secure dataroom
leaders in data security

White Paper - Protecting Confidential Documents in the Extended Enterprise
Common Misconceptions and Best-Practice Strategies

Executive Summary

Increasingly, important business processes that involve confidential documents are extending outside the corporate boundaries. As important documents travel further from the corporate firewall, their protection becomes paramount. Data security breaches are all too common; today’s business climate demands a better way to collaborate without compromising sensitive information. Common misconceptions about data security exacerbate the problem. A paradigm shift in how business executives and IT view data security is needed. Documents can in fact be kept more secure through best-practice, persistent document security strategies that provide end-to-end protection beyond the firewall. By deploying such a strategy, companies will be able to securely accelerate business and gain competitive advantage.

Introduction

It’s no secret: as today’s corporate borders become more fluid and transparent, the risk of inadvertent or intentional security breaches of confidential information grows. Executives residing in remote locations, increased electronic data penetration of imperfect firewalls, 24/7 availability, web-enabled applications and virtual collaborative communities all contribute to an electronic document protection nightmare. Important people deal with important information every day, and the more important the document is, the more it wants to travel across corporate boundaries. At the same time, those well-travelled documents can cause the most damage if they fall into the wrong hands. The impact can range from a mildly embarrassing mistake to a fatal blow to your business.

Consider this recent real-life story: a new Silicon Valley start-up recently raised about $30 million in three rounds of venture funding after receiving a valuation of $150 million. Unfortunately, the company’s VP of sales mistakenly leaked the company’s 2007 sales spreadsheet, which showed projected sales of just $1.34 million for the year. In a matter of hours, screenshots of the start-up’s embarrassingly low sales figures were available to anyone and everyone on the web.

Perhaps this silicon darling wasn’t IT-savvy enough to have a bullet-proof data security strategy. But how about this recent news item? High-tech giant HP had to release its 2007 second quarter forecast early after a copy of an e-mail containing the latest financial information slipped through the confines of the corporate firewall.

These two real-life stories illustrate all too clearly that ensuring confidentiality and control over business-sensitive data is no easy task. Why? Because “the business of business” is moving faster than ever, and the technology needed to keep ever-more-widely dispersed documents secure just hasn’t kept up.

This white paper will discuss the enormous cost of data breaches, the rising importance of data security, and common misconceptions that exacerbate the problem of protecting your company’s most important and confidential information. It will look at traditional IT approaches and reveal why they are inadequate for today’s business culture. It will suggest a paradigm shift in how companies view data security, and explore new technologies that meet the needs of the new enterprise.

elaw.com.au 1
Confidential Documents in the Wrong Hands: What It Costs, Why It Matters

Confidential documents routinely fall into the wrong hands in a variety of ways. Intentional data theft from either inside or outside the company is an all-too-frequent occurrence. Malicious intention is not always the culprit, however. Unintentional breaches happen as well, due to poor data security measures, human error, or both. The imperative of “getting the job done” compels individuals to forward business-sensitive information, whether or not airtight security measures are in place. Regardless, the costs associated with data security breaches can be enormous.

Hard Costs

Forrester Research recently estimated that a security breach can cost anywhere between $90 and $305 per record. That means that the cost of a single, significant breach may run into millions or even billions of dollars. [1] The research firm surveyed 28 companies that had recent data breaches. Hard costs cited included outside legal fees, notification costs, response costs, lost employee productivity, marketing and PR costs, and discounted product offers. Other significant hard costs Forrester warned of that were not part of the estimate included regulatory fines, restitution fees and additional security and audit costs.

Soft Costs

There are significant non-quantifiable costs to a company whenever a data breach occurs, including inadvertent disclosure of key assets, potential loss of customers, negative impact to the stock price, shareholder lawsuits, unfavourable press, and more. These costs can be even more detrimental than hard costs, given their implications, and can eventually run into the tens of millions of dollars.

The Cost of Non-Compliance

Today’s organisations are required to meet stringent corporate governance and compliance requirements, or pay a high price. Recent regulations such as Payment Card Industry (PCI), electronic access of patient information (HIPAA), and the newly amended e.discovery rules (Rule 26 of the Federal Rules of Civil Procedure (FRCP)) underscore the fact that airtight data security is critical in today’s highly regulated business environment. Moreover, regulations such as the Sarbanes-Oxley Act (SOX) now require a fully documented information flow for critical corporate information, creating a need for tamper-proof and persistent audit trails.

Case study: Corporate Boardroom

Challenge: Sensitive documents were repeatedly being leaked to the press by company insiders, causing disruption and bad press.

Solution: The board of directors at the bank deployed a secure virtual data room to lock down all sensitive documents intended for board members. The result? Leaks were stopped and documents stayed secure. The bank then extended the use of secure data rooms to other functional areas that dealt routinely with confidential information, such as financial reporting, strategy and acquisitions, top management, and human resources.

Protection of Confidential Documents: More Critical Than Ever

Today, more widely dispersed executives and employees are collaborating, accessing, and sharing important, sensitive corporate information beyond the brick-and-mortar walls of the company, driving the need to share confidential information securely. Business processes within an organisation that require safe sharing of highly sensitive information include executive-level information sharing, finance, human resources and research and development, to name just a few.

Increasingly, these business processes extend across the corporate firewall to external partners, contractors, and other outside professionals who need access to confidential documents. For example, many contributors are involved in preparing documents for executive board meetings, and seamless collaboration of remote team members must be ensured. Distribution of information to members of an executive board is often costly and time consuming, and most of all, it is frequently insecure.

[1] Kark, Khalid; “Calculating The Cost of a Security Breach” (Forrester Research, April 2007)
Leading industry analyst Gartner refers to groups of individuals who collaborate outside the corporate boundaries as “communities of trust.” According to Gartner, there is a rapidly growing need for ways to “meet the communications and security needs for the ongoing sharing of sensitive data across the Internet between multiple organisations.” [2]

Examples of collaboration-heavy business processes that transcend corporate firewalls are: boards of directors; mergers and acquisitions; business partnerships; management consultants; outsourcing processes; joint ventures with competitors; real estate management; and life science clinical trials.

This trend will continue to grow as more and more collaboration occurs among dispersed individuals located around the globe. These processes need to be secure; additionally, they can’t be impeded by an unwieldy IT security infrastructure that slows down the job that needs to be done.

Case study: Mergers and Acquisitions

Challenge: A law firm was heading the sale of a large, well-known automotive company. In the due diligence process, they needed to broadcast sensitive documents to a large number of potential bidders. The challenge was to distribute the data in such a way that recipients could not “keep” the data, to track downloads and gauge interest, and to follow up with more detailed documentation to qualified bidders only. The deal team at the firm wanted to self-manage the due diligence process rather than rely on IT.

Solution: The firm deployed a secure deal room, not just for the due diligence process but for the entire lifecycle of the transaction. This included initial strategy, gathering all confidential information quietly, highly controlled due diligence, negotiation, closing, and post-merger integration. The whole process was 100% secure, totally controlled, easy to use, and did not require any IT resources, thus expediting a major merger safely and successfully.

Common Misconceptions about Data Security

Keeping data secure in today’s dispersed environment is a much more daunting task than it was in the past. Part of the problem is the prevalence of commonly held ideas about data security that simply are not true. Below are three of the most common misconceptions that actually impede organisations in the implementation of a truly secure solution:

Misconception #1: Data Security is IT’s Problem

Most business executives want to know that confidential documents are protected from data breaches without having to worry about the mechanism by which this is achieved. As a result, data security is delegated to IT. But this “hands-off” approach can lead to a number of problems.

First, IT departments are primarily concerned with security from an infrastructure perspective and are not necessarily as concerned about end-user experience. They may spend significant time and resources devising an infrastructure solution that is cumbersome for end users; for example, they may implement encrypted e-mail or encrypted hard disks. Or they may build a company-wide solution for every desktop, which is not necessary and can take years to develop and deploy. It’s like using an all-in-one wrench to fix a specialised problem.

IT-centric approaches to data security tend to take too long to deploy, focus primarily on internal employee desktops, exclude external partners, and/or are too unwieldy to allow ease of use. Or, at the other extreme, an IT solution may not be good enough, and may have its own security loopholes.

In short, business executives need to find a way to conduct confidential business that is efficient, includes outside approved participants, and meets stringent security requirements without being at the mercy of cumbersome IT solutions. Because executives are held accountable for data breaches, data security must be a management concern.

Misconception #2: If it’s Behind the Firewall, it’s Safe

Highly confidential documents are in fact more vulnerable behind the firewall than outside. Why? Because there are so many individuals behind a company firewall who could gain inappropriate access.

Perpetrators of data security breaches are often disgruntled employees, “super users” with high access permissions, or individuals who have left the organisation or changed positions, but whose access privileges have not been updated.

[2] Heiser, Jay; “The $10 Billion Market for Communities of Trust” (Gartner, January 2007)
The firewall does not take into account the selectiveness and breadth of individuals in collaboration-heavy business processes. Only a select few individuals should have access to sensitive documents. For this reason, file servers, document management systems, and e-mail are vulnerable repositories for storing and managing confidential documents.

The best and safest solution is one that seamlessly connects authorised users on both sides of the firewall while preventing unauthorised access by individuals both inside and outside your organisation.

Case study: Research and Development

Challenge: A drug research firm needed a way to share highly confidential research information, including clinical trial data on a new drug, with a pharmaceutical firm interested in licensing the drug. Protecting their intellectual property, while expediting the process, was paramount.

Solution: This firm designated a secure virtual data room as the central repository for all facets of the drug review stage. They controlled all access to all documents, ensuring that IP information remained highly protected. Once the partner decided to license the drug, the firm continued to utilise the data room as a way to ensure secure project collaboration with its new partner in a highly confidential manner. This approach allowed high productivity, shortened the drug review and partnership process, and reduced the risk of exposing a drug initiative with high earnings potential.

Misconception #3: Traditional Security Measures are Good Enough

Business professionals who are tasked with important, deadline-driven projects generally trust that the security measures in place are enough to protect the documents they are working with. However, as stated above, some IT security measures are not in fact bullet proof. It is dangerous to assume that any data security measure is better than nothing. The reality is that partial security equals essentially no security.

For example, the practice of sending emails with a disclaimer is widespread, and yet completely insecure; the disclaimer does not in fact “protect” the security of the data or email attachments from unauthorised access. It’s the equivalent of having a “This house is protected” home alarm sign on your front lawn, without the real alarm system installed and functioning.

Another example of partial security is encrypted emails, whose information and attachments are only truly “safe” while encrypted. Once they are decrypted at the desktop, they are vulnerable. Hard-disk encryption also only solves part of the problem, because it only protects information “at rest”. Once documents are in transit, whether from one laptop to another or from one person to another, the information is vulnerable, since the encryption does not travel with the document.

A New Paradigm

These misconceptions illustrate the need for a major paradigm shift in the way businesses view data security. Traditional approaches to data security like firewalls (perimeter security), encrypting data at rest (on the server) or in transit (encrypted e-mail) are insufficient. They assume that highly confidential business information remains in a tightly controlled, definable environment. That assumption is false. The reality is this: data must move. And it will find its way. Therefore, data protection has to be attached to the document itself, and it has to follow the document wherever it goes. This is known as persistent document security.

The new paradigm sees important documents as safer when placed in a repository outside the firewall, a place that is highly secure, accessible anytime, anywhere by a select number of individuals, and allows users to control exactly what documents are viewed, accessed, and updated. In this paradigm, documents are stored on a highly protected, encrypted server outside the firewall. Workflows are managed by authorised end users, rather than by IT, so that sensitive documents are shielded from internal or external IT personnel.
Documents can only be accessed via strong authentication methods that ensure only authorised access. And access rights can be easily managed at a group level or down to an individual level. With these measures in place, documents outside the firewall become in fact more secure, because although they are accessed anywhere, anytime, a complete audit trail captures all activity and documents remain secure in the repository.

Case study: Fund Management

Challenge: A large financial services firm needed to ensure secure business processes and communications for an investment fund involving multiple interests, including limited partners, investors, law firms, accountants and consultants. These groups needed to perform due diligence on potential acquisition targets and/or investments in the fund.

Solution: The firm used a secure data room to organise the business processes needed for successful fund management. This involved partitioning the data room into separate areas for different parties and then controlling access to information. This was accomplished with no deployment of additional hardware or software and zero upfront training for all parties involved.

Best-Practice Data Security Strategies

As important information moves farther and farther from the physical boundaries of the IT infrastructure, the technology required to keep that information secure becomes paramount. According to Gartner, “The traditional security mechanisms provided by the operating system or network are just not suitable for meeting this need. However, effective solutions can be found in security technology that overlays the existing infrastructure, instead of being dependent on it.” [3]

Enterprise Rights Management Software

Enterprise rights management software (ERM) offers controls at the data level, so in essence the security “travels” with the document, from the server to the desktop. In this regard, enterprise rights management software enriches encryption to include access control and persistent protection. Recipients can view or modify documents only as allowed. While ERM software is an important step in the direction of end-to-end data security, such a system by itself often requires proprietary software on both the server and the desktop and can be a relatively expensive solution. It also requires significant management overhead: access privileges need to be assigned for each document. ERM software addresses the security of moving documents better than deploying only hard-disk and/or e-mail encryption does, but it requires more investment and more management overhead to execute. Also, by itself it does not allow “anywhere, anytime” access from any desktop, and therefore impedes executives in remote locations from using various desktop platforms.

The key to successful adoption of an ERM infrastructure within the extended enterprise, therefore, is to deploy such software within an application environment that enables users both inside and outside the enterprise to benefit from such an infrastructure.

A Different Approach: Secure Virtual Data Rooms

Secure virtual data rooms (VDRs) are web-enabled applications that operate outside of the corporate firewall and provide highly secure access and viewing controls at the data level (persistent security), but do not require proprietary server and client-side software. VDRs are offered as a web-based service, and so require no IT infrastructure; however, they can also be integrated with an ERM infrastructure to provide even greater functionality.

The most sophisticated VDRs offer the highest security standards, including two-factor authentication, encryption and tamper-proof audit trails. Extremely important features to look for are operator shielding, in which software and operating processes ensure that the VDR operator is not able to read customer data, and end-to-end security, in which documents can be access-controlled even after delivery to users’ desktops.

[3] Heiser, Jay (Ibid)
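The properties the New Paradigm and VDR sections describe (rights and key bound to the document itself, access managed at group or individual level, rights withdrawable after delivery, and an audit trail whose tampering is detectable) as a small added Python illustration; this is not code from the paper or from any data-room product, and the server key, policy layout, toy keystream and the sample document are constructed for the demonstration.

```python
import hashlib
import hmac
import json
# Constructed demo key: a real VDR would keep it in an HSM/KMS, never in source.
SERVER_KEY = b"constructed-demo-key-not-for-production"

class AuditTrail:
    """Append-only log: each tag covers the previous tag, so editing or deleting an entry breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _tag(prev, event):
        body = prev + json.dumps(event, sort_keys=True)
        return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["tag"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev, "tag": self._tag(prev, event)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(e["tag"], self._tag(prev, e["event"])):
                return False
            prev = e["tag"]
        return True

class ProtectedDocument:
    """Policy and key stay bound to the document, so the same check runs after delivery as on the server."""

    def __init__(self, doc_id, plaintext, policy, trail):
        self.doc_id = doc_id
        self.policy = policy  # {"groups": {name: {rights}}, "users": {name: {rights}}}
        self.trail = trail
        self.ciphertext = self._crypt(plaintext.encode())

    def _crypt(self, data):
        # Toy keystream (HMAC in counter mode, no integrity tag): enough to show the
        # content is unreadable without the document's own key; not a real cipher.
        key = hmac.new(SERVER_KEY, self.doc_id.encode(), hashlib.sha256).digest()
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def permissions(self, user, groups):
        perms = set(self.policy["users"].get(user, ()))
        for g in groups:
            perms |= set(self.policy["groups"].get(g, ()))
        return perms

    def open(self, user, groups, action="view"):
        allowed = action in self.permissions(user, groups)  # every attempt is recorded, allowed or not
        self.trail.append({"doc": self.doc_id, "user": user, "action": action, "allowed": allowed})
        return self._crypt(self.ciphertext).decode() if allowed else None

    def revoke(self, user):
        # Individual rights withdrawn after delivery; group rights are unaffected.
        self.policy["users"].pop(user, None)
        self.trail.append({"doc": self.doc_id, "user": user, "action": "revoke", "allowed": True})

def demo():
    trail = AuditTrail()
    policy = {"groups": {"board": {"view"}}, "users": {"cfo": {"view", "modify"}}}
    doc = ProtectedDocument("q2-forecast", "Projected sales: constructed figure", policy, trail)
    first = doc.open("cfo", ["board"], "modify")   # allowed through the individual right
    second = doc.open("guest", [], "view")         # refused, but still recorded
    doc.revoke("cfo")
    third = doc.open("cfo", ["board"], "modify")   # board grants view only, so refused
    intact = trail.verify()
    trail.entries[1]["event"]["allowed"] = True    # an insider rewrites the refusal
    return first, second, third, intact, trail.verify()
```

The tag chain makes the trail tamper-evident rather than tamper-proof: an attacker who also holds SERVER_KEY could recompute the chain, which is why the paper's operator-shielding requirement matters as much as the log format.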
VDRs combine these security functions with communications and administration tools that allow the end user to easily set access rights, organise workflow, and ensure complete control over everything that happens in the data room, from beginning to end.

A secure VDR provides a central repository for confidential documents located outside the IT infrastructure. It gives business executives the control they want and need over highly sensitive documents, regardless of where documents “live,” in a way that facilitates business rather than hinders it. Some VDRs offer additional features for specific applications, like voting mechanisms and acting-by-proxy rules for virtual board rooms. VDRs are device-agnostic, so any authorised individual can enter the data room anytime, with any web-enabled device, wherever they are.

Summary

Critical business processes involve highly confidential, important documents that need to be safely accessed anytime, anywhere. Poor security measures based on a “traditional” view of data security have led to high-profile, significant data breaches.

Business will go on, with or without the proper controls. Documents will move, and the farther they move from the corporate boundaries, the more imperative it becomes to keep them secure, wherever they reside. Your most important information cannot be vulnerable; the cost in real dollars, non-compliance and business risk is simply too high. You need to ensure that your most important data is not only secure, but also easily accessible by those individuals who need such access. Security cannot be achieved at the expense of business acceleration.

The technology implemented to ensure security in this new era of business must change. What’s needed is a paradigm shift in the way you think about data security. Putting confidential information outside the firewall is actually safer and more expedient for all parties involved. Fortunately, there are solutions today that understand this new paradigm and are providing new ways to allow you to conduct important business securely without being impeded by IT complexity.

Case study: Global Project Management

Challenge: A global company needed to form an international consortium of partners, customers, and suppliers to collaborate on a major project. Of top concern was protection of the IP of the consortium. This company had to ensure that confidential information was not leaked to partners that had competitive interests in other areas of their business.

Solution: A secure data room for this project was set up and managed by a neutral service provider, so as to avoid conflict of interest. The data room enabled real-time document accessibility, with fine-grained access controls and end-to-end security. As a result, project members from the various companies could easily access project-related documents on demand, IP was protected, and documents were successfully kept from potentially competing business units within the company.

Case study: Supply Chain Security

Challenge: A manufacturing company needed to exchange plans, specifications and CAD files with its partners in the supply chain. The challenge? The partners in this project happened to be the company’s competitors in other areas of the business. It was imperative that the information stayed within the business unit of the partner company without travelling to divisions of the company that had competing interests.

Solution: The company used a secure data room service for secure document delivery of all related manufacturing information with a complete audit trail. It also used the secure data room service to connect with an SAP application to create and distribute documents automatically. This process allowed fast, secure access to relevant documents, while providing a tamper-proof audit trail of all activity in the data room.
Contact e.law Asia Pacific

General Enquiries
info@elaw.com.au
phone 1300 136 993
overseas call +61 2 9221 1366

Office Locations
Sydney, Melbourne, Brisbane, Perth, Hong Kong, Shanghai

e.newsletter
Subscribe to e.law e.news and receive updates on products, services, industry trends, upcoming events and more at e.law. We provide our monthly newsletter service via a short HTML email; if you would like to receive a copy, please register by completing the registration form online at elaw.com.au. You may also unsubscribe at any time.

About Us
e.law Asia Pacific is a privately owned company providing specialised products and services to many of Australia and Asia’s largest legal, corporate and government organisations. Services: e.forensics, e.discovery, bureau services, e.courts, document review & case management software, online data rooms.

At e.law we seek to work in partnership with our clients, offering services that are competitively priced, high quality, fast, reliable, innovative, wide ranging and adaptable. We look to build and sustain long-term relationships with our clients where risk and reward are shared.

Quality: ISO 9001
elaw.com.au