
ELN

ScientificComputing.com 16 March/April 2011

Balance should be maintained over the life of the system

The ELN Security Conundrum

Michael H. Elliott

In February of this year, a scientist at Dow Chemical’s Plaquemine, LA, plant was convicted of stealing polymer development records he obtained during the course of his 27-year employment and selling them in China.[1] This case was on the heels of another situation at Dow, where a scientist in the agrosciences division in Indiana was arrested on charges of trying to develop products in China based on the company’s trade secrets.[2]

In 2009, a technical director at Valspar walked away with 44 gigabytes worth of confidential data, attempting to take it to his new job in China. The defendant, who eventually pleaded guilty, had electronic records in his pocket worth up to 20 million dollars, according to the U.S. Attorney. He accessed records on raw materials, formulations, product research and marketing via the company’s corporate network and simply copied them to thumb drives and walked out the door.[3]

In 2007, a scientist at DuPont pleaded guilty to downloading 22,000 confidential documents from the company’s electronic data library. He planned to take the files with him to his new company. He was able to access and download the records despite the fact that many of these records were outside the scientist’s research field and included new emerging technologies. Only after he left the company was the unusual volume of downloads detected.[4]

For many years, information security was primarily concerned with avoiding system and network breaches by outside hackers. But now, the number of criminal cases where internal employees are stealing intellectual property is increasing.[5] Companies like Valspar, Dow and DuPont were lucky. They found the security breaks before any resulting financial damage. But, how many other companies are experiencing thefts of trade secrets, but do not even know it is occurring?

This trend is a conundrum for electronic notebook technology (ELN). In R&D, ELN is all about creating a searchable repository of experimental data and information. Users need access to gain the operational benefits of knowledge sharing and collaboration — something that was near impossible in the days of the paper notebook. If an ELN is completely locked down to avoid the rare instance where one or two “bad apples” could steal records, the larger organization would be handcuffed, increasing R&D cycle times and diminishing innovation. There must be a balance between the needs of the researchers and maintaining corporate confidentiality.

ELN PRODUCT SECURITY

First, a bit about security controls in commercial ELN products. Most of the major commercial products operate on a folder-based security paradigm, similar to Microsoft Windows. Default security (read, write, modification, delete) is set at the root folder of a notebook, project, study or experiment with assignments to users and/or groups. Supporting inheritance, rights will cascade down to new folders and entities underneath the root, but can be modified. For example, a team can have access to view data for a project, but only select individuals, such as scientists working on a particular experiment, can post data to that experiment. Once approved and locked down via the electronic signature workflow, these records can be made available to a wider audience, such as all of R&D. Until a user has rights to view a record, it generally will not appear in that user’s search results.
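The folder model described above, written out as an added example (not taken from the article or from any ELN product): rights set on a folder are inherited by everything beneath it, a more specific entry overrides the inherited one, and search leaves out records the user cannot read. The class and function names, the principals and the sample hierarchy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    """A notebook, project, study or experiment folder (hypothetical model)."""
    name: str
    parent: Optional["Node"] = None
    acl: dict = field(default_factory=dict)   # principal -> rights set explicitly here
    locked: bool = False                      # True once signed off and locked

def effective_rights(node, user, groups):
    """Nearest explicit ACL entry per principal wins; otherwise inherit from above."""
    resolved = {}
    cur = node
    while cur is not None:
        for principal in {user, *groups}:
            if principal in cur.acl and principal not in resolved:
                resolved[principal] = cur.acl[principal]
        cur = cur.parent
    rights = set().union(*resolved.values())
    # A locked record is read-only for everyone who can see it.
    return rights & {"read"} if node.locked else rights

def publish(node, audience):
    """Model of sign-off: lock the record and open read access to a wider group."""
    node.locked = True
    node.acl[audience] = {"read"}

def search(nodes, term, user, groups):
    """Records the user cannot read are left out of the result list entirely."""
    return [n.name for n in nodes
            if term.lower() in n.name.lower()
            and "read" in effective_rights(n, user, groups)]

# Constructed sample hierarchy: the team can view the project, alice posts to
# experiment 1, and experiment 2 overrides the inherited team right with none.
project = Node("Polymer project", acl={"team-x": {"read"}})
exp1 = Node("Experiment 1", project, acl={"alice": {"read", "write"}})
exp2 = Node("Experiment 2", project, acl={"team-x": set(), "bob": {"read", "write"}})
RECORDS = [project, exp1, exp2]

if __name__ == "__main__":
    print(search(RECORDS, "experiment", "carol", {"team-x"}))
    publish(exp1, "rnd")
    print(search(RECORDS, "experiment", "dave", {"rnd"}))
```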

A small minority of suppliers take restrictions a step further, down to the section level of an experiment. Sections are blocks of data and/or text, like a graphical chemical reaction, list of materials and reagents, or the procedure of an experiment. If this is enabled, one user could complete a portion of an experiment while being able to only view the results of another who has completed another portion. In at least two systems, data views can be set so that only summary results can be exposed, shielding the details of the underlying raw data.

Most products integrate with Active Directory, so usernames and passwords can be the same as what are used for logging into the corporate network. Products commonly operate on a role/privilege basis, so users and the groups they belong to have to be defined in the system. Privileges are assigned to roles, and roles are assigned to groups to define the functions in the system users are allowed to access. You do not want every user to have a role of a system administrator. Audit trails will record the who, what and when of data entry or modification, though many lack the capability to alert an administrator of aberrant volumes of data downloading.
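An added example, not from the article or any vendor, of the alerting that the paragraph above says many audit trails lack: count each user’s downloads per day from the audit trail and flag a day that far exceeds that user’s own history. The CSV layout, the DOWNLOAD action name and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed audit trail: timestamp, user, action, record id (not real data)."""
    rows = []
    for day, n_alice, n_bob in [(1, 4, 3), (2, 5, 4), (3, 3, 5), (4, 4, 4), (5, 5, 60)]:
        for user, n in (("alice", n_alice), ("bob", n_bob)):
            rows += [f"2011-03-0{day}T09:{i:02d}:00,{user},DOWNLOAD,EXP-{day}{i:03d}"
                     for i in range(n)]
        rows.append(f"2011-03-0{day}T10:00:00,alice,MODIFY,EXP-0001")
    return "\n".join(rows)

def daily_downloads(audit_csv):
    """Return {user: {date: number of DOWNLOAD events}}; other actions are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _record in csv.reader(io.StringIO(audit_csv)):
        if action == "DOWNLOAD":
            counts[user][ts[:10]] += 1
    return counts

def aberrant_days(audit_csv, factor=5, floor=20, min_history=3):
    """Flag days where a user's downloads exceed factor x their median earlier day.

    floor keeps low-volume users from alerting on small jumps; min_history avoids
    judging a user before there is a baseline. Days with no downloads do not
    appear in the audit trail and so are not part of the baseline.
    """
    alerts = []
    for user, per_day in daily_downloads(audit_csv).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            threshold = max(floor, factor * median(history))
            if per_day[day] > threshold:
                alerts.append((user, day, per_day[day], threshold))
    return alerts

if __name__ == "__main__":
    for user, day, count, threshold in aberrant_days(build_sample()):
        print(f"ALERT {user} downloaded {count} records on {day} (threshold {threshold})")
```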

The robustness of the security controls in an ELN is rarely an issue. It is often the policies — or lack thereof — that either keep users from accessing data when they should be able to, or that are set to provide data access that is too open. Again, it is about striking a balance. We have seen installations where department managers set the security with no consistency across groups. Some managers, feeling that the ELN data from the department is “theirs,” restrict any group from searching studies and will only provide summary PowerPoint presentations. This is completely counter to the philosophy of knowledge sharing. But, we also have witnessed systems that were so open, anyone could access details, such as the chemical reaction design for a new product. Some information is on a need-to-know basis and should be defined by the system security policy. For example, does a pharmacologist need to know the details of the reaction?

Governance is vital to define system-wide security policies. Without a governance model set by management about who should access what, users search the system either expecting to find something and cannot, or they duplicate work, since they did not know the data actually exists. Or, they provide opportunities for the unscrupulous employee to download and depart with confidential data.

ISO 27000 SERIES

A starting point for defining a comprehensive approach to system security is the ISO/IEC 27001:2005 Information Technology - Specification for an Information Security Management System,[6] which specifies requirements for the definition, deployment, monitoring and review of a security management system. An Information Security Management System (ISMS) is an organized framework of policies, procedures and physical security controls. This is a cyclical Plan, Do, Act, Check process that is illustrated in Figure 1. Part of the 27000 series of information technology standards, 27001 is used in conjunction with ISO/IEC 27002 Information technology - Security techniques - Code of Practice for Information Security Management. The 27002 framework is intended to impart best practices, rather than to serve as a prescriptive series of absolute requirements, and is scheduled for updating in 2011 to 2012.

Figure 1: Cyclical process for ISMS

In a more detailed view shown in Figure 2, the process progresses from risk analysis through to audits and change control. The first swimlane of tasks is an approach of risk analysis to analyze the potential impact of security breaches. The second lane is for the development of the ISMS program, creation/modification of security policies and procedures, training personnel, and deploying across the defined scope. Lastly, security is audited to ensure compliance with modifications to procedures and take corrective actions.

Figure 2: Process for creation of an information security management system

Risk management is based on ISO/IEC 27005:2008 Information security risk management. 27005:2008 is a process to identify at-risk assets, potential threats, vulnerabilities and consequences. As shown in Figure 3, the likelihood of security threats to the at-risk assets is compared with the impact, or the consequences, of the threat actually occurring. The top right portion of the diagram is the area of most concern. For example, if a chemistry ELN containing all the structures of a potentially marketable new drug has lax security controls, then the impact to your business can be quite high if the data are stolen. Risk assessment should be continual and not a one-time event, as the nature of vulnerabilities and business value changes over time.

Figure 3: Risk assessment drives security decisions

Not every ELN installation will require a comprehensive ISMS. For some, the system is isolated to a small group. For others operating in an academic environment, a completely open system could be warranted. It all depends on your risk assessment about how far you need to go. A company with millions of dollars of IP and/or one that allows system access to offshore contract research organizations cannot be too safe.

DIGITAL LOSS PREVENTION

For those who have a low risk tolerance and want a comprehensive solution, there are technologies that can be used in conjunction with ELN to prevent copying data to removable media or sending data via e-mail. One such technology is Digital Loss Prevention or DLP. DLP, a fast-growing technology segment served by vendors such as Symantec, EMC and McAfee, is a tool for information asset inventory, monitoring and protection across networks and systems. It is designed to restrict access to confidential information and detect unauthorized use. DLP can simplify the multitude of security options available to protect intellectual property, and there is no reason it cannot be more tightly integrated with commercial ELN offerings in the future. The potential for DLP in the R&D space is significant, though at the current time it is more widely used in markets like finance.

There are two general concepts employed in DLP. The first is a complete inspection of content using techniques like Bayesian analysis and machine learning to discover structured data in a database or unstructured files (e.g. spreadsheets, images, PowerPoint, etcetera) anywhere across the enterprise. This creates an inventory of all records, and policies can identify the most sensitive records at risk. DLP will inspect content as it flows through the enterprise and track how it is being used, enabling a corporate-wide visibility into data utilization. The second concept is contextual analysis: monitoring those sending files and those receiving files, which provides visibility into policy violations.

There are at least two major categories of DLP technology: network and host-based. In a network system, DLP analyzes network traffic looking for unusual patterns or uses of information by persons not granted specific rights. Based on policies defined for users or groups, data access can be blocked (or alerts logged) from anywhere on the network. Host-based DLP works in a similar way, but also can block access to specific devices. For example, a user of ELN is not authorized to use a thumb drive to offload data. Or, if access is allowed, the user credentials and record descriptors of what was downloaded are logged and an alert is sent to an administrator. Files also can be prevented from being distributed via e-mail or instant messaging.

Some products go a step further than just examining and indexing information assets. They can automatically classify records based on a set of business rules, scanning contents for keywords defined in a policy. For example, a record may contain metadata that indicates it is associated with an as-yet-to-be-patented compound. The system can automatically designate the record as confidential, restricting access to only those on the compound’s project team or their management. The system will log, and alert management to, those who try to access those records — regardless of source — if they are not associated with that specific team.
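The rule-driven classification described above, as an added example that is not from the article or from any DLP product: a policy of keyword and metadata rules labels a record, and an access request from outside the project team is refused and recorded as an alert. The rule format, the metadata keys (patent_status, project) and the sample records are assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One business rule: every listed condition must hold for the rule to fire."""
    label: str
    keywords: tuple = ()                          # whole words or phrases in the text
    metadata: dict = field(default_factory=dict)  # metadata key -> required value

    def matches(self, record):
        text = record["text"].lower()
        words_ok = all(re.search(rf"\b{re.escape(k.lower())}\b", text)
                       for k in self.keywords)
        meta_ok = all(record["metadata"].get(k) == v
                      for k, v in self.metadata.items())
        return words_ok and meta_ok

# Hypothetical policy: the first matching rule wins, the default label is "internal".
POLICY = [
    Rule("confidential", metadata={"patent_status": "not filed"}),
    Rule("confidential", keywords=("invention disclosure",)),
]

def classify(record, policy=POLICY):
    return next((r.label for r in policy if r.matches(record)), "internal")

def request_access(user, record, team_members, alerts, policy=POLICY):
    """Confidential records go only to the project team or its management;
    every refused request is appended to alerts for an administrator."""
    label = classify(record, policy)
    team = team_members.get(record["metadata"]["project"], set())
    allowed = label != "confidential" or user in team
    if not allowed:
        alerts.append({"user": user, "record": record["id"], "label": label})
    return allowed

# Constructed sample data
TEAMS = {"CMPD-17": {"alice", "mgr_lee"}}
REC_A = {"id": "EXP-3001", "text": "Scale-up of route B for the lead compound.",
         "metadata": {"project": "CMPD-17", "patent_status": "not filed"}}
REC_B = {"id": "EXP-3002", "text": "Calibration of the balance in lab 4.",
         "metadata": {"project": "FACILITIES", "patent_status": "n/a"}}
```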

At least one product can identify content copied and pasted from one document to another with what is called Indexed Document Matching. For example, an employee who is going to leave the company accesses ELN records on the screen, but they are not allowed to download the files. They copy and paste contents from the experiment page to a Word document to e-mail those records to their personal e-mail account. Through the scanning process, this activity is detected with a link to the original source record.
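An added example of how pasted content can be traced back to its source record. It uses k-word shingle fingerprints, a common general technique chosen here as an assumption; it is not the algorithm of the product the article refers to, and the record ids and texts are constructed.

```python
import hashlib
import re
from collections import Counter

def shingles(text, k=5):
    """Hash every run of k consecutive words, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}

class FingerprintIndex:
    """Maps shingle hashes to the records they came from.

    Only hashes are stored, so the index itself does not hold the record text.
    """
    def __init__(self, k=5):
        self.k = k
        self.by_hash = {}

    def add(self, record_id, text):
        for h in shingles(text, self.k):
            self.by_hash.setdefault(h, set()).add(record_id)

    def match(self, outgoing_text, min_shared=3):
        """Return {record_id: shared shingle count} for likely source records."""
        shared = Counter()
        for h in shingles(outgoing_text, self.k):
            shared.update(self.by_hash.get(h, ()))
        return {rid: n for rid, n in shared.items() if n >= min_shared}

# Constructed sample records and outgoing documents
INDEX = FingerprintIndex()
INDEX.add("EXP-1042", "Charge the reactor with 250 mL of toluene and heat to 80 C "
                      "under nitrogen. Add the catalyst solution dropwise over 30 "
                      "minutes, then hold for 4 hours before quenching with methanol.")
INDEX.add("EXP-2001", "Dilute the stock buffer to 50 mM and adjust the pH to 7.4 "
                      "before running the binding assay at room temperature.")
# One sentence pasted into an e-mail, with case and punctuation changed
PASTED = ("Hi, notes for next week. ADD THE CATALYST solution dropwise over 30 "
          "minutes; then hold for 4 hours before quenching with methanol. See you soon.")
UNRELATED = "Lunch on Friday? I will book a table for four at noon."

if __name__ == "__main__":
    print(INDEX.match(PASTED))
    print(INDEX.match(UNRELATED))
```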

Security risks are increasing daily, and not just from external hackers attempting to steal your intellectual property. There may be, in rare instances, a devious employee who is looking for personal gain. But, fear of what might happen should not prevent the deployment of ELN, as the advantages are many. A balance should be maintained over the life of the system through an information security management system, which defines and maintains policies and procedures. For those who are very risk-averse, evaluation of additional controls through tools like DLP might be warranted.

REFERENCES

1. www.justice.gov/opa/pr/2011/February/11-crm-156.html

2. www.justice.gov/criminal/cybercrime/huangChar.pdf

3. www.justice.gov/usao/iln/pr/chicago/2010/pr1208_01.pdf

4. www.pcworld.com/article/129116/scientist_admits_stealing_valuable_trade_secrets.html

5. www.nytimes.com/2011/02/08/business/global/08bribe.html

6. http://www.iso.org

Michael Elliott is CEO, Atrium Research & Consulting. He may be reached at editor@ScientificComputing.com.
