Securing Data Wherever It Travels
The time when enterprises can build a ubiquitous encryption and digital rights ecosystem may not be that far away
January 31, 2009
Over the years, IT managers have struggled to ensure data is encrypted while it travels across the network, and as it resides on disk -- whether that's within the data center, on network-attached storage, or in individual workstations. In an attempt to better manage data, some enterprises have tried to create so-called "zones of trust" that are designated to handle data at varying degrees of sensitivity.
"These approaches really don't work over the long term, because data is constantly being accessed by users, moved, and replicated," says Pete Lindstrom, research director at Spire Security.
Of course, Lindstrom isn't arguing that users shouldn't access and use enterprise data, but he is suggesting that the weakness in current approaches to encryption and data security is the fact that users must decrypt data to be able to access and manipulate it. Once decrypted, that data can often be freely copied to thumb drives and personal notebooks, or emailed to anybody. Desktop encryption tools, such as PGP, BitLocker for Windows, and the open-source TrueCrypt disk encryption, require users to take too many actions and make too many decisions about the data they use to be practical.
"When people are forced to classify data, they classify everything as top secret or everything is marked non-sensitive, and it's part of the reason why organizations will continue to have leaks and breaches," says Christofer Hoff, chief security architect at IT services provider Unisys.
However, the convergence of Data Leak Protection (DLP) and enterprise Digital Rights Management (eDRM) software with document management and enterprise content management applications, and eventually into the operating system and networking protocols, means enterprises may be able to build a security framework where encryption and access rights to information actually travel wherever data flows. This promise has been made before, albeit prematurely, in the marketing campaigns of individual eDRM vendors such as Authentica (now owned by EMC), Liquid Machines, and others that promise to let enterprises control various access privileges to documents, such as who can view, print, or forward information. While useful for many organizations, the technology needs to be ingrained within the fabric of the IT infrastructure to be really effective.
These trends, analysts say, are already well underway. EMC in 2006 bought Authentica to add to its Documentum platform, and Microsoft is building eDRM capabilities directly into its Microsoft Office SharePoint Server 2007 content management and collaboration software. The trend is extended further by the recent partnership among RSA Security Inc., the security division of EMC Corp., and Microsoft. Under this partnership, Microsoft will integrate RSA's DLP Suite 6.5 with Microsoft's Active Directory Rights Management Services within Windows Server 2008. Another is the partnership between Liquid Machines and McAfee Inc., which will integrate McAfee's DLP platform with Liquid Machines' eDRM platform. (See Partnerships Spark New Life Into Enterprise DRM.)
The convergence of content management platforms and eDRM should help enterprises better assign rights to controlled data, according to Lindstrom. "The most challenging data [to encrypt or apply security policies to] is the user-generated data where they have to self-classify data," he says. "But if you have a central repository, an authoritative source, such as those in SharePoint and Documentum, you can force that application of policies. This way, when data is shared within and outside the organization, you can apply security policy to it."
Unfortunately, to have pervasive access rights and encryption applied to all work files, the ability to classify data needs to be automated whenever possible and embedded within the workflow of an organization -- not attached to files after they're created or only applied as documents are checked in and out of content management systems. To ensure that eDRM reaches that level of sophistication will be one of the final hurdles to ubiquitous rights management. "People don't like anything being added to their workflows. They strongly resist even the seemingly most minor of extra steps," says Hoff. "What we really need are intelligent ways of ubiquitously classifying data, not tagging it after the fact, and then apply policy and basic routing decisions within the infrastructure to control how that information is secured and managed."
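The two ideas in the preceding paragraphs, rights that travel with the data and classification that happens automatically at creation time rather than being tagged on afterwards, can be shown concretely in code. The following is an added example written for this article; it is not code from any of the vendors or products named above. It classifies a document from its content using constructed detector patterns, attaches a constructed policy table (who may view, print or forward), and then binds that policy header to the ciphertext with an encrypt-then-MAC envelope so that stripping or loosening the rights is detected when the document is opened. To stay standard-library only, the stream cipher is HMAC-SHA256 run in counter mode; in production this envelope would be an AEAD such as AES-GCM with the header as associated data.

```python
"""Rights-bound document envelope (added example, not vendor code).

Classification is derived from content at creation time, the resulting policy
is stored in a header, and the header is cryptographically bound to the
ciphertext so the rights cannot be removed or loosened without detection.
Detector patterns, group names and the policy table are all constructed.
"""
import hashlib
import hmac
import json
import os
import re

# Constructed detectors: a real DLP engine would use far more (document
# fingerprints, validators with check digits, trained classifiers).
RESTRICTED_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # SSN-shaped token
    re.compile(r"\b(?:\d[ -]?){15,16}\b"),     # card-number-shaped token
]
INTERNAL_KEYWORDS = ("internal only", "confidential", "do not distribute")

# Constructed policy table: who may view, and whether print/forward are allowed.
POLICIES = {
    "public":     {"view": ["*"],               "print": True,  "forward": True},
    "internal":   {"view": ["group:employees"], "print": True,  "forward": False},
    "restricted": {"view": ["group:finance"],   "print": False, "forward": False},
}


class RightsViolation(Exception):
    """Raised when the envelope is altered or the action is not permitted."""


def classify(text: str) -> str:
    """Derive a sensitivity label from content, so the user never self-classifies."""
    if any(p.search(text) for p in RESTRICTED_PATTERNS):
        return "restricted"
    lowered = text.lower()
    if any(k in lowered for k in INTERNAL_KEYWORDS):
        return "internal"
    return "public"


def _subkey(master: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one master key."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only PRF stream standing in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master: bytes, text: str) -> dict:
    """Classify, attach the policy, encrypt, and MAC header+nonce+ciphertext together."""
    label = classify(text)
    header = json.dumps({"label": label, "policy": POLICIES[label]}, sort_keys=True).encode()
    nonce = os.urandom(16)
    plaintext = text.encode()
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    # The tag covers the header, so the rights travel with the data and cannot be edited.
    tag = hmac.new(_subkey(master, b"mac"), header + nonce + ciphertext, hashlib.sha256).digest()
    return {"header": header.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def _may_view(policy: dict, groups: list) -> bool:
    return "*" in policy["view"] or any(g in policy["view"] for g in groups)


def open_document(master: bytes, sealed: dict, groups: list, action: str) -> str:
    """Verify the envelope, enforce the embedded policy, and return plaintext if allowed."""
    header = bytes.fromhex(sealed["header"])
    nonce = bytes.fromhex(sealed["nonce"])
    ciphertext = bytes.fromhex(sealed["ciphertext"])
    tag = bytes.fromhex(sealed["tag"])
    expected = hmac.new(_subkey(master, b"mac"), header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise RightsViolation("envelope altered: header or content does not match tag")
    policy = json.loads(header)["policy"]
    if action == "view":
        allowed = _may_view(policy, groups)
    else:
        # print/forward require view rights plus the action-specific flag.
        allowed = _may_view(policy, groups) and bool(policy.get(action, False))
    if not allowed:
        raise RightsViolation(f"action '{action}' not permitted by policy {policy}")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


if __name__ == "__main__":
    key = os.urandom(32)
    doc = seal(key, "Payroll export: 123-45-6789")
    print(json.loads(bytes.fromhex(doc["header"]))["label"])            # restricted
    print(open_document(key, doc, ["group:finance"], "view"))           # plaintext
```

The point the article makes is visible in `open_document`: the policy is enforced wherever the file ends up, because the viewer reads the rights out of the envelope itself rather than from the server the file came from, and any attempt to rewrite the header to a looser policy fails the tag check before decryption is even attempted.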
While there's no technology that is close to realizing that vision, applications such as the eDRM abilities in Documentum and SharePoint are heading that way. "We are also seeing some of this technology being bundled into the operating system, which is Microsoft's long-term vision," says Hoff. While a ubiquitous security framework that assigns access rights and security policies to documents on the fly is years away, both Lindstrom and Hoff agree that enterprises need to pay more attention to DLP and eDRM today.
"The solutions are not fully baked, as we're still in the early adoption stages of this right now," notes Hoff. "But the adoption curve is in action. When you see large life-cycle management technologies integrating this technology, and vendors like Microsoft getting behind this, it means [independent software vendors] can build the solution sets necessary to make this a reality."