Enterprise Rights Management: How to Prevent Corporate Data Breaches
Like most large enterprises, Flextronics built strong defenses against external attacks, says Brian Bauer, the company's vice president of global IT policy at the time and now a partner at information services consulting firm Bauer & Associates. Those defenses, however, were not applied to employees, customers, and contractors.

One challenge is to ensure that clients and contractors can access only the databases relevant to their projects. The company designs and manufactures products for some of the world's leading router, video game and medical device companies, and many of these customers compete with each other. The company also needed a way to stop design engineers from leaking valuable and important data. Bauer says that in his experience, seventy percent of data loss is due to operational error rather than intentional theft.

Flextronics' IT team initially tried a "total lockdown," preventing employees from posting any important information on blogs or social networks, bringing in portable hard drives or cameras, or even using the Internet. The result was predictable: the rules infuriated engineers, who complained that they couldn't access the information they needed to do their jobs. Eventually the company turned to an enterprise rights management (ERM) platform, NextLabs' Enterprise DLP, which combines data loss prevention and information rights management.

Setting Policies vs. Clarifying Permissions

Data loss prevention (DLP) software scans information sent outside the firewall and applies security policies to it. These policies are usually based on the content of the information, such as a rule that a message containing certain keywords or phrases cannot be stored on a particular device or leave the company unencrypted.
For its part, information rights management (IRM) focuses on applying detailed user access rights to digital data objects located outside the corporate firewall. For example, an employee outside the organization may be able to read or change a file on his or her smartphone, but not send the file or download it to a removable storage device.

Once Flextronics deployed Enterprise Data Loss Prevention controls, design engineers were able to access information and collaborate with colleagues as needed, and could bring mobile storage devices (but not cameras) into the company, Bauer said. When NextLabs' Enterprise DLP software discovers that an employee is trying to blog about important design information, send it to an unsecured Web mailbox or download it to a mobile device, it blocks the operation and sends the employee a corporate policy note. The product also automatically creates audit files to track who is or isn't following company policies.
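The sketch below is an added example, not NextLabs' product logic or policy syntax. It shows how a per-user IRM rights check and a content-based DLP rule can combine into one allow/deny decision with an audit record. The users, document name, keywords and destination labels are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy data (hypothetical; not NextLabs policy syntax).
KEYWORDS = ("schematic", "design spec", "confidential")
BLOCKED_DESTINATIONS = {"blog", "webmail", "removable_storage"}
RIGHTS = {  # IRM: (user, document) -> actions that user may perform
    ("alice", "router-x.pdf"): {"read", "edit"},
    ("carol", "router-x.pdf"): {"read", "edit", "send"},
}
AUDIT_LOG = []  # every decision is recorded, allowed or not


@dataclass
class Request:
    user: str
    document: str
    action: str          # read, edit, send, download
    destination: str     # internal, partner, blog, webmail, removable_storage
    content: str
    encrypted: bool = False


def keyword_hits(content):
    """DLP content rule: return the policy keywords found in the content."""
    text = content.lower()
    return [k for k in KEYWORDS if k in text]


def evaluate(req):
    """Check IRM rights first, then DLP content rules; audit the outcome."""
    hits = keyword_hits(req.content)
    # Unknown (user, document) pairs get an empty rights set: default deny.
    if req.action not in RIGHTS.get((req.user, req.document), set()):
        decision, reason = "deny", "IRM: action not granted to this user"
    elif hits and req.destination in BLOCKED_DESTINATIONS:
        decision, reason = "deny", f"DLP: {hits} may not go to {req.destination}"
    elif hits and req.destination != "internal" and not req.encrypted:
        decision, reason = "deny", "DLP: sensitive content must be encrypted"
    else:
        decision, reason = "allow", "within policy"
    AUDIT_LOG.append((req.user, req.document, req.action, req.destination, decision))
    return decision, reason


if __name__ == "__main__":
    doc = "Confidential schematic for Router X"  # constructed sample content
    for r in (Request("alice", "router-x.pdf", "edit", "internal", doc),
              Request("alice", "router-x.pdf", "download", "removable_storage", doc),
              Request("carol", "router-x.pdf", "send", "webmail", doc),
              Request("carol", "router-x.pdf", "send", "partner", doc, encrypted=True)):
        print(r.user, r.action, r.destination, "->", evaluate(r))
```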