Putting an End to Data Breaches as We Know Them

Wednesday, January 26, 2011

Robert Siciliano


The AP reports “WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next.”

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years.

The Chronology of Data Breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

WikiLeaks has been quite the news topic, and for good reason. Data breaches cost in many ways. One cost is of course in the form of dollars. But when it is military secrets that are breached, that can cost lives.

It shouldn’t be this way.

Talk show pundits buzz that the release of thousands of additional secret government documents leads to the conclusion that there is no way to protect sensitive data. If the government can’t even prevent a Private in the Army from stealing confidential data, what hope is there?

Nearly all WikiLeaks articles conclude that you have to trade off security against productivity, implying that content becomes unusable with higher levels of security in place.

In the Associated Press article ‘Companies beware: The next big leak could be yours’, Jordan Robinson states:

“But the more companies control information, the more difficult it is for employees to access documents they are authorized to view. That lowers productivity and increases costs in the form of the additional help from technicians.”

This is true for traditional content security measures but ignores significant advances made by security company Zafesoft, whose solution does not require a change in user behavior or complex technical support to maintain.

Companies that do a little research will find there is a way to protect their valuable information without compromising productivity and at a reasonable cost.

Robert Siciliano is a Personal Security and Identity Theft Expert. See him discussing another data breach on Good Morning America. (Disclosures)

Anthonie Ruighaver Nice teaser. Please enlighten us how this new technology works and why you think it will be more cost-effective compared to the more traditional approach of controlling access. (Yes, I did look at the website, but did not get any real info from that)
1296097444
Robert Siciliano OK Anthonie, but Zafesoft.com is pretty comprehensive. I'm sure you can do a free trial as well.

When there is sensitive information, access control alone cannot secure it. By definition, access control allows authorized people to access and redistribute to non-authorized users if they choose to do that. This results in Wikileaks or other loss of sensitive information. So the traditional approach needs to then use physical security methods to prevent the user from copying, editing, exporting, saving, sending the sensitive files to ensure security. There are many needs in the real world where this cannot be enforced. Enforcing these physical methods costs a lot more than the alternative below.

With the Zafesoft approach the actual data that is sensitive is made secure, not just the access to it. This allows the authorized users to view and edit the sensitive information anywhere in the world, and forward it in whole or part to other users. The other users always get this information in a secure format, and if they are authorized they can view it etc, if not it appears like encryption. This is data level security, and the technology is way beyond access control.
1296160128
Mark Pollyguy Claims have been made that several of the leaks acquired by WikiLeaks were in fact given by persons with an authenticated access to the sensitive data.

From your comment, the Zafesoft approach is still access control: you either have the access to pass the encryption or not. The actions of a user beyond that are still uncontrolled. It dwindles down to being the same theory, just a different product.

There is no difference between the definition you have provided for Access Control and the Zafesoft approach.
Someone could still gain access and re-distribute the sensitive data in another format through something as primitive as the Print_Screen button.
1296181822
Robert Siciliano Mark,
I have great news for you.

It is precisely in this regard that Zafesoft is different.

Once the data has been secured by Zafesoft (it's been zafed), the authorized users can view and edit the data as they please.

They can in fact copy the file or a portion of the content to their local drive or file and then email the file to any unauthorized user in the world. The unauthorized user will see encryption, and not the content. Even a single character of zafed content will remain encrypted where it travels, no matter how many times it’s been copy-pasted.

On the other hand if they try something like Print_Screen, with zafed content – they will not get any image.

Organizations have tested this for over 10 months – it is still secure.

Ask more questions please. I'm really looking for IT professionals to try and poke holes in this. It's pretty amazing technology.
1296186518
Danny Lieberman Robert,
Sounds interesting but it's just another form of IRM (information rights management - btw, not the same thing as access control although there is some overlap). IRM, based on DRM, has its own problems - the two key design flaws being:

a) involvement in the user interaction.

b) Requiring the organization to know in advance which information it wants to control

This is why Oracle IRM deployments stall over the first couple hundred users - and as a result, employees find backdoors to leak the information.

I've published an article that goes into more detail on the design flaws of a DRM based approach here:

http://www.software.co.il/downloads/preventing-intellectual-property-abuse.pdf
1296203729
Robert Siciliano Hi Danny,

That is a great paper. You are absolutely right – those are the reasons why DRM, which has been around for over 12 years, has failed. It is the manual management of rights that makes Rights Management a non-starter.

I would add to your list of DRM challenges:

1. Lack of security from simple editors like Notepad.

2. Users do not want to interact for security purposes.

3. Manual decision making on what needs security is not practical (time consuming and judgment dependent).

The Zafesoft approach first of all provides robust security, way beyond DRM technologies. This addresses point 1 above.

