See How it Works - This document describes how GTB's DLP Suite extends its Data Leakage Prevention policies to external parties such as business partners, vendors and contractors once confidential or otherwise business-critical information has left the network perimeter.
2. The Case for Content Aware Information Rights Management
An IRM system that transfers the responsibility for protection from human beings to a content-aware, automated process is extremely valuable for large organizations.
The need to integrate DLP and IRM is critical
Much has been written about well-known data breaches and the need for Data Loss Prevention; I will spare the reader the aggravation of reading it again here.
There are hundreds of data security systems designed to control and prevent data breaches, and yet every week we hear about a new one. It is clear that users and administrators are unable to fully protect sensitive data on their own. The main problem is that data changes all the time, and users are focused on doing their job rather than on data security. Aggravating the problem, hackers, malware, spyware and viruses are focused on extracting exactly this data out of the perimeter. What is a CSO to do?
Content awareness and the 4 W's
A good solution is a Content-Aware Information Rights Management system. Automatic content visibility transfers the obligation of data security from users to a process. Imagine a system that automatically identifies files containing credit card numbers, source code, images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM policies are automatically enforced on such files as soon as they are saved on desktops or file shares. Such policies express the 4 W's that are so crucial to protecting data.
The 4 W’s – Who – What – Where and When
Access control and usage control are two aspects of data security that are often ignored. Mapping content discovery to IRM policies (see the example picture below) provides automatic control of the 4 W's:
WHO can access the information: identity is established by the IRM system's authentication method, against LDAP directories or non-LDAP user databases as defined in custom applications and portals.
WHAT recipients can do with the information: specific actions on a file are individually allowed or denied: View, Edit, Print (including Print Screen), Forward/Share, Copy/Paste.
WHEN each user can access the information: IRM controls the time span in which the recipient has access to the file. A document may be accessible from August 20, 4 pm to August 23, midnight. Alternatively, the time span may be defined relative to first use, for example 2 days from first access.
WHERE the information can be used: this control restricts use of the information to a pre-specified list of computers identified by hardware (MAC address), or to a specific range of IP addresses or networks. CSOs can thus control data even when it is outside the perimeter. This is a very good way to protect data from smart mobile devices: such devices can be prevented from ever seeing the data, while users who do hold the required credentials may view the files in the local browser. Note that a MAC or IP address is reported by the client, so this check is only as strong as the enforcing client; it is a usage restriction layered on top of the WHO and WHAT controls, not a substitute for them.
The discovery agent must monitor the system constantly so that whenever a file is saved it is scanned for a pattern or fingerprint and the mapped IRM policy is enforced.
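To make the mapping from content discovery to the 4 W's concrete, here is an added illustration (it is not GTB's or Seclore's code). A discovery rule recognises credit-card numbers (regex plus Luhn check) and binds the file to a hypothetical policy named PCI-Confidential; evaluate() then checks WHO, WHAT, WHEN and WHERE for one access request and reports which control denied it. The policy name, user names, the 10.0.0.0/8 office network, the MAC address, the dates and the sample document are all constructed assumptions.

```python
"""Content-aware IRM policy evaluation (added illustration; not GTB or Seclore code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# --- Content discovery: 13-19 digits with optional space/dash separators ----
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; trims most random digit runs that the regex accepts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Optional[str]:
    """Return the policy a file should be bound to, or None if no rule fires."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "PCI-Confidential"          # hypothetical policy name
    return None


# --- Policy model: the four W's ----------------------------------------------
@dataclass
class Policy:
    who: Set[str]                                   # identities from LDAP/non-LDAP stores
    what: Dict[str, Set[str]]                       # identity -> allowed actions
    valid_from: Optional[datetime] = None           # WHEN: absolute window
    valid_to: Optional[datetime] = None
    days_from_first_access: Optional[int] = None    # WHEN: relative window
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)  # WHERE
    macs: Set[str] = field(default_factory=set)                          # WHERE


def evaluate(p: Policy, user: str, action: str, now: datetime, ip: str, mac: str,
             first_access: Optional[datetime] = None) -> Tuple[bool, str]:
    """Check one request against every W; the first failing control explains the denial."""
    if user not in p.who:
        return False, "WHO: identity not covered by the policy"
    if action not in p.what.get(user, set()):
        return False, f"WHAT: '{action}' not granted to {user}"
    if p.valid_from and now < p.valid_from:
        return False, "WHEN: access window has not started"
    if p.valid_to and now > p.valid_to:
        return False, "WHEN: access window has ended"
    if (p.days_from_first_access is not None and first_access is not None
            and now > first_access + timedelta(days=p.days_from_first_access)):
        return False, "WHEN: relative window since first access has ended"
    if p.networks or p.macs:
        addr = ipaddress.ip_address(ip)
        if not (any(addr in n for n in p.networks) or mac.lower() in p.macs):
            return False, "WHERE: computer or network not permitted"
    return True, "allowed"


# Constructed policy: an employee may view/edit/print, a partner may only view,
# from 20 Aug 4 pm to 23 Aug midnight, and only from the office network or one
# registered laptop (values are assumptions).
POLICIES = {
    "PCI-Confidential": Policy(
        who={"alice", "partner-bob"},
        what={"alice": {"view", "edit", "print"}, "partner-bob": {"view"}},
        valid_from=datetime(2024, 8, 20, 16, 0),
        valid_to=datetime(2024, 8, 23, 23, 59, 59),
        networks=[ipaddress.ip_network("10.0.0.0/8")],
        macs={"00:11:22:33:44:55"},
    )
}

SAMPLE_DOC = "Customer card 4111 1111 1111 1111 exp 12/26"   # constructed sample file


def check(text: str, user: str, action: str, when: str, ip: str, mac: str) -> Tuple[bool, str]:
    """Discovery-agent hook: classify the saved file, then enforce the mapped policy."""
    name = classify(text)
    if name is None:
        return True, "no sensitive content found; file left unprotected"
    return evaluate(POLICIES[name], user, action, datetime.fromisoformat(when), ip, mac)


if __name__ == "__main__":
    for args in [("alice", "print", "2024-08-21T09:00", "10.1.2.3", "aa:aa:aa:aa:aa:aa"),
                 ("partner-bob", "edit", "2024-08-21T09:00", "203.0.113.7", "00:11:22:33:44:55"),
                 ("partner-bob", "view", "2024-08-25T09:00", "203.0.113.7", "00:11:22:33:44:55"),
                 ("alice", "view", "2024-08-21T09:00", "198.51.100.9", "aa:aa:aa:aa:aa:aa")]:
        print(args[0], args[1], "->", check(SAMPLE_DOC, *args))
```

The checks run in the order WHO, WHAT, WHEN, WHERE so a denial always names the first control that failed; the WHERE test matches either a permitted network or a registered MAC, mirroring the two forms the text describes.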
3. A Typical File Sharing Scenario – without IRM
SENDER to RECEIVER: once the file is sent to the RECEIVER, the SENDER has no control over the file. The unprotected file can further be edited, copied, printed, distributed, or viewed by others.
5. GTB IRM by FileSecure - File Sharing Scenario [File Protection]
The SENDER sends a protection request to the Policy Server (PS) and defines the usage rights for the file.
6. GTB IRM by FileSecure - File Sharing Scenario [File Protection]
Various users receive different rights. Representative form of the Usage Rights Matrix held at the Policy Server (PS):

          View   Edit   Print   Copy/Paste   Time Limit   Location
USER 1                                                    Office
USER 2                                       1-5 Jan
USER 3
USER 4                                                    Office

(The per-user ticks in the View, Edit, Print and Copy/Paste columns appear only in the original graphic.)
Examples of protected files: View only; View & Edit only; View & Distribute only; View & Print only; and other combinations.
7. GTB IRM by FileSecure - File Sharing Scenario [File Protection]
An encryption key is generated at the Policy Server (PS) and sent to the SENDER; the file is protected (encrypted) with it.
8. GTB IRM by FileSecure - File Sharing Scenario [File Distribution]
The file, carrying different usage rights for different users, travels through various media (e-mail, CD, shared internet portals, LAN, etc.) to various RECEIVERS, including external users.
9. File access in ONLINE mode (for Employees)
1. The RECEIVER, inside the organization, gets a protected file through removable media (USB) and clicks on the file to open it.
2. Authentication information goes to the user authentication system (AD).
3. Once authenticated, a User Key travels from the Policy Server (PS) to the RECEIVER and the file opens with restricted rights.
10. File access in ONLINE mode (for Employees)
Same file, but with new usage rights: the SENDER can still change the usage rights in the Usage Rights Matrix at the IRM Policy Server (PS), and the new rights are transferred automatically to the RECEIVER through the same sequence 1-2-3 above.
11. File access in ONLINE mode (for Business Partners)
1. The RECEIVER gets a protected file through e-mail and clicks on the file to open it.
2. Authentication information goes to a user authentication system (LDAP or non-LDAP).
3. Once authenticated, the Key travels from the Policy Server (PS) to the RECEIVER and the file opens with restricted rights.
12. File access in OFFLINE mode
1. The RECEIVER gets a protected file through e-mail and clicks on the file to open it.
2. Authentication information goes to a user authentication system (LDAP or non-LDAP).
3. Once authenticated, the Key travels from the Policy Server (PS) to the RECEIVER and the file opens with restricted rights.
4. In this case, however, the Key is also stored on the RECEIVER's computer, encrypted with another key, for offline usage, together with a timer.
13. File access in OFFLINE mode
1. The document can still be opened even if the RECEIVER moves to a different location (OFFLINE, with no access to the Policy Server).
2. Once the timer expires, the OFFLINE rights are deleted and the user can no longer access the document in OFFLINE mode.
14. File access in OFFLINE mode
The RECEIVER has to come back ONLINE and authenticate against the Policy Server (PS) to open the document again.
15. File access in OFFLINE mode
If the RECEIVER forwards the document by e-mail, the RECIPIENT will not be able to open it because he does not have the key.
If the RECEIVER tampers with the system time, all OFFLINE rights are automatically terminated.
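The key flow in slides 7 and 9 through 15 (key generated at the Policy Server, released online only after authentication, cached for offline use under a second key with a timer, and discarded on expiry or clock tampering) is modelled below as an added example; it is not GTB's or Seclore's implementation. The cipher used here (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) stands in for the authenticated encryption a real product would use, the offline cache is wrapped under a key derived from a per-device secret, clock rollback is detected by comparing the current time with the last time the cache was used, and the class names, user names, grant values and the sample document are all assumptions.

```python
"""Protected-file key lifecycle (added model; not GTB or Seclore code)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

NONCE, TAG = 16, 32


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for an AEAD: HMAC counter-mode keystream, then a MAC over nonce+ciphertext."""
    nonce = secrets.token_bytes(NONCE)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct))))


class PolicyServer:
    """Holds per-file keys and the per-user grants (the usage rights matrix)."""
    def __init__(self):
        self.keys, self.grants = {}, {}

    def protect(self, file_id: str, plaintext: bytes, grants: dict) -> bytes:
        """Slide 7: key generated at the PS; the SENDER's file is encrypted with it."""
        self.keys[file_id] = secrets.token_bytes(32)
        self.grants[file_id] = dict(grants)          # user -> hours of offline use allowed
        return encrypt(self.keys[file_id], plaintext)

    def fetch_key(self, user: str, authenticated: bool, file_id: str):
        """Slides 9/11: the key is released only to an authenticated, granted user."""
        if not authenticated or user not in self.grants.get(file_id, {}):
            return None
        return self.keys[file_id], self.grants[file_id][user]


class Receiver:
    def __init__(self, user: str, device_secret: bytes):
        self.user = user
        # Device-bound wrapping key (assumption): a copied cache is useless elsewhere.
        self.device_key = hashlib.sha256(b"device-wrap:" + device_secret).digest()
        self.offline = {}   # file_id -> {"wrapped": bytes, "expires": dt, "last_seen": dt}

    def open_online(self, ps: PolicyServer, file_id: str, blob: bytes, now: datetime,
                    authenticated: bool = True):
        got = ps.fetch_key(self.user, authenticated, file_id)
        if got is None:
            return None
        key, hours = got
        # Slide 12 step 4: keep the key wrapped under the device key, with a timer.
        self.offline[file_id] = {"wrapped": encrypt(self.device_key, key),
                                 "expires": now + timedelta(hours=hours), "last_seen": now}
        return decrypt(key, blob)

    def open_offline(self, file_id: str, blob: bytes, now: datetime):
        entry = self.offline.get(file_id)
        if entry is None:
            return None                    # never keyed on this device (slide 15: forwarded copy)
        if now < entry["last_seen"] or now > entry["expires"]:
            del self.offline[file_id]      # clock rolled back or timer expired (slides 13/15)
            return None
        entry["last_seen"] = now
        return decrypt(decrypt(self.device_key, entry["wrapped"]), blob)


def run_scenario() -> dict:
    """Walk the slides with constructed data; returns what each step yielded."""
    ps, doc = PolicyServer(), b"Q3 partner pricing (constructed sample)"
    blob = ps.protect("doc1", doc, {"bob": 48})
    bob, t0 = Receiver("bob", b"bob-laptop"), datetime(2024, 1, 1, 9, 0)
    r = {"online": bob.open_online(ps, "doc1", blob, t0)}
    r["offline_ok"] = bob.open_offline("doc1", blob, t0 + timedelta(hours=24))
    r["rolled_back_clock"] = bob.open_offline("doc1", blob, t0 + timedelta(hours=12))
    r["after_termination"] = bob.open_offline("doc1", blob, t0 + timedelta(hours=30))
    r["back_online"] = bob.open_online(ps, "doc1", blob, t0 + timedelta(hours=30))
    r["timer_expired"] = bob.open_offline("doc1", blob, t0 + timedelta(hours=30 + 49))
    carol = Receiver("carol", b"carol-laptop")                  # bob forwards the e-mail
    r["forwarded_offline"] = carol.open_offline("doc1", blob, t0)
    r["forwarded_online"] = carol.open_online(ps, "doc1", blob, t0)
    ps.grants["doc1"]["carol"] = 1                               # slide 10: SENDER changes rights at the PS
    r["after_rights_change"] = carol.open_online(ps, "doc1", blob, t0)
    return r


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:22} {'opens' if result else 'denied'}")
```

Two design points carry over to any real deployment: the file itself never changes when rights change, only what the Policy Server is willing to release, and every offline decision (expiry, rollback) is made by the client, so the offline path is only as strong as the client that enforces it.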
16. Conclusion
The marriage of content awareness and IRM gives the organization comprehensive access control over sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content, and access to such data is controlled by either the file owner or a designated administrator. External constituents may also be given access rights to such files, but only once they have been approved. This way organizations are able to secure files even after those files are circulating outside the perimeter.
THE GTB Data Protection Suite
We return the “P” back into “DLP”
For more information, please contact:
GTB Technologies, Inc.
5000 Birch St., Suite 3000
Newport Beach, CA 92660
Sales: (800) 507-9926
Main: (949) 783-3359
Email: info@gttb.com or your local representative.
Web: www.gtbtechnologies.com
Reference: Graphics courtesy of Seclore Pvt. Ltd.