Thursday, November 1, 2007

Is IP protection/regulatory compliance important to your organization, and if so, what software products are you using to protect yourself?

Up until this point, I've been on the vendor side, exclusively within the segments of endpoint data protection/data loss prevention and enterprise rights management. I've seen a fair number of business use cases, and I've seen concerned executives, but it seems like a fair number of decision makers are just "dipping their toes in the water", so to speak, on software technologies which address the problem. Very few (aside from a handful of visionaries) are willing to take the plunge and roll out an enterprise data protection strategy. Why is this? Given the exposure in the media on lost customer records, social security numbers, misplaced or lost critical corporate intellectual property on hard drives... the list goes on and on... you would think executives would be champing at the bit to acquire solutions to address this very large and very visible problem.

Instead, there seems to be a high level of confusion and indecision within the market. There are a number of point solutions, but no one seems to be able to do everything out of the box. And those solutions that say they can do everything out of the box often neglect to mention that much of it is customization or other professional services integration work. Then there is the issue of deploying largely untested and unproven software across the enterprise. Doing so can sometimes be a greater risk to the business than the lost intellectual property itself.

So, I ask the LinkedIn network, do you care about protecting your IP or achieving regulatory compliance? What software products are you currently using or planning on using soon to address your needs for IP protection, regulatory compliance, etc.?

Feel free to join my LinkedIn Network if you would like to discuss further. I've worked first-hand with a number of solutions, and during my time as an analyst, was briefed on most of the others.

This is an interesting question. I know of organizations that don't seem to understand the importance of security (at all?). I find this shocking, especially because several of the organizations are holding extremely sensitive financial and personal data. The "11 o'clock news" issue, and trying to stay out of it.

In an organization that I was responsible for, we deployed hardware appliances and some products that sat on existing hardware. Products that were extremely good at monitoring and managing corporate security/IP were Tripwire for auditing, Sourcefire IDS/IPS (as a behind-the-firewall appliance), Entrust for implied trust (in our case, trusting senders/receivers of emails and monitoring the content of emails for leaks of sensitive data), Websense for web traffic monitoring, and, most importantly, any products that protect the inside from the outside, e.g. leaking information outside of the company via the network.

This doesn't answer your question directly, but I believe this is because there is no "one" solution "in a box" that will accomplish this task (that I am at least aware of). The level of complexity of such a product would be astounding, and the amount of design, including real-time dipping into new data and massive monitoring of network resources, would require an amazingly powerful appliance.

The best I've seen is where products integrate with each other, either via APIs or through data dips between products to semi-centralize data and make it more manageable.

I honestly don't believe I would even trust a product that proclaims to do "everything out of the box". Historically, if you look at out-of-the-box solutions, they seldom meet customer requirements. If you think of old and failed out-of-the-box solutions (currently telecommunications products come to mind) such as "MCI One" and many others, they tried to bundle a multitude of products together as a value-add and ended up finding out that customers' requirements were so varied that nobody wanted "all" of it, therefore negating any sort of point of "the box". Furthermore, you had to buy "the box" (for it to be cost effective, at least) and you couldn't pick the components inside that you specifically wanted without negating the whole "value" of the product.

Therefore the concept of compartmentalizing products is very interesting to me. That is, to have light-weight products that can integrate into existing environments, e.g. "plug-ins". The idea that each product can run independently from the others but can also work together is an idea that, if I were into marketing, would probably be something a company (or companies in partnership) could really capitalize on.

Who knows, maybe this already exists but I am unaware of such a solution.

Hope this helps.

I think there is a fair amount of activity in this area, but perhaps not in as all-encompassing a manner as you may have been expecting. For example, I think plenty of organizations are moving toward whole disk encryption. Reputation and liability worries make this a relatively easy decision for professional services firms (like the big 4, say), but I think it is also becoming more common in the insurance and financial sector. I haven't seen numbers, but I'd expect big pharma to be eager to move this way, as well.

OTOH, maybe there isn't the kind of uptake in data leakage prevention solutions that require a large investment in supporting processes to make them truly effective. Personally, I would not want a product that purports to do everything out of the box (especially with the price tags I've read about). With the vendor side of the market in such flux, I can see customers that aren't in immediate need holding off until the dust settles, and deploying easier-to-understand solutions that don't require as much support on the process end (like whole disk encryption).