Secondly it allows edit, this is a BIG deal. With edit ability of secure data, users no longer need layers of rights management, and its administration. This eliminates point 2 above.

Thirdly Z-Discovery product addresses the automated discovery and security of sensitive information. This addresses point 3 above.

Put together the solution secures data, runs with an extremely low overhead, and does not involve user interaction.
1296258309
Peter Abatan Hey Gentlemen, let's not get carried away. I have been to the Zafesoft website and it is fundamentally enterprise rights management (ERM) even though the term ERM is not used. ZafeSoft is not any different from how some of the ERM vendors now implement their solutions.

How one can conclude that the Zafesoft approach first of all provides robust security, way beyond ERM technologies has no basis at all.

The copy and paste feature where a new document inherits the security feature of the parent document has been a technology that Fasoo has been using for many years.

Robert also said ZafeSoft involves no user interaction. REALLY? How do you send a file to an external partner securely without specifying the partner's identity in one form or the other? I can confidently say that ZafeSoft does involve user interaction.

There are so many misconceptions about enterprise rights management, even among security experts. It is not easy to understand how it works, but when you take time to understand the capabilities the benefits are immense.
1296404307
Simon Thorpe @Danny: I'm not sure where you've had problems deploying the Oracle IRM solution, but I can assure you that there are many customers well beyond several thousand users in production deployments. If you need some technical assistance you might want to contact your local Oracle representative.

The manual management of rights is not an issue either. Many businesses require there be human interaction with classifications that grant access to information. Oracle IRM has also been integrated with many identity provisioning systems to automate the management of rights. The simplest of solutions being group membership from the directory.

The lack of IRM solutions for notepad is quite simple. No customers ask for it. Most customers ask for Office, PDF and HTML solutions, hence why IRM, which is a technology focused on enterprise security, typically doesn't have solutions for notepad.

Users not wanting to interact for security purposes? Again you seem to be wildly missing the mark. The company finds that security is often of greater concern than a user's desire to protect information. As such IRM solutions are commonly integrated with the systems which generate the information in the first place. For example automating the protection of content when it is stored in SharePoint, or downloaded from PeopleSoft. These integrations remove any need for user interaction and when combined with SSO on the Windows desktop, users don't even need another step for authentication.

Most IRM technologies also provide edit capabilities. Oracle IRM actually allows you to edit a document, copy information between secured documents via the clipboard, but not allow that sensitive information to end up in an insecure environment such as Notepad or Facebook.

You really should gain more experience on the real world deployments of IRM technologies before making such sweeping statements.
1296488316
Danny Lieberman Simon - seems you're responding to a few people on the thread.

I'd love to learn more. Please contact me offline and we'll chat. I'm always looking for interesting opportunities.

D
1296503466
Simon Thorpe @Danny, yes sorry I was addressing many points in the comments and article. I'd love to talk further offline, lemme contact you.

@Mark Pollyguy But the point of IRM is to provide content over ensuring content cannot exist in an uncontrolled manner. IRM provides features that allow you to prevent screen capture, control access to the clipboard, prevent programmatic access to documents and other features. Zafesoft is a new technology in this space and has some of these features. I'm not aware of the maturity of the product.

Because of the persistent access control features of IRM technologies it allows you to give people access to information then revoke it at a later date. With well developed IRM technologies all the rights to content are separated from the documents themselves allowing for information owners to change all sorts of rights in near real time. Take a look at the following video for an example;

http://www.youtube.com/watch?v=OKvdMB9dhfM
1296508404
Anthonie Ruighaver Thanks everybody, interesting discussion.
My main problem is, however, the implicit assumption that such a security service can be 100% secure. I have never encountered any security service that was completely secure. So what features does this technology have to detect when its security fails? This, by the way, is the biggest problem with any encryption based security service. Use of encryption often fails, but is difficult to detect.
1296524807
Robert Siciliano @Peter. Rights Management technologies are called that because their aim is to restrict the end user's ability in some ways. Usually to prevent them from editing or moving the information to an environment where it can be leaked.

From a business perspective this creates a real challenge – how do you secure data, yet allow the users to consume the data with a high degree of freedom, and explains limited adoption that DRM and ERM have had in their over 12 years of existence.

Yes you are probably correct that all the nuances of rights management technologies are not understood, however the key restrictions are clear.

Zafesoft’s approach to data security is different, although the customer requirements of authorized access and audit trail remain the same. The biggest advancement of this solution is editability of secure text, as well as its continued editability across different applications, editors, and operating systems.

Windows, MAC, and Linux etc…

The second difference is ease of use, so that the users (once authorized) no longer need to interface with the solution, or think about what rights to administer or pass on to other users.

