Friday Jul 23, 2010

Who cares about encryption & why hard disk cryptography is only part of the solution...

One of my favourite sources of IT news and information is The Register, a UK-based IT news website that is written with style and often makes what can be the dull subject of IT compelling reading.

I just read an article by Jon Collins detailing the results of a recent poll about the general use of encryption and about where people thought cryptography should be used to protect sensitive information. The poll was run by research company Freeform Dynamics; Jon points out that their polls typically attract those interested in the subject matter, so it's safe to say my Mum wasn't answering the questions.

The first analysis in the article looks at the answers to "Which of the following drivers are likely to influence your organisation when it comes to requirements for encrypting data?" The results are pretty obvious: compliance in first place, then protecting the storage of confidential information, then protecting information because of an increasingly mobile workforce.


No surprises here: more and more regulatory controls specify that credit card data, patient information, etc. must be encrypted. Companies holding large amounts of sensitive information, such as financial data, intellectual property and trade secrets, need to protect that data in storage and also when it's used on a mobile device, typically a laptop.

However, when the poll asked which areas of encryption were the most important, the results revealed the concerns of the modern, mobile workplace. The question was "In an ideal world, which of the following do you think should be encrypted and to what degree?"


So the top three ideal-world targets for encrypting everything are, in order:

  • Data stored on notebooks used by mobile workers
  • Data stored on smartphones and other portable/handheld devices
  • Data stored on desktops/notebooks used in home locations


Combine this with the following quote from Jon's article... "The executive who found himself personally responsible for a data breach when his laptop was stolen from his house may have been taken by surprise, as there is a lingering mindset that security is a central infrastructure thing. But rules and regs like PCI are not fussy about which particular part of the IT infrastructure is involved, be it a SAN in the data centre, or an SD card in a phone. It's all just IT."

Information rights management is a perfect solution for these encryption challenges, and it goes beyond just mobile or home use: IRM applies encryption at the document or email level, so no matter where the information is stored, it is always encrypted. Another really nice feature of IRM is that the content stays protected even while it is in USE. So the file on the hard disk, the file in transit over the network and the file open in Word/Excel/PowerPoint/Adobe Reader/Internet Explorer etc. is ALWAYS secured with IRM.

Unfortunately the article ends with some not-so-good news. The poll finds that the main reasons given for not encrypting information on notebooks and removable devices (DVDs, CDs, USB drives etc.) are the "practicalities around implementation" and "challenges with key management". So people see deploying an encryption solution for mobile devices as difficult. Yet IRM is actually pretty easy to deploy and use, and Oracle IRM handles key management centrally on the server rather than on every device.

Finally, and this is the real killer for me, is Jon's closing message: "Meanwhile, the message to end-users is, if you haven't already encrypted your laptop data, you'd best get on with it - or at least ask your IT department how to do it". I would bet that most IT departments will end up looking at hard disk encryption to secure documents stored on mobile devices. Yet this really doesn't address the greatest risk.

The advantage of hard disk encryption is that it protects every file stored on the disk, unlike IRM, which applies encryption to a limited set of supported file formats. However, that is also one of its main weaknesses: hard disk encryption ONLY protects the information whilst it is stored on the disk. It does nothing to address the following challenges.


  • Research shows that data loss incidents are usually accidental and usually involve people outside your organisation. So it's the supplier you sent your trade-secret document to who stores it on an unencrypted USB key that gets lost on a train. Encrypting your employees' hard disks doesn't get close to solving that problem.
  • Hard disk encryption only protects the content whilst it is stored on the disk. As soon as that content is attached to an email, copied to a USB key or even just opened in Word, it exists in a decrypted state; and once the disk has been unlocked, every file on it is readable by whatever runs as that user. IRM is persistent in its security because the cryptography is applied at the document level and is combined with tight application integration, so you can't even copy and paste sensitive data from a protected document into the unencrypted world.


So whilst IRM is not the be-all and end-all of information security, combined with technologies like DLP, hard disk encryption and network encryption it makes a huge difference in reducing an organisation's risk and exposure to losing control of its most sensitive information.

Thursday Jan 29, 2009

Capgemini predicts a more sensible approach to de-risking data loss



According to Jude Umeh from Capgemini, 2009 is going to be the year to look at and implement an Information Rights Management solution. He highlights that the uptake of such technologies has been relatively slow and blames the lack of an obvious, immediate return on investment. The pure-play IRM vendors have now mainly been picked up by larger corporations (but who's going to be buying Liquid Machines?). We were the fortunate ones, being acquired by Oracle; our IRM technology is now being integrated into and developed as part of Fusion Middleware, making Oracle IRM the only true middleware IRM technology.


Jude predicts that:

  • "The frequent reports of data loss incidents mean that the corporate world has had to start looking at ways to prevent future mishaps. However, even current initiatives like wholesale corporate data encryption and data loss prevention strategies are not totally fool proof; therefore many organisations are still likely to need a more effective approach towards managing and securing information, especially one that will work even after data is lost or misplaced."


    Even more so in this economic climate. With many companies worried about how to survive the next few years, top of their list will be avoiding unwanted press attention over the loss of intellectual property, financial data or the like. Such incidents have a direct effect on already very fragile stock prices, and as the new US government comes up to speed, regulatory fines are going to be painful to pay when a data loss breaches government mandates.


  • "There are signs that ERM vendors are waking up to the key role they have to play in creating the ecosystem of solutions required to tackle data loss issues head-on. For example, some vendors have begun integrating their ERM products with existing Data Loss Prevention systems in order to provide effective control of information, both within and outside the enterprise security perimeter."


    Since our acquisition by Oracle we have already released integrations with the Oracle content management solutions and are continuing to create ways to integrate with other technologies. The 11g release of IRM also sees a large part of the IRM technology ported into the Oracle Fusion Middleware stack, enabling many out-of-the-box capabilities that are unavailable in any other IRM technology today.


  • "A recent study of the ERM market shows a steady increase in awareness and adoption by organisations in various sectors like finance, healthcare and IT consulting among others."


    Our experience here in Oracle confirms this and we've seen sales in the past few quarters from a variety of companies in all sectors.


Thursday Oct 16, 2008

Cisco research reveals common data loss mistakes

Cisco have just released a study into the behaviour of corporate employees and their attitudes to security. The study was designed to understand behaviour rather than look at the use of technology. John N. Stewart, chief security officer of Cisco, comments that:
"Security is ultimately rooted in users behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss ... Simply put, security practices can be more effective when all users realize what their actions result in."

The report highlights 10 findings of note; I've picked out two that relate to the sharing or use of confidential documents and emails.

Sharing corporate devices: In a sign that data isn't always in the hands of the right people, almost half of the employees surveyed (44 percent) share work devices with others, such as non-employees, without supervision.


Losing portable storage devices: Almost one in four (22 percent) employees carry corporate data on portable storage devices outside of the office. This is most prevalent in China (41 percent) and presents risks when devices are lost or stolen.

This highlights two things. Firstly, there are indeed security risks; but also, people do want to share information legitimately with others, and people do carry corporate data outside the office and the enterprise perimeter. What corporations need are security tools that let employees continue to share and use information while the corporation retains control over the most sensitive data. This is where IRM is a good solution: it can prevent unauthorised access to such data when it is shared or lost. So even if a corporate device is used by non-employees, any IRM-protected documents on it remain inaccessible to them. Another finding I found quite interesting:

Altering security settings on computers: One of five employees altered security settings on work devices to bypass IT policy so they could access unauthorized Web sites. This was most common in emerging economies like China and India. When asked why, more than half (52 percent) said they simply wanted to access the site; a third said, "it's no one's business" which sites they access.


We are very familiar with the problems of losing laptops and USB drives and of sharing information across typical enterprise security boundaries, but as the item above highlights, users are often actively trying to circumvent the security controls put in place on their desktops. John goes on to suggest some practices to reduce these risks of data loss.

  • Know your data; Manage it well: Know how/where it's stored, accessed, used.
  • Treat data as if it's your own - Protect it like it's your money: Educate employees how data protection equates to money earned and money lost.
  • Institutionalize standards for safe conduct: Determine global policy objectives and create localized education tailored to a country's culture and threat landscape.
  • Foster a culture of trust: "Employees need to feel comfortable reporting incidents so IT can resolve problems faster," Stewart said.
  • Establish security awareness, education and training: Think globally, but localize and tailor programs for regions based on threat landscape and culture.

The overall message is about educating your users in good practice when handling important corporate data. Several aspects of the Oracle IRM technology help make the recommendations above achievable.
  • The end-user training and education needed to use Oracle IRM-protected content is small; often end users are not even aware they are using secured content until they attempt something they are not authorised to do, such as printing or editing the document.
  • IRM-protected content stays protected no matter where it is stored or accessed from, and every use of the content is audited.
  • Confidential documents and emails can be protected automatically, in line with your corporate classification policies, by integrating IRM with the applications that create or store this data, e.g. financial reporting applications and content management repositories.
  • Using pre-sealed templates, new content is automatically secured and classified without placing an extra burden on the end user to work out how to secure their content correctly.
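To make concrete both the 2010 post's argument (document-level encryption survives copying, where disk encryption only covers the disk) and the rights, auditing and classification features listed above, here is an added example written for this page. It is not Oracle IRM's code: it models a "sealed" document as AES-GCM ciphertext whose key lives only on a rights server, with a constructed classification-to-role policy, a constructed user directory and an in-memory audit trail. The names `RightsServer`, `Seal`, `Use`, the sample users and the classifications are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Right is a usage right the rights server can grant on a sealed document.
type Right string

const RightOpen, RightEdit, RightPrint Right = "open", "edit", "print"

// SealedDoc is the file as it exists on disk, on a USB key or in an attachment:
// a cleartext header plus AES-GCM ciphertext. The content key is never stored
// with it, so a byte-for-byte copy is exactly as unreadable as the original.
type SealedDoc struct {
	DocID, Classification string
	Nonce, Ciphertext     []byte
}

// AuditEvent records one attempt to exercise a right on a document.
type AuditEvent struct {
	User, DocID, Reason string
	Right               Right
	Granted             bool
}

// RightsServer keeps content keys, the classification -> role -> rights policy,
// the user directory and the audit trail (all of it constructed for this example).
type RightsServer struct {
	keys   map[string][]byte
	policy map[string]map[string]map[Right]bool
	roles  map[string]string
	Audit  []AuditEvent
}

func NewRightsServer() *RightsServer {
	all := map[Right]bool{RightOpen: true, RightEdit: true, RightPrint: true}
	return &RightsServer{
		keys: map[string][]byte{},
		policy: map[string]map[string]map[Right]bool{
			"trade-secret": {"employee": all, "supplier": {RightOpen: true}},
			"internal":     {"employee": all, "supplier": {RightOpen: true, RightPrint: true}},
		},
		roles: map[string]string{"alice": "employee", "bob@supplier.example": "supplier"},
	}
}

// aad feeds the cleartext header into the GCM tag, so a holder cannot relabel a
// trade-secret file as "internal" to pick up the more permissive policy.
func aad(d *SealedDoc) []byte { return []byte(d.DocID + "\x00" + d.Classification) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a missing (zero-length) key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts content under a fresh per-document key that only the server keeps.
func (s *RightsServer) Seal(docID, class string, plaintext []byte) (*SealedDoc, error) {
	buf := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(buf[:32])
	if err != nil {
		return nil, err
	}
	s.keys[docID] = buf[:32]
	doc := &SealedDoc{DocID: docID, Classification: class, Nonce: buf[32:]}
	doc.Ciphertext = gcm.Seal(nil, doc.Nonce, plaintext, aad(doc))
	return doc, nil
}

// Use is what an IRM-aware application calls on every open, edit or print: plaintext
// is released only if the user's role holds that right, and every attempt is audited.
func (s *RightsServer) Use(user string, doc *SealedDoc, right Right) ([]byte, error) {
	deny := func(reason string) ([]byte, error) {
		s.Audit = append(s.Audit, AuditEvent{User: user, DocID: doc.DocID, Right: right, Reason: reason})
		return nil, errors.New(reason)
	}
	role := s.roles[user] // an unknown user gets the empty role, which holds nothing
	if !s.policy[doc.Classification][role][right] { // nil maps read as false
		return deny("role " + role + " lacks " + string(right))
	}
	gcm, err := gcmFor(s.keys[doc.DocID])
	if err != nil {
		return deny("no key for document")
	}
	plaintext, err := gcm.Open(nil, doc.Nonce, doc.Ciphertext, aad(doc))
	if err != nil {
		return deny("header or content tampered")
	}
	s.Audit = append(s.Audit, AuditEvent{User: user, DocID: doc.DocID, Right: right, Granted: true, Reason: "ok"})
	return plaintext, nil
}
```

A copy of the file on a lost USB key is the same struct, so the supplier who finds it gets exactly the rights the policy gives the "supplier" role and nothing more, and every attempt, granted or not, lands in the audit trail. Feeding the cleartext header into the GCM associated data is the check a practitioner should insist on: without it, whoever holds the file could rewrite the classification label to one whose policy is looser. What the example does not model is the application-side enforcement the posts rely on (blocking print, clipboard or screenshots once the bytes are inside Word); that is where a real IRM client does most of its work.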


Deploying Oracle IRM effectively can address the concerns found in this report and requires little education for the majority of your employees. Ensuring that sensitive corporate data is protected at source, as early as possible, also reduces the burden on employees to constantly make decisions about handling corporate information correctly.

John goes on to say:

"Without modern-day security technologies, policies, awareness and education, information is more vulnerable. Today, data is in transit, in use, within programs, stored on devices, and in places beyond the traditional business environment, such as at home, on the road, in cafes, on airplanes and trains. This trend is here to stay. To protect your data effectively, we need to start understanding the risk characteristics of business and then base technology, policy, and awareness and education plans on those factors."


You couldn't have a better-put statement of the reason to use IRM: in the modern workplace, where your sensitive data is used in and across a wide variety of environments, your corporate data stays protected.

