SAN FRANCISCO -- Enterprises need to plug the leakage of critical company data flowing almost uninterrupted via...
instant message chats, mobile phone calls and lost cell phone and laptop computers, according to a mobile security and digital rights management (DRM) expert, or risk facing strict penalties or even jail time.
"It's really a good thing to start encrypting everything," said Richard LeVine, a senior manager and global lead for DRM with IT services firm Accenture, said this week during a mobile security session at RSA Conference 2007. "Warn employees of the dangers because it's everybody they know that can suffer if something leaks."
LeVine said enterprises must not only set strict security policies and enforce them, but also tell employees why a certain policy has been set. Don't ban the use of a consumer-based mobile instant messaging (IM) client. Instead, he suggested offering an alternative, such as an enterprise-level IM client that has encryption, which could be turned on and off depending on the conversation.
"We should be letting people do the workflow they do everyday," LeVine said. "Let policy changes be transparent."
According to Stamford, Conn.-based research firm Gartner Inc., up to 70% of mobile workstations and devices used outside the office are not backed up sufficiently. In addition, the analyst firm said that many laptop, PDA and mobile phones carry enough critical data to expose companies to a serious breach.
LeVine touted the use of Windows Rights Management Services (RMS), a form of DRM, as a way to encrypt critical corporate data that may be on mobile devices and home-based employees' desktop computers. RMS enables a company to lock down documents. When an employee is fired or quits his or her job, RMS gives the company the ability to lock that person out of corporate documents on a home computer or mobile device. If done right, Levine said, employees won't even notice the security features are in place.
DRM has been a major theme at RSA this year, as Microsoft Chairman Bill Gates and Art Coviello, the former CEO of RSA Security and president of EMC's new security division, both signaled in their keynote presentations that it would be a strategic initiative for their companies. While Microsoft claims to have shipped a large volume of RMS seats, Ray Wagner, a research director at Gartner, said the actual deployments appear to be few and far between.
"Deeper integration of RMS into Vista and the Microsoft apps certainly make it potentially more ubiquitous as a possibility. However, it's still not a front-burner priority for enterprises today," Wagner said.
He also said said that content management vendors, such as San Jose, Calif.-based Adobe Systems Inc. and Stellent Inc., recently acquired by Oracle Corp., also have signaled a significant push in DRM. But most DRM initiatives are currently from vendors, Wagner said, and not as a result of customer requests.
Mike Horton, a senior security strategist at Cingular Wireless, now called AT&T Mobility, said his company like many others is trying to get a handle on corporate data as employee devices grow smarter and more powerful. While implementing technology, such as encryption or device authentication, is one answer, educating employees to bring about behavioral change is also very important.
"It's not only about what technology they implement or how well they implement it," Horton said. "It's about finding a way to get employees to make minor changes in their daily lives that have a big affect on securing data."
Making policy changes to spur employee behavioral changes is one way to make a serious commitment to security and regain control of corporate data, LeVine said. For example, a plan that allows employees to be reimbursed for the cost of a memory stick or other storage device allows a company to control corporate data. When the device is lost it would have to be reported, LeVine said. Also, the company can request the device back when the employee no longer works for the company.
"It is almost always undetermined what employees take home with them and what they take when they eventually leave a company," LeVine said. "Nobody ever thinks they're a bad guy."
Dig Deeper on Information Security Policies, Procedures and Guidelines