Trusted staffers had taken key intellectual property with them when they left the company. It's every CIO's worst nightmare: to spend vast energy protecting against external threats, only to face a deep threat from within.
"The people you fear the most are the people you trust the most," Venner tells me.
Action was required. To take full control of dataflow, Venner needed a rock-solid security solution that addressed both internal and external threats. The solution, he explains, had to be able to "track, manage, understand, report, do post-analysis and trending, [monitoring] what is IP, where is IP going, who's had IP, and does anyone go after, take, or steal IP?"
Furthermore, given that many employees work on laptops, the solution had to be geared for the individual rather than the data. Upping the challenge, in a single day a sensitive document might visit a half-dozen digital mediums. What solution could supervise all these transactions?
Venner chose Digital Guardian, by Verdasys. The security solution recently won a Datamation Product of the Year Award in the Enterprise Security category. (The other nominees were Code Green Networks, Data Domain DD580 Appliance, Kazeon Information Server IS1200-ECS, Bluesocket v6.1 software platform, and nuBridges Secure Transaction Manager.)
The Digital Guardian platform touts itself as a veritable octopus of data control. It handles file and mail encryption, content inspection, context management, application logging and masking, and other sensitive tasks.
Once Venner began using Digital Guardian's monitoring and control capabilities, security at Broadcom improved. "I could actually control what was IP, how it was flowing, who could do what with it, could you copy and paste, could you transfer, could you email it, those kinds of activities."
Broadcom recently upgraded to the Digital Guardian 5.0 platform; this platform's adaptive encryption capability is of particular interest to Venner. (Adaptive encryption encrypts and decrypts files selectively and automatically based on data context, rather than using a one-size-fits-all approach.)
Venner explains the value of adaptive encryption: "By default our policy is if you copy a file to an external USB drive, we will encrypt it so that only other Broadcom PCs can read it, unless we capture information around why you're passing it in an unencrypted fashion."
"We're also thinking of using adaptive encryption to control certain files that are tagged appropriately, so that they're always stored on your laptop or desktop, raw in an encrypted format. Every time that document flows, it flows as an encrypted object, never becoming unencrypted in an unprotected space. Even though we're implementing disk encryption technology, this would be even a layer on top of that for IP protection."
This heavy-duty encryption method would protect data that Venner calls "the crown jewels" of the organization, information so sensitive that only a tiny cadre should be viewing it.
"And if anyone was to steal their device, you hope [the employee] started an encrypted directory on the machine so they couldn't get to it. But even if they could hack the encrypted directory, it has a second layer of encryption to ensure that they could never get to the file."
Security Policy Implementation Engine
The rationale behind the development of Digital Guardian, says Verdasys president Nick Stamos, is that companies need a centralized encryption platform that implements company policies. So the DG solution is not DRM-based (because DRM methods are proprietary, so if the provider goes out of business it's a problem). And it's not disk-based (because if someone steals your machine, the default mode is decrypt).
Instead, Digital Guardian is what Stamos calls a "security policy implementation engine."
With DG, before it actually decrypts the file, it takes into account: what's the document classification? And, based on who you are, what are you allowed to do or not do with that particular document?
The focus is on a comprehensive solution that handles every data transfer scenario. And significantly, DG doesn't require end users to be aware of what's going on in the background.
"Once you have one system that both provides the protection and the information policy enforcement, it's much easier to now manage a large company because it's all centralized, it's all one policy," Stamos says. There's no longer a need to make clearance decisions on an individual basis.