Privacy and security go hand in hand. Privacy cannot be protected without implementing proper security controls and technologies. Organization must make not only reasonable efforts to protect privacy of data, but they must go much further as privacy breaches are damaging to its customers, reputation, and potentially, could put the company out of business.

Breaches are increasingly being carried out by malicious attacks, but also a significant source of breaches is internal mistakes caused by poor information governance (IG) practices, software bugs, and carelessness. The average cost of a data breach in 2013 was over $5 million dollars, according to the Ponemon Institute,¹ but some spectacular breaches have occurred, such as the $45 million in fraudulent automated teller machine cash withdrawals in New York City within hours in early 2013, and the 110 million customer records breached at giant retailer Target in late 2013. Millions of breaches occur each year: There were an estimated 354 million privacy breaches between 2005 and 2010 in the United States alone.

Cyberattacks Proliferate

Online attacks and snooping continue at an increasing rate. Organizations must be vigilant about securing their internal, confidential documents and e-mail messages. In 2011, security experts at Intel/McAfee “discovered an unprecedented series of cyber attacks on the networks of 72 organizations globally, including the United Nations, governments and corporations, over a five-year period.”² Dmitri Alperovitch of McAfee described the incident as “the biggest transfer of wealth in terms of intellectual property in history.”³ The level of intrusion is ominous.

The targeted victims included governments, including the United States, Canada, India, and others; corporations, including high-tech companies and defense contractors; the International Olympic Committee; and the United Nations. “In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly two years, and quietly combed through reams of secret data, according to McAfee.”⁴ Attacks can be occurring in organizations for years before they are uncovered—if they are discovered at all. This means that an organization may be covertly monitored by criminals or competitors for extended periods of time.

And they are not the only ones spying—look no further than the U.S. National Security Agency (NSA) scandal of 2013. With Edward Snowden's revelations, it is clear that governments are accessing, monitoring, and storing massive amounts of private data.

Where this stolen information is going and how it will be used is yet to be determined. But it is clear that possessing this competitive intelligence could give a government or company a huge advantage economically, competitively, diplomatically, and militarily.

The information assets of companies and government agencies are at risk globally. Some are invaded and eroded daily, without detection. The victims are losing economic advantage and national secrets to unscrupulous rivals, so it is imperative that IG policies are formed, followed, enforced, tested, and audited. It is also imperative to use the best available technology to counter or avoid such attacks.⁵

Insider Threat: Malicious or Not

Ibas, a global supplier of data recovery and computer forensics, conducted a survey of 400 business professionals about their attitudes toward intellectual property (IP) theft:

• Nearly 70 percent of employees have engaged in IP theft, taking corporate property upon (voluntary or involuntary) termination.
• Almost one-third have taken valuable customer contact information, databases, or other client data.
• Most employees send e-documents to their personal e-mail accounts when pilfering the information.
• Almost 60 percent of surveyed employees believe such actions are acceptable.
• Those who steal IP often feel that they are entitled to partial ownership rights, especially if they had a hand in creating the files.⁶

These survey statistics are alarming, and by all accounts the trend continuing to worsen today. Clearly, organizations have serious cultural challenges to combat prevailing attitudes toward IP theft. A strong and continuous program of IG aimed at securing confidential information assets can educate employees, raise their IP security awareness, and train them on techniques to help secure valuable IP. And the change needs to be driven from the top: from the CEO and boardroom. However, the magnitude of the problem in any organization cannot be accurately known or measured. Without the necessary IG monitoring and enforcement tools, executives cannot know the extent of the erosion of information assets and the real cost in cash and intangible terms over the long term.

Countering the Insider Threat

Frequently ignored, the insider has increasingly become the main threat—more than the external threats outside of the perimeter. Insider threat breaches can be more costly than outsider breaches. Most of the insider incidents go unnoticed or unreported.⁷

Companies have been spending a lot of time and effort protecting their perimeters from outside attacks. In recent years, most companies have realized that the insider threat is something that needs to be taken more seriously.

Malicious Insider

Malicious insiders and saboteurs comprise a very small minority of employees. A disgruntled employee or sometimes an outright spy can cause a lot of damage. Malicious insiders have many methods at their disposal to harm the organization by destroying equipment, gaining unsanctioned access to IP, or removing sensitive information by USB drive, e-mail, or other methods.

Nonmalicious Insider

Fifty-eight percent of Wall Street workers say they would take data from their company if they were terminated, and believed they could get away with it, according to a recent survey by security firm CyberArk.⁸ Frequently, they do this without malice. The majority of users indicated having sent out documents accidentally via e-mail. So, clearly it is easy to leak documents without meaning to do any harm, and that is the cause of most leaks.

Solution

Trust and regulation are not enough. In the case of a nonmalicious user, companies should invest in security, risk education, and IG training. A solid IG program can reduce IP leaks through education, training, monitoring, and enforcement.

In the case of the malicious user, companies need to take a hard look and see whether they have any effective IG enforcement and document life cycle security (DLS) technology such as information rights management (IRM) in place. Most often, the answer is no.⁹

Privacy Laws

The protection of personally identifiable information (PII) is a core focus of IG efforts. PII is any information that can identify an individual, such as name, Social Security number, medical record number, credit card number, and so on. Various privacy laws have been enacted in an effort to protect privacy. You must consult your legal counsel to determine which laws and regulation apply to your organization and its data and documents.

In the United States, the Federal Wiretap Act “prohibits the unauthorized interception and disclosure of wire, oral, or electronic communications.” The Electronic Communications Privacy Act (ECPA) of 1986 amended the Federal Wiretap Act significantly and included specific on e-mail privacy.¹⁰ The Stored Communications and Transactional Records Act (SCTRA) was created as a part of ECPA and is “sometimes useful for protecting the privacy of e-mail and other Internet communications when discovery is sought.” The Computer Fraud and Abuse Act makes it a crime to intentionally breach a “protected computer” (one used by a financial institution or for interstate commerce).

Also relevant for public entities is the Freedom of Information Act, which allows U.S. citizens to request government documents that have not previously been released, although sometime sensitive information is redacted (blacked out), and specifies the steps for disclosure as well as the exemptions. In the United Kingdom, the Freedom of Information Act 2000 provides for similar disclosure requirements and mandatory steps.

In the United Kingdom, privacy laws and regulations include these:

• Data Protection Act 1998
• Freedom of Information Act 2000
• Public Records Act 1958
• Common law duty of confidentiality
• Confidentiality National Health Service (NHS) Code of Practice
• NHS Care Record Guarantee for England
• Social Care Record Guarantee for England
• Information Security NHS Code of Practice
• Records Management NHS Code of Practice

Also, the international information security standard ISO/IEC 27002: 2005 comes into play when implementing security.

Redaction

Redaction is the process of blocking out sensitive fields of information. In a paper environment, this was done with a black marking pen; however, privacy software can redact certain fields in digital documents, making them unreadable. Redaction is used for confidential patient information in medical records as well as other confidential document types, such as birth certificates, financial documents, property deeds, and other unstructured information that is managed.

A complete audit trail should be enabled that shows when specific users accessed or printed specific confidential information.

Limitations of Perimeter Security

Traditionally, central computer system security has been primarily perimeter security—securing the firewalls and perimeters within which e-documents are stored and attempting to keep intruders out—rather than securing e-documents directly upon their creation. The basic access security mechanisms implemented, such as passwords, two-factor authentication, and identity verification, are rendered totally ineffective once the confidential e-documents or records are legitimately accessed by an authorized employee. The documents are usually bare and unsecured. This poses tremendous challenges if the employee is suddenly terminated, if the person is a rogue intent on doing harm, or if outside hackers are able to penetrate the secured perimeter. And, of course, it is common knowledge that they do it all the time. The focus should be on securing the documents themselves, directly.

