cryptography

October 22, 2008

Where is Enterprise Digital Rights Management Going?

Blogger: Trent Henry

Burton Group has long covered enterprise digital rights management (known varyingly as ERM or E-DRM). Our most recent report on E-DRM describes the technology as “driving security to the data.” Similar to consumer DRM schemes that protect Windows media or Apple iTunes content, E-DRM uses cryptography and fine-grained policies to limit what a user can do with data. Unlike consumer media, however, E-DRM is used exclusively by enterprises to protect corporate data and is typically targeted at word processing files, spreadsheets, email, and related content.

Here in Prague at Burton Group’s Catalyst Conference, many of our security talks have been geared around the trend of information-centric security. As a result, several attendees have approached me to ask, “Where is E-DRM going?”

Good question, but a hard one, because even Burton Group is of a mixed mind on the topic. On one hand, we see E-DRM as software-based technologies whose consumer counterparts have suffered one break (attack) after another. In short, they’re low-surety solutions. In addition, the products suffer from an in-your-face user experience that necessarily adds complexity for employees. On the other hand, E-DRM is arguably the finest example of security surrounding data itself: fine-grained policies (e.g. “You cannot print this document and may only email to other Finance Group members”), cryptographic protection, and prevention of other sorts of leakage (e.g. no copy/paste to unauthorized applications).

The vendor landscape for E-DRM has changed substantially in the last 18 months. Microsoft has made significant strides in adding E-DRM support to SharePoint. Oracle, through its acquisition of Stellent, picked up SealedMedia. And EMC, through its acquisition of Documentum, did the same with Authentica. The remaining standalone vendors are Adobe and Liquid Machines. It’s clear that vendors are solving one typical objection to E-DRM: the management of yet another silo of policies. By linking Enterprise Content Management (ECM) and E-DRM, the content repository’s security settings can automatically be reflected in DRM-protected documents that leave the ECM environment.

Where does that leave us?

  • We have cautious optimism that E-DRM will continue to receive uptake, even though today’s deployments tend to be relatively small and tactical.
  • We expect vendors to enhance protection, making use of trusted platform modules for integrity validation and hardware cryptomodules for improved cryptography handling.
  • We expect additional integration between rights management and content management solutions.
  • Ultimately, we think there will be interesting synergies between virtualization and E-DRM, where mobile workloads (on virtual machines) and the sensitive content they contain can be managed, tethered, and persistently secured via rights-management no matter where a machine image lands.

September 25, 2008

Have CrackBerry, Will Travel

Blogger: Dan Blum

It is no surprise for us to hear loose lips flapping in India about a capability to decrypt BlackBerry and other carrier traffic.

After all, we’ve done basic threat analysis for years and it was only months ago that I was brought into a company-wide CISO meeting at a U.S. defense contractor to help them hash out their travel policy for mobile devices. Going into the meeting, I knew their policy restricted taking devices to a list of countries considered dangerous – but there was an exemption for BlackBerries.

Our research uncovered that BlackBerry is pretty secure in most respects. It has transport encryption along with optional password protection, remote kill, disk encryption, and S/MIME encryption. Viruses have not flourished on this functionally limited and closed platform. Few if any third-party add-on programs are required for additional protection. Nonetheless, I went into the meeting prepared to talk with the CISOs about the risks and security limitations of life on BlackBerry.

Was the BlackBerry exemption reasonable? At the time, BlackBerry transport encryption was not known to have been broken (to be fair, the article listed above still qualifies as rumor, not certainty of breakage). However, I pointed out that it is dangerous to assume well-equipped attackers like military or intelligence organizations can’t crack transport encryption. And even if they haven’t cracked the BlackBerry network and whole disk encryption features, sophisticated adversaries have other attack paths. Check out Neal Stephenson’s excellent book Cryptonomicon for a description of how a talented adversary might “see” your keystrokes and screen images through a motel room wall, for example.

If one of your employees – such as a key scientist, project manager, or executive – is targeted for surveillance and is carrying sensitive data through certain countries, one could argue that he or she had better undergo serious counter-intelligence training.  Learn to spot and shake tails, sneak into dark alleys for that BlackBerry fix. Learn to paper the closet with layers of aluminum foil and send messages in the dark. Defend that BlackBerry with encryption, long passphrases, and kung fu. But unless James Bond is running your company, I doubt this is what your executives have in mind for the next business trip!

Assuming your organization’s lower-level employees are like needles in a haystack and won’t be bothered could be an exercise in wishful thinking. It is always possible that nation states are monitoring some or all of the airwaves. Not so long ago the NSA had a massive covert surveillance program in place. Years before, the government was reportedly snarfing up terabytes of emails and crunching them through a program called Carnivore. And of course, selective monitoring of people on watch lists continues on a large scale. This is just the surveillance we know about in the U.S. We suspect there’s more behind the scenes and especially in countries such as China. Even if you train your non-specifically-targeted low-level employees to write and speak in search-keyword-free code, the carnivore programs of the world are pretty good at sniffing out those interesting needles – such as descriptions of your business plans, manufacturing processes, and trade secrets.

Sound paranoid? I admit that I don’t know what the probabilities of being targeted or monitored are – just that it can happen. It’s the height of arrogance to believe that a nation state can’t get your information if they’ve targeted it and you’re within their borders. And it’s dangerous to rely on security by obscurity when medium or high consequence information must be protected.

What can be done? If key personnel can't dispense with the BlackBerry (or any other email device) during international travel to those countries where information may be most at risk, they (the users) should limit communications to what they’d feel comfortable uttering over a potentially-monitored telephone call. Controlling incoming communications – messages sent by others – is a harder problem. Until data loss prevention (DLP) products become more contextually sensitive about the travel issues, it may be best not to synchronize the BlackBerry with the overseas user’s home mailbox. Instead, have the user give out a temporary address for the BlackBerry and warn senders to be discreet.

February 19, 2008

Best Security Never

Blogger: Trent Henry

Last week, security.itworld.com ran a piece talking about attacks against encryption. Specifically, they raised the danger of attacks against data-at-rest (i.e., stored data) encryption.

This is something we pointed out in our VantagePoint TeleBriefing last year. (Score one for our prognostication.) We called it "Best Security Never" and warned our clients that increased use of encryption brings increased requirements for strong key management.

Personally, I think a greater risk is poor key archival. When an employee gets hit by a bus, you don't want to lose critical information encrypted on a local hard drive. However, attacks against key management infrastructure itself are also a legitimate concern. If bad guys are able to access individual keys (or, gasp, master keys), a company’s information confidentiality can be written off. If an adversary damages keys, information availability can be written off as well. These scenarios pose issues similar to today's stored keys in Kerberos servers or Active Directory instances. Enterprise-wide key management simply further exacerbates risk aggregation.

This means security teams need to take oh-so-careful measures to protect their central key stores. But this protection is by no means the whole story. When Burton Group talks about encryption, we discuss the entire "supporting cast" of requirements: proper user authentication, cipher implementation, administrator controls, etc. So although key management--and potential attacks against keys--is an important consideration, it's just one of many things that a well-architected enterprise encryption solution should address....
