CSO Online lists a company’s supply chain and the rise of supply chain attacks as one of its 2018 trends: “No one’s personally identifiable information (PII) is safe. Companies can’t count on the integrity of their suppliers’ and partners’ security capabilities […] Expect more companies to demand security audits of their partners, suppliers, and service providers. Third-party breaches are becoming more common, and it shows that any organization’s security is only as good as its extended network.”
Supply chain refers to all partners, suppliers and even customers that a company collaborates with and increasingly shares data with, using traditional and modern means of collaboration, including e-mail, SharePoint, OneDrive, Dropbox, and even “last mile” endpoints like USB drives. Even small companies can have hundreds of partners, suppliers and customers and this ecosystem represents a significant risk for leaks.
Although supply chain breaches are forecast as a rising trend, with high-profile examples including Target, Verizon, Domino’s, and the Paradise Papers, not much actionable advice has been provided so far on how to reduce these incidents other than traditional advice: vet third parties’ security capabilities, enforce contractual security agreements with partners, encrypt data over the wire, etc. These are good steps, but the reality is that, with supply chains so large and diverse and so many technology pathways where data can leak, there will always be holes in supply chain security despite a company’s best efforts.
In contrast, Information Rights Management offers a radical new paradigm of data protection that is perfectly suited to securing data in B2B and B2C collaboration across a large and diverse supply chain. Let’s look at what Information Rights Management offers in this context, and how it could have protected against many of the often-cited data breaches.
Information Rights Management – 4 Levels of Protection in Supply Chain Security
Information Rights Management solutions offer data protection in the supply chain in 4 ways:
1. Persistent Encryption
IRM embeds protection directly within the data itself, so that wherever the data goes, even if it leaks into the wrong hands, it’s still protected. This is known as Persistent Encryption. With traditional encryption, I encrypt data and send it to you, and you decrypt it. But you can then leak the decrypted data to another person, which is a huge security risk. With Persistent Encryption, I send you encrypted data and you can decrypt it because you are on the policy, but if you then leak it to someone who is not on the policy, they are not able to decrypt it. In supply chain security, where data isn’t locked down but is continually being passed around into the hands of potentially hundreds or thousands of collaborating users, this is essential.
2. Granular access control
Collaborators are only granted the minimum level of access required for their role. For example, when collaborating on a contract, company A can grant company B permission to read and comment, but not edit, print or copy-paste. Some very sophisticated IRM solutions can even protect against taking a photo of the screen by use of visual watermarks or even allowing the user with read access to only view a segment of the document at a time.
3. Visibility and Traceability
IRM lets you track where your sensitive data is and who’s trying to access it, whether that data is inside or outside your company perimeter. Advanced IRM solutions provide alerts if it falls into the wrong hands, and an audit trail that shows how data leaked every step of the way. This allows you to monitor your supply chain, detect attempted breaches, and identify untrustworthy collaborators, within your organization and with partners.
4. Kill Switch
IRM lets you revoke access to data that has left your building, on demand, or on a timer. If an employee is leaving your company or if you are stopping work with a partner, you can revoke access to any data that is in their hands, even if they dumped it onto a USB stick. If data is particularly sensitive, you could set it to self-destruct after a time period, e.g. after 24 hours.
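The four properties above come down to one design choice: the content key stays with a policy service and is released per request, never shipped with the file. The sketch below is an added example, not any IRM vendor's code; `PolicyServer`, `Policy`, the user names and the document id are hypothetical, and the actual encryption of the file body under the content key is left out so the key-release logic stays in view.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Policy:
    grants: dict        # user -> set of rights, e.g. {"read", "comment"}
    expires_at: float   # epoch seconds; the timer-based kill switch
    revoked: set = field(default_factory=set)  # the on-demand kill switch

class PolicyServer:
    """Holds content keys; the protected file carries only a document id."""
    def __init__(self):
        self._keys, self._policies, self.audit = {}, {}, []

    def protect(self, doc_id, policy):
        self._keys[doc_id] = secrets.token_bytes(32)  # key never travels with the file
        self._policies[doc_id] = policy

    def revoke(self, doc_id, user):
        self._policies[doc_id].revoked.add(user)

    def request_key(self, doc_id, user, right, now):
        """Release the content key only if policy allows `right` for `user` at `now`."""
        p = self._policies[doc_id]
        if user in p.revoked:
            outcome = "denied:revoked"
        elif now >= p.expires_at:
            outcome = "denied:expired"
        elif right not in p.grants.get(user, set()):
            outcome = "denied:not-on-policy"
        else:
            outcome = "granted"
        # Every attempt, allowed or not, lands in the audit trail.
        self.audit.append((now, doc_id, user, right, outcome))
        return self._keys[doc_id] if outcome == "granted" else None

def demo():
    """Constructed scenario: a partner reads, then the file leaks, then access is revoked."""
    srv = PolicyServer()
    srv.protect("contract-1",
                Policy({"alice@b.example": {"read", "comment"}}, expires_at=86400))
    got = [
        srv.request_key("contract-1", "alice@b.example", "read", now=10),
        srv.request_key("contract-1", "alice@b.example", "print", now=20),
        srv.request_key("contract-1", "mallory@x.example", "read", now=30),  # leaked copy
    ]
    srv.revoke("contract-1", "alice@b.example")
    got.append(srv.request_key("contract-1", "alice@b.example", "read", now=40))
    return [k is not None for k in got], [entry[4] for entry in srv.audit]
```

The denied entries in `audit` are the signal the content owner would alert on: a request for a document id from a user who was never on the policy means a copy has left the intended audience.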
High-profile Data Breaches
Even if only one partner in your supply chain does not follow security best practices, overall supply chain security will suffer. For example, last summer Deep Root Analytics, a small marketing firm used by the Republican National Committee in the United States, leaked the personal data of 200 million voters by accidentally putting the data on a publicly accessible server. The Verizon breach, which involved six million customer records, was caused by Nice Systems, a provider of customer service analytics. Nice put six months of customer service call logs, which included account and personal information, on a public Amazon S3 storage server.
With the “persistent encryption” feature of Information Rights Management, even if the data is placed on a public server by a partner, malicious users who get their hands on the data will not be able to decrypt and read it. And as the rightful content owner, I’m able to see that there are unauthorized attempts to open my data and remotely detonate that data if I feel it’s warranted.
Domino’s Australia had a security breach and says a former supplier’s system had leaked customer names and email addresses. In this case, Domino’s could have revoked access to all employees from the supplier the moment their partnership agreement expired. Or, they could have set up a timer to revoke access and require their partners to re-authenticate regularly, so that even if their IT group forgot to remove the supplier’s access explicitly, the timer would have taken care of it. Worst case, even with no timer or revocation of access, the data is still encrypted, minimizing the risk of the supplier leaking the data to anyone other than users that had been explicitly authorized in the first place.
TigerSwan discovered that a third-party vendor with which it had ended its contract, TalentPen, had failed to take down the sensitive files they had been collaborating on. TalentPen left the files in a bucket site on Amazon Web Services without a password or any type of security. As with Domino’s and many others, this would have been a non-issue with IRM in place.
Even in the case of a B2C supply chain, for example a financial services company that shares secret information with a high net worth individual who is only using a Gmail account on a home computer, IRM can make it possible to authenticate and fully trust the individual consuming the sensitive data, without requiring them to change the way they work (i.e., they can still use Gmail and Microsoft Word on their home computer, rather than being asked to log in to a cumbersome extranet or use a special e-mail application, where the usability is poor and the risk of leaking data is still there).
Looking to the Future
Increasingly we expect to see Information Rights Management technology applied to sensitive files and e-mails by companies who live and die by their ability to collaborate with B2B and B2C partners. For example, professional services firms that do business on behalf of customers, like Deloitte and Accenture who themselves had recent high-profile data breaches. Media companies like Netflix who collaborate with hundreds of partners big and small during pre-production, and millions of consumers once a product is released. Financial services who collaborate with banks and other financial and accounting partners in different regions, as well as their customers who want to share information easily.
As fast and secure collaboration and information sharing with the supply chain is recognized as critical, information rights management will be seen as a key part of supply chain security.