Operation Lockdown? A Formal Policy for Content Protection Has Always Been a Good Idea. This Just May Be the Year It Becomes the Norm

When asked if banks should incorporate enterprise content controls, one research analyst said "certainly," referring to use of encryption or other protective schemes designed to seal customer data, intellectual capital, and other documents at the office or beyond. But the same analyst admitted that this valuable--indeed necessary--idea had yet to become commonplace. Sure, best-practice acolytes are out there being inventive in the use of controls. But it's more the norm to have departments of excellence amid a more laissez fare environment where laptops, Blackberries, and USB sticks float in and out to accommodate business need. This is mostly because there is a perception gap that has executives questioning whether a few well-publicized incidents represent enough of a problem to warrant the cost and effect of systematic lockdown. "Then there's the question of content encryption technology's maturity as well as the maturity of other content-related systems such as rules-based engines coupled with inspection systems," notes Eric Maiwald, senior analyst, security and risk management practice, Burton Group, Midvale, Utah. "In all fairness to decision makers, the technology just hasn't been ready until recently." When asked if most banks took information protection seriously, Maiwald answered: "It's not as if senior management has been sitting around saying, 'Oh to heck with it, we can't afford to do this so we'll take our chances.' It's more that the understanding of which protections would be the most effective is in transition." Maiwald emphasizes that any choice of specific solution sets would need to be tailored to the individual company's risk exposures. (They exist in a variety of niche areas from the network to the application layer.) "And, I still believe that virus and perimeter protections address the bigger source of problems for the average company," Maiwald says. Money spent in one security area tends to leach away money that could be spent in another. A new level of security coming Some industry watchers see a new day coming for content-specific controls, however. Ed Gaudet, vice-president of product management and marketing with Waltham, Mass.-based Liquid Machines, is one of them. He says banks are beginning to sort through their options and rethink key business processes in order to instill a new level of information-handling discipline. "The idea that the network can be designed to be a Jericho wall is laughable," Gaudet says. "Sure, the technology took time to improve, but what many of us in this niche have done is perfect the application of known, proven technologies, including encryption." Even Maiwald, who could be said to be a "gradualist" when it comes to content-specific adoption, believes that some pilots are occurring and more phone calls to vendors are being made, although he's not sure who's buying. "Bankers are learning that the content itself needs to be secure," says Sanjay Vyas, director, payment systems, Arcot Industries, Sunnyvale, Calif. Partnering with Adobe, Arcot works, in effect, to easily apply PDF access controls to documents. Vyas says that the last six months has been a time when awareness has shot up regarding data and document protection as distinct from systems-specific controls. It takes a regulatory push Call it the ChoicePoint effect, or just think of it as sophistication gained from years of distributed 7 computing and the public mishaps that can go with it. Timed with new regulatory pressures, a new data security awareness seems to be seeping into the corporate groundwater. "In my practice in the last six months there's been a significant shift in the level of understanding about breach risks and actions required to reduce liability," says Lynn Barr, a partner with Goodwin Procter, LLP, based in Boston. True, she notes, there ought to be different standards of protection for different types of documents or databases, but banks are beginning to hammer out the details. …