The president of a prospect was recently discussing with us whether Oracle IRM (information rights management) was a good way of preventing data loss, and a viable alternative to a DLP (data loss prevention) system. Rights management would appear at first blush to be orthogonal to data loss prevention but it’s an interesting question that got me thinking.
The answer lies in understanding the fundamentals of crime.
Like any other crime, insider abuse requires a combination of means, opportunity, and intent.
Means comes from giving insiders legitimate user accounts with the rights to access certain applications, databases and file services. Insiders have knowledge of how the system works, the business processes, the company culture and how people interact. They know who manages the rights management systems and who grants system permissions. With the right knowledge and social connections, means can be obtained even if they were not originally granted by design.
An example is a recent fraud event at a French bank by a trader who had worked in the past in the bank’s audit group. He knew what trades would raise red flags and what would not, and as a result could fly under the radar. Another example is a director of new technologies who held thousands of confidential product design and business development documents that were not protected by the Oracle IRM system the company used, simply because they were not yet part of the manufacturing process. Both people had the means and later went on to abuse their privileges, one with fraudulent trades and the other with data theft.
The second piece is opportunity. With access to systems and their data, daily interaction with the applications and other users, an insider has the opportunity to exploit people and system vulnerabilities and steal data or modify data for personal gain.
The third element is intent. Intent is tricky. You may be OK today, but tomorrow, after getting fired, you may be tempted to do something stupid and steal some company IP. Perhaps an employee is short of cash, needing to make payments on a house. A bribe from a competitor can look mighty inviting, and not so wrong, when it comes from a person we believe to be a friend operating in our best interests. In my experience, most data loss events are intentional. True, there are events where an employee sends a confidential agreement to a competing vendor by mistake; these are well publicized, but the real damage is generally low and employees are usually forgiven for their mistakes, especially when the company culture rewards risk-taking.
DLP products are becoming very capable. Agent-based products from Verdasys cover an exceptionally wide range of channels, from removable devices to web applications, and network DLP products like Fidelis Security XPS cover a wide range of network channels with powerful content interception and classification tools that offer high precision and recall (if you’re willing to watch the violations and invest in improving your monitoring).
Using our crime model, we now realize that IRM mitigates the vulnerability of “means”. Once rights are granted, an IRM security countermeasure has finished its job. DLP, on the other hand, can be an effective countermeasure for vulnerabilities of “opportunity” and “intent”. IRM might be used for document control of management board files but not for managing passwords in a biometrics system. The management board members are senior, well-educated, highly-paid people who have everything to lose by leaking a confidential file. On the other hand, the person managing the biometrics system may be a new hire in the security department with everything to gain and nothing to lose.
IRM and DLP each have their own place in the armory of security countermeasures, each with fixed costs of acquisition and variable costs of implementation and maintenance. DLP and IRM can be complementary (producing better risk mitigation when used together), but practice shows that multiple security systems often result in higher costs and lower security due to system interactions, multiple configuration issues and a state of complacency generated at the management level by high levels of security and risk management spending. (“I bought the best that money can buy from McAfee and Oracle, so I must be protected.”)