Beyond Cyber-Hacking: The Growing Threats of Internal Theft and Data Mishandling
Designers and manufacturers of high-tech products and services, particularly in aerospace and defense, have always spent huge amounts of money to protect intellectual property (IP) from loss and leak. The bulk of security efforts typically focuses on the growing threat of intrusion from outside the company, particularly from overseas cyber-hackers. This focus is not surprising given the media attention on high-profile cyber-hacking incidents, especially the details divulged by the Snowden documents. NSA documents reveal a huge amount of data related to defense technologies being stolen: the equivalent of five Libraries of Congress (50 terabytes).
However, a less attention-grabbing but perhaps more pernicious threat is emerging: IP loss, leak, and theft in the course of authorized data sharing. In this case, internal employees or external partners gain access to sensitive intellectual property in authorized ways, but then either steal it with the intent to sell it to competitors overseas, or unintentionally mishandle it, inadvertently exposing it to loss and leak.
The problem is growing. The US government is currently actively prosecuting over a dozen cases of economic espionage against individuals alleged to have sold or sent technical IP belonging to US companies (including product designs and software) overseas.[1] All cases involve employees or contractors who were at one time authorized to access company IP. The number of cases being prosecuted continues to grow: roughly 15% more each year.
What Does this Mean for PLM?
The implication for Product Lifecycle Management (PLM) systems is that we cannot assume network-level security and application-centric data protection are enough to secure an organization’s sensitive IP.
For one, internal theft occurs quite easily with these security controls in place: internal users are authorized, and controls within PLM applications are lost once data is downloaded by an authorized user. In addition, product design and manufacturing typically involves collaboration across multiple organizations. Contractors, design partners, and Tier 1 and 2 manufacturing suppliers—all of whom are outside a primary organization—require access to IP. In order to protect IP, a company needs to extend the protections within the PLM system to download and external sharing use cases.
The Right Fit: Rights Management
Rights Management technologies, which have been around for decades, are clearly the right fit for this challenge, that is, being able to protect IP downloaded and shared outside PLM systems and other enterprise applications. With Rights Management, document-level access and usage control (“rights”) are applied directly to documents. These rights persist with files no matter where they are downloaded, uploaded, shared, or consumed.
However, in the past, solutions have come with technical limitations that made them both difficult to deploy and effective for only a narrow set of use cases. For instance, Rights Management products typically support only certain file types and applications, involve cumbersome management and administration (requiring users to apply rights manually to files, or build complicated “templates”), interrupt user workflows (forcing users to log into servers for key exchange), or require client installation on all devices (which is impossible in external collaboration use cases).
The Right Approach…
Rights Management technologies are evolving to address these limitations, making them more effective and easier to integrate with PLM systems (as well as with other enterprise applications).
Support for All Files and Applications
First, the right solution must be file-type and application agnostic. Consider the types of files that may need to be supported in a standard product design and manufacturing process: Microsoft Office and Adobe formats, design drawings and other graphics, 3-D visualization files, source code, and more. All files must be protected consistently, regardless of file type and the application used to access them.
Flexibility to be Automated or Manual
There are some use cases where you trust users to manually apply rights to files. In fact, support for discretionary use cases may be quite important in meeting data security requirements. However, an effective solution also needs to be flexible enough to support automated application of rights based on business context. For instance, the attributes of a file (the team membership of the file creator, designated keywords, file attributes) may warrant automatic application of rights to the file. Rights should also be applied when the appropriate user action occurs (for example, file upload, download, copy, edit, print, and so on), as data security requirements dictate.
Integrated with Business Applications
In addition, in order to leverage metadata (such as business object classifications in PLM), a Rights Management solution should be closely integrated with enterprise applications. This means that organizations don’t need to architect an entirely new process to apply rights protection to files. Instead, it happens automatically within a standard user workflow. The goal is to provide a seamless user experience, while adding an extra layer of protection to data.
All Devices, Client Install or No
Finally, when it is time to download protected data and share it, protection should be applied no matter the device. External collaboration use cases are the norm rather than the exception in product design and manufacturing, so rights protection needs to persist as data is shared on mobile devices, uploaded to the cloud, passed through formal review and release workflows, or shared informally and ad hoc, all with zero client install.
[1] “FBI Sees Big Threat From Chinese Spies; Businesses Wonder,” The Wall Street Journal, August 10, 2015, http://www.wsj.com/articles/SB112362385648509071.
By Roger Wigenstam, VP of Products at NextLabs