Securing documents in the WikiLeaks era, Part 2
InDorse Technologies has caught the eye of some leading industry analysts with its ability to make file protection simple and scalable in an increasingly Web 2.0-enabled, device-agnostic, cloud-based business environment. Rob Marano, president and CEO, says, "Our company was founded to provide solutions that protect a company's important files without disrupting business flow or requiring intensive network configuration. In today's increasingly cloud-based and SaaS-based business environment, files are being shared more and more to conduct business. However, traditional information security solutions are unable to handle the move from silo-based IT security to the cloud. Given the shift away from internal servers, it was important to create a solution that was in lockstep with this trend. InDorse was built with the mindset that no software would be required and users would not be forced to change their daily routine."
When InDorse's ERM software is deployed, even authorized users are stopped from downloading large quantities of files in limited settings from remote locations. A trail of forensic data that captures who is downloading or opening files provides immediate accountability--before files can be leaked. What sets the company apart? Marano says, "InDorse products do not require any client software, automatically enforce usage and protection policies for sensitive business files, and actively and passively track and trace the files for life."
NextLabs began as a provider of data loss prevention (DLP) solutions, then moved upstream into enterprise rights management to offer a more complete security solution, which it terms "information risk management." The software is based on eXtensible Access Control Markup Language (XACML) from the standards body OASIS (oasis-open.org). XACML is a way of articulating policy, a core XML schema for representing authorization and entitlement policies, which allows standardization of access control routines across platforms.
Although players like Oracle are involved in XACML, NextLabs is currently the only company offering ERM based on the standard. That standardization and simplification allows for a drastic reduction in policy creation and maintenance. What else is unique about the firm's approach? Andy Han, VP and GM of products with NextLabs, says, "We offer transparent rights management, and we're able to apply rights to any file type or any application. We have ‘content awareness' built in, so based on the context of the file, we can determine rights. Also, we don't base policies on individual user identities, but base them on attributes and roles, so it is much more flexible and easier to maintain."
Zafesoft offers "the only solution that provides content security with edit," according to the website. "Users can edit, copy, paste, etc. All information remains ‘zafe' (fully secure), including copy of copies and derivatives taken from one file to another." ‘Zafed' content looks and behaves like the original, and is encrypted locally. Sandeep Tiwari, CEO, says, "We secure information in its native format, allow users to access and edit documents in their native format--we don't force them to use a proprietary viewer." The solution is cross-platform, supporting Windows, Mac and Linux. Presently, Zafesoft has fewer than 10 customers, but it had only been marketing the product for several months at press time. The Autonomy pattern search engine is used to search content for patterns and to secure the content.
Forrester's Hill sums up the enterprise rights management marketplace this way: "ERM products are still mostly geared toward protecting documents inside an enterprise. Our customers tell us it's still just too difficult to share documents across company boundaries, even with enhancements like MS Active Directory federation services. We expect new lightweight collaboration features will allow for more casual business-to-business collaboration, without requiring armies of lawyers and IT staff. In our view, purchases of one-off ERM solutions will trail off, in favor of more complete solutions, such as those integrated with DLP technology, content management infrastructure and other risk mitigation solutions."
Organizations will struggle with securing internal documents and sifting through the myriad of security solutions available, but the bestsecurity tool is to make information governance a priority, a part of the organization's culture.