RSA: Accenture executive touts DRM, corporate data lockdown

By Robert Westervelt, News Editor 08 Feb 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

"It's really a good thing to start encrypting everything," said Richard LeVine, a senior manager and global lead for DRM with IT services firm Accenture, said this week during a mobile security session at RSA Conference 2007. "Warn employees of the dangers because it's everybody they know that can suffer if something leaks."

RSA Conference 2007 Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.

LeVine said enterprises must not only set strict security policies and enforce them, but also tell employees why a certain policy has been set. Don't ban the use of a consumer-based mobile instant messaging (IM) client. Instead, he suggested offering an alternative, such as an enterprise-level IM client that has encryption, which could be turned on and off depending on the conversation.

"We should be letting people do the workflow they do everyday," LeVine said. "Let policy changes be transparent."

According to Stamford, Conn.-based research firm Gartner Inc., up to 70% of mobile workstations and devices used outside the office are not backed up sufficiently. In addition, the analyst firm said that many laptop, PDA and mobile phones carry enough critical data to expose companies to a serious breach.

LeVine touted the use of Windows Rights Management Services (RMS), a form of DRM, as a way to encrypt critical corporate data that may be on mobile devices and home-based employees' desktop computers. RMS enables a company to lock down documents. When an employee is fired or quits his or her job, RMS gives the company the ability to lock that person out of corporate documents on a home computer or mobile device. If done right, Levine said, employees won't even notice the security features are in place.

DRM has been a major theme at RSA this year, as Microsoft Chairman Bill Gates and Art Coviello, the former CEO of RSA Security and president of EMC's new security division, both signaled in their keynote presentations that it would be a strategic initiative for their companies. While Microsoft claims to have shipped a large volume of RMS seats, Ray Wagner, a research director at Gartner, said the actual deployments appear to be few and far between.

"Deeper integration of RMS into Vista and the Microsoft apps certainly make it potentially more ubiquitous as a possibility. However, it's still not a front-burner priority for enterprises today," Wagner said.

He also said said that content management vendors, such as San Jose, Calif.-based Adobe Systems Inc. and Stellent Inc., recently acquired by Oracle Corp., also have signaled a significant push in DRM. But most DRM initiatives are currently from vendors, Wagner said, and not as a result of customer requests.

Mike Horton, a senior security strategist at Cingular Wireless, now called AT&T Mobility, said his company like many others is trying to get a handle on corporate data as employee devices grow smarter and more powerful. While implementing technology, such as encryption or device authentication, is one answer, educating employees to bring about behavioral change is also very important.

"It's not only about what technology they implement or how well they implement it," Horton said. "It's about finding a way to get employees to make minor changes in their daily lives that have a big affect on securing data."

Making policy changes to spur employee behavioral changes is one way to make a serious commitment to security and regain control of corporate data, LeVine said. For example, a plan that allows employees to be reimbursed for the cost of a memory stick or other storage device allows a company to control corporate data. When the device is lost it would have to be reported, LeVine said. Also, the company can request the device back when the employee no longer works for the company.

"It is almost always undetermined what employees take home with them and what they take when they eventually leave a company," LeVine said. "Nobody ever thinks they're a bad guy."

<< Return to our special coverage of RSA Conference 2007

Tags: Information Security Policies, Procedures and Guidelines,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information Security Policies, Procedures and Guidelines Twitter risks, Facebook threats trouble security pros Cybersecurity czar candidate questions clout of new position Incident response planning The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence DHS fills National Cybersecurity Center post New partnerships, creative thinking help security bust recession Experts optimistic of Obama cybersecurity plan

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary