Secure Information Sharing: Which approach to choose?

28.02.2014 by Martin Kuppinger

There are various approaches to Secure Information Sharing (SIS), as I have explained in previous posts. However, which one is the best? As always, there is no simple answer. It depends on the requirements of the customers. Nevertheless, the various product categories have their strengths and limitations.

Let’s look at the categories within SIS first:

  • IRM: Information Rights Management is about technologies that encrypt documents and assign entitlements. Users can only open the documents if they are entitled. Applications enforce the entitlements such as limitations on printing, sharing, editing, etc.
  • Secure Data Rooms: This category provides secure data stores. These data stores can be accessed by various persons, allowing them to share information. A typical use case is sharing data in merger & acquisition processes. Typically, online editing is allowed but downloading is restricted, so that these solutions also can enforce restrictive entitlements on documents.
  • Collaborative Networks: These networks typically are focused on industry collaboration and provide environments that enable not only information sharing but also the management of the users and other functions. The obvious limitation is that they do not enforce entitlements on documents once these are downloaded. However, combination with IRM is potentially feasible.

When looking at these three concepts, IRM appears to be the best choice. The challenge for now has been, that IRM solutions had their challenges in managing (external) users, that they were lacking broad application support, and that most of them were rather complex to implement. As mentioned in a previous blog post, Microsoft has removed these barriers with its Azure RMS service. Thus, IRM is now an approach that any organization should consider to fulfill its need for SIS. Aside from Microsoft, there are some other players in the market, such as Nextlabs, Covertix, Watchful Software, or Seclore. They might work well for specific requirements.

The strength of Secure Data Rooms is primarily that they are “ready to use”. Instead of setting up an IRM infrastructure – which even based on Cloud offerings requires some planning – they can be used immediately. Thus they are a good solution for rapid deployment. However, IRM appears to be the more sustainable concept.

Collaborative Networks have a somewhat different role, because they provide value-add services for communities within industries. They are not only a tool but a service. The larger the community, the higher the value.

All approaches to SIS have their strengths and their weaknesses. However, there is good news: There are sufficient mature options now for SIS to finally start the SIS program in any organization. There is no argument anymore for collaborating with business partners without SIS in place.

Don’t miss EIC 2014 – it will be the place to learn more about Secure Information Sharing.


The need for Secure Information Sharing

24.02.2014 by Martin Kuppinger

A while ago, I wrote about the changing market for Secure Information Sharing. I also recently published a report on Microsoft Azure RMS, one of the most important products in that market segment, and further reports will follow.

The first question is: What is Secure Information Sharing (SIS) about? It is about technologies that allow sharing information across the boundaries of an organization in a secure manner. Such technologies ensure encryption of the document both in motion and at rest. Furthermore, they apply and enforce access control, restricting access to the documents and (ideally) enforcing entitlements for editing, printing, forwarding, etc.

SIS has been a requirement of many organizations for years now, especially organizations that need to share information with a broad number of business partners and have complex supply chains. Some, such as the automotive industry, aerospace & defense, or life sciences, have been looking for such solutions for several years. In some of these industries, collaboration networks that enable SIS are established. These industries also are the ones who have been most active in demanding improved IRM (Information Rights Management) solutions.

So why do we need SIS? There are some reasons:

  • Agile, connected businesses lead to new requirements for collaboration. A good example is the life sciences industry, where success and time-to-market frequently depend on efficient collaboration with various external parties. Such collaboration, especially in a competitive environment with strong regulatory requirements and tough competition, requires the ability to securely share information.
  • Regulatory compliance is a strong driver for SIS. The ever-increasing requirements push the demand for SIS in various industries – again life sciences is a great example.
  • The fear of organizations regarding industrial espionage also increases the demand for solutions that seamlessly protect information at rest, in motion, and in use – and that’s where SIS comes into play.
  • Finally, traditional IT security such as firewalls and Data Leakage Prevention (DLP) are not sufficient to fulfill these requirements. New types of solutions are required.

From my perspective, the potential for Secure Information Sharing (SIS) technologies is based on these considerations and the fact that SIS focuses on the right perimeter. This perimeter is not the server system, it is not the end user’s device, and it is not the firewall. It is the information. Information Security, as the name implies, is about securing information – and that is what SIS does.

My next post on this topic will dive a little deeper into the strengths and weaknesses of various approaches.


Microsoft RMS Security and Confidentiality

21.02.2014 by Martin Kuppinger

Microsoft Rights Management Services (RMS) is a solution that might help Secure Information Sharing become a topic for the masses, at least at the enterprise level. I just recently wrote a report on the product. However, as with any Information Security technology – especially ones that are Cloud-based – there are questions about security details.

For Microsoft Azure RMS specifically, it is worthwhile to look at this post. It describes in detail how RMS protects and consumes documents. The other document worth having a look at is a whitepaper Microsoft published a while ago. That whitepaper goes (among other topics) into detail regarding two important aspects:

  • The various deployment options from fully Cloud to “pretty much on premises”
  • The BYOK (Bring Your Own Key) approach that allows doing a lot of things based on local HSMs (Hardware Security Modules)

These might answer some of the questions you might have concerning security and confidentiality of Microsoft RMS.


Secure Information Sharing – a lot of new momentum

22.11.2013 by Martin Kuppinger

During the last few months, we have seen – especially here in Europe – a massive increase in demand for methods to securely share information, beyond the Enterprise. The challenge is not new. I have blogged about this several times, for instance here and here.

While there have been offerings for Information Rights Management or Enterprise Rights Management for many years – from vendors such as Microsoft, Adobe, Documentum or Oracle, plus some smaller players such as Seclore – we are seeing  a lot of action on that front these days.

The most important one clearly is the general availability of Microsoft Azure RMS (Rights Management Services), with some new whitepapers available. I have blogged about this offering before, and this clearly is a game changer for the entire market not only of rights management, but the underlying challenge of Secure Information Sharing. Microsoft also has built an ecosystem of partners that provide additional capabilities, including vendors such as Watchful Software or Secude, the latter with a deep SAP integration to protect documents that are exported from SAP. And these are just two in a remarkably long list of partners that help Microsoft in making Azure RMS ready for the heterogeneous IT environments customers have today.

Aside of the Microsoft Azure RMS ecosystem, some other players are pushing solutions into the market that can work rather independently, somewhat more the way Seclore does. Two vendors to mention here are Nextlabs and Covertix. These are interesting options, especially (but not only) when there is a need for rapid, tactical solutions.

Other vendors that are worth a look in this market for Secure Information Sharing include Brainloop and Grau Data. Both are German vendors, but there are other solutions available in other countries and regions. These focus primarily on providing a space to exchange data, while the others mentioned above focus more on data flowing rather freely, by protecting these documents and their use “in motion” and “in use”.

The current momentum – and the current demand – are clear indicators for a fundamental shift we see in Information Security and for Information Stewardship. In fact, all these solutions focus on enabling information sharing and allow users to share information in a secure but controlled way. This is in stark contrast to the common approach within IAM (Identity and Access Management) and IAG (Identity and Access Governance), where the focus is on restricting access.

Secure Information Sharing enables sharing, while the common approaches restrict access to information on particular systems. So it is about enabling versus restricting, but also about an information-centric approach (protect information that is shared) versus a system-centric concept (restrict access to information that resides on particular systems).

With the number of solutions available today, from point solutions to a comprehensive platform with broad support for heterogeneous environments – Microsoft Azure RMS – there are sufficient options for organizations to move forward towards Secure Information Sharing and enabling business users to do their job while keeping Governance, Compliance, and Information Risks in mind. Regardless of the business case, there are solutions available now for Secure Information Sharing.

It is time now for organizations to define a strategy for Secure Information Sharing and to move beyond restricting access. More on this at EIC Munich 2014.


Information Rights Management: Microsoft gives it a new push – just in time to succeed

11.08.2013 by Martin Kuppinger

Information Rights Management is the discipline within Information Security and IAM (Identity and Access Management) that allows protecting information right at the source: The single file. Files are encrypted and permissions for using the files are directly applied to the encrypted and packaged file.

This allows protection of documents across their entire lifecycle: At rest, in motion, and in use. Other Information Security technologies might only protect files at rest. Classical file server security can enforce access rights. However, once a user has access, he can do with that file whatever he wants to do. Other technologies protect the file transfer. But all of them fail in securing information across the entire lifecycle. That is where Information Rights Management comes into play.

Information Rights Management – more important than ever before

Information Rights Management (IRM) is more important than ever before. An increasing number of attacks against both on-premise and Cloud IT infrastructures and the uncertainty and concerns regarding the access of governmental agencies to data sent over the Internet and held in the Cloud are driving the need for better Information Security approaches that protect information throughout their lifecycle. In addition, there is an ever-growing number of regulations regarding Privacy, the protection of Intellectual Properties, etc.

Information Rights Management is the logical solution for these challenges, as long as documents are concerned, because – as mentioned above – it protects information at rest, in motion, and in use. This depends on the types of applications, requiring applications with built-in support for Information Rights Management or workarounds that at least inhibit certain operations such as printing.

Clearly, Information Rights Management also has its limits. The person photographing the screen still can bypass security. However, using Information Rights Management on a large scale would mean a big step forward for Information Security.

IRM: Not new – so why haven’t we already seen a breakthrough?

Given that IRM is such a logical approach to use for improving Information Security, the obvious question is: Why don’t we already use it? There are several offerings from various vendors, but we are far away from widespread adoption.

There are many reasons for that. The most important ones, so far, have been a lack of broad support for various file formats and applications, issues in dealing with external users that need to consume information, and the complexity of implementation. There have been other challenges, but these three are the most relevant ones.

Microsoft to remove the IRM inhibitors

Microsoft, one of the vendors that has been active for years now in the IRM market, is now tackling these inhibitors. The Microsoft RMS (Microsoft Rights Management Services) have been re-designed and enhanced. The Microsoft promise is that “Microsoft RMS enables the flow of protected data on all important devices, of all important file types, and lets these files be used by all important people in a user’s collaboration circle”. Another important capability is what Microsoft calls BYOK – Bring Your Own Key. Companies can manage their own keys in their own HSM (Hardware Security Module) on-premise, however the HSM can be asked to perform operations using that key. This is a complex topic I will cover more in depth in another post. There is also a broad range of implementation models, from doing everything in the cloud to more “cloud hesitant” approaches, serving the needs and addressing the concerns of various types of customers.

The Microsoft Rights Management suite is implemented as a Windows Azure service. By moving IRM to the Cloud, Microsoft enables flexible collaboration between various parties, beyond the traditional perimeter of the enterprise. Companies can flexibly collaborate with their business partners.

Moving RMS to the Cloud might raise security concerns. However, the documents themselves are never seen by the Azure RMS service. Azure RMS is responsible for secure key exchange between the involved client devices. It is responsible for requesting authentication and authorization information. This is done by relying on either the federated on-premise AD or Windows Azure AD. Other Identity Providers will be added over time, including Microsoft Account (aka LiveID) and Google IDs. Furthermore, Windows Azure AD provides flexibility for federating with external parties.

This flexibility is also the answer to the challenge of supporting all users within a collaboration circle. Windows Azure RMS does not rely on the on-premise Active Directory (and ADFS-based federation) solely, but is far more flexible in onboarding and managing RMS users. Users from external partners can self-sign-on once they receive an RMS-protected document.

The second challenge always has been the management of file types and applications. Microsoft RMS supports “RMS-enlightened applications” (i.e. ones that have built-in support for RMS), a free RMS App that runs on various operating system platforms and supports various standard formats such as JPG, TXT, and XML, and finally a wrapping approach to protect file types that are not supported by the other two approaches. Furthermore, Microsoft has started building a significant ecosystem with various partners supporting environments such as CAD systems or documents exported from SAP environments. Based on these changes, RMS works well on a broad range of devices and for all relevant file types, including native support for the PDF format in the Microsoft-provided PDF reader.

With Azure RMS and all the new features in Microsoft RMS setup and management of RMS becomes far easier than ever before – including policy management and usability for end users.