Restricting access is the goal of conventional perimeter security, but it does not directly protect the information inside. Perimeter security protects information the same way a safe protects valuables; if safecrackers get in, the contents are theirs. There are no protections once the safe is opened. Similarly, if hackers penetrate the perimeter security, they have complete access to the information inside, which they can steal, alter, or misuse.¹¹ The perimeter security approach has four fundamental limitations:

1. Limited effectiveness. Perimeter protection stops dead at the firewall, even though sensitive information is sent past it and circulates around the Web, unsecured. Today's extended computing model and the trend toward global business means that business enterprises and government agencies frequently share sensitive information externally with other stakeholders, including business partners, customers, suppliers, and constituents.
2. Haphazard protections. In the normal course of business, knowledge workers send, work on, and store copies of the same information outside the organization's established perimeter. Even if the information's new digital environment is secured by other perimeters, each one utilizes different access controls or sometimes no access control at all (e.g., copying a price list from a sales folder to a marketing folder; an attorney copying a case brief or litigation strategy document from a paralegal's case folder).
3. Too complex. With this multi-perimeter scenario, there are simply too many perimeters to manage, and often they are out of the organization's direct control.
4. No direct protections. Attempts to create boundaries or portals protected by perimeter security within which stakeholders (partners, suppliers, shareholders, or customers) can share information causes more complexity and administrative overhead while it fails to protect the e-documents and data directly.¹²

Despite the current investment in e-document security, it is astounding that once information is shared today, it is largely unknown who will be accessing it tomorrow.

Defense in Depth

Defense in depth is an approach that uses multiple layers of security mechanisms to protect information assets and reduce the likelihood that rogue attacks can succeed.¹³ The idea is based on military principles that an enemy is stymied by complex layers and approaches compared to a single line. That is, hackers may be able to penetrate one or two of the defense layers, but multiple security layers increase the chances of catching the attack before it gets too far. Defense in depth includes a firewall as a first line of defense and also antivirus and anti-spyware software, identity and access management (IAM), hierarchical passwords, intrusion detection, and biometric verification. Also, as a part of an overall IG program, physical security measures are deployed, such as smartcard or even biometric access to facilities and intensive IG training and auditing.

Controlling Access Using Identity Access Management

IAM software can provide an important piece of the security solution. It aims to prevent unauthorized people from accessing a system and to ensure that only authorized individuals engage with information, including confidential e-documents.

Today's business environment operates in a more extended and mobile model, often including stakeholders outside of the organization. With this more complex and fluctuating group of users accessing information management applications, the idea of identity management has gained increased importance.

The response to the growing number of software applications using inconsistent or incompatible security models is strong identity management enforcement software. These scattered applications offer opportunities not only for identity theft but also for identity drag, where the maintenance of identities does not keep up with changing identities, especially in organizations with a large workforce. This can result in theft of confidential information assets by unauthorized or out-of-date access and even failure to meet regulatory compliance, which can result in fines and imprisonment.¹⁴

IAM—along with sharp IG policies—“manages and governs user access to information through an automated, continuous process.”¹⁵ Implemented properly, good IAM does keep access limited to authorized users while increasing security, reducing IT complexity, and increasing operating efficiencies.

Critically, “IAM addresses ‘access creep’ where employees move to a different department of business unit and their rights to access information fail to get updated” (emphasis added).¹⁶

In France in 2007, a rogue stock trader at Société Générale had in-depth knowledge of the bank's access control procedures from his job at the home office.¹⁷ He used that information to defraud the bank and its clients out of over €7 billion (over $10 billion). If the bank had implemented an IAM solution, the crime might not have been possible.

A robust and effective IAM solution provides for:

• Auditing. Detailed audit trails of who attempted to access which information, and when. Stolen identities can be uncovered if, for instance, an authorized user attempts to log in from more than one computer at a time.
• Constant updating. Regular reviews of access rights assigned to individuals, including review and certification for user access, an automated recertification process (attestation), and enforcement of IG access policies that govern the way users access information in respect to segregation of duties.
• Evolving roles. Role life cycle management should be maintained on a continuous basis, to mine and manage roles and their associated access rights and policies.
• Risk reduction. Remediation regarding access to critical documents and information.

Enforcing IG: Protect Files with Rules and Permissions

One of the first tasks often needed when developing an IG program that secures confidential information assets is to define roles and responsibilities for those charged with implementing, maintaining, and enforcing IG policies. Corollaries that spring from that effort get down to the nitty-gritty of controlling information access by rules and permissions.

Rules and permissions specify who (by roles) is allowed access to which documents and information, and even contextually from where (office, home, travel) and at what times (work hours, or extended hours). Using the old policy of the need-to-know basis is a good rule of thumb to apply when setting up these access policies (i.e., only those who are at a certain level of the organization or are directly involved in certain projects are allowed access to confidential and sensitive information). The roles are relatively easy to define in a traditional hierarchical structure, but today's flatter and more collaborative enterprises present challenges.

To effectively wall off and secure information by management level, many companies and governments have put in place an information security framework—a model that delineates which levels of the organization have access to specific documents and databases as a part of implemented IG policy. This framework shows a hierarchy of the company's management distributed across a range of defined levels of information access. The U.S. Government Protection Profile for Authorization Server for Basic Robustness Environments is an example of such a framework.

Challenge of Securing Confidential E-Documents

Today's various document and content management systems were not initially designed to allow for secure document sharing and collaboration while also preventing document leakage. These software applications were mostly designed before the invention and adoption of newer business technologies that have extended the computing environment. The introduction of cloud computing, mobile PC devices, smartphones, social media, and online collaboration tools all came after most of today's document and content management systems were developed and brought to market.

Thus, vulnerabilities have arisen that need to be addressed with other, complementary technologies. We need to look no further than the WikiLeaks incident and the myriad of other major security breaches resulting in document and data leakage to see that there are serious information security issues in both the public and private sectors.

Technology is the tool, but without proper IG policies and a culture of compliance that supports the knowledge workers following IG policies, any effort to secure confidential information assets will fail. An old IT adage is that even perfect technology will fail without user commitment.

Protecting Confidential E-Documents: Limitations of Repository-Based Approaches

Organizations invest billions of dollars in IT solutions that manage e-documents and records in terms of security, auditing, search, records retention and disposition, version control, and so on. These information management solutions are predominantly repository-based, including enterprise content management (ECM) systems and collaborative workspaces (for unstructured information, such as e-documents). With content or document repositories, the focus has always been on perimeter security—keeping intruders out of the network. But that provides only partial protection. Once intruders are in, they are in and have full access to confidential e-documents. For those who are authorized to access the content, there are no protections, so they may freely copy, forward, print, or even edit and alter the information.¹⁸

The glaring vulnerability in the security architecture of ECM systems is that few protections exist once the information is legitimately accessed.

These confidential information assets, which may include military plans, price lists, patented designs, blueprints, drawings, and financial reports, often can be printed, e-mailed, or faxed to unauthorized parties without any security attached.¹⁹

Also, in the course of their normal work processes, knowledge workers tend to keep an extra copy of the electronic documents they are working on stored at their desktop, or they download and copy them to a tablet or laptop to work at home or while traveling. This creates a situation where multiple copies of these e-documents are scattered about on various devices and media, which creates a security problem, since they are outside of the repository and no longer secured, managed, controlled, or audited.

It also creates records management issues in terms of the various versions that might be out there and determining which one is the official business record.

