Information Rights Management, Information Control Solutions Company: Seclore
Official Seclore Blog
We’d like to hear your views on ours…talk to us!

Tuesday, June 30, 2009

You Are Fired!!

Is the economic downturn turning employees into data thieves? Shockingly, the answer is YES! Those who have served the company most sincerely can switch loyalties once a layoff notice is served. And their most potent weapon for getting back at the company is the vast amount of confidential data in their hands. They may sell it for money, use it to land a job with a rival company, or simply make it public to take revenge. And the risk of data theft comes not just from a laid-off employee: a company faces it from anybody who has indicated an intention to quit.

Almost every company has a gradual process for removing an employee's data access once they have given or been given notice of termination. But employees make the decision well before they inform the organization, and between deciding and informing they may take copies of all the sensitive information they can reach. Layoffs are similar: the rumors start spreading well in advance, giving other employees ample time to get ready.

The present recession definitely doubles the risk. One of the immediate reactions to a recession is cost cutting, and layoffs are definitely on the table. In a massive layoff, monitoring the data transactions of a large number of employees is far more difficult.

How big is the risk? Last August, the FBI arrested a financial analyst at a mortgage broker firm for selling Excel sheets containing customer information. The FBI estimates that over the last 2 years he might have made US $70,000! The entire customer database of a large company can easily fit on a USB drive. Data can be emailed in a second and printed in a minute.

The need is to monitor and control the usage of all sensitive data throughout its lifecycle, no matter where it is. Every piece of data has to be treated individually, with specific usage rights assigned to each. Moreover, it should be possible to change these rights dynamically for an individual employee or a set of employees who are about to leave the company.

Seclore’s FileSecure allows you to do just that. It enables differential usage rights for various documents. If an outgoing employee has a copy of some sensitive data on his home PC, he won’t be able to open the document anymore. The usage rights determine whether one can print, copy or forward a document or not.

FileSecure supports all important file formats for office use (MS Office, Open Office, PDF, text, images, AutoCAD drawings and more). It’s easy to install and operate. What’s more, every piece of data comes with an audit report that shows whether unauthorized attempts were made on it.

The vulnerability of important office data only increases the troubles in an already tough time. Be secure beforehand, with FileSecure.

Monday, June 15, 2009

Beyond Disk Encryption


Organizations worldwide are striving to protect their most critical asset – data. In the course of daily work a mass of bulk and individual transactions takes place. These transactions carry critical information that is shared between internal employees, external vendors (for data entry and bill printing) and customers. Information is shared via different mediums like email, shared folders, USB disk drives, etc. There is also frequent movement of laptops between departments. Because data is so mobile, the risk of information theft keeps increasing. Full disk encryption is an important part of protecting data on laptops while that data is at rest (i.e. inside the laptop). However, it only solves part of the problem. Consider a few tantalizing and prodding questions:
  1. How do you enforce protection of the same data once it leaves the laptop (via email, removable media, etc.)?
  2. How do you protect the information from other ways of extracting data, like print-screen, screen grabbing tools and remote desktop sessions?
  3. How do you put granular control on information such that certain users can view and edit the document while others can only view and print it?

All the above questions bring us to the fact that disk encryption technology only protects the container in which the data resides, and not the data itself!

Why protect the container when the content needs protection?

Different ways in which data gets leaked out even when full disk encryption is deployed:

  1. Authorized employees share the content with unauthorized users in unencrypted form.
  2. Ex-employees who had access to the information share it with their new organization.
  3. Employees who had more rights than their task required mishandle the data (e.g. printing, taking screenshots).
  4. Business partners and vendors receive unencrypted information because they do not have the decryption utility at their end. This eventually results in data leaks.

The problem at the heart of the system is that disk encryption is a perimeter-centric technology! There is no way of protecting information once it is available in unencrypted form or once it moves outside the organization's firewall (perimeter).
To mitigate the above threats, a more holistic, information-level security approach needs to be taken. A solution that satisfies the following requirements is needed:

  1. An information usage control system that secures the content itself without compromising information sharing
  2. Capability to control editing, printing, distribution of shared information for each recipient
  3. Persistent protection of data while it is at rest, in transit and in use
  4. Capability to control information after it leaves the organization's firewall (i.e. after distribution)
  5. Full audit trail of authorized and unauthorized activity on the document
  6. Ability to revoke the usage rights on shared information irrespective of its location

IRM to the rescue

IRM enables the organization to enforce usage rights on documents. With IRM, document creators can specify WHO (people, groups) can use the information, WHAT (view, edit, print, forward, full control) the person can do with it, WHEN (specific dates, time spans) this can be done and from WHERE (within the office, at a business partner) the information can be used. Documents can also be “deprecated” so that access to old copies residing on desktops is prevented. Some IRM technologies, like the ones offered by Seclore, also provide an “audit trail” feature. The audit trail not only guarantees compliance with regulatory standards (e.g. ISO 27000, SOX, HIPAA, Basel II) but also helps in detecting suspicious activity on documents by unauthorized users. Document rights can also be changed post distribution, providing additional control over distributed documents.

Thus IRM solutions take information protection well beyond full disk encryption by ensuring that usage rights are propagated during normal information use. Unlike full disk encryption, which protects information only while at rest, IRM offers protection at rest, in motion and in use. Information is protected throughout the entire lifecycle of creation, distribution, use and destruction. With granular control over information even post distribution, IRM puts control on information over and beyond what disk encryption offers.
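To make the WHO / WHAT / WHEN / WHERE model, post-distribution revocation and audit trail described above concrete, here is an added illustrative model of information-level usage control. It is not Seclore's or any product's code: the class and method names (Policy, RightsServer, open_document), the location labels and the sample scenario are assumptions constructed for this example, and the "document" is a plain string rather than an encrypted file.

```python
# Illustrative IRM policy model (added example, not FileSecure's implementation).
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Policy:
    """Usage rights that travel with the document, not with its container."""
    doc_id: str
    rights: dict                      # WHO -> WHAT, e.g. {"alice": {"view", "edit"}}
    valid_from: datetime              # WHEN: start of the usage window
    valid_until: datetime             # WHEN: end of the usage window
    allowed_locations: set            # WHERE: coarse location labels, e.g. {"office"}
    revoked: bool = False             # set after distribution to disable every copy

class RightsServer:
    """Central policy store: every open request is checked here and audited."""

    def __init__(self):
        self.policies = {}
        self.audit = []               # full trail of allowed and denied activity

    def publish(self, policy):
        self.policies[policy.doc_id] = policy

    def change_rights(self, doc_id, user, actions):
        """Post-distribution rights change (e.g. an employee changes role)."""
        self.policies[doc_id].rights[user] = set(actions)

    def revoke(self, doc_id):
        """Revocation applies to every copy, wherever it is stored."""
        self.policies[doc_id].revoked = True

    def authorize(self, doc_id, user, action, when, location):
        """Return (allowed, reason) and append the decision to the audit trail."""
        policy = self.policies.get(doc_id)
        if policy is None:
            decision = (False, "unknown document")
        elif policy.revoked:
            decision = (False, "document revoked")
        elif action not in policy.rights.get(user, set()):
            decision = (False, "user lacks right")
        elif not (policy.valid_from <= when <= policy.valid_until):
            decision = (False, "outside usage window")
        elif location not in policy.allowed_locations:
            decision = (False, "location not permitted")
        else:
            decision = (True, "granted")
        self.audit.append({"doc": doc_id, "user": user, "action": action,
                           "when": when.isoformat(), "where": location,
                           "allowed": decision[0], "reason": decision[1]})
        return decision

def open_document(server, doc_id, content, user, action, when, location):
    """A viewer that renders content only if the rights server agrees. Unlike an
    unlocked encrypted disk, the check is repeated on every use of every copy."""
    allowed, _ = server.authorize(doc_id, user, action, when, location)
    return content if allowed else None

def demo():
    """Constructed scenario: a copy of a sensitive sheet leaves with an employee."""
    server = RightsServer()
    server.publish(Policy(
        doc_id="customer-list-2009",
        rights={"alice": {"view", "edit"}, "bob": {"view"}},
        valid_from=datetime(2009, 1, 1), valid_until=datetime(2009, 12, 31),
        allowed_locations={"office"}))
    content = "CONSTRUCTED SAMPLE: customer list"
    results = []
    # 1. Normal use at the office is allowed.
    results.append(open_document(server, "customer-list-2009", content,
                                 "bob", "view", datetime(2009, 6, 1), "office"))
    # 2. Bob tries to print: not among his rights, so denied and logged.
    results.append(open_document(server, "customer-list-2009", content,
                                 "bob", "print", datetime(2009, 6, 1), "office"))
    # 3. Bob copies the file to his home PC: the copy opens nowhere but the office.
    results.append(open_document(server, "customer-list-2009", content,
                                 "bob", "view", datetime(2009, 6, 2), "home"))
    # 4. Bob resigns; rights are revoked after distribution, disabling every copy.
    server.revoke("customer-list-2009")
    results.append(open_document(server, "customer-list-2009", content,
                                 "bob", "view", datetime(2009, 6, 3), "office"))
    return results, server.audit

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The denied attempts in steps 2 to 4 are the "unauthorized activity" an audit trail surfaces; only the first request returns content.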

Monday, May 25, 2009

Beware, your data is still on sale

In a recent Global Security Survey conducted by Deloitte, 56% of respondents reported that they'd had data breach trouble more than once in the past year with a trusted vendor. While a lot of "post mortem" followed, the obvious measure to be implemented finds little or no mention.

Providers of information are primarily responsible for its appropriate use. This is all the more important in the case of outsourced processing, where a third party has access to a lot of sensitive information. How are the providers (clients) ensuring that the information is used only for the purpose it was provided for, and that once the purpose is served it is no longer available, even to the recipient?

We have highlighted this need in our older blogs, but looking at the recent reports of data theft in outsourcing (thestar.com, dbusinessnews.com), the question to ask is... is anybody listening?!

Friday, May 8, 2009

Can technology stop piracy?


These days, you don’t need to buy a ticket to watch a movie. A day after its release, you’ll invariably find any blockbuster on one of those sharing websites, ready to be downloaded for free. Count the amount of money that the industry is losing every year.

Why only cinema? Buying music albums has been reduced to a joke today, with almost everyone downloading music from websites. And if at all someone buys an album, he makes sure that its copy reaches every single friend. Talk about value for money!

Here comes the question. Today a movie or a music album involves investments in the millions. Is it only to be shared for free? Is there a way to save all this money? Here comes the savior: Digital Rights Management, abbreviated as DRM.

In simple terms, DRM collectively refers to all the measures that prevent unauthorized (read: free) usage of content in a digital medium. With increased piracy, DRM is appearing to be the business of tomorrow, with a gross global business prediction of $2.4 billion by 2015. While North America represents the largest market today, market gurus pin their hopes on India and China to take the lead in the DRM market.

So how does DRM work? There isn’t a single answer to this. Often the main data is accompanied by a piece of data that tells who may or may not use it, to establish differential access. The restrictions vary. Windows Vista contains its own DRM system, Protected Media Path, to ensure that restricted content can be played only in Media Player. Apple iTunes, on the other hand, is usually quite generous with DRM restrictions, but when it comes to certain music players Apple has set restrictions too. Some CDs are made only for players and not for computers, in order to prevent copying.

Notwithstanding so many different solutions, music and movie pirates are able to do their job with admirable finesse! While the industry advocates buying only original work, a technology solution is required to address the problem fully.

First, the software should be tough to crack, as every second day hackers find ways to sidestep restrictions. The technology should enable control even after the files are shared. Also, it should support all important formats and should enforce usage restrictions regardless of the device on which the content is played. Another important factor is being able to dynamically change the rights. This will give owners full control over who can use the original work and how that usage is allowed.

Such a solution for movie and music piracy is possible. Similar issues are prevalent for information and document leakages. And solutions are available to address them. Choosing the right software is the need of the hour.

FileSecure offers such end-to-end persistent control for documents. It enables controlling document usage even after distribution, regardless of where the document lies physically. Such technology will help to mitigate the risk of information breach in the case of documents, and ensure that the fruits of your labor don't sell for free in the case of art!

Wednesday, April 8, 2009

Is Information Security really regulated in India?


Recently, Vishal Gupta wrote an article about Information Security Regulations in India, and what steps need to be taken to make them effective. Here is an excerpt of the article:

Today, no business can run without information – names, addresses, account numbers – about employees, customers and business partners. So enterprises should also bear the responsibility for keeping all this information safe. This is, however, not reflected in the frequent data breaches of recent times.

Government and industry regulators should bring forth a set of regulations and norms to ensure that enterprises value information that people entrust them with.

The purpose being:

1. Confidentiality: Information is revealed only to those who have the right to it
2. Integrity: No unauthorized change has occurred
3. Availability: Information is available and usable
4. Non-Repudiation: Information disputes can be resolved

Measures should be taken to ensure that the enterprises that handle personally identifiable data act responsibly. These could be classified as:

1. Mandatory establishment of information security auditors: The Prime Minister has said that India is a knowledge economy. So here, knowledge has to be treated like money. Just as financial transactions have to pass a financial auditor, information transactions should pass through information security auditors, who are different from the company’s own IS team.

2. Complete auditing of confidential information: Enterprises need to deal with customer information the same way as they deal with money. It should be possible to:

• Keep a track of the information deposit i.e. Opening an account
• A track of the events post deposit i.e. Various transactions
• Ability to delete all information on request i.e. Closing the account

3. Enactment of disclosure norms: Most countries are still debating whether it should be mandatory to inform people affected by a data breach. The argument is that as long as there’s no damage done, the company should not be penalized. Judgments in cases related to Wells Fargo and TJX are along these lines. While this debate will continue for some time, the enactment of disclosure norms would be a significant preventive measure, since enterprises would be careful if their reputations were at risk.

4. Establishment of a centralized information security ombudsman with international reach: We need a centralized information security ombudsman which can effect industry-specific norms as well as co-ordinate with international security agencies in cases involving international cyber crime.

To conclude, the present norms in India leave much to be desired. See what Shojan Jacob, Advocate at Kerala High Court, has to say about this. It is time for the government to step in and have industries take information security more seriously.

Thursday, March 26, 2009

Do you still think your Credit Card data is safe?

Remember our last blog post about how Heartland, the credit card payment processor, was forced to admit a security breach that could impact 100 million people? Well, if you were lucky enough not to get caught up in that breach, there's apparently another one to worry about.

Now, during a sting operation, BBC reporters posing as fraudsters from London bought UK names, addresses and valid credit card details from one Saurabh Sachar, based in New Delhi.

This reiterates our view that the providers of information need to ensure that it's protected wherever it is. And this is possible today! Read our blog to know more.

Friday, March 6, 2009

Your credit card is with you AND some where else too!

Take this: the credit card you’re using could have a duplicate lying in some faraway city in the US right at this moment! And before you jump the gun on your bank, let’s make it clear: they have nothing to do with it. Neither does any other bank in the world (and that includes almost every bank that offers a credit card). The victim’s name here is Heartland.

The two global credit card giants, Visa and MasterCard, depend on Heartland for processing their cards. The company processes more than 100 million transactions per month for over 250,000 customers. Sometime in the later part of last year, unidentified hackers broke into their systems. They didn’t look for data like customers’ addresses or contact details. Rather, they stole the data which would enable them to create duplicates of, hold your breath, up to 100 million credit cards.

The company noticed the fraud after receiving complaints from Visa and MasterCard. Further investigation revealed what is claimed to be the biggest data breach in history.

So far, 500 financial institutions are on record as having been affected by the breach. Also, as the breach came to light, allegations of forgery started pouring in from all over the world.

In another interesting development, 3 men were arrested in New Jersey on multiple charges of credit card fraud, and some of the card numbers they allegedly used are tied to the Heartland hack. They had been using those cards since last November. Are they the culprits? Or are they just pawns in this game? Only time will tell.

Law enforcement is currently investigating how those three men were able to obtain credit card numbers from the Heartland breach in November, when the breach was only announced on January 20. Does that mean that the actual breach happened long before the announcement?

While the investigations try to find out what actually happened, we should also ponder how something like this can be avoided in future. Let’s understand the core problem.

Most financial services organizations outsource a significant part of their data processing to vendors, often on different continents. While this provides commercial benefits, there is an ever-looming security concern. Many processes are adopted and imposed to ensure that data breaches do not occur, but the fact of the matter is that leakages happen. The reason is simple: the company that provides or generates the raw data for processing has no control over it when it is used halfway across the globe! We discussed this in one of our earlier blogs, “Security concern while outsourcing”.

What’s needed is a way to ensure that security on the outsourced data travels with it, no matter where the data is! So ideally, while Heartland was processing its customers' data, there should have been controls on the data mandating that it could be used only on Heartland-authorized machines and applications. Also, after Heartland completed the processing, the raw data should have become unusable! Thus, even if the data was hacked into, no one would have been able to use it!

Is that possible? You know the answer: of course it is! Read here about InfoSource, which helps organizations outsource data with the confidence that it is being used only by the authorized vendor, and only for the purpose for which it was outsourced!

Monday, February 16, 2009

Knowledge Management systems and their protection

Guest blog from Animesh Parihar - Global Delivery Head (SAP) and member of Seclore Advisory Board

Business today is not sustained by a single organization. It is built on a complex eco-system interwoven with vendors on one side and customers on the other. Organizations need to share information not only with internal employees but also externally with contractors, vendors and other business partners. There is a continuous inflow and outflow of content being created, gathered, transferred, received, modified, stored, disposed of, etc. To ease and streamline the intricate collaboration that is required within the organization and with its partners, sophisticated collaboration tools like Knowledge Management Systems (KMS) are being extensively deployed.

The basic idea of a KMS is to give employees ready access to the organization's documented base of facts, sources of information, and solutions. The base assumption is that sharing this information organization-wide leads to more effective ways of working, and may also lead to ideas for new and improved work methodologies. Over time, data that is confidential, sensitive or IP also finds its way into KMS repositories.

But this initiative to streamline information access brings new challenges. The frontrunner among them is the security of the knowledge when it is outside the KMS! It is widely known that collaboration and security are competing forces. A KMS, by virtue of its core function of enhancing collaboration between users, falls short of providing tight security to content once it is outside its realm. With content being added to the KMS repository every day, and with business relationships being volatile, the security issue becomes an exponentially growing time bomb waiting to explode, with dire consequences in terms of potential information leakage and the resultant revenue loss. For example, what happens if an employee with sensitive data on his laptop leaves and joins a competitor?

Enter Information Rights Management (IRM). Integrating IRM with a KMS extends the security of repositories to protect content wherever it goes, within the confines of the KMS and beyond. In fact, IRM is the only technology that can help secure information from the moment it is created to the point of its destruction. IRM controls the who (people, groups, teams, …), what (read, edit, print, distribute, …), when (dates, duration, …) and where (locations, IP addresses, …) of content when it is outside the KMS, thereby providing persistent security irrespective of location. Predefined rules can be set such that as soon as a document is created and uploaded into the KMS, it is immediately and automatically protected with the predefined rights, making IRM protection transparent to the user and friendly to use.

The integration of IRM with a KMS makes information-centric security for all confidential, sensitive and IP-related content an achievable aim. The minimal cost and effort of having such a necessary, must-have feature is outweighed by the risk of losing sensitive information to a competitor.

Seclore’s technology, with its deep and sophisticated integration with KMS, achieves more than just content security. One of the salient features of Seclore’s IRM is the “on the fly” changing of rights. This gives the organization a tool to change the rights on a distributed document as and when business relationships change. Powerful features like using registered credentials for authentication and automatic protection of documents enable users to ensure persistent security with minimal disruption to the user experience and way of working.

Reference links:
Knowledge Management: Everyone Benefits by Sharing Information
Association for Information Systems on Knowledge Management

Guest blog by Animesh Parihar, who has spent a quarter of a century getting technology to deliver value. In his present role as Head of Global Delivery at SAP, Animesh handles the operations of delivery centers spread across three continents. As a member of its advisory board, Animesh helps Seclore drive focus on the information security needs of the collaborative enterprise, and identify various means to enhance collaboration while mitigating the risk of information breach.

Animesh Parihar


Tuesday, January 20, 2009

Mumbai attacks – lessons for information security



The Mumbai attacks, among other things, are a lesson to all of us on the importance of protecting the usage of technology and information. The laundry list of technologies used by the terrorists before and during the attacks includes:

1. GPS devices – For steering the sea vessel as they approached Mumbai. None of the terrorists are known to have had formal training in seafaring, but they were still able to come from Karachi to Mumbai.
2. Satellite phones – For use at sea as well as in Mumbai in case local phone networks were jammed
3. Internet-enabled cell phones with switchable SIM cards – To monitor the media and stay in touch with their management, and also to monitor police response and activities
4. Anonymous email services – To communicate with the media using a “remailer” service, which prevents the email source from being traced
5. VoIP numbers – For communication during the siege such that the local networks were not able to tap into the conversation

The scary part is that most of the above technologies (with the possible exception of satellite phones, which can again be ordered from the internet for as low as $25 per week) are fairly easily available. Even remailer services are easily accessible on the internet.

Besides technology, the terrorists also demonstrated innovative gathering and use of the information required to conduct an operation of this scale. It is now confirmed that the terrorists had high resolution satellite images (available freely on the internet) of Mumbai, which would have been used to familiarize themselves with Mumbai's streets before coming. They also appeared to have fairly detailed knowledge of the internal layout of the target locations. This information could have been obtained from their accomplices, who are rumored to have stayed at the Taj and Oberoi Trident for a few days ahead of the carnage. It looks unlikely, however, that such a big operation would be put at risk by having people roaming around the hotels collecting information. Given the method and precision used, the possibility of the terrorists having detailed drawings of the Taj and Oberoi Trident cannot be ruled out. The few places where these drawings are available are within the hotels themselves and with public authorities (to find out the names of the authorities, the fire brigade department and BMC are obvious choices).

It appears that it might actually not be too difficult a task to gather the above information, since Google Earth is a free service, and getting the internal layout of these buildings from one of the many places where it is available appears easy, with no formal information security policy being implemented in these departments.

Some of the measures that our public offices must take to prevent the use of technology for terrorism are:

1. Preventing Google Earth and similar services from displaying high resolution images of the Coastal Regulatory Zone (CRZ) as well as other sensitive areas
2. Ensuring that copies of layout drawings of public buildings are stored digitally and under high security, so that even if the drawings are released to anybody, the usage of the information is restricted.
3. Having stricter identity norms for users of public services like mobile and financial services.

See also: Wikipedia

Friday, January 2, 2009

Unstructured Data


Exactly 5 months and 23 days back, your client sent you an estimate by mail. Today, suddenly, they wake up in search of the ‘important’ document and bombard you with mails and calls. But where is it?

After 20 minutes of searching through folders and mails with different keywords, you finally recover it from the trash mail folder, send it and breathe easy.

Wait! Did we say 20 minutes? Think: if each of your employees spends that amount of time to find one document, maybe 10 such documents every day, that adds up to uncountable hours every month. Finding the right data claims invaluable man-hours for your company. According to Gartner, white-collar workers spend anywhere from 30 to 40 percent of their time in a year just managing documents and finding the right information in them.

We buy information, we sell information, and we store information. But stored information is different from organized information, and we all have a misconception about this.
Recently, HP surveyed 1020 CIOs and department heads of large enterprise organisations across the UK and Europe. It found that on average, European companies believe that only 25 percent of their data is currently unstructured, i.e. unorganized. Analysts, on the other hand, estimate that around 70% of current data is actually unstructured, not in a usable form.

Whenever we receive data, we put it in files, arrange those in folders, and feel happy. But that data is useless when we search for an element in it that is not just a keyword but a phrase or a sentence. The data doesn’t help us with comparison or analysis. Even when the computer finds matches, someone has to sit and generate meaning from them. We cannot ask the data a question and get an answer. We have to find the answer ourselves from the heaps of information.

Worldwide, 80% of companies’ data is unstructured, and counting. Unstructured data lies in mails, PDFs, documents, images, presentations, voice mails and so on. The irony is, it’s all with us, but not in a searchable format. So says Mani Shrabang: “We’re drowning in information but are starving for knowledge… That information is only useful when it can be located and then synthesized into knowledge.”

Information search in a company database is much more than Google-type search. It needs to analyze information as a whole and find patterns in it. No software to date serves that purpose. And when we fail to extract information, the company suffers a huge loss.

Morgan Stanley paid a $1.4 billion price last year in a legal battle. Some claim the judgment was a direct result of the defense's inability to produce relevant e-mails and documents the court demanded. As one analyst noted, "During the pretrial discovery process, and the trial itself, Morgan Stanley kept stumbling on old, hard-to-search backup tapes and couldn't perform effective searches on its newer e-mail archive." Eventually, the judge became so frustrated with the delay that she ruled against Morgan Stanley.

It’s estimated that a company with 10,000 employees can save a neat $2.5 million by improving search on its intranet. Then think how much extra cost your company is bearing right now. No doubt we need a system to shape up unstructured data, to extract information from it and to do intelligent search. And we need it right away!