Document-based Security Standards: The Time is Now

I first heard the term de-perimeterization years ago from my friends at the Jericho Forum, a UK-based organization of security professionals. Back then the focus was on securing IT when it crossed organizational boundaries. In other words, a highly-secure network perimeter offers little protection if my business applications, services, and sensitive data are consumed by users working at other organizations, with different security policies and controls, residing outside the firewall.

Fast forward to today and Jericho's term has never been more applicable. IT externalization is ubiquitous, users and their devices are highly mobile, and Internet services like Box and Dropbox make sensitive data available anywhere on any device. This isn't de-perimeterization alone, this is de-perimeter Balkanization.

So what's needed here? Another layer of defense focused on our most important asset - data. I know, this is not a new idea. Data Loss Prevention (DLP) solutions from McAfee, RSA, Symantec, and Trend Micro are designed to provide this type of protection. As an industry, we also played with Digital Rights Management (DRM) technology for a while that offered more granular protection. At its peak, DRM allowed for policy enforcement on a document-by-document level. Documents were encrypted for storage and only decrypted for use by approved users. Document access could expire after certain periods of time. Users could be granted specific rights to documents. For example, a user might be able to edit a document but unable to print, cut-and-paste, or save the document to a mobile storage device.

There were a multitude of DRM (also called enterprise DRM or eDRM) vendors about 5 years ago but most are now a distant memory. Unfortunately, eDRM never really caught on because of its technical limitations. You needed eDRM software on endpoints to make it work, so sharing data with external partners was a kludge at best (just like Jericho Forum predicted). eDRM needed application and file format smarts to work and often required the installation of device drivers that caused more than a few blue screens of death. With the sale of Liquid Machines to Check Point in 2010, the startups were all but gone and the eDRM market was really left to Adobe and Microsoft.

Fast forward to the present, however, and eDRM is in the midst of a renaissance of sorts, driven by cloud services, web technologies, and BYOD. The two companies that jump out here are Massachusetts-based Content Raven and Silicon Valley startup Watchdox. Both companies provide document-centric security controls without the need for endpoint agents. Furthermore, document policy enforcement spans across multiple endpoint device types - PCs, Macs, iPads, Androids, etc.

I believe that both companies can help to bury the eDRM failures of the past and really help this technology reach its potential. That said, I have a suggestion that could greatly enhance the potential for success here. Why not instrument ALL document types with standard metadata tags that spell out security policies and enforcement control requirements? For example, the metadata tags could communicate a policy like, 'this document is top secret so it should be encrypted at all times, never saved to a mobile storage device, and should be destroyed 30 days from now.' Taken to its logical progression, these metadata tags could also provide documents with digital signatures to weed out attachment-based APT malware from trusted and authenticated content. If these tags were based upon standards, security technologies, operating systems, and networking equipment could read the tags and enforce policies. Voila, eDRM has universal applicability.
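As an added illustration of that proposal (example code written for this page, not from the original post or from any vendor named in it), the Python below sketches a signed policy tag block and the kind of local check an endpoint, gateway, or DLP engine could run against it. The tag schema, field names, and the HMAC-based signature are assumptions standing in for a standard that does not yet exist; a real scheme would use an organizational asymmetric key so that verifiers cannot forge tags.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key (an assumption): a real deployment would sign with an
# organizational private key and let every enforcement point hold only the
# public half. HMAC keeps this example dependency-free.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed issue date

def days_after(n, start=DEMO_ISSUED):
    return start + timedelta(days=n)

def make_tags(classification, issued, retention_days, **controls):
    """Build the hypothetical policy tag block embedded in a document's metadata."""
    return {
        "classification": classification,
        "encrypt_at_rest": controls.get("encrypt_at_rest", True),
        "allow_removable_media": controls.get("allow_removable_media", False),
        "allow_print": controls.get("allow_print", False),
        "destroy_after": (issued + timedelta(days=retention_days)).isoformat(),
    }

def canonical(tags):
    # Deterministic serialisation so every enforcement point signs and verifies
    # exactly the same bytes regardless of how the metadata was stored.
    return json.dumps(tags, sort_keys=True, separators=(",", ":")).encode()

def sign_tags(tags, key=DEMO_KEY):
    return hmac.new(key, canonical(tags), hashlib.sha256).hexdigest()

def evaluate(tags, signature, action, now, key=DEMO_KEY):
    """Decide whether `action` is permitted. Returns (allowed, reason)."""
    # Unsigned or tampered tags get the same treatment as an untrusted
    # attachment: deny, rather than fall back to a permissive default.
    if not hmac.compare_digest(sign_tags(tags, key), signature):
        return False, "signature invalid: untrusted or tampered tags"
    if now >= datetime.fromisoformat(tags["destroy_after"]):
        return False, "retention period over: document must be destroyed"
    if action == "save_plaintext" and tags["encrypt_at_rest"]:
        return False, "policy requires encryption at rest"
    if action == "save_removable" and not tags["allow_removable_media"]:
        return False, "policy forbids mobile storage devices"
    if action == "print" and not tags["allow_print"]:
        return False, "policy forbids printing"
    return True, "allowed"
```

The "top secret, encrypted at all times, never on mobile storage, destroyed in 30 days" policy from the text maps directly onto one tag block; changing any field after signing makes every check fail closed.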

Yes, standards are hard but in this case I think the entire industry would have to acquiesce if Adobe and Microsoft took the lead and worked in concert to make this happen. From a business document perspective, these two companies control most of the document-based content out there so if they championed this cause, other applications and document types would have to follow.

I don't know the people at Adobe and since Microsoft blew up its security business unit, I rarely talk to the folks in Redmond. Nevertheless, I'm happy to help drive this standards effort any way I can. Perhaps NIST, GSA, or some other industry group could also get involved to push these two industry giants to cooperate for the greater good. Yeah, I know, document-based metadata tags are not a panacea, but in my humble opinion they could really help make eDRM move to the mainstream and ultimately help us better protect our sensitive data.

You can read Jon's other blog entries at Insecure About Security.