Apply Better Technology for Better Enforcement in the Extended Enterprise

Protecting E-Documents in the Extended Enterprise

Sharing e-documents and collaborating are essential in today's increasingly mobile and global world. Businesses are operating in a more distributed model than ever before, and they are increasingly sharing and collaborating not only with coworkers but also with suppliers, customers, and even at times competitors (e.g., in pharmaceutical research). This reality presents a challenge to organizations dealing in sensitive and confidential information.²⁰

Basic Security for the Microsoft Windows Office Desktop

The first level of protection for e-documents begins with basic protections at the desktop level. Microsoft Office provides ways to password-protect Microsoft Office files, such as those created in Word and Excel, quickly and easily. Many corporations and government agencies around the world use these basic protections. A key flaw or caveat is that passwords used in protecting documents cannot be retrieved if they are forgotten or lost.

Where Do Deleted Files Go?

When you delete a file it is gone, right? Actually, it is not (with the possible exception of solid state hard drives). For example, after a file is deleted in Windows, a simple undelete DOS command can bring back the file, if it has not been overwritten. That is because when files are deleted, they are not really deleted; rather, the space where they reside is marked for reuse and can be overwritten. If it is not yet overwritten, the file is still there. The same process occurs as drafts of documents are created and temp (for temporary) files are stored. The portions of a hard drive where deleted or temp files are stored can be overwritten. This is called unallocated space. Most users are unaware that deleted files and fragments of documents and drafts are stored temporarily on their computer's unallocated space. So it must be wiped clean and completely erased to ensure that any confidential documents or drafts are completely removed from the hard drive.

IG programs include the highest security measures, which means that an organization must have a policy that includes deleting sensitive materials from a computer's unallocated space and tests that verify such deletion actions are successful periodically.

Lock Down: Stop All External Access to Confidential E-Documents

Organizations are taking other approaches to stop document and data leakage: physically restricting access to a computer by disconnecting it from any network connections and forbidding or even blocking use of any ports. Although cumbersome, these methods are effective in highly classified or restricted areas where confidential e-documents are held. Access is controlled by utilizing multiple advanced identity verification methods, such as biometric means.

Secure Printing

Organizations normally expend a good amount of effort making sure that computers, documents, and private information are protected and secure. However, if your computer is hooked up to a network printer (shared by multiple knowledge workers), all of that effort might have been wasted.²¹

Some basic measures can be taken to protect confidential documents from being compromised as they are printed. You simply invoke some standard Microsoft Office protections, which allow you to print the documents once you arrive in the copy room or at the networked printer. This process varies slightly, depending on the printer's manufacturer. (Refer to the documentation for the printer for details.)

In Microsoft Office, there is an option in the Print Dialog Box for delayed printing of documents (when you physically arrive at the printer).

Serious Security Issues with Large Print Files of Confidential Data

According to Canadian output and print technology expert William Broddy, in a company's data center, a print file of, for instance, investment account statements or bank statements contains all the rich information that a hacker or malicious insider needs. It is information distilled to the most important core data about customers, and has been referred to as data syrup since it has been boiled down and contains no mountains of extraneous data, only the culled, cleaned, essential data that gives criminals exactly what they need.²²

What most managers are not aware of is that entire print files and sometimes remnants of them stay on the hard drives of high-speed printers and are vulnerable to security breaches. Data center security personnel closely monitor calls to their database. To extract as much data as is contained in print files, a hacker requires hundreds or even thousands of calls to the database, which sets off alerts by system monitoring tools. But retrieving a print file takes only one intrusion, and it may go entirely unnoticed. The files are sitting there; a rogue service technician or field engineer can retrieve them on a routine service call.

To help secure print files, specialized hardware devices designed to sit between the print server and the network and cloak server print files are visible only to those who have a cloaking device on the other end.

Organizations must practice good IG and have specific procedures to erase sensitive print files once they have been utilized. For instance, in the example of preparing statements to mail to clients, files are exposed to possible intrusions in at least six points in the process (starting with print file preparation and ending with the actual mailing). These points must be tightly monitored and controlled. Typically, an organization retains a print file for about 14 days, though some keep files long enough for customers to receive statements in the mail and review them. Organizations must make sure that print files or their remnants are secured and then completely erased when the printing job is finished.

E-Mail Encryption

Encrypting (scrambling using advanced algorithms) sensitive e-mail messages is an effective step to securing confidential information assets while in transit. Encryption can also be applied to desktop folders and files and even entire disk drives (full disk encryption, or FDE). All confidential or sensitive data and e-documents that are exposed to third parties or transferred over public networks should be secured with file-level encryption, at a minimum.²³

Secure Communications Using Record-Free E-Mail

What types of tools can you use to encourage the free flow of ideas in collaborative efforts without compromising your confidential information assets or risking litigation or compliance sanctions?

Stream messaging is an innovation that became commercially viable around 2006. It is similar in impact to IRM software, which limits the recipients' ability to forward, print, or alter data in an e-mail message (or reports, spreadsheets, etc.) but goes further by leaving no record on any computer or server.

Stream messaging is a simple, safe, secure electronic communications system ideal for ensuring that sensitive internal information is kept confidential and not publicly released. Stream messaging is not intended to be a replacement for enterprise e-mail but is a complement to it. If you need an electronic record, e-mail it; if not, use stream messaging.²⁴

What makes stream messaging unique is its recordlessness. Streamed messages cannot be forwarded, edited, or saved. A copy cannot be printed as is possible with e-mail. That is because stream messaging separates the sender's and receiver's names and the date from the body of the message, never allowing them to be seen together. Even if the sender or receiver were to attempt to make a copy using the print-screen function, these elements are never captured together.²⁵

The instant a stream message is sent, it is placed in a temporary storage buffer space. When the recipient logs in to read the message, it is removed from the buffer space. By the time the recipient opens it, the complete stream message no longer exists on the server or any other computer.

This communications approach is Web based, meaning that no hardware or software purchases are required. It also works with existing e-mail systems and e-mail addresses and is completely immune to spam and viruses. Other solutions (both past and present) have been offered, but these have taken the approach of encrypting e-mail or generating e-mail that disappears after a preset time. Neither of these approaches is truly recordless.

Stream messaging is unique because its technology effectively eliminates the ability to print, cut, paste, forward, or save a message. It may be the only electronic communications system that separates the header information—date, name of sender, name of recipient—from the body of the message. This eliminates a traceable record of the communication. Soon many other renditions of secure messaging will be developed.

In addition, stream messaging offers the added protection of being an indiscriminate Web-based service, meaning that the messages and headers are never hosted on the subscribing companies' networks. This eliminates the risk that employers, competitors, or hackers could intercept stream messages, which is a great security benefit for end users.²⁶

Digital Signatures

Digital signatures are more than just digitized autographs—they carry detailed audit information used to “detect unauthorized modifications” to e-documents and to “authenticate the identity of the signatory.”²⁷

Online transactions can be conducted with full trust that they are legal, proper, and binding. They prove that the person whose signature is on the e-document did, in fact, authorize it. A digital signature provides evidence in demonstrating to a third party that the signature was genuine, true, and authentic, which is known as nonrepudiation. To repudiate is to dispute, and with digital signatures, a signatory is unable to claim that the signature is forged.

Digital signatures can be implemented a variety of ways—not just through software but also through firmware (programmed microchips), computer hardware, or a combination of the three. Generally, hardware- and firmware-based implementations are more difficult to hack, since their instructions are hardwired.

Here is a key point: For those who are unfamiliar with the technology, there is a big difference between electronic signatures and digital signatures.²⁸

An “electronic signature is likely to be a bit-map image, either from a scanned image, a fax copy or a picture of someone's signature, or may even be a typed acknowledgement or acceptance.” A digital signature contains “extra data appended to a message which identifies and authenticates the sender and message data using public-key encryption.”²⁹

So digital signatures are the only ones that offer any real security advantages.