Thus, Microsoft provides answers to all three challenges mentioned at the beginning of this note: Dealing with all types of users; dealing with all types of file formats and applications; and reducing the complexity of IRM and specifically their own RMS.

There are some good sources for further information:

Have a look at these. From my perspective, it is well worth spending time on evaluating the new Microsoft RMS and Windows Azure RMS. I see a strong opportunity for the breakthrough of IRM as a technology with mass adoption.

This is only my first post on this subject, further posts will follow.


Context-aware, information-centric, identity-aware, versatile

03.02.2011 by Martin Kuppinger

Recently another analyst company had a presentation titled “The future of Information Security is context- and identity-aware”. Yes – but not that new. I remember that we had the context-based approaches as a key trend at our second European Identity Conference, back in 2008 (thus the upcoming EIC 2011 is IMHO the best place to learn about the new trends and the best practices for today around IAM, Cloud Security, GRC, and related topics).

I personally think that there are some important aspects to consider when looking at the overall topic of Information Security:

  1. First of all: It is about the I in IT, not the T. It is Information Security, not Technology Security. That is information-centric.
  2. You need to have the organizational structure, the processes, the policies in place before you look at technology.
  3. You need standards around information security for your entire application environment to reduce the grass root seecurity approaches and islands.
  4. Context is an important thing. Context defines criteria to understand the risk of interactions and transactions.
  5. Given that, it is mainly about risk. Context helps you in better dealing with risks, but the core thing is risk.
  6. Regarding identity-aware I’m a little reluctant. That is correct in the sense that there is little value in just looking at information or systems but not the identity. Look at DLP: Not allowing to transfer information is wrong – it is about allowing only the right people to transfer the right information. In that sense, identity-aware is important. Have a look here (not that new…) where I have put DLP into context. But you should be careful – it is not necessarily about a 1:1 mapping person:identity. There are situations (think about identity federation) where it might be a role, a group of people.
  7. Versatility is as well important – the flexibility to authenticate people in a flexible way, which is a prerequisite to support all types of potential users, internal as external.

Information security is a key topic for every organization (and not only the IT department). Following the principles above should help you to better understand the value of technical approaches. Technology which doesn’t support the principles and is not “backed” by the organizational structure, processes, and so on will only have limited value to achieve your targets around information security.


Lessons enterprises should learn from the recent wiki-leak

17.12.2010 by Martin Kuppinger

There has been a lot of discussion around Wikileaks publishing an incredible amount of data which has been classified as confidential by the US Government. I don’t want to discuss this from specifically – many people have done this before, with fundamentally different conclusions. More interesting is what this means for private organizations, especially enterprises. Wikileaks has threatened some of them: The russian oligopolies, the finance industry in general. That comes to no surprise. Wikileaks founder Assange rates them as “bad”,e.g. his enemies. Given that Wikileaks isn’t alone out there, there is an obvious threat to any enterprise. Some might think that construction plans of the defense industry should be published. Others might think that should be done with blueprints from the automotive industry after claimed incidents. Or with the cost accounting of the utilities if power or gas appears to be too expensive. I don’t want to judge about the reasons – I have my personal opinion on this but that’s out of the scope of this post.

Looking at that situation from an enterprise perspective, it becomes obvious that information security has to move to the top of the CIO agenda (and the CEO agenda!) if it isn’t yet there (and given that the enterprise isn’t willing to share everything with the public – blueprints, calculations, whatever,…). That requires approaches which are somewhat more fine-grain than the once which obviously have been in place in the US government, allowing a private (or something like that, I’n not that familiar with the ranks in the US military) to access masses of documents. It also requires to efficiently protect the information itself instead of the information system only. Information tends to flow and once it is out of the system the system-level security doesn’t grip anymore.

