Enterprise file security is of paramount importance in this age of rapid consumerization of information technology, free consumer file sharing solutions (like Dropbox) and bring-your-own-device (BYOD), as perimeter-based security is falling short. These trends are creating internal threats that can lead to inadvertent data leakage.
The external threat landscape has also grown to a level never seen before, as cybercrime is rampant. Many enterprises’ data is now available on WikiLeaks. Email chains from Sony Pictures and leaked memos from Barclays are among the scores of leaked documents now public record on WikiLeaks.
Because of these challenges from internal as well as external threats, enterprise file security has become the topmost priority in every company that deals with sensitive information – particularly in security-conscious and regulated domains like Banks, Financial Services and Insurance (BFSI), Healthcare, Pharma and Media. Our takeaways from Gartner Security Summit last week concurred with these thoughts during our interaction with CIOs and CISOs from leading enterprises.
Enterprise digital rights management (DRM, also known as Information Rights Management or IRM) is a key part of enterprise file security, both in preventing data leaks and in helping to trace the source of leaks. Enterprise DRM is fast becoming a major business requirement and is no longer just an option. Although it has been of immense value to CIOs and CISOs, the technology never really saw widespread corporate adoption, and many enterprises have failed to implement it enterprise-wide because they chose the wrong solution. You need to consider 6 essential things before buying an enterprise DRM solution.
A well-implemented DRM solution will make a big difference in the way companies do business, meet compliance requirements, ensure privacy, and protect the digital assets of the company. DRM implementation means a big investment for companies, not only financially, but also in terms of time, resources, disruption and the risk of failure. Hence it is not a type of investment that one can simply scrap if it doesn’t work out. With that in mind, here is a list of best practices you should consider while implementing enterprise rights management in your organization:
- Get Buy-in from End-users
With most traditional DRM solutions, the end-user experience involves a lot of friction because of poor usability. Hence people avoid or try to bypass the system – defeating its very purpose. Make sure that you have buy-in from the business people, who will eventually be the end-users. Involve them in the decision process. Ensure that your solution embeds in their normal workflow, such as Outlook, right-click, drag-and-drop and the enterprise file sharing solution (enterprise file sync & share – EFSS) you use. All of this should happen without extra effort on their part.
- Block Shadow IT
Shadow IT is becoming a pervasive problem, resulting not only in huge costs for the company but also in serious threats of data leakage, security lapses and compliance risks. The proliferation of shadow IT in enterprises has significantly increased over the last few years - particularly because of freely available cloud services (like Dropbox). Before you completely block Shadow IT, you should consider implementing enterprise file sharing as a Dropbox alternative that also integrates with Outlook (or Notes) and provides mobile file sharing on BYOD devices (if you have implemented BYOD). It is wise to choose a secure file sharing solution that has built-in enterprise rights management, because it provides a seamless experience to end-users and also makes security tighter.
- Standardize File Sharing Methods
Historically, the most popular ways of sharing files have been email and FTP. Email has its own limitations in terms of the size of attachments, high storage requirements on the email server (e.g. Exchange) and fat mailboxes (e.g. Outlook PST) – making it very inefficient and causing loss of productivity to employees. On the other hand, FTP (or SFTP) is difficult to use, manage and monitor, and poses many challenges for any enterprise. You should consider standardizing on an enterprise file sync & share solution that provides a good alternative to FTP, integrates with Outlook, enables BYOD and also has built-in DRM capabilities. Otherwise, in the absence of such an alternative, employees may turn to consumer file sync & share services that lack end-to-end security, data governance, controls and visibility.
- Enforce IT Policies for DRM
Security can’t be left to end-users! It is the responsibility of IT and not of individual end-users. Many companies place the burden of security directly on their employees, and only hope that employees exercise caution when sharing sensitive documents outside the organization. Most of the information rights management solutions in the market are based on this misconception. You need a solution that facilitates centralized DRM policy enforcement, so that documents shared with third parties are automatically protected without the end-user having to apply DRM controls. You may, additionally, give DRM controls to those end-users who are responsible and accountable.
- Integrate with DLP
Rights management and Data Loss Prevention (DLP) are two sides of the same coin. If you already have content-aware DLP (offered by most DLP vendors including Symantec, McAfee and Websense), integration of rights management with data classification is core to a successful enterprise file security implementation. It ensures that sensitive information is automatically locked down and shared only with appropriate DRM encryption, while information that does not need securing is not touched.