This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
Recent cases illustrate the variety of ways valuable IP can leak out of an organization.
Essentially, a trade secret is just another piece of corporate information. Like all information, it has a lifecycle--it is created, used, shared, stored and eventually destroyed.
What makes protecting a trade secret challenging is how it changes form and proliferates through the organization during its lifecycle. It may start as a chemical process written in a lab notebook, at some point be recorded in an electronic document, become a set of discrete tasks in a manufacturing process and eventually be combined with other IP to form a product. Each of these forms--manual, digital, process, product--may have different lifecycles. At each point, the IP may face different risks that must be examined and, where appropriate, mitigated.
Various products can help protect trade secrets and IP data that exist in digital form at certain points in the data's lifecycle. There are emerging technologies that monitor the movement of structured and unstructured data and enforce actions on the data based on custom policies. These products from vendors such as Orchestria and Vericept work at the network and desktop levels, and can monitor movement, prevent data from being copied from the originating application to external sources--for example, USB drives--and help classify data as requiring more or less protection.
EMC's Infoscape can help inventory unstructured data, such as Microsoft Word documents, Adobe PDF files and various spreadsheets, and also classify it based on a company's data classification scheme. Complementary EMC products offer secure storage and archival of data. Sun Microsystems' Identity Manager can provide a foundation for controlling what systems people are given access to and what roles they are given within an application based on company-defined policy. Sun also offers integrated solutions for secure data storage.
In addition, there are products from companies such as PGP and Entrust to protect mobile data with combinations of file-level encryption and access controls on physical interfaces to the mobile device. Finally, vendors such as Adobe have developed enterprise rights management (ERM) products designed to provide data protection--specifically IP--across business processes and organizational boundaries.
Adobe offers products designed to securely capture, process, transfer and archive information, both online and offline. John Landwehr, Adobe's director of security solutions and strategy, believes that the best protection of sensitive data happens at the document level: "Given the range of devices that IP can live on--from desktops, to laptops, to PDAs and mobile phones--we think that the only viable way to persistently protect that information is if the protection travels with the document."
However, a word of caution about some of these products designed to protect confidential data: Because the vast majority are based on rule-set driven engines, the number of false positives they generate can be significant.
This was first published in May 2007