While no one can predict what will happen to the economy over the next 12 to 18 months, you can bet your bottom dollar that threats to confidential data will increase substantially in that time frame. Why? Malicious code threats are growing exponentially while the cyberunderground becomes ever more sophisticated.
Fortunately, industry players are starting to team up to lower the cost, complexity, and integration effort needed for data-centric security. Last week, EMC's RSA and Microsoft got together to announce that the software giant will integrate RSA's Data Loss Prevention (DLP) into the Windows infrastructure in order to discover and classify data (Word documents, Excel spreadsheets, and so on). Microsoft will also tightly integrate DLP with its Enterprise Rights Management (ERM) Server. Not to be outdone, security bigwig McAfee on Monday announced that it will integrate its DLP data discovery and policy management solutions with a leading ERM solution from Liquid Machines.
Why the activity?
1. DLP solutions need to become more mainstream
While every company that conducts business over the Web needs DLP capabilities, software solutions require customization, sophisticated skills, and lots of dough. Microsoft's data classification integration into Windows should help alleviate this by providing baked-in DLP basics.
2. DLP and ERM are complementary
DLP technology assumes you don't know where sensitive data is so you want to find it, classify it, and keep it confidential. ERM, on the other hand, assumes you know exactly where the data lives and you want granular protection at the user and file level. These announcements demonstrate that the debate between DLP and ERM was misguided--large organizations need both solutions to safeguard known and unknown sensitive data across the network.
3. Entitlement management is the next challenge
While we figured out how to centralize user authentication pretty well, we still leave entitlement management (i.e., user privileges) to each individual application. Because every application keeps its own privilege model, this approach doesn't scale, is prone to authorization mistakes, and is nearly impossible to audit. Liquid Machines, McAfee, Microsoft, and RSA get this, as do others like Cisco Systems (through its Securent acquisition) and Rohati. Clearly, these vendors are positioning themselves for this next moneymaking opportunity.
So what's next? While other DLP vendors will form their own cozy relationships, my hope is that the industry comes together in a group hug and defines some meta data standards for classification, policy definition, and enforcement. I know this isn't likely but it would sure go a long way to help us all protect our sensitive data.
Microsoft and EMC's RSA on Thursday announced an expanded technology partnership around digital rights management in the enterprise.
There are two parts to the announcement, said Douglas Leland, general manager of the Identity and Security Business Group at Microsoft. One, Microsoft will build RSA's Data Loss Prevention (DLP) classification technology into the Microsoft IT platform and future information protection products.
The other part of the announcement, said Leland, is that RSA will in turn integrate Microsoft's Active Directory Rights Management Services (AD RMS) into its DLP product. "This makes RSA's DLP solution identity-aware."
Microsoft and EMC said their solution is different from other DLP solutions on the market because it is thoroughly integrated within the platform, not layered on. For example, Microsoft will start by adding RSA's DLP 6.5 to Windows Server 2008. Other Microsoft products to be included in the program are Microsoft Exchange and SharePoint.
For the user, the process is transparent, happening entirely on the back end. "(This technology will) assist the user in such a way that they don't have to make a choice in what information they have to protect," said Christopher Young, senior vice president of products at RSA. Whenever sensitive documents are exchanged via Exchange or SharePoint, rights such as read-only access and permission to print will be applied automatically according to the policies set by the CIO or other security officers.
In Germany it's apparently OK to have non-employees roam the offices, while in Brazil corporate secrets are commonly shared with family members, and even with total strangers. These are some of the results of a survey (PDF) commissioned by Cisco Systems and released Tuesday.
"It's interesting to see the cultural differences in terms of what's allowed and what's not allowed in different countries," said Marie Hattar, vice president of network and security solutions at Cisco. "If you look towards doing a data leakage prevention strategy, you've got to consider physical security as much as you do network security."
Hattar told CNET News that the survey came about because of dramatic changes in the workplace within the last few years. Two of the changes--a younger workforce and the rise of smart mobile phones--are "completely blurring between what's personal and what's your work life." She also cited the recent rise of the knowledge worker in countries such as India, China, and Brazil. "So it becomes key that as you implement your network security strategy, your physical security strategy, that you are also putting into place some of these educational policies to drive your employees to good behavior," she said.
In Brazil, the study found, 39 percent of employees surveyed talk about sensitive company information with friends and family, and 8 percent talk about it with strangers. By comparison, the numbers for the U.S. were 16 percent friends and family and only 2 percent strangers. "If you look at China," Hattar said, "it's one of the more lower countries in terms of who they talk about company business outside the company." Cisco's data showed that while 17 percent of Chinese workers talk about work to friends and family members, none said they talked to strangers.
Another data point was how permissive employees are of non-employees in the office. "In Germany, one out of five actually admit to letting partners or vendors or what have you roam their office buildings unsupervised." Hattar admitted this alone would not lead to data leakage, but warned that employees should "put their computers on standby, (prevent) their passwords from being posted on the computer or written down somewhere, and have a physical security mechanism that will alert you so that you know whether someone is looking or doing something that they shouldn't be doing."
The Cisco report further recommends that companies know where the data is stored and how it is accessed and used. Companies should educate employees on how data protection equates to money earned and money lost, the bottom line. Finally, international companies should determine global policy objectives and create localized education programs tailored to a country's culture and threat landscape.
Hattar observes that "as you evolve your business into different cultures, even if you have locked down your physical security and your network security you can't escape from having to put into place an education program to raise the awareness that you have to educate your employees about the possibility of verbal disclosure."
The Cisco study was conducted by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.
With information technology, you can look at problems and solutions in lots of different ways. For end users and academics, this can lead to a lot of experimentation, skunk works projects, and trial-and-error. But that is not the case when it comes to technology vendors. Start-ups also see lots of ways to solve problems, but they are bound by business plans, directors, and funding to pick their battles and build focused solutions. Some make the right choice and get lucky, some don't.
As an example, I offer two different solution types for data security: Data Loss Prevention (DLP) and Enterprise Rights Management (ERM). These two segments are focused on protecting confidential and private data but each took a bit of a different approach. At a high level, DLP solutions sort of assume that you don't know where your confidential data is or what people are doing with it so you need some way to prevent bad things from happening. Alternatively, ERM assumes that you do know where the data is and what people should be doing with it so you need automated tools for policy enforcement.
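To make the DLP-then-ERM split concrete (discovery and classification of data you don't yet know about, followed by per-file usage rights of the kind the RSA/Microsoft announcement describes for Exchange and SharePoint), here is an added example that is not code from any of the vendors or articles above. It scans constructed sample documents for regulated data, uses a Luhn check to drop digit runs that merely look like card numbers, assigns a classification label, and maps that label to an assumed rights template. The pattern list, the label names, and the rights table are all illustrative assumptions, not any product's real policy.

```python
import re

# Discovery patterns for regulated data. The card pattern accepts 13-16 digits
# with optional space/dash separators; Luhn validation below filters out random
# digit runs (order numbers, tracking IDs) that would otherwise be false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Usage rights keyed by classification label. Modeled loosely on the per-file
# rights an ERM/RMS template expresses; these values are assumptions for the
# example, not any vendor's shipped template.
RIGHTS_BY_LABEL = {
    "Restricted":   {"view": True, "edit": False, "print": False, "forward": False},
    "Confidential": {"view": True, "edit": True,  "print": False, "forward": False},
    "Internal":     {"view": True, "edit": True,  "print": True,  "forward": True},
}

# Constructed sample corpus standing in for files found on a share or mailbox.
SAMPLE_DOCS = {
    "expense-report.txt": "Reimburse corporate card 4111 1111 1111 1111 for travel.",
    "order-log.txt": "Order 1234567890123456 shipped; tracking 4111 1111 1111 1112.",
    "hr-memo.txt": "New hire SSN 123-45-6789 for payroll enrollment.",
    "roadmap.txt": "CONFIDENTIAL: Q3 roadmap draft for the product council.",
    "lunch.txt": "Cafeteria menu for Friday.",
}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Discovery step: locate regulated data, returning masked matches only so the
    scanner's own output does not become a second copy of the secret."""
    findings = {"credit_card": [], "ssn": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drop lookalike digit runs that fail Luhn
            findings["credit_card"].append("*" * (len(digits) - 4) + digits[-4:])
    for m in SSN_RE.finditer(text):
        findings["ssn"].append("***-**-" + m.group()[-4:])
    return {kind: hits for kind, hits in findings.items() if hits}


def classify(text: str) -> str:
    """Classification step: regulated data outranks an author-applied marking."""
    if find_sensitive(text):
        return "Restricted"
    if re.search(r"\bCONFIDENTIAL\b", text):
        return "Confidential"
    return "Internal"


def protect(doc_name: str, text: str) -> dict:
    """Enforcement step: attach the rights template that the label selects."""
    label = classify(text)
    return {
        "document": doc_name,
        "label": label,
        "findings": find_sensitive(text),
        "rights": dict(RIGHTS_BY_LABEL[label]),
    }


def run_scan(docs: dict = SAMPLE_DOCS) -> dict:
    """Scan every document and return the per-file decisions keyed by name."""
    return {name: protect(name, text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, decision in run_scan().items():
        print(f"{name:20} {decision['label']:13} {decision['findings']} {decision['rights']}")
```

The order-log document shows why the Luhn step matters: it contains two 16-digit numbers, and neither passes the check, so the file stays Internal instead of being locked down on a false positive. Real DLP engines go well beyond this (context keywords, document fingerprinting, exact-data matching against a hashed customer list), and a rights template alone does not stop someone reading a Restricted document aloud, which is the verbal-disclosure gap the Cisco survey above is about.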
These two related product segments have had vastly different fortunes. DLP became the toast of the town with a number of visible acquisitions. Port Authority was scooped up by Websense, EMC grabbed Tablus, and Symantec purchased Vontu. Others like Orchestria and Vericept continue to do well as independent companies. ERM players didn't fare quite as well, however. Companies like Authentica and Sealed Media were purchased at discounted prices while others simply shut their doors.
DLP initially proved to be a better financial bet, but ultimately there are a few ironies in this victory:
Ironic point No. 1: DLP vendors are now adding ERM-like functionality like data usage policy enforcement into their products. I guess this means that as users get a better understanding about their data and how people use it, they realize that they need better ways to control these activities.
Ironic point No. 2: ERM vendors like Adobe Systems, Liquid Machines, and Microsoft that were able to ride out the market storm are now in high demand. Users finally recognize the value here.
Like comedy, timing is everything when it comes to technology start-ups. Believe me, I learned this lesson first-hand. The DLP guys found a goldmine while ERM companies faded away. What's old is new again, however. ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike.