make this information public knowledge. Fines for such incidents can be incurred although no details of a fine have been reported in this case.

Louisiana Blue Cross confirms data breach


Oracle IRM can prevent such incidents in many ways. Firstly, if this document had been classified and protected using IRM and the recipients had not been given rights to the classification, then the document would never have been accessible by this group of brokers. This is often the most valuable aspect of using an IRM technology: having a classification which only allows access to confidential information to those within your organization, so that if the document or email is accidentally lost, attached and forwarded via email or stolen, it is unusable for anyone outside your organization.

However, what if the document had been protected incorrectly to a classification to which the brokers did have access? Unlike many other similar technologies, Oracle IRM separates the rights to content from the documents and stores all this information on the centralized Oracle IRM server. In this case, once the mistake has been realized/reported, the BlueCross & BlueShield classification manager could simply deny access to this document, or to many documents, even after they have been distributed. When the brokers then attempt to access the document in the email, they are denied. Even those who were able to access the documents before the organization knew of the error would be denied access once their rights have been centrally changed. They may, however, still have access to other content in the same classification. Such is the flexibility of the Oracle IRM classification model.

Wednesday Sep 17, 2008

Protecting confidential patient data


A recent article in the Teesdale Mercury reports, unfortunately, another instance of patient data falling into the wrong hands. The press is constantly reporting issues of confidential patient information being hacked, lost, stolen or misused. This highlights a common problem within the healthcare industry: the requirement to share sensitive information about patients and practices of the organization whilst trying to comply with regulations which require that process and technology be in place to secure such information. Unfortunately incidents like this are all too common. The Data Loss DB also makes it very easy to look across the healthcare vertical and see who has been losing information, how much was lost, when and how.


Worse still, the healthcare sector is full of regulation. One of the most important in the U.S.A. is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A major component of HIPAA addresses the privacy of individuals’ health information by establishing a nation-wide federal standard concerning the privacy of health information and how it can be used and disclosed.

Essentially, a HIPAA covered entity cannot use or disclose protected health information for any purpose other than treatment, payment, or health care operations without either the authorization of the individual or under an exception in the HIPAA regulations.

IRM is an excellent technology to solve the problem of securing any content covered by the HIPAA act. Not only does it ensure only the right people have access to the right patient data, but each and every time a secure document is accessed an audit record is generated, giving the organization the ability to present reports which prove all efforts have been taken to secure confidential patient information.

Friday Sep 12, 2008

Online Data Loss Database launched


Here is one website you do not want your company name to appear on. What is it?


"DataLossDB, formerly the Data Loss Database Open Source, is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, with the move to OSF, and relies on the contributions of users like you to grow and prune the database."


Basically the public at large submit to this website any known security breaches in the form of hacked websites, lost documents, media, laptops etc. It is a vastly improved interface to the former website. People can now search by date, by incident type, by industry, even by the largest known loss of records! It is a leader board on which you will all want to avoid being in the top ten. Any guesses at what technology might be able to help you ensure that even when your intranets are hacked, laptops lost and firewalls breached, your most sensitive content still remains safe? I don't think I even need to say it...

Nearly 1000 laptops go missing at London Heathrow a week


The Daily Telegraph, a UK newspaper, has just reported on some research done by the Ponemon Institute for Dell computers. The research has found that in a year about 800,000 laptops are either lost or stolen at airports all over the world. Shocking numbers; consider how many of these laptops contain sensitive information which is now totally out of the owner’s control.

The research highlights some scary statistics. In the US about 12,000 laptops go missing each week, 10% within Los Angeles. When asking the travelers if they took any steps to protect their content they found nearly 60% admitted no protection around their confidential information.

How do you protect against losing such devices? You may have encrypted the hard disk, but what if in the laptop bag the sensitive documents resided on non-encrypted USB drives or CDs and DVDs? Are you able to protect these storage devices? DLP products might be able to destroy the copies of the documents, but it needs some form of remote access to the laptop to issue the self destruct commands. These laptops might be powered up without internet access and the content stolen. The report is doing the rounds with other news websites that are suggesting varying methods on how to solve the problem and the issue of laptop theft has been in the press for many years.

Of course, I’m leading to the use of information rights management as the best solution. Not only would IRM ensure the documents were encrypted and access to them denied once the laptops and related devices are lost, but the responsibility for protecting the information doesn't need to rely on the end user. Deploying IRM, integrating it with the content management systems and network file storage servers, and providing users with pre-sealed document templates ensures that content is correctly classified and protected without placing a burden on the end user to make that decision.