Digital signatures are verified by the combination of applying a signatory's private signing key and the public key that comes from the signatory's personal ID certificate. After that, only the public key ID certificate is required for future verifications. “In addition, a checksum mechanism confirms that there have been no modifications to the content.”³⁰

A formal, trusted certificate authority (CA) issues the certificate associated with the public-private key. It is possible to generate self-certified public keys, but these do not verify and authenticate the recipient's identity and are therefore flawed from a security standpoint. The interchange of verified signatures is possible on a global scale, as “digital signature standards are mature and converging internationally.”³¹

After more than 30 years of predictions, the paperless office is almost here. Business process cycles have been reduced, and great efficiencies have been gained since the majority of documents today are created digitally and spend most of their life cycle in digital form, and they can be routed through work steps using business process management (BPM) and work flow software. However, the requirement for a physical signature frequently disrupts and holds up these business processes. Documents have to be printed out, physically routed, and physically signed—and often they are scanned back into a document or records management (or contract management) system, which defeats the efficiencies sought.

Often multiple signatures are required in an approval process, and some organizations require each page to be initialed, which makes the process slow and cumbersome when it is executed without the benefit of digital signatures. Also, multiple copies are generated—as many as 20—so digital signature capability injected into a business process can account for significant time and cost savings.³²

Document Encryption

There is some overlap and sometimes confusion between digital signatures and document encryption. Suffice it to say that they work differently, in that document encryption secures a document for those who share a secret key, and digital signatures prove that the document has not been altered and the signature is authentic.

There are e-records management implications of employing document encryption:

Data Loss Prevention (DLP) Technology

The aforementioned document security challenges have given rise to an emerging but critical set of capabilities by a new breed of IT companies that provide data loss prevention (DLP) (also called data leak prevention). DLP providers create software and hardware appliances that thoroughly inspect all e-documents and e-mail messages before they leave the organization's perimeter and attempt to stop sensitive data from exiting the firewall.

This filtering is based on several factors, but mostly using specified critical content keywords that are flagged by the implementing organization. DLP can also stop the exit of information assets by document types, origin, time of day, and other factors.

DLP systems are designed to detect and prevent unauthorized use and transmission of confidential information.³⁴ In more detail, DLP is a computer security term referring to systems that identify, monitor, and protect data/documents in all three states: (1) in use (endpoint actions), (2) in motion (network actions), and (3) at rest (data/document storage). DLP accomplishes this by deep content inspection and contextual security analysis of transaction data (e.g., attributes of the originator, the data object, medium, timing, recipient/destination, etc.) with a centralized management framework.

Promise of DLP

Gartner reports that the DLP market reached an estimated $670 million in 2013, up from $425 million in 2011, and “with adoption of DLP technologies moving quickly down to the small to medium enterprise, DLP is no longer an unknown quantity.”³⁵ Although the DLP market has matured, it suffers from confusion about how DLP best fits into the new mix of security approaches, how it is best utilized (endpoint or gateway), and even the definition of DLP itself.³⁶

Data loss is very much on managers' and executives' minds today. The series of WikiLeaks incidents exposed hundreds of thousands of sensitive government and military documents. According to the Ponemon Institute (as reported by DLP Experts), data leaks continue to increase annually. Billions of dollars are lost every year as a result of data leaks, with the cost of each breach ranging from an average of $700,000 to $31 million. Some interesting statistics from the study include:

• Almost half of breaches happen while an enterprise's data was in the hands of a third party.
• Over one-third of breaches involved lost or stolen mobile devices.
• The cost per stolen record is approximately $200 to $225.
• One-quarter of breaches were conducted by criminals or with malicious intent.
• More than 80 percent of breaches compromised over 1,000 records.³⁷

What DLP Does Well (and Not So Well)

DLP has been deployed successfully as a tool used to map the flow of data inside and exiting the organization to determine the paths that content takes, so that more sophisticated information mapping, monitoring, and content security can take place.

This use as a traffic monitor for analysis purposes has been much more successful than relying on DLP as the sole enforcement tool for compliance and to secure information assets. Today's technology is simply not fast enough to catch everything. It catches many e-mail messages and documents that users are authorized to send, which slows the network and the business down. This also adds unnecessary overhead, as someone has to go back and release each and every one of the e-mails or documents that were wrongly stopped.

Another downside: Since DLP relies on content inspection, it cannot detect and monitor encrypted e-mail or documents.

Basic DLP Methods

DLP solutions typically apply one of three methods:

1. Scanning traffic for keywords or regular expressions, such as customer credit card or Social Security numbers.
2. Classifying documents and content based on a predefined set to determine what is likely to be confidential and what is not.
3. Tainting (in the case of agent-based solutions), whereby documents are tagged and then monitored to determine how to classify derivative documents. For example, if someone copies a portion of a sensitive document into a different document, this document receives the same security clearance as the original document.³⁸

All these methods involve the network administrator setting up a policy clearly defining what is allowed to be sent out and what should be kept in confidence. This policy creating effort is extremely difficult: Defining a policy that is too broad means accidentally letting sensitive information get out, and defining a policy that is too narrow means getting a significant amount of false positives and stopping the flow of normal business communications.

Although network security management is well established, defining these types of IG policies is extremely difficult for a network administrator. Leaving this job to network administrators means there will be no collaboration with business units, no standardization, and no real forethought. As a result, many installations are plagued with false positives that are flagged and stopped, which can stifle and frustrate knowledge workers. The majority of DLP deployments simply use DLP for monitoring and auditing purposes.

Examining the issue of the dissolving perimeter more closely, a deeper problem is revealed: DLP is binary; it is black or white. Either a certain e-document or e-mail can leave the organization's boundaries or it cannot. This process has been referred to as outbound content compliance.

But this is not how the real world works today. Now there is an increasing need for collaboration and for information to be shared or reside outside the organization on mobile devices or in the cloud.

Most of today's DLP technology cannot address these complex issues on its own. Often additional technology layers are needed.

Data Loss Prevention: Limitations

DLP has been hyped in the past few years, and major security players have made several large acquisitions—especially those in the IRM market. Much like firewalls, DLP started in the form of network gateways that searched e-mail, Web traffic, and other forms of information traveling out of the organization for data that was defined as internal. When it found such data, the DLP blocked transmission or monitored its use.

Soon agent-based solutions were introduced, performing the same actions locally on users' computers. The next step brought a consolidation of many agent- and network-based solutions to offer a comprehensive solution.

IG policy issues are key. What is the policy? All these methods depend on management setting up a policy that clearly defines what is acceptable to send out and what should be kept in confidence.

With DLP, a certain document can either leave the organization's boundaries or it can't. But this is not how the real world works. In today's world there is an increasing need for information to be shared or reside outside the organization on mobile devices or in the cloud. Simply put, DLP is not capable of addressing this issue on its own, but it is a helpful piece of the overall technology solution.

Missing Piece: Information Rights Management (IRM)

Another technology tool for securing information assets is information rights management (IRM) software (also referred to as enterprise rights management [ERM] and previously as enterprise digital rights management [e-DRM].) For purposes of this book, we use the term “IRM” when referring to this technology set, so as not to be confused with electronic records management. Major software companies also use the term “IRM.”

IRM technology provides a sort of security wrapper around documents and protects sensitive information assets from unauthorized access.³⁹ We know that DLP can search for key terms and stop the exit of sensitive data from the organization by inspecting its content. But it can also prevent confidential data from being copied to external media or sent by e-mail if the person is not authorized to do so. If IRM is deployed, files and documents are protected wherever they may be, with persistent security. The ability to apply security to an e-document in any state (in use, in motion, and at rest), across media types, inside or outside of the organization, is called persistent security. This is a key characteristic of IRM technology, and it is all done transparently without user intervention.⁴⁰

IRM has the ability to protect e-documents and data wherever they may reside, however they may be used, and in all three data states (at rest, in use, and in transit).⁴¹

IRM allows for e-documents to be remote controlled, meaning that security protections can be enforced even if the document leaves the perimeter of the organization. This means that e-documents (and their control mechanisms) can be separately created, viewed, edited, and distributed.

