Keep Your Secrets Secret

Employees can spread your secrets in any number of ways. Here are your best shots at stopping them


Enterprise Rights Management
Enterprise rights management helps you provide “persistent security” to electronic files—that is, file-level security that lasts throughout the file’s life. Once a file is created, the user can assign it a wide range of permissions. Microsoft Office 2003 Professional’s Information Rights Management application offers enterprise rights management capabilities. This solution lets you set and change file permissions for specific users and groups, assign permissions based on roles, restrict printing, forwarding and copying, and set file expiration dates. This type of technology can greatly enhance an organization’s control over its proprietary information and trade secrets.

However, implementing Microsoft’s Information Rights Management is not a project to be undertaken lightly. It requires significant back-end support because it relies on Microsoft Windows Rights Management Services for Windows Server 2003. It also requires Microsoft Active Directory, Microsoft Internet Information Services, a database such as Microsoft SQL, and Microsoft Office 2003 Professional. Individuals with Microsoft Office 2003 Professional can create documents with restricted permissions by using the free trial service for IRM at http://tinyurl.com/cge4n. It requires a Microsoft .NET Passport account, but it gives you an excellent opportunity to learn more about setting permissions on documents.

There are many commercially available digital rights management solutions besides Microsoft’s IRM. One is Authentica Inc.’s Secure Documents, which appears to have some features that can help an organization corral its information. These include letting content owners place watermarks into documents and providing a detailed audit trail.

Other products include Airzip Inc.’s FileSecure and Liquid Machines Document Control, which integrates with 65 applications and file formats. To gain a better understanding of the capabilities of these tools, take the time to view one of Liquid Machines’ online demos at www.liquidmachines.com.

The security and tracking capabilities of these tools can also help an organization comply with many regulations, such as HIPAA requirements.

Nine Tips for Keeping Secrets
You should always apply multiple levels of security to protect trade secrets. An organization should never rely on a single security product or implementation. The following solutions in combination can offer robust protection.

1. Tell employees that they are not allowed to distribute proprietary information. Include this prohibition in employment agreements and severance agreements. Implement non-disclosure agreements. Remember that you can only legally claim information as a trade secret if you can show that you’re taking appropriate steps to protect it. Addressing trade secret issues in policies and agreements is a good first step. This seems like an obvious protection mechanism, but it is overlooked by many organizations.

2. Implement basic file rights management. Allow users access to only the information they need to do their jobs. If an employee gives a two-week notice of his intent to leave the company, his rights should be reviewed and possibly restricted.

3. Manage or block access to portable data storage devices such as CDs, DVDs, USB drives and floppy disks. Products like DeviceWall from Centennial Software and SecureWave’s Sanctuary Device Control can help you control the use of these devices.

4. Block access to online data storage sites.

5. Prohibit the use of consumer-grade instant messaging and chat. These programs are often used to bypass corporate monitoring and logging of communications. Individuals intent on sharing information with a competitor or co-conspirator will often use instant messaging.

6. Implement enterprise/digital rights management to restrict permissions on corporate files and control the actions a user can take on specific files.

7. Immediately disable network access and remote access for terminated employees. See “You’re Fired!” in the March 2005 issue of Security Technology & Design (p. 74) for tips on how to do this.

8. When employees leave, ask them to sign a document stating that they have removed all proprietary information and software from home computer systems. While this may not always be effective, it shows that you are taking every step possible to protect your information. Producing this document in court during an intellectual property or theft of trade secrets case could prove helpful.