Even in industries as heavily regulated and IT dependent as financial services, it’s often difficult for senior managers to get the cooperation required to add a layer of security that isn’t absolutely required. It’s even harder when that extra security is to prevent data leaks from smartphones and tablets that are supposed to make the lives of high-powered end users more convenient—and there are no glaring weaknesses in the security they already use.
Executives, traders and others who regularly carry sensitive or confidential information have always been highly mobile and protected, largely because many of them relied on enterprise BlackBerry servers maintained inside their companies, William Murphy, CTO and managing director of Blackstone Financial Services, said during an interview with Slashdot.
As more people began to migrate to iPhones and iPads, the idea of an extra layer of security to protect information rather than devices became more attractive. Blackstone’s enterprise BlackBerry server provided secure email to employees who still used it, but an increasing number were migrating to the iPhones and iPads on which the firm had standardized. “For people who were just file sharing within the network, you could argue whether the use case was significant enough to use something additional to secure documents themselves, because you’re already on a device and inside a network that are both secured,” Murphy said.
“The real reason to look at [document-specific security] was the mobility,” he added. “We do full DRM on investor documentation and have an investor portal on top built using APIs, we have additional security on deal rooms and deal communications. We weren’t lacking in security.”
Blackstone lacked a way to lock down specific documents so that even a lost iPhone or tablet wouldn’t mean automatic exposure of sensitive information belonging to clients. “What we were looking at was a secure repository we could use to create a walled-garden approach for mobile devices,” Murphy said.
As a result, Blackstone mobile devices are secured using MobileIron, a mobile-device management product that uses a client installed on a smartphone to create secure, discrete virtual machines within the same device, authenticated on the fly with a MobileIron server, which provides security and support policies.
Systems to secure or encrypt documents—even systems that depend on policies and access controls created on a server to secure documents even after they’ve left the building—aren’t rare. Adobe’s enterprise document management systems include that kind of enterprise security, “but you have to use PDF,” Murphy said. “Microsoft has it built in to some products as well, but you have to use Microsoft formats.”
Blackstone settled on a server-based large-scale document-security application from Watchdox. The enterprise version of the Watchdox software, which is cloud-based and lists for per-user per-month fees starting at $15, embeds access control within documents themselves.
In addition to locking down a document, the Watchdox server’s document-management functions keep track of which user has copies of which document, automatically syncing the version of the document on a mobile device with the most-current version on the server. It also updates security metadata on each document, every time the user connects to the network.
“It does full security rights management for the lifetime of the document, not just one version or for a set period,” Murphy said. “And people actually started using it because the sync function meant they always knew they’d have the latest version of their documents with them. They didn’t have to freak out and print things or email them as they’re about to take off. You just put the tablet in your suitcase and go.”
The no-worries aspect is more than a convenience. Users are often tempted—especially with products that secure documents or devices they always carry—to make things a little more convenient by cutting and pasting content from a secure document into one that isn’t, or by emailing secure documents to themselves.
The interface is simple enough, and the convenience of having the latest version of a document is great enough, that it doesn’t take much to convince users to add an extra layer of security. “The culture of Blackstone is one that doesn’t really like top-down mandates on a lot of things,” Murphy said. “We didn’t force it. If someone wanted to have their documents with them all the time and wanted them secured, this was the easiest way to do it. Mostly people like that, if you’re going into a meeting, you know you have the latest version of your documents with you and can get to them with a couple of clicks instead of digging through the device.”
During two years of a non-rollout rollout, about 1,000 of Blackstone’s 1,800 employees have adopted the Watchdox app, with little pressure from IT other than to explain the benefit of document-by-document security.
The app is popular enough, and top executives believe enough in Watchdox’s potential, that Blackstone has invested in Watchdox the company (with profit as a goal, not just cozying up to a favorite vendor). Recommending a product from a company in which his employer has invested does create the potential for a conflict of interest that would make Murphy’s publicly voiced approval less valuable. It’s worth noting, however, that the company didn’t invest in Watchdox until after the product was in fairly wide use, and none of the other security products used by Blackstone created a need to own part of the company.
“Watchdox met the criteria we were using, people like it and it works,” Murphy said. “That part isn’t complicated. And really, it’s been pretty successful for a non-aggressive rollout strategy. It’s easier to not worry much about whether or not it’s been adopted.”