IRM provides persistent, ever-present security and manages access to sensitive e-documents and data. IRM provides embedded file-level protections that travel with the document or data, regardless of media type.⁴² These protections and prevent unauthorized viewing, editing, printing, copying, forwarding, or faxing. So, even if files are somehow copied to a thumb drive and taken out of the organization, e-document protections and usage are still controlled.

The major applications for IRM services include cross-protection of e-mails and attachments, dynamic content protection on Web portals, secure Web-based training, secure Web publishing, and secure content storage and e-mail repositories all while meeting compliance requirements of Sarbanes–Oxley, the Health Insurance Portability and Accountability Act, and others. Organizations can comply with regulations for securing and maintaining the integrity of digital records, and IRM will restrict and track access to spreadsheets and other financial data too.

In investment banking, research communications must be monitored, according to National Association of Securities Dealers rule (NASD) 2711, and IRM can help support compliance efforts. In consumer finance, personal financial information collected on paper forms and transmitted by fax (e.g., auto dealers faxing credit applications) or other low-security media can be secured using IRM, directly from a scanner or copier. Importers and exporters can use IRM to ensure data security and prevent the loss of cargo from theft or even terrorist activities, and they also can comply with U.S. Customs and trade regulations by deploying IRM software. Public sector data security needs are numerous, including intelligence gathering and distribution, espionage, and Homeland Security initiatives. Firms that generate intellectual property IP, such as research and consulting groups, can control and protect access to IP with it. In the highly collaborative pharmaceutical industry, IRM can secure research and testing data.

IRM protections can be added to nearly all e-document types including e-mail, word processing files, spreadsheets, graphic presentations, computer-aided design (CAD) plans, and blueprints. This security can be enforced globally on all documents or granularly down to the smallest level, protecting sensitive fields of information from prying eyes. This is true even if there are multiple copies of the e-documents scattered about on servers in varying geographic locations. Also, the protections can be applied permanently or within controlled time frames. For instance, a person may be granted access to a secure e-document for a day, a week, or a year.

Key IRM Characteristics

Three requirements are recommended to ensure effective IRM:

1. Security is foremost; documents, communications, and licenses should be encrypted, and documents should require authorization before being altered.
2. The system can't be any harder to use than working with unprotected documents.
3. It must be easy to deploy and manage, scale to enterprise proportions, and work with a variety of common desktop applications.⁴³

IRM software enforces and manages document access policies and use rights (view, edit, print, copy, e-mail forward) of electronic documents and data. Controlled information can be text documents, spreadsheets, financial statements, e-mail messages, policy and procedure manuals, research, customer and project data, personnel files, medical records, intranet pages, and other sensitive information. IRM provides persistent enforcement of IG and access policies to allow an organization to control access to information that needs to be secured for privacy, competitive, or compliance reasons. Persistent content security is a necessary part of an end-to-end enterprise security architecture.

Well, it sounds like fabulous technology, but is IRM really so new? No, it has been has been around for a decade or more, and continues to mature and improve. It has essentially entered the mainstream around 2004/2005 (when this author began tracking its development and publishing researched articles on the topic).

IRM software currently is used for persistent file protection by thousands of organizations throughout the world. Its success depends on the quality and consistency of the deployment, which includes detailed policy-making efforts. Difficulties in policy maintenance and lack of real support for external sharing and mobile devices have kept first-wave IRM deployments from becoming widespread, but this aspect is being addressed by a second wave of new IRM technology companies.

Other Key Characteristics of IRM

Policy Creation and Management

IRM allows for the creation and enforcement of policies governing access and use of sensitive or confidential e-documents. The organization's IG team sets the policies for access based on role and organizational level, determining what employees can and cannot do with the secured e-documents.⁴⁴ The IG policy defined for a document type includes these following controls:

1. Viewing
2. Editing
3. Copy/Paste (including screen capture)
4. Printing
5. Forwarding e-mail containing secured e-documents

Access to sensitive e-documents may be revoked at any time, no matter where they are located or what media they are on, since each time a user tries to access a document, access rights are verified with a server or cloud IRM application. This can be done remotely—that is, when an attempt is made to open the document, an authorization must take place. In cloud-based implementations, it is a matter of simply denying access.

Decentralized Administration

One of the key challenges of e-document security traditionally is that a system administrator had access to documents and reports that were meant only for executives and senior managers. With IRM, the e-document owner administers the security of the data, which considerably reduces the risk of a document theft, alteration, or misuse.

Auditing

Auditing provides the smoking-gun evidence in the event of a true security breach. Good IRM software provides an audit trail of how all documents secured by it are used. Some go further, providing more detailed document analytics of usage.

Integration

To be viable, IRM must integrate with other enterprise-wide systems, such as ECM, customer relationship management, product life cycle management, enterprise resource planning, e-mail management, message archiving, e-discovery, and a myriad of cloud-based systems. This is a characteristic of today's newer wave of IRM software.

This ability to integrate with enterprise-based systems does not mean that IRM has to be deployed at an enterprise level. The best approach is to target one critical department or area with a strong business need and to keep the scope of the project narrow to gain an early success before expanding the implementation into other departments.

IRM embeds protection into the data (using encryption technology), allowing files to protect themselves. IRM may be the best available security technology for the new mobile computing world of the permeable perimeter.⁴⁵

With IRM technology, a document owner can selectively prevent others from viewing, editing, copying, or printing it. Despite its promise, most enterprises do not use IRM, and if they do, they do not use it on an enterprisewide basis. This is due to the high complexity, rigidity, and cost of legacy IRM solutions.

It is clearly more difficult to use documents protected with IRM—especially when policy making and maintenance is not designed by role but rather by individual. Some early implementations of IRM by first-to-market software development firms had as many as 200,000 different policies to maintain (for 200,000 employees). These have since been replaced by newer, second-wave IRM vendors, who have reduced that number to a mere 200 policies, which is much more manageable. Older IRM installations require intrusive plug-in installation; they are limited in the platforms they support, and they largely prevent the use of newer platforms, such as smartphones, iPads, and other tablets. This is a real problem in a world where almost all executives carry a smartphone and use of tablets (especially the iPad) is growing.

Moreover, due to their basic design, first-wave or legacy IRM is not a good fit for organizations aiming to protect documents shared outside company boundaries. These outdated IRM solutions were designed and developed in a world where organizations were more concerned with keeping information inside the perimeter than protecting information beyond the perimeter.

Most initial providers of IRM focused on internal sharing and are heavily dependent on Microsoft Active Directory (AD) and lightweight directory access protocol (LDAP) for authentication. Also, the delivery model of older IRM solutions involves the deployment and management of multiple servers, SQL databases, AD/LDAP integration, and a great deal of configuration. This makes them expensive and cumbersome to implement and maintain. Furthermore, these older IRM solutions do not take advantage of or operate well in a cloud computing environment.

Although encryption and legacy IRM solutions have certain benefits, they are extremely unwieldy and complex and offer limited benefits in today's technical and business environment. Newer IRM solutions are needed to provide more complete DLS.

Embedded Protection

IRM embeds protection into the data (using encryption technology), allowing files to protect themselves. IRM may be the best available security technology for the new mobile computing world of the permeable perimeter.⁴⁶

Is Encryption Enough?

Many of the early solutions for locking down data involved encryption in one form or another:

• E-mail encryption
• File encryption
• Full Disk Encryption (FDE)
• Enterprisewide encryption

These encryption solutions can be divided into two categories: encryption in transit (e.g., e-mail encryption) and encryption at rest (e.g., FDE).