That leads inevitably to the topic of Information Rights Management (IRM) which is a frequent topic in the blogs of Sachar Paulus and me – just have a look at our blogs. However, implementing IRM the typical way in organizations requires using centralized policies, classifications, and so on. And classification obviously failed in the last Wikileaks incident. Thus, I’d like to bring in an idea Baber Amin recently brought up in a discussion during a KuppingerCole webinar. He talked about “identity-based encryption” which in fact means encrypting it in a way which is controlled by the single user. That leads to an IRM where the single user controls who is allowed to use information he creates or owns. It is not (mainly) the organization.

But: Will that work? Some arguments and counter arguments:

  1. Information is not accessible once the user leaves the organization: Not correct, there might be an additional “master” key to allow recovery and so on. Many lessons could be learned from Lotus Notes in that area, to name an example.
  2. There are no corporate policies: Not correct, these could be understood as a second level of protection, adding to the first level managed by the user. E.g. classical IRM and personalized IRM could be combined.
  3. It won’t work because the user doesn’t understand what to do: Not correct. Just look at how users are dealing with information security in their daily live. For sure some things are going wrong and lessons have to be learned (not to appear drunken on a photo in Facebook, for example), but overall that works pretty well. Combined with the corporate policies, that should turn out to be much better than corporate policies only. Trust the employee and the wisdom of crowds.

Simply spoken: Think about doing it different than before. It is not about adding new tools at the (perforated) perimeter and all these point solutions. It is about building few consistent lines of defense, including and especially the next-generation IRM. For sure there is some way to go and tools aren’t there yet. But when thinking about how to protect your intellectual properties and the secrets your organizations wants to have (for whatever reason – I don’t judge here…), you should definitely think beyond the traditional approaches of IT security – look especially at Information Security instead of Technology Security, e.g. the I and not the T in IT.

When you think that this topic is worth to think about, you shouldn’t miss EIC 2011 - the conference on IAM, GRC, Cloud Security and thus also about things discussed in this post. And don’t hesitate to ask for our advisory services ;-)


Another approach to IRM

14.10.2009 by Martin Kuppinger

Last week I had a discussion with Seclore, a software company based in Mumbai, India. They are focusing on the area of Information Rights Management (IRM), one of my favourite research areas. I’m interested in this topic mainly for two reasons:

  1. Information Rights Management is one of the IT topics with the closest relation to the core business topic of Information Security/Protection (including Intellectual Property Rights, IPRs).
  2. Information Rights Management is the approach which allows the ongoing protection of information at rest, in move and in use – compared to many other approaches which cover only one of these phases.

Most solutions in that market are based on plug-ins into existing applications which enforce the IRM policies. The policies are managed centrally, information (documents) are protected by encryption.

Seclore’s approach is different in that they not mandatorily rely on such plug-ins but mainly act “below” the application. The client component (which is required to access protected, e.g. encrypted, documents) tries to analyze the activities off the application like access to the file system. One impact of that approach is that a document might be opened with different applications supporting the specific document format.

Even while I personally believe that implementing IRM functionality within the applications (the more common approach of vendors like Microsoft, Adobe and Oracle) allows a tighter control about the actions of a user and application on a document, the Seclore approach has some appeal. It is lightweight and works well today with different applications and in different environments, beyond the enterprise. As long as there is no common standard for the interactions of applications (the policy enforcement points) and the IRM backend systems across different vendors, this is a workaround. And once there is such a standard, Seclore is very likely to support it. Thus, not only looking at the big vendors but as well at Seclore makes sense in these early days of Information Rights Management.


Again: Identity Data Theft

22.01.2009 by Martin Kuppinger

Yesterday, news spread about the theft of millions of credit card dates at the US company Heartland Payment Systems, based in Princeton, New Jersey. Even while that might be one of the largest cases of data theft in the credit card industry, it wouldn’t be that interesting that I’d blog about. The – from my perspective – really interesting point is, from what I’ve read in the news, the way the attack has been performed.

The information sent is encrypted but has to be decrypted to work with it. The attackers grabbed the then unencrypted information. Surprise? Not really. The problem with security is that virtually any approach is incomplete – and thus inherently insecure. Examples?

