Monday Jul 21, 2008

Upsetting your employees 101, Ban the use of iPods...

One way to guarantee annoying your employees, ban them from using cool and useful technologies. This is exactly what Jim Hereford from NextSentry seems to be suggesting. In his podcast with MacVoices he describes the risk with mass storage devices being used in the enterprise and calls for the banning of iPods and other cool devices. Even commenting that the PDA/phone is a risk.

His solution? NextSentry develops a product called Active Sentry, a perimeter security technology which monitors activity on your computer and prevents the copying of data to CD/DVD, USB devices, and instant messaging networks. It also controls printing, forwarding of emails etc. In effect it locks down the corporate desktop to ensure a user cannot copy information outside the boundaries of the controlled enterprise. Bizarrely Active Sentry doesn't work at all on Macintosh operating systems... how odd they would have an interview with someone from MacVoices.

But what if you legitimately want to share information across these perimeters? The following are a few simple use cases I come across in my working week.

  • I want to legitimately email documents to an external party, such as a customer or partner.
  • Weekly I backup my important files, often the most sensitive, to a remote drive. I have had two laptop hard disk failures in the past year!
  • For me, the quickest way to copy files between machines is via USB flash drives. Countless times I am sharing documents with my co-workers in meetings by passing a USB drive around.
  • I attend meetings using a shared computer hooked up to the projector, I carry my presentations and supporting documents on a USB flash drive and then copy them to the shared machine.
  • I use my iPod to listen to the excellent Digital Planet broadcast from the BBC as well as Oracle podcasts which I sync from the office before I drive home.


I'm sure there are many more cases where users in the enterprise environment need to use sensitive data across classic network boundaries. How frustrated would you be if a technology like Active Sentry kept interfering with your working day?

Lisa Vaas posts on the eWeek security watch blog picking up on the fact that, Banning the popular devices would be an unpopular move. Employers themselves are using iPods for convenient employee training. NextSentry's release referred to an Oct. 25, 2006 Wall Street Journal article that described some examples, such as National Semiconductor spending $2.5 million on video iPods for its 8,500 employees, including those overseas, for training purposes and company announcements.

Unpopular indeed! This is a great example of how companies are using new technology to share information with their users using a very familiar device.

She also mentions other rising technologies which are attempting to control the flow of sensitive data. "As portable storage devices shrink in size and gain in storage capacity, they pose an ever greater risk to organizations. Third-party security products have emerged to address this threat. For example, Safend markets an auditor that keeps an eye on every port in an enterprise, from USB to WiFi and Bluetooth. Another Safend product allows the definition and enforcement of security policies to control how ports and devices are accessed. DeviceLock is in the same space, as is SecureWave."

So the message from the above is one which describes a need to constantly keep looking for new security holes in your environment. Purchase a technology to plug that hole and then prevent your employees from using new devices and ways of sharing information!

You could of course take a much more balanced approach and implement Information Rights Management (IRM). Because IRM protects documents and emails directly (not indirectly as a side effect of protecting the perimeters within which some of the copies are stored), you do not need to be so strict about the locations to which the content is ultimately copied or forwarded. You do not need the draconian approach of banning all these really useful devices such as USB drives and iPods. It doesn't matter where the information ultimately ends up, IRM ensures only authorized users gain access.

Oracle IRM has long realized, by working with many large corporate environments, that security must come hand in hand with usability. If the security of a technology interferes too much with the end users existing workflows, it ultimately is less effective. Users find ways around the security mechanism, such as working on sensitive documents on home machines because the corporate desktop is too painful to use. Oracle IRM therefore places as much emphasis on the user experience as it does on its patented security techniques.

These Data Loss Prevention (DLP) and content monitoring technologies do have some very useful features however. They can use natural language filters to look for content that is deemed sensitive and then take remedial action. This would work very nicely with IRM, ensuring that if a user is moving content past a monitored point and it has not been protected with IRM, if could be automatically sealed at the perimeter.

So free up your employees. Don't ban their devices. Stop trying to monitor an ever increasing array of storage devices, file sharing networks, and cool technologies. Instead use IRM to protect the document throughout its entire life cycle – from creation to archival, no matter where it goes, no matter who tries to open it.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.

11g quick guide


« August 2016