The various encryption solutions mitigate some risks. In the case of data in transit, these risks could include an eavesdropper attempting to discern e-mail or network traffic. In the case of at-rest data, risks include loss of a laptop or unauthorized access to an employee's machine. The most advanced solutions are capable of applying a policy across the organization and encrypting files, e-mails, and even databases. However, encryption has its caveats.

Most simple encryption techniques necessarily involve the decryption of documents so they can be viewed or edited. At these points, the files are essentially exposed. Malware (e.g., Trojan horses, keystroke loggers) installed on a computer may use the opportunity to send out the plain-text file to unauthorized parties. Alternatively, an employee may copy the contents of these files and remove them from the enterprise.

Device Control Methods

Another method that is related to DLP is device control. Many vendors offer software or hardware that prevents users from copying data via the USB port to portable drives and removing them from the organization in this manner. These solutions are typically as simple as blocking the ports; however, some DLP solutions, when installed on the client side, can selectively prevent the copying of certain documents.⁴⁷

Thin Clients

One last method worth mentioning is the use of thin clients to prevent data leaks. These provide a so-called walled garden containing only the applications users require to do their work, via a diskless terminal. This prevents users from copying any data onto portable media; however, if they have e-mail or Web access applications, they still can send information out via e-mail, blogs, or social networks.

Note about Database Security

Database security and monitoring is addressed in Chapter 10, “IG for IT.”

Compliance Aspect

Compliance has been key in driving companies to invest in improving their security measures, such as firewalls, antivirus software, and DLP systems. More than 400 regulations exist worldwide mandating a plethora of information and data security requirements. One example is the Payment Card Industry Data Security Standard (PCI-DSS), which is one of the strictest regulations for credit card processors. Companies that fail to comply with these regulations are subject to penalties of up to $500,000 per month for lost financial data or credit card information. Forrester Research estimated the per-record cost of a breach is $90 to $305. But do compliance activities always result in adequate protection of your sensitive data? In many cases the answer is no. It is important to keep in mind that being formally compliant does not mean the organization is actually secure. In fact, compliance is sometimes used as a fig leaf, covering a lack of real document security. One needs to look no further than to the recent series of major document leakage incidents to understand this. Those all came from highly secure and regulated entities, such as banks, hospitals, and the military.

Hybrid Approach: Combining DLP and IRM Technologies

An idea being promoted recently is to make IRM an enforcement mechanism for platforms like DLP. Together, DLP and IRM accomplish what they independently cannot. Enterprises may be able to use their DLP tools to discover data flows, map them out, and detect transmissions of sensitive information. They can then apply their IRM or encryption protection to enforce their confidentiality and information integrity goals.⁴⁸

Several vendors in the fields of DLP, encryption, and IRM have already announced integrated products. However, at this point in time, most IRM solutions are by no means ready for prime time when it comes to this use. Only a select few second-wave IRM software providers can offer comprehensive, streamlined, persistent security across many platforms.

As the enterprise perimeter dissolves, document and data security should become the focus of the Internet security field. However, most legacy solutions, such as encryption and legacy IRM, are complex and expensive and provide only a partial solution to the key problems. Combining several methods offers effective countermeasures, but an ultimate solution has not yet arrived.

Securing Trade Secrets after Layoffs and Terminations

In today's global economy—which has shifted labor demands—huge layoffs are not uncommon in the corporate and public sectors. The act of terminating an employee creates document security and IP challenges while raising the question: How does the organization retrieve and retain its IP and confidential data? An IG program to secure information assets must also deal with everyday resignations of employees who are in possession of sensitive documents and information.⁴⁹

According to Peter Abatan, author of the Enterprise Digital Rights Management blog, “As a general rule all organizations should classify all their documents with the aim of identifying the ones that need persistent protection” (emphasis added). That is to say, documents should be protected at all times, regardless of where they travel and who is using them, while the organization still retains control of usage rights. There are two basic technological approaches to this protection:

1. The first, as discussed earlier in this chapter, is combining IRM with DLP; DLP is used to conduct deep content inspection and identify all documents that may contain sensitive information, then the DLP agent “notifies the enterprise [information] rights management engine that sensitive information is about to be copied to external media or outside the firewall and therefore needs to be encrypted.”
2. The second is using a form of context-sensitive IRM “in which all documents that contain sensitive data defined in the [global] data dictionary [are] automatically encrypted.”

These two technological approaches must be fostered by an IG program. They can have significant positive impact in protecting sensitive information, no matter where it is located, and can help document owners withdraw access to its sensitive documents at any time.

Organizations must educate their employees to increase awareness of the financial and competitive impact of breaches and to clarify that sensitive documents are the property of the organization. If those handling sensitive documents are informed of the benefits of IRM and related technologies, they will be more vigilant in their efforts to keep information assets secure.

Persistently Protecting Blueprints and CAD Documents

Certain IRM software providers have focused on securing large-format engineering and design documents, and they have made great strides in the protection of computer-aided design files. As much as 95 percent of CAD files are proprietary designs and represent valuable, proprietary IP of businesses worldwide. And CAD files are just as vulnerable as any other e-document in that, when unprotected, they “can be emailed or transferred to another party without the knowledge of the owner of the content.”⁵⁰

In today's global economy, it is common to conduct manufacturing operations in markets where labor is inexpensive and regulations are lax. Many designs are sent to China, Indonesia, and India for manufacturing. Although they usually are accompanied by binding confidential disclosure contracts, but these agreements are often difficult to enforce, especially given the disparity in cultures and laws. And what happens if a rogue employee in possession of designs and trade secrets absconds with them and sells them to a competitor? Or starts a competing business? There are a number of examples of this happening.

Owners of valuable proprietary IP must vigilantly protect it; the very survival of the business may depend on it. Monitoring and securing IP wherever it might travel is now a business imperative.

Theft of IP and confidential information represents a clear and present danger to all types of businesses, especially global brands dependent on proprietary designs for a competitive advantage. Immediate IG action by executive management is required to identify possible leaks and plug the holes. Not safeguarding IP and confidential or sensitive documents puts the organization's competitive position, strategic plans, revenue stream, and very future at risk.

Securing Internal Price Lists

In 2010, it was reported that confidential information about the advertising expenditures of some of Google's major accounts was leaked to the public.⁵¹ This may not seem like a significant breach, but, in fact, with this information, Google's customers can determine if they are getting a preferred price schedule, and competitors can easily undercut Google's pricing for major customers. According to Peter Abatan, “[It is clear] why this information is so critical to Google that this information is tightly secured.”

Is your company's price list secured at all times? Price lists are confidential information assets, and if they are revealed publicly, major customers could demand steeper discounts and business relationships could suffer irreparable damage, especially if customers find out they are paying more for a product or service than their competitors.

A company's price list is critical to an organization because it impacts all aspects of the business, from the ability to generate revenue to private dealings with customers and suppliers. IRM should be used to protect price lists, and printing of these valuable lists must be monitored and controlled using secure printing methods and document analytics.

Confidential information should be persistently protected throughout their document life cycle in all three states (at rest, in motion, and in use) so that if they are compromised or stolen, they are still protected and controlled by the owning organization.

Approaches for Securing Data Once It Leaves the Organization

It is obvious with today's trends that, as Andrew Jaquith of Forrester Research states, “The enterprise security perimeter is quickly dissolving.” A lot of valuable information is routed outside the owning organization through unsecured e-mail. A breach can compromise competitive position, especially in cases dealing with personnel files and marketing plans or merger details. Consider for a moment that even proprietary software and company financial statements are sent out. Exposure of this data can have real financial impact. Without additional protections, such as IRM and e-mail encryption, these valuable information assets are often out of the control of the IT department of the owning organization.⁵²

Third-party possession or control of enterprise data is a critical point of vulnerability, and many organizations realize that securing data outside the organizational perimeter is a high priority. But a new concept has cropped up of late that bucks unconventional wisdom: “Control does not require ownership.”