I have a couple of comments on the issues you stated. I feel authentication is a very important component, since access always starts with an individual. It's been my experience that "usable" strong authentication between a user and an organization is the first barrier to enterprise data protection. The second is authentication between two unrelated organizations. For instance: if you have IP being created or used by an East Indian partner, how do you implement a consistent policy to ensure the IP is properly maintained and accounted for by that partner?

Usable strong authentication is an oxymoron. Biometrics are an excellent way to legally ensure (for all parties) that the authorized user is accessing IP data. But if the biometrics slow your users down, they won't be eagerly adopted. Passwords, on the other hand, are easy to use and maintain, but security and liability become an issue, especially when dealing with an outside partner.

I am on the vendor side of the issue as well, and we have done a few things that fix these problems. First, we have created a biometric token (Mobio) that has unique qualities. To the user the operation is similar to a two-factor token, but it has biometric one-touch functionality, thereby eliminating the need for a password or PIN. We call these biometrically generated codes "biocodes". The benefits? Firstly, a user cannot thwart a biocode, e.g. they cannot deny having generated a login biocode, based on our combination of cryptography and time/event synchronization. Secondly, our algorithm was created in such a manner that it can be split among N servers, enabling Mobio users to utilize their biocodes outside their organization, e.g. Company A can validate its employees to Company B using SSL or another trusted third party.

In terms of implementation, it does depend on the environment, but I can firmly say we have taken the position that everyone has enough software. Period. They just need the right cryptography to connect the dots on the back-end.

If you don't mind I'd like to comment on this question from a slightly different perspective. Please forgive me if I am a little controversial. :)

I am a computer forensic investigator. I'm the guy who is called in when there is a suspected or actual incident: security breach, fraud, IP theft, etc. I gather the evidence, conduct an investigation, and take the matter through to an employment investigation or prosecution.

With respect, I do not think "which products" is the right question. A strategy that starts at product selection will not succeed in protecting an enterprise.

I believe the right question is "what risks?" And while invoking "business risk" is trite in the IT community, I don't recall any enterprise where I thought they had truly developed an integrated strategy starting with business risk and covering the full range of risk mitigation (e.g. IT, legal, etc.).

I fairly regularly conduct investigations at clients who have a pretty rich set of IT and other security products: firewalls, IDS, IPS, encryption, security cameras, etc. Yet they still get ripped off for money, information, customers, etc. Why is this?

Easy. They all make the same mistakes:

- Failure to understand the real risks
- Over-reliance on technology (including failure to look beyond technology for solutions, e.g. legal)
- Lack of integration between business risk and technological solution

Let me give you an example. One client, I won't name the industry, has a very, very high security environment. Yet a staff member managed to steal a large quantity of confidential information and use it to help them set up in competition. How did this happen?

The client failed to understand the risks posed by their own staff. They had spent a lot of money having their IT security built and tested to keep Internet hackers out, but completely failed to address what in my opinion was a much greater area of risk.

This client had a policy against the use of portable storage media (floppies, CDs, USB drives, etc). Yet every single computer deployed by their IT department had a floppy drive, a CD burner and several USB ports that would accept a portable memory stick. The staff member used these to steal information, and when questioned said that they had no idea there was a policy against using these things. Of course the employer was not in a strong position to argue, given they had put all of these things on the employee's desk and could not prove that the employee had been shown the relevant policy material.

This client had every IT security product you could think of: firewalls, IDS, IPS, disk encryption, security cameras, etc. Didn't help them.

After this experience they started from scratch, and did it properly. They re-assessed their risks, resulting in "internet hackers" falling down the list a bit and "employees" making an appearance near the top. Once they had worked out the risks, they could then develop risk mitigation strategies. Some of these involved IT products, but most did not. Part of the solution was policy refinement and promulgation. A major part was harmonising the IT build with company policy.

My point is that selection of products is only a (small) part of the process of protecting an enterprise, and is more towards the end of the process than the start.
