Several recent news stories concern the leakage of company secrets to competitors; the leaked content is diverse and includes a 20nm DRAM process, programs, blueprints and design drawings developed by the company. A mechanical equipment design company delivered design drawings to three equipment manufacturers, each of which manufactured some of the components that the original company then assembled. Surprisingly, the three manufacturers cooperated with each other, and imitation machines were produced the day after the ODM design drawings were delivered. Since manufacturing cannot be carried out without the original design drawings, the original company had no control once the drawings had been handed over, and could not provide proof after the event even though a non-disclosure agreement bound all parties.
Restrictions of legacy DLP systems
There are two types of DLP (Data Leakage Prevention) systems: content identification and leakage channel control. The content identification approach has the disadvantages of wrongly releasing sensitive content and wrongly blocking harmless content, of complex rule tuning (which increases management overhead) and of slower execution (since every piece of content has to be scanned). Beyond that, it is very difficult for a content identification system to protect source code and design drawings. Every program consists of identifiers, control logic, variables, constants and so on; none of these can serve as a matching condition, let alone drawings and documents (although some products claim that OCR recognition is possible...), so such systems offer only limited protection for the company's development deliverables.
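To make the point above concrete, here is an added example (not code from the original article or from any DLP product) that runs three keyword-style content-identification rules over constructed sample documents and counts true positives, false positives and false negatives per rule. The rule names, file names and code snippets are all assumptions constructed for this illustration; the aim is to show why rules built from the tokens every program shares cannot tell a proprietary file from a harmless one, and why a classification-marker rule only works when someone remembered to label the file.

```python
"""Evaluating keyword-style content-identification DLP rules against source code.

All sample documents below are constructed for this example; they are not
real company files, and the rule set is a simplified stand-in for a
commercial product's rule language.
"""
import re
from typing import Dict, List, Tuple

# --- Constructed sample documents ---------------------------------------
# A proprietary control routine (the kind of file the company wants to protect).
PROPRIETARY_SOURCE = """
int dram_refresh_interval(int temp_c) {
    int base = 7800;
    if (temp_c > 85) {
        base = base / 2;
    }
    return base;
}
"""

# A harmless textbook snippet that any developer might mail to a friend.
GENERIC_SOURCE = """
int factorial(int n) {
    int result = 1;
    for (int i = 2; i <= n; i++) {
        result = result * i;
    }
    return result;
}
"""

# A memo that carries an explicit classification marker.
MARKED_MEMO = "CONFIDENTIAL: refresh timing targets of the 20nm process node."

# Ground truth: which documents are actually company secrets.
SAMPLES: List[Tuple[str, str, bool]] = [
    ("proprietary.c", PROPRIETARY_SOURCE, True),
    ("tutorial.c", GENERIC_SOURCE, False),
    ("memo.txt", MARKED_MEMO, True),
]

# --- Rules in the style of a content-identification DLP (assumed names) ----
RULES: Dict[str, re.Pattern] = {
    # Fires only when someone remembered to label the document.
    "classification_marker": re.compile(r"\bCONFIDENTIAL\b"),
    # Tries to spot "C source code" via keywords that every C file contains.
    "c_keywords": re.compile(r"\b(int|return|if|for)\b"),
    # Tries to spot "assignment of constants", which every program has.
    "constant_assignment": re.compile(r"\b\w+\s*=\s*\d+\s*;"),
}


def matching_rules(text: str, rules: Dict[str, re.Pattern] = RULES) -> List[str]:
    """Return the names of the rules that fire on a document, in rule order."""
    return [name for name, pat in rules.items() if pat.search(text)]


def rule_metrics(samples=SAMPLES, rules=RULES) -> Dict[str, Dict[str, int]]:
    """Count true positives, false positives and false negatives per rule."""
    metrics = {name: {"tp": 0, "fp": 0, "fn": 0} for name in rules}
    for _, text, is_secret in samples:
        fired = set(matching_rules(text, rules))
        for name in rules:
            if name in fired and is_secret:
                metrics[name]["tp"] += 1
            elif name in fired and not is_secret:
                metrics[name]["fp"] += 1
            elif name not in fired and is_secret:
                metrics[name]["fn"] += 1
    return metrics


def discriminates(name: str, samples=SAMPLES, rules=RULES) -> bool:
    """True if the rule gives a different verdict for the proprietary file
    than for the generic tutorial file, i.e. it can actually separate them."""
    hits = {fname: rules[name].search(text) is not None for fname, text, _ in samples}
    return hits["proprietary.c"] != hits["tutorial.c"]


if __name__ == "__main__":
    for fname, text, is_secret in SAMPLES:
        print(f"{fname:15} secret={is_secret!s:5} fired={matching_rules(text)}")
    for name, m in rule_metrics().items():
        print(f"{name:22} tp={m['tp']} fp={m['fp']} fn={m['fn']} "
              f"separates the two code files: {discriminates(name)}")
```

Running it shows the two code-structure rules firing on both C files alike (one true positive, one false positive each) while missing the memo, and the marker rule catching only the labelled memo while missing the unlabelled source file; none of the three rules separates the proprietary file from the tutorial file.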
How well does DRM perform?
Compared with other data security systems, a DRM system focuses on controlling access to files. Encrypting files and controlling access to them effectively prevents unauthorized personnel from using their contents, and DRM fits most office application scenarios. Research and development work, however, which relies on an IDE (integrated development environment) or a CAD/CAM system, is not that simple. Generally speaking, to perform encryption and access control the DRM program is tightly coupled to the application (such as Word) and to its file formats, so the DRM program itself is constrained by the host application: after the application is upgraded, for example, the DRM program may no longer support it. The situation is more complicated with an IDE. Several different editors may be used to edit program code; the files involved come in multiple formats and include resource files and project files; and versions are uploaded to an SVN server, and so on. CAD/CAM involves sub-drawings, component drawings, samples and more. Unless the native tool vendor provides a protection scheme, it is not easy to support such third-party elements properly.
Problems that may be faced in promoting source code development environment protection
Based on many years' experience promoting data security, data security is never purely a technical problem but one of human behavior and business management. When evaluating a source code development environment protection scheme, the obstacles that may be encountered should be considered first:
- Appropriate tool: the solution's tooling should be assessed as described above.
- Work impact: first, colleagues' work habits may be changed in a forced manner; inappropriate process changes or excessively strict restrictions can hurt productivity. Second, flexibility in work may be lost, which can stifle innovation. Very likely, the CSO will face strong resistance.
- Declining trust in the company: colleagues may feel monitored, controlled and treated as suspects. If trust in the company declines, the risk of staff turnover rises.
- Ignored bugs make program developers more likely to challenge the controls: don't forget that program developers of course have some know-how and a mentality of challenging things (otherwise, how could they be qualified for R&D?). I believe it will not be difficult for them to develop some tool to bypass certain controls and restrictions. Is the evaluated tool still effective then?
- Judging the scope of application: which departments and business units should be managed? For some businesses of a specific nature, drawings and pictures are trade secrets. For some online games, scripts as well as program code are trade secrets.
- Use by external partners: in many scenarios original documents must be provided to partners, and it is expected that these documents remain protected to some extent while in circulation. Since the partners are not the company, the operational inconvenience caused by control and protection measures may affect their willingness to cooperate.
The company's expectation of protecting the deliverables it has invested in must rest on good reasons, an aboveboard policy statement and appropriate communication with colleagues. Although the difficulty does not lie entirely in the tool, the management complexity and personnel resistance mentioned above can be reduced if the chosen solution is appropriate.