Posted on Tue, May 25, 2010 @ 08:50 AM
"The roots of education are bitter, but the fruit is sweet."
~Aristotle
During my previous job as an engineering and IT manager at a Cambridge biotech company, we caught three senior scientists who were planning to take $100M worth of information. The company was involved in pre-clinical drug research for big pharmaceutical clients, and on one day, three different researchers ordered CD-ROM burners and hundreds of blank CDs, each within about 15 minutes of each other. The orders came through my head of IT, who had the presence of mind to ask, "What do you need the storage for?"
Astonishingly, they admitted that they were planning to start a new company and planned to use some of "their work" to get going.
Things rapidly became uncomfortable as it dawned on them that taking data from the company was likely not something senior management would view enthusiastically. They left without the CDs -- an administrative action. What became clear to me was that these employees would not have stolen a chair, but were going to walk out the door with the strategic assets of the company, without giving it a thought. The information represented more than $100M of value, yet they seemed to understand neither the value of the information nor their obligation to the company and its customer data - even though they signed the appropriate usage policies. Usage policies are signed on employment or as part of an occasional awareness program, but are usually forgotten, left to gather dust in a bottom drawer of a filing cabinet under a desk.
We searched for solutions and spoke with numerous customers, knowing everyone was worrying about IP protection and information theft. Yet, no one had a positive answer to two simple questions:
- What happened with my data?
- Can I implement efficient control of my data regardless of usage?
From my exceptional tech group, both answers came back the same - no.
After months of fruitless searching, we came to the conclusion that we were not alone and that it would be worthwhile to address the challenge of protecting information.
Verdasys' growth has coincided with rising data loss, data breach, and outright data theft from common criminals to foreign nations. Our market lies in the shift in demand from protecting physical assets of computing and IT infrastructure to the strategic protection of valuable data for corporations and global organizations.
One need only witness breaches like the HSBC situation and countless others to understand that the approach of locking down successive layers of infrastructure and a reliance on access control (log in) not only trivialize the challenge of information protection, but also limit the mobility and productivity that businesses have come to demand over the past 10 years. Combined with the drive to lower cost in flexible infrastructure, there is a need for a different approach centered around data that enables companies to govern information without changing the way they do business or run their operations. The happy truth is - there is a strategy that's effective, cost effective and enabling - EIP.
What does a data-centric approach to information security have over the typical infrastructure-centric model? Simply put, if we do not focus on data -- what it is, how it's being used, and who is using it -- we are condemned to repeat the past. Nothing says fail quite like 75,000 compromised computers.
Next up: Enterprise Information Protection: What is it, who's doing it successfully -- and how?
- Seth Birnbaum
Posted on Tue, Apr 13, 2010 @ 11:25 AM
Verdasys is in the spotlight for our approach to Enterprise Information Protection (EIP).
In case you missed it, Information Week Editor Bob Evans posted "In the Age of Google Hack, Verdasys Redefining Cybersecurity," on how Verdasys "is racking up big wins among large enterprises seeking new approaches."
Mr. Evans blogs about extraordinary IT transformations at the world's largest corporations -- the IT revolution going on at BP, or the top issues at tech powerhouses IBM, HP, Apple and Salesforce.com. It's exciting for us to be headlined alongside the giants, not to mention gratifying to see a top editor understand that it's time to start thinking differently about protecting data.
Verdasys is all about setting a "better approach" -- a superior strategy for companies to solve the real problem of protecting sensitive and confidential enterprise information. Yes, we're shining a bit of light ourselves here, launching our own blog. We have a lot to say, although it's been a measured decision for us to join the conversation. Sure, we have an agenda, but then again, we are successfully solving some of the broadest information protection challenges faced by global businesses and government. We think it is very important to change the conversation about protecting data, and it must start today.
If there is one thing that sets us apart from traditional security vendors, it's the unprecedented success in protecting sensitive data that has been achieved by our customers. We have over 100 Global 2000 customers and seven years of field-driven expertise delivering technology and services. Our technology and methodology have not occurred by accident or coincidence, but by collaboration. With the help of our most important partners (they are much more than customers), we have refined our technology and our skills to offer the preeminent information protection solution that protects data across a global enterprise. We scale into the hundreds of thousands of systems and we protect over 5 petabytes of data. Our customers regularly win court cases against potential thieves, improve internal processes to minimize data loss by error or failure, and most importantly, enable new, efficient business processes and collaboration models defined and deployed in organizations where risk of data loss was previously too great.
The seeds of Verdasys were born of a near catastrophic data loss at a previous company where several Verdasys founders worked. A group of scientists attempted to compromise millions of dollars of sensitive IP and were only caught by the diligent work of an IT manager. When we searched for solutions and spoke with numerous technology companies we found that although everyone was worrying about IP protection and information theft, no one had an answer to some very basic questions: What happened with my data? Yesterday? Last week? 10 minutes ago? Was it moved, copied, deleted, stored, and if so, where and how? We wanted to know if we could put controls around information, without interfering with good people doing good work.
I'll blog more on this personal confrontation with IP theft soon. It explains a lot about who we are and where we are going. We're not about chasing the latest threat; we're about building and continually revising an information-centric platform and methodology to enable a proactive model of data protection. To quote the "Great One," Wayne Gretzky, we "skate to where the puck is going, not to where it's been." We call this Enterprise Information Protection (EIP).
In its simplest form, Enterprise Information Protection is quite unlike any other technology or approach to data security, focused on protecting information independent from infrastructure. EIP scales global security across an enterprise and outside to partners, supply chains and outsourced environments. As our Chief Scientist Emeritus and current In-Q-Tel Security Officer Dan Geer says in SC Magazine, "Henceforth, center your security investment and your security process around data, not around networks and not around infrastructure...(It's about) protecting a company's information where it's at the greatest risk - whenever and wherever it is in use."
EIP is a relatively simple concept for an immensely complicated set of problems. Like the tale of the proverbial blind men and the elephant, EIP may be viewed differently depending upon one's perspective. At one of the nation's largest health insurers, it's about securing sensitive data in an outsourced environment. For a cutting edge sports car manufacturer, it's about securing design IP in a viciously competitive industry. And at a life insurance company we'll reveal more about in detail soon, it's about one of the most comprehensive and sophisticated strategies we've seen for protecting critical customer data across a global company that is not led by the wagging tail of compliance, but by a strategic information protection program owned by all senior managers and deployed as a strategic program to protect customers and brand.
In our experience, enterprise information protection, where it is working, is much more illuminating than the darkest data theft headlines making news around the world. We care deeply about working with our customers to address their most sophisticated and serious information protection requirements. Our approach is risk based, not fear driven; it covers a broad range of information protection use cases, along with expert delivery services. Every organization can benefit from our technology and approach, reduce their risk and put more information to work - safely. I look forward to working with you as we take this journey together.
by Seth Birnbaum