We obviously use Oracle IRM within the company and a few years ago we had someone lose a laptop at an airport (Don't worry Mark, I won't name and shame... oops). Our response was simple, we disabled his Windows account credentials and temporarily revoked his rights to content on the IRM server whilst we sorted out new account details and reset passwords. We were safe in the knowledge that all the important documents on that laptop were secure.

If you want to learn more about how this technology can help you protect your organization's content, either contact your Oracle sales representative or email us and we can give you access to our easy-to-use online evaluation system.

Thursday Jul 17, 2008

Osterman Research Information Leak Prevention Survey

Concerns surrounding the loss of sensitive information increased recently with the release of a short survey by Osterman Research titled Information Leak Prevention, sponsored by FaceTime. They surveyed 109 mid- to large IT organizations in North America regarding their concerns about information leak prevention in their current or planned unified communications deployments and found their respondents had the following concerns.

  • 57% believe that their corporate information is not adequately protected from leaks via instant messaging and/or unified communications.
  • 48% worried about unintentional or accidental leaks of information by employees.
  • 31% named data loss due to malicious software.
  • 38% named intentional leaks by employees past or present.
When asked how prepared they were to prevent such incidents, 48% regarded it a top priority.



The survey was also picked up by Matt Hines, from eWeek's security watch. In his blog post IT Leaders Still Sweating Data Loss he comments:

I think this a good thing, not a bad thing, because if more execs were under the impression that they were already well-defended or protected by some point solutions they already have in place that would likely mean that they're just sitting ducks for upcoming ownage, or for imprudent workers to leave their information exposed.

Clearly there is still plenty more work to be done in the whole world of data protection.

Information Rights Management (IRM) is a good solution to address these concerns and after over 10 years of development, Oracle IRM is perfectly positioned to integrate with different communications systems to ensure that the sensitive data IT managers are worrying about is secured.

So, sweat no more, IT managers! If you feel your job is at risk and your perimeter security solutions (e.g. FaceTime) do not provide persistent controls to protect your most sensitive documents and emails, it's time to start investigating IRM.

Wednesday Jul 16, 2008

Response to Jon Oltsik on ERM

Jon Oltsik, a senior analyst at Enterprise Strategy Group, recently posted the article titled ERM: The forgotten data security space. He comments on the ERM space, now more usually called IRM, as a forgotten technology with regards to data security. DLP is also discussed as another technology which addresses the problem of trying to protect your sensitive data.

He comments on two particular ironies that have resulted in the past few years in consolidation of these two technology spaces.

Ironic point No. 1: DLP vendors are now adding ERM-like functionality like data usage policy enforcement into their products. I guess this means that as users get a better understanding about their data and how people use it, they realize that they need better ways to control these activities.

Very true. DLP only protects at a gateway where the information passes, such as a firewall or virus scanner. Yet there are so many ways in which content can be distributed, such as being copied to USB flash keys, sent via non-corporate email, or shared on peer-to-peer networks such as Gnutella and KaZaA. IRM, however, applies the controls at the document or email level, so it doesn't matter where or how the content is distributed: IRM persists the security.

Ironic point No. 2: ERM vendors like Adobe Systems, Liquid Machines, and Microsoft that were able to ride out the market storm are now in high demand. Users finally recognize the value here.

Thankfully for me, also very true... although Jon forgot to mention the market leader in IRM, I'll excuse him this one time. Oracle IRM, formerly SealedMedia, is the market leader in terms of large-scale enterprise deployments. He closes his rather short article stating that "ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike."

Indeed, DLP and IRM are in fact on an intersecting path via either partnerships, acquisition or development. Both aim to control the distribution of and access to an organization's most sensitive content, but do so in very different ways. IRM is designed to offer persistent information security controls at the content level. DLP mostly grew from outbound acceptable use content filtering, such as virus scanners, and is still regarded as quite a new technology. DLP would be wise to seek partnerships where mature IRM technologies, like Oracle IRM, can be integrated alongside.

When DLP and IRM are combined, they provide a solution which moves the enterprise closer to the goal of having its corporate protection policies actually applied to the masses of unstructured sensitive content that is being distributed everywhere. Then, if you consider adding GRC-style applications and auditing technologies to the mix, the enterprise is very close to complete control and deep visibility of its data in use well beyond its physical and virtual perimeters.

I plan to write a more detailed DLP and IRM comparison article, so keep an eye on this blog.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.