In addition Zafesoft offers Z-Discovery. This is an enterprise class pattern based data discovery and classification engine. This utilizes pattern search technology (looks for SSN, Patient Numbers, DL, Bank Account numbers or other custom patterns) to discover and classify across the organization. It can then automatically “zafe” the data at the location it was discovered, so the users do not need to interface with security.

The secure information remains accessible for view, edit, copy, move, export, save to PDF, and other functionality across multiple operating systems, and editors. These are some of the ways in which Zafesoft technology is beyond rights management, for yet more ways you should contact them.
1296526134
Robert Siciliano @Simon. Appreciate your comments. The SealedMedia (founded 1996) technology has certainly been around for quite a while, and the user interface requires the ordinary user to actually interact with the rights management infrastructure.

@General

Working with most rights management technologies requires user training, and time.

It is interesting to note that Notepad is one of the more difficult editors to secure…

Zafesoft’s two value propositions are (1) – very high security. So prevent data loss, even when working with MAC or Linux users. Most DRM technologies do not support edit rights on these platforms, and any user who needs to work with secure information from these platforms gets a NON-Secure version of the data which beats the point of security.

(2) User Transparency. So the users can do all the things they need to do to do their job, and to think and manipulate the secure data, including copy, paste, edit etc. without any training. Internal users needs to spend any time managing policy or security rights of themselves or any other users. (New users go through a one time authentication process).

The zafed data is available to online or offline users (people flying, or working from home, or disconnected for other reasons). The persistent security allows organizations to be HIPAA and HITECH compliant, including revoking users, or expiring documents as needed. It enables access to users across the world.

1296528441
Robert Siciliano update

@Simon. Appreciate your comments. The SealedMedia (founded 1996) technology has certainly been around for quite a while, and the user interface requires the ordinary user to actually interact with the rights management infrastructure.

@General

Working with most rights management technologies requires user training, and time.

It is interesting to note that Notepad is one of the more difficult editors to secure…

Zafesoft’s two value propositions are (1) – very high security. To prevent data loss, on Windows, MAC or Linux on multiple editors. Most DRM technologies do not support edit rights on these other platforms, and any user who needs to work with secure information from these platforms gets a NON-Secure version of the data which beats the point of security.

(2) User Transparency. So the users can do their job, and NOT think about managing security. They can manipulate the secure data, including copy, paste, edit etc. without any training. Internal users do NOT need to spend any time managing policy or security rights of themselves or any other users. (New users go through a one time authentication process).

The zafed data is available to online or offline users (people flying, or working from home, or disconnected for other reasons). The persistent security allows organizations to be HIPAA and HITECH compliant, including revoking users, or expiring documents as needed. It enables access to users across the world.
1296531544
Simon Thorpe @Robert well yes, users do have to authenticate to content but that interaction can be removed using SSO/ESSO technologies. The protection of content is typically automated and the integrations with DLP ensure that unprotected content can be discovered and then protected with IRM, again, without user interaction.

Good IRM technologies require little to no end user training. Training usually is given to those managing IRM classifications and typically even this level of effort is removed when integrated with provisioning systems or simply by existing group memberships that are managed elsewhere in the enterprise.

Also there are some customers who want user interaction. They want the user to have to login and realize the content is secure and therefore it is a chance to raise the awareness of the user about the classification of the content.

Securing notepad is easy, I'm not sure what leads you to think it would be difficult. I've a strong engineering background in IRM and I can tell you that integrating with Microsoft Word, Excel and PowerPoint presents a much bigger challenge to protecting content. I'd go into detail but that would require an NDA. Further... the reason you don't see many IRM solutions protecting notepad is no customer I've come across (in 12 years of working with IRM technologies) has ever asked for notepad.

Zafesoft indeed has a new and different approach, with cross platform functionality a very important feature. With regards to user transparency, the points you mention are not unique to Zafesoft and have been common in IRM technologies for many years.

The market leaders in the IRM space are Oracle and Microsoft. These are the two IRM technologies that have the most maturity and a very strong road map. If you would like, I can arrange for a presentation to you on the specifics of the Oracle IRM solution.
1296534043
Simon Thorpe @Anthonie I don't think anyone here is suggesting IRM is a 100% secure solution. There is no such thing. Anyone ever trying to convince you that a technology is 100% is wrong.

What happens when the technology fails? Mature IRM technologies are designed, where possible, to fail safe. IRM sometimes relies on elements beyond its control, e.g. protecting PDF requires some reliance on the security of Adobe Acrobat. What if a bug exists in Acrobat that exposes a weakness in the IRM solution?