Instead of focusing on securing devices where confidential data is accessed, the new thinking focuses on securing the data and documents directly. With this new mindset, security can be planned under the assumption that the enterprise owns its data but none of the devices that access it. As Jaquith states, “Treat all endpoints as hostile” (emphasis added). Forrester Research refers to this concept as the “zero-trust model of information security.” Zero trust, according to Jaquith, is “centered on the idea that security must become ubiquitous” throughout an organization's infrastructure.

Forrester has developed a new network architecture that builds security into the DNA of a network, using a mixture of five data security design patterns:

1. Thin client. Access information online only, with no local operations, using a diskless terminal that cannot store data, documents, or programs so confidential information stays stored and secured centrally. For additional security, “IT can restrict host copy-and-paste operations, limit data transfers, and require strong or two-factor authentication using SecurID or other tokens.”
2. Thin device. Devices such as smartphones, which have limited computing resources, Web surfing, e-mail, and basic Web apps that locally conduct no real information processing, are categorized as thin devices. In practice, these devices do not hold original documents but merely copies, so the official business record or master copy cannot be altered or deleted. A nice feature of many smartphones is the ability to erase or wipe data remotely, in the event the device is lost. This is a little added insurance, and it makes smartphones “truly ‘disposable,’ unlike PCs,” according to Jaquith.
3. Protected process. This approach allows local processing with a PC where confidential e-documents and data are stored and processed in a partition that is highly secure and controlled. This processing can occur even if the PC is not owned and controlled by the organization. “The protected process pattern has many advantages: local execution, offline operation, central management, and a high degree of granular security control, including remote wipe [erase].” A mitigating factor to consider here is most business PCs today are Windows based, and the world is rapidly moving to other, more nimble platforms.
4. Protected data. Deploying IRM and embedding security into the documents (or data) provides complete DLS. The newer wave of more sophisticated, easier-to-use IRM vendors have role-based policy implementation and such features as “contextual” enforcement, where document rights are dependent on the context—that is, where and when a user attempts access. For instance, allow access to documents on workers' desktops but not on their laptops; or provide access to printing confidential documents at the facility during office hours but not after. “Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.”
5. Eye in the sky. This design pattern uses technologies such as DLP to scan network traffic content and halt confidential documents or sensitive data at the perimeter. Deployed properly, DLP is “ideal for understanding the velocity and direction of information flow and for detecting potential breaches, outliers, or anomalous transmissions.” It should be noted that DLP does not provide complete protection. To do so would mean that many legitimate and sanctioned e-mails and documents would be held up for inspection, thus slowing the business process. As stated earlier, DLP is best for discovering information flows and monitoring network traffic. Another negative is that you cannot always require partner organizations and suppliers to install DLP on their computers. So this is a complementary technology, not a complete solution to securing confidential information assets.

By discarding the “age-old conflation of ownership and control, enterprises will be able to build data protection programs that encompass all possible ownership scenarios, including Tech Populism, offshoring, and outsourcing.”

Document Labeling

Document labeling is “an easy way to increase user awareness about the sensitivity of information in a document”(emphasis added).⁵³ What is it? It is the process of attaching a label to classify a document. For instance, who would not know that a document labeled “confidential” is indeed confidential? If the label appears prominently at the top of a document, it is difficult for persons accessing it to claim they did not know it was sensitive.

The challenge is to standardize and formalize the process of getting the label onto the document—enterprisewide. This issue would be addressed in an IG effort focused on securing confidential e-documents, or may also be a part of a classification and taxonomy design effort. It cannot simply be left up to users to type in labels themselves, or it will not be sufficiently executed and will end up leaving a mishmash of labeled documents without any formal classification.

Another great challenge are legacy or archived documents, which are the lion's share of an organization's information assets. How do you go back and label those? One by one? Nope. Not practical.

Some content repositories or portals, such as Microsoft SharePoint^®, provide some functionality toward addressing the document labeling challenge. SharePoint is the most popular platform for sharing documents today.

SharePoint has an information management policy tool called Labels, which can be used to add document labels, such as Confidential, to the top of documents:

The labels are easily added from within Microsoft Office Word, PowerPoint, and Excel. One method that can be used is for the user to click the Label button on the Insert ribbon group; another method is to add the label through a prompt that appears when a user saves or prints a document (if the administrator has configured this option).

The labeling capabilities in document and content management systems such as Microsoft's SharePoint are a good start for increasing user awareness and improving the handling of sensitive documents. However, the document labeling capabilities of Share-Point are basic and limited. These basic capabilities may provide a partial or temporary solution, although organizations aiming for a high level of security and confidentiality for their documents will need to search for supplemental technologies from third-party software providers. For instance, finding the capabilities to label documents in bulk rather than one by one, add watermarks, or force users to save or print documents with a standard document label that cannot be altered may require looking at alternatives. Some are software vendors have enhanced the SharePoint document labeling capability and may provide the complete solution.

Document Analytics

Some software providers also provide document analytics capabilities that monitor the access, use, and printing of documents and create real-time graphical reports of document use activities. These capabilities are very valuable.

Document analytics allows a compliance officer or system administrator to view exactly how many documents a user accesses in a day and how many documents the user accesses on average. Using this information, analytics monitors can look for spikes or anomalies in use. It is also possible to establish baselines and compare usage with that of an employee's peers, as well as with his or her past document usage. If, for instance, a user normally accesses an average of 25 documents a day and that suddenly spikes to 200, the system sends an alert, and perhaps it is time to pay a visit to that person's office. Or, if an employee normally prints 50 pages per day, then one day prints 250 pages, a flag is raised. Document analytics capabilities can go so far as to calculate the average time a user spends reading a document; significant time fluctuations can be flagged as potentially suspicious activity.

Confidential Stream Messaging

E-mail is dangerous. It contains much of an organization's confidential information, and 99 percent of the time it is sent out unsecured. It has been estimated that as many as 20 percent of e-mail messages transmitted pose a legal, financial, or regulatory threat to the organization. Specifically, “34 of employers investigated a leak of confidential business information via email, and an additional 26% of organizations suffered the exposure of embarrassing or sensitive information during the course of a year,” according to Nancy Flynn, Executive Director of the ePolicy Institute. These numbers are rising, giving managers and business owners cause to look for confidential messaging solutions.⁵⁵

Since stream messaging separates the header and identifying information from the message, sends them separately, and leaves no record or trace, it is a good option for executives and managers, particularly when engaged in sensitive negotiations, litigation, or other highly confidential activities. Whereas e-mail leaves behind an indelible fingerprint that lives forever on multiple servers and systems, stream messaging does not.

Business records, IP and trade secrets, and confidential executive communications can be protected by implementing stream messaging. It can be implemented alongside and in concert with a regular e-mail system, but clear rules on the use of stream messaging must be established, and access to it must be tightly restricted to a small circle of key executives and managers.

The ePolicy Institute offers seven steps to controlling stream messaging:

1. Work with your legal counsel to define “business record” for your organization on a companywide basis. Establish written records retention policies, disposition and destruction schedules. And litigation hold rules. Support the email retention policy with a bona fide email archiving solution to facilitate the indexing, preservation and production of legally authentic records. Implement a formal electronic records management system to manage all records.
2. Work with your legal counsel to determine when, how, why, and with whom confidential stream messaging is the most appropriate, effective—and legally compliant—way to hold recordless, confidential business discussions when permanent records are not required.
3. In order to preserve attorney-client privilege, a phone call or confidential electronic messaging may be preferable to email. Have corporate counsel spell out the manner in which executives and employees should communicate with lawyers when discussing business, seeking legal advice, or asking questions related to specific litigation.
4. Define key terms for employees. Don't assume employees understand what management means when using terms like “confidential,” “proprietary,” or “private” or “intellectual property,” etc. Employees must clearly understand definitions If they are to comply with confidentiality rules.
5. Implement written rules and policies governing the use of email and confidential stream messaging. E-policies should be written clearly and should be easy for employees to access, and understand. Make them [as] “short and sweet” as possible. Do not leave anything up to interpretation.
6. Distribute a hard copy of the new confidential messaging policy, email policy and other electronic communications (e.g., social media, blogs). Insist that each and every employee signs and dates the policy, acknowledging that they understand and accept it and that disciplinary action including termination may result from violation of the organization's established policies.
7. Educate, educate, educate. Ensure that all employees who need to know the difference between email which leaves a potential business record and stream messaging which does not, and is confidential.⁵⁶

Securing personal, classified, or confidential information effectively requires an eclectic, multifaceted approach. It takes clear and enforced IG policies, a collection of technologies, and regular testing and audits, both internally and by a trusted third party.

