 The technological revolution brings challenges to the task of protecting information from loss, theft and snooping. Whether it's a legal document, design for a new prototype, bid for a contract or personnel review, revealing it can cause a company irrevocable harm. And yet, data is more exposed than ever to loss, theft and snooping with the proliferation of mobile