A good IRM technology will be able to repudiate on certain aspects of the client. For example let's say Adobe Acrobat 10.3.2.1 has a bug. The IRM vendor would implement a fix and release a new version of the client. Then on the IRM server customers can specify not to talk to IRM clients which are opening content on a platform with Acrobat 10.3.2.1 and are not using the fixed IRM client. Because nothing is 100% secure a technology must provide an ability to respond to bugs and security issues.
1296534513
Simon Thorpe @Robert, reading your responses further it seems you may only have looked at the Zafesoft solution. What experience do you have with the other IRM vendors available?
1296534606
Peter Abatan @Robert. I am not sure you are familiar with other IRM or ERM solutions out there. There are about 25 ERM/IRM vendors out there providing different solutions, from the ones that only protect Adobe reader documents to the more sophisticated non-disruptive solution. There is really nothing new with Zafesoft that is not featured in other IRM/ERM solutions out there.

Regarding editability of secure text, as well as its continued editability across different applications, editors, and operating systems, my question is: is there really a big demand for this? I can confidently say you can grant editing rights to someone using many of the ERM/IRM solutions available.

Likewise there are many IRM/ERM solutions where users, once authorized, no longer need to interface with the solution.

Considering the heading of this post, it is really a brave claim. What Zafesoft has done will not put an end to data breaches as we know it, but will help organizations become better at securing their IP. The same applies to all other IRM/ERM solutions on the market.

Zafesoft's Z-Discovery is not new, the ability to discover and secure data has been the reason why many ERM solutions have DLP plug-ins or use context sensitive DRM, so Zafesoft is not an innovator in this area.

Because Zafesoft has not used the term ‘Enterprise Rights Management’ or ‘Information Rights Management’ does not mean it is not so when all the features indicate that it is. So whether it is user transparency, ease of use and offline access, other ERM/IRM vendors have been there before Zafesoft. The fact that Ed the pig refers to himself as Ed does not mean Ed is not a pig, no pun intended.

Like Simon @Oracle I have been working with ERM for some time and I am yet to find a client that wants to secure notepad files. However, through Fasoo's copy and paste you automatically inherit the permissions of the parent document whether you paste to word, notepad or excel to name a few.

I have been to the Zafesoft's website read the content and watched the videos, and I can confidently say there is nothing ground breaking about this solution. My conclusion is that we should not get carried away by Zafesoft's solution because it is fundamentally ERM/IRM.

As Simon asked you in his response Robert, it seems you may have only looked at Zafesoft and are not current with the solutions provided by other IRM/ERM vendors.

Peter Abatan.
The Enterprise Rights Management Blog
www.enterprisedrm.info
1296550454
Robert Siciliano Gentlemen, the purpose of this blog is to educate and respectfully discuss. I appreciate the feedback and well made points.

As Simon points out Zafesoft has a new and different approach – especially with cross platform functionality. This is a unique differentiator.

To our readers here I will say you have to see it – to understand how easy and transparent it is. We can hypothesize all day, but until you test drive you will not get it. This is a second differentiator.

From a business point of view I have some simple facts to help put the traditional DRM/IRM technologies in perspective.

Of these 25 how many reached $100 Million in product revenue? Can you name some? Please feel free to provide examples. My friends at Microsoft and Oracle tell me that this is not the case even at these large companies.

There are probably some very good reasons why customer adaption was a challenge. I learn of this as I talk to CISOs of many companies and to analysts from Gartner, Forrester, and Aberdeen etc. Ultimately business is a good judge of technology, while we can respectfully have our differences of opinion.

From a historical perspective, the next wave of security startup that came after DRM/IRM was DLP on the promise of a silent user interface; this appealed to the investors, after their non rewarding experience of DRM/IRM. Can you name some DRM/IRM companies that were a VC success?

I would recommend that our readers make up their own mind, after looking at the various technologies. If your organization has users that work on multiple operating systems and the data needs to be really easy to access, and secure then you need to see Zafesoft. Just sayin' ;)
1296655374
Simon Thorpe Robert, you are quite correct that IRM has generated the sort of revenue that DLP went on to create. In my 12 years of working with these technologies there are numerous reasons we could argue why this is so and many of those points I'd rather not discuss publicly.

However I'm confident that transparency to the end user isn't the issue. Many traditional IRM technologies can already be deployed in very transparent ways and many customers don't want the technology to be 100% transparent. There is plenty of research highlighting the security department's desire to communicate and educate end users and IRM technologies offer a chance to present security policy to an end user.

I am going to be setting up a web conference for Danny L, maybe I should extend that invite to all on this discussion, I can give you some more detailed history to IRM, go into the challenges its faced over the years and also demonstrate specifically how the Oracle IRM technology does some of the things you mention above. Contact me at simon.thorpe@oracle.com
1296661173
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.