Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Protecting IP in a world of offshoring

For years, organizations have complained that other countries are stealing their trade secrets, leaving companies and products vulnerable to knock-offs and counterfeits. How can companies ensure that their intellectual property is safe and doesn't get into the wrong hands?

Ensuring protection of intellectual property (IP) in the age of offshore development is of paramount importance. Organizations that take advantage of the myriad benefits of offshore development must put in place the right security and guidance measures to ensure sensitive information that provides market advantage does not enter into the hands of a hungry competitor or potential competitor. These security measures must not only prevent the intentional or unintentional distribution of confidential or otherwise sensitive information, but also provide guidance to employees who may not be aware of the sensitivity or confidentiality of the data being distributed.

One of the primary challenges of managing confidential information in offshore development environments is distance. The further away an office, a facility or a team is from headquarters, the more challenging it is to manage and ensure the dissemination of corporate policy about data confidentiality. There is often an inverse relationship between distance and the perceived criticality of a business process. An employee may not feel as compelled to adhere to a business process - such as corporate standards for handling confidential information – if he is geographically distant from the team that is trying to enforce the process.

U.S. companies need to keep IP safe and at the same time coach employees and contractors on the sensitivity of information they are handling. This requires a multi-faceted approach, including an analysis of the security posture of the network perimeter (who can get in or out), validation of appropriate information access control (who can access what information), examination of information storage repositories (what is stored where and why, and determining how sensitive it is), control of information leaving a controlled repository or the network itself, and capture of forensic data for investigation should sensitive data leak through the corporate boundary.

The first two approaches are well established and widely used. IT organizations have done an outstanding job of protecting the network perimeter, using technologies such as network firewalls and intrusion detection and prevention to ensure that only the appropriate traffic types or nodes have access into or out of the network. Information access control is also well established. Most IT organizations already employ, or have begun to employ, the appropriate level of permissions against information repositories. Access control techniques do a good job at providing perimeter security and endpoint security, enabling organizations to control who can go where and who can access what specific sets of data in what capacity.  

The last three approaches to data security –– examination of storage repositories for data classification, protection of data in motion and data in flight, and capture of forensic data –– are not well established, nor are they widely used today. However, a new series of data loss prevention or DLP technologies have emerged to address them. DLP is increasingly relevant, especially for organizations that leverage offshore development or have a distributed business infrastructure. DLP goes a step beyond traditional endpoint security, perimeter security, and access control in that it is founded upon principles of information security that include how information is used, stored, and exchanged. IT organizations looking to protect data in offshore environments should consider using DLP to protect IP data in three fundamental ways: when it is at rest, in use, and in motion.  

Organizations may store data at rest in repositories or collaboration points, and may store it centrally or distributed throughout the organization – each method has its own strengths. DLP solutions with data-at-rest systems scan the contents of locations known to contain information in order to identify sensitive or confidential content. Data-at-rest systems also scan workstations attached to the network to identify any uncontrolled copies of sensitive data they may contain. Users of the system can define policies (above and beyond default policies) that dictate what do to when sensitive data is found on a machine in the network outside of the repository (also known as an uncontrolled copy).  Generally, these systems can also propagate information about the sensitive or confidential data (this information is called signatures or fingerprints) to other DLP systems, such as data-in-use or data-in–motion systems, to help them better identify the movement of sensitive data and respond accordingly.  

A data-in-use system allows IT organizations to more tightly control the propagation of sensitive data. The system is commonly deployed as an agent on user desktops and laptops to control information exit points. For instance, a data-in-use system can leverage policies received from a data-at-rest system to block or warn a user performing an action that may put sensitive data at risk of exposure. Such actions could include sending a human resources spreadsheet through Webmail, or in the case of IP, posting a product roadmap, software specification, or even source code to an internet blog. Data-in-use systems can also mitigate the propagation of sensitive information through unsecured devices such as USB drives, iPods, and even printers.

The data-in-motion component of DLP is deployed at the network perimeter to perform two primary functions – intervention and capture. Data-in-motion devices can receive fingerprints of sensitive data from data-at-rest systems and compare inbound or outbound network traffic to the fingerprints. When the data-in-motion component is configured for intervention, it can block such traffic from leaving the network. When configured in a capture mode, the component will record incidents for later forensic analysis and investigation, and it can generate alarms that notify appropriate personnel, such as the manager of the person who has sent sensitive data over the network. In the case of all three DLP components – data at rest, data in use, and data in motion – incident management systems will help you understand what data has been sent where, and whether it was sent successfully or unsuccessfully. This is very helpful in offshore environments when determining if data has left the company, and if so, how it left and by whom.

With its series of tightly-coupled technologies, DLP can help organizations with offshore environments prevent the leakage of sensitive information and protect critical business assets – your intellectual property, your competitive advantage, and your reputation. 

Joel Christner is manager of product management at Reconnex

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.