Securing documents in the WikiLeaks era

This is the first installment of a two-part series in which Robert Smallwood writes about the need for organizations to address the issue of electronic document security, the consequences that result from failure to employ security measures, the use of enterprise rights management (ERM) software in safeguarding information, roadblocks to implementing ERM, and Microsoft's role in that market. The second part of this series will include descriptions of others vendors in the e-document security space.

Plugging the gaps

Electronic document security has come to the forefront of the business and political world with the exposure of classified U.S. military documents in 2010 by the website publisher WikiLeaks. With the threat of more disclosures and examples of leaked information abounding, organizations are scrambling to plug gaps in electronic document security and communications.

Protecting e-documents goes far beyond protecting military secrets; in the private sector it means guarding financial data, price lists, product designs and blueprints, strategic plans, legal documents, personnel files and other private corporate data, which have real economic implications. Check Point Software Technologies has issued this statement, "Despite repeated examples of data loss the industry has witnessed over the past few years, and despite their disastrous consequences, many organizations still lack clear data security policies and fail to deploy the right security arsenal to prevent them. While they take all the necessary measures to protect their physical infrastructure and facilities—controlling and restricting access to their physical sites—they fail to protect their informational and digital assets. Yet, this is where a company's innermost secrets, intellectual property and value resides—confidential files, financial documentation, acquisition plans, customer information, sensitive e-mails, exclusive product releases and other corporate records. All are ultra-capital assets that need to be shielded from the outside world."

Software source code and other intellectual property are also at risk. According to the U.S. Commerce Department, intellectual property theft is estimated at more than $250 billion and costs over 750,000 jobs annually. The International Chamber of Commerce estimates the global fiscal loss to intellectual property theft is more than $600 billion per year—and rising.

In February 2010, the U.S. Justice Department announced the creation of an intellectual property (IP) task force(justice.gov/opa/pr/2010/February/10-ag-137.html) as part of its initiative to crack down on the growing number of domestic and international IP crimes. "The rise in intellectual property crime in the United States and abroad threatens not only our public safety but also our economic well-being," Attorney General Eric Holder said. "The Department of Justice must confront this threat with a strong and coordinated response."

Corporate espionage is not new, and it does have tangible costs. In 2009, a former Ford product engineer stole more than 4,000 confidential documents containing trade secrets from the company's computers to sell to a Chinese car manufacturer. The calculated loss to Ford was estimated to be $50 million to $100 million. In 2010, a General Motors engineer and her husband conspired to steal trade secrets about hybrid engine technology and sell them to Chinese competitors. In January, The New York Times reported that the car manufacturer Renault filed a criminal complaint on an industrial espionage case in which it asserts that a foreign company sought to obtain secrets related to its electric car program.

The threat is real

We live in a different world now, and the nature of internal threats has evolved. "Because of WikiLeaks and other high-profile espionage cases, managers now know the threat of stolen or misused documents is real, and for whistleblowers to reveal internal documents and memos is almost expected, which greatly raises the threat—and the need for securing internal communications," says Alon Samia, CEO of Covertix, which specializes in file level surveillance and control software. "A firewall isn't enough. Data loss prevention isn't enough. You need enterprise rights management on top of that."

Data loss prevention (DLP) software and appliances stop sensitive e-mails, documents and data from leaving the firewall, based on specified content. Enterprise rights management (ERM) provides embedded file level protections against unauthorized viewing, editing, printing, copying, forwarding or faxing, which travels with the document or data, regardless of media type.

"Persistent protection"

DLP is a good concept that is difficult to implement effectively. Steve Coplan, senior analyst, Enterprise Security Practice, at The 451 Group, says, "If you look at DLP and tell it to ‘catch everything,' it just can't do it in real time-the computing power and classification technology just isn't there. DLP as an enforcement technology has, overall, been a disappointment. But many organizations use DLP as a tool to discover where the gaps are, and who is doing what." In the ERM world, that is called "discovery," which is finding out what data flows where in an organization, and mapping it out.