  • Passwords are frequently encrypted via SSL when sent to a eCommerce website but then decrypted and compared – and often they are even stored unencrypted and sent back in case of a lost password. I’ve just seen this again recently, when I received my password in cleartext via eMail.
  • Data is encrypted on a specific type of device using some DLP (Data Loss Prevention) technology. Once delivered, it is decrypted – and might be mailed as an attachment.
  • Access Control Lists are enforced to provide security for data at file servers – but they are sent to the client unencrypted and the user might store an unshielded copy (or mail it or do something else).

These are just three examples – of hundreds or thousands. Another was discussed in a Kuppinger Cole Webinar yesterday, where we talked about “service oriented security”, e.g. application security infrastructures, SOA security, and so on. The question was about the security between the applications and the security systems (and eventually the security systems themselves). That is a good question. Often there are security holes somewhere at the center of the security system. SSL itself isn’t the answer. In that case it is about a consistent security approach. Unfortunately, even many IAM and GRC applications don’t provide a really sophisticated security model.

Another interesting point is that there are always other potential security holes. Trojans which grab keystrokes are one example, the man behind you reading the information at your screen is another one. Some of these problems can be adressed, for example with external keyboards for entering sensitive information in eBanking. Others will be always there.

There is no easy solution to these issues. Information Rights Management will help to address many of these problems – I’ve blogged about the need for IRM some time ago. But IRM won’t solve everything. Information has to be processed, thus the systems which process data are extremly sensitive (like in the case I’ve started with). And a business document in an ERP system is, finally, stored in fragments within a database.

From my perspective, the most important point is to work on an authorization strategy (or access strategy) which covers all aspects. Any investment in DLP is at risk as long as it isn’t part of the bigger picture. Point solutions are perfect for masquerading the real security problems, but they don’t really solve them. An overall strategy which identifies the security holes and which tries to use a limited number of well linked technologies is mandatory to minimize security risks. That strategy has to include everything, from the firewall and SSL-secured connections to IRM and the security of backend systems. That is no easy task, especially because there are frequently many different parties involved which all claim that they have found the holy grail for enforcing security. But it can be done – and it will save you a lot of money by avoiding investments in security technology which don’t really solve your problems.

For the ones of you capable of reading German: Please participate in this survey. That fits well to the topic of this blog post.


Why Information Rights Management is mandatory…

14.05.2008 by Martin Kuppinger

Information Rights Management (IRM) is one of these technologies which isn’t really successful until now, even while it is discussed and available for a pretty long time. IRM is about protecting the information directly, through signatures, encryption and a direct assignment of rights. These rights describe who is allowed to do what with that piece of information.

There are some reasons why IRM isn’t adopted widespread today. One is the complexity of the concepts. Without understanding PKIs and Public Key encryption it is impossible to really understand IRM. Another reason are the somewhat limited implementations. Most of them are fine for a limited set of applications and environments. Microsoft’s Windows Rights Management Services are great for Windows and Office. They even work in a B2B environment with some trust between the partners. But they are mainly for Microsoft apps. How about CAD and blueprints? How about the other office apps? And all the other types of documents, starting from XML documents, which are sent and stored? There are some other solutions, but most of them are either from pretty small vendors or very limited in scope.

But the most important reason is, in my opinion, that the relevance of Information Rights Management isn’t fully understood. Even when I talk with IAM responsible, IRM seems to be amongst the best hidden secrets. But access control which is limited to data in a silo like a file server or a document management system isn’t sufficient. Data is read and used by users, attached to mails, transferred via FTP – the perfect way to bypass most security concepts [I had a very interesting conversation with Taher Elgamal from Tumbleweed some days ago – Taher has been responsible for “inventing” SSL at Netscape, and it is definitely worth to have a look at Tumbleweed’s approaches to minimize FTP risk] and so on.

But if you look on it the other way round, everything is fine. IRM works as well for data which is stored in silos. With other words: If you use IRM for any type of information there is no necessity anymore for the classical access control approaches. The best way to protect information is to do it directly at the level of the information – and not at the level of one of these many systems which might change, transport or store the information. Given that, it is really time for an industry-wide initiative for IRM standards which work on every platform and with every type of information and every application.


Services
© 2014 Martin Kuppinger, KuppingerCole