Notes

1. Ponemon Institute Research Report, “2013 Cost of Data Breach Study: United States,” May 2013, www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-us-report-2013.en-us.pdf

2. Jim Finkle, “‘State Actor’ behind Slew of Cyber Attacks,” Reuters, August 3, 2011, www.reuters.com/article/2011/08/03/us-cyberattacks-idUSTRE7720HU20110803 (accessed August 18, 2011).

3. Ibid.

4. Ibid.

5. Ibid.

6. Peter Abatan, “Persistently Protecting Your Computer Aided Designs,” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/1423979379/persistently-protecting-your-computer-aided-designs (accessed August 18, 2011).

7. Ari Ruppin, March 20, 2011 via e-mail.

8. Sam Narisi, “IT's role in secure staff cuts,” March 2, 2009. www.financetechnews.com/its-role-in-secure-staff-cuts/

9. Ibid.

10. Shira Scheindlin and Daniel Capra, The Sedona Conference, Electronic Discovery and Digital Evidence, Thomson Reuters, 2009, p. 204, www.amazon.com/Scheindlin-Conferences-Electronic-Discovery-Evidence-ebook/dp/B00AUE0LRI

11. Oracle White Paper, “Oracle Information Rights Management 11g—Managing Information Everywhere It Is Stored and Used,” March 2010 p. 4, www.oracle.com/technetwork/middleware/webcenter/content/irm-technical-whitepaper-134345.pdf (accessed December 23, 2011).

12. Ibid.

13. Open Web Application Security Project, “Defense in Depth,” https://www.owasp.org/index.php/Defense_in_depth (accessed June 24, 2013).

14. HCL, “Identity and Access Management Services,” www.hclisd.com/identity-and-access-management.aspx (accessed September 2, 2011).

15. Ibid.

16. Ibid.

17. Nicola Clark and David Jolly, “Fraud Costs Bank 7.1 Billion,” New York Times, January 25, 2008, www.nytimes.com/2008/01/25/business/worldbusiness/25bank-web.html?hp (accessed September 2, 2011).

18. Oracle White Paper, “Oracle Information Rights Management 11g.”

19. Robert Smallwood, “E-DRM Plugs ECM Security Gap,” KM World, April 1, 2008, www.kmworld.com/Articles/News/News-Analysis/E-DRM-plugs-ECM-security-gap-41333.aspx (accessed March 30, 2012).

20. Adi Ruppin, March 20, 2011, via e-mail to author.

21. Annik Stahl, “Secure Printing: No More Mad Dashes to the Copy Room,” http://office.microsoft.com/en-us/help/secure-printing-no-more-mad-dashes-to-the-copy-room-HA001227631.aspx (accessed August 22, 2011).

22. Telephone interview of William Broddy by author, August 7, 2011.

23. Bill Blake, “WikiLeaks, the Pearl Harbor of the 21st Century,” eDocument Sciences LLC, December 6, 2010, http://edocumentsciences.com/wikileaks-the-pearl-harbor-of-the-21st-century.

24. VaporStream, www.vaporstream.com (accessed December 9, 2013).

25. Ibid.

26. Ibid.

27. NIST, “Federal Information Processing Standards Publication,” FIPS PUB 186-3, issued June 2009, http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf (accessed August 15, 2011). FIPS Publication 186-3 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes. For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsFIPS.html

28. Doug Miles, AIIM White Paper, “Digital Signatures – Making the Business Case,” http://www.arx.com/files/DOCUMENTS/Digital-Signatures-for-Document-Workflow-and-SharePoint-Survey.pdf (accessed December 9, 2013).

29. Computer Desktop Encyclopedia, www.computerlanguage.com, retrieved March 30, 2012.

30. Doug Miles, AIIM White Paper, “Digital Signatures – Making the Business Case.”

31. Ibid

32. Ibid.

33. Ibid.

34. Ari Ruppin, March 20, 2011, via e-mail.

35. Fred Donovan, “Gartner: Enterprise Content-Aware Data Loss Prevention Market to Reach $670 Million This Year,” February 7, 2013, www.fierceenterprisecommunications.com/story/gartner-enterprise-content-aware-data-loss-prevention-market-reach-670-mill/2013-02-07

36. Data Loss Prevention Experts, “DLP Product Guide for RSA Conference Expo 2011,” January 17, 2011, www.dlpexperts.com/dlpxblog/2011/1/17/dlp-product-guide-for-rsa-conference-expo-2011.html (accessed August 22, 2011).

37. Ibid.

38. Ibid.

39. Ibid.

40. Peter Abatan, “Who Should Be Blamed for a Data Breach?” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/1087100940/who-should-be-blamed-for-a-data-breach (accessed December 9, 2013).

41. Peter Abatan, “Understanding Enterprise Rights Management,” Enterprise Digital Rights Management, www.enterprisedrm.info/page/2 (accessed August 3, 2011).

42. Robert Smallwood, “Securing Documents in the WikiLeaks Era,” May 28, 2011, www.kmworld.com/Articles/Editorial/Feature/Securing-documents-in-the-WikiLeaks-era-75642.aspx (accessed August 1, 2011).

43. Oracle, IRM Technical White Paper, Oracle.com, February 2008 (accessed December 9, 2013).

44. Abatan, “Understanding Enterprise Rights Management,” http://enterprisedrm.tumblr.com/page/3 (accessed December 9, 2013).

45. Ibid.

46. Ibid.

47. Ibid.

48. Ibid.

49. This discussion and quotes are from Peter Abatan, “Preparing for Staff Layoffs/Resignations where Confidential Information Is Concerned,” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/1230356519/preparing-for-staff-layofis-resignations (accessed December 9, 2013).

50. Ibid.

51. This discussion and quotes are from Peter Abatan, “Is Your Price List under Lock and Key?” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/1120104758/is-your-price-list-under-lock-and-key (accessed August 18, 2011).

52. This discussion and quotes are from Andrew Jaquith, “Own Nothing—Control Everything: Five Patterns for Securing Data on Devices You Don't Own,” ComputerWeekly.com, September 8, 2010, www.computerweekly.com/Articles/2010/09/10/242661/Own-nothing-control-everything-five-patterns-for-securing-data-on-devices-you-dont.htm (accessed August 18, 2011).

53. This discussion and quotes are from Charlie Pulfer, “Document Labeling in SharePoint,” September 13, 2009, www.contentmanagementconnection.com/Home/21196/ (accessed January 28, 2014.

54. Ibid.

55. Nancy Flynn, The E-Policy Handbook: Rules and Best Practices to Safely Manage Your Company's E-Mail, Blogs, Social Networking, and Other Electronic Communication Tools, 2nd ed. (New York: AMACOM, 2009), p. 57.

56. Ibid., pp. 68–70.

Portions of this chapter are adapted from Chapters 11 and 12, Robert F. Smallwood, Safeguarding Critical E-Documents: Implementing a Program for Securing Confidential Information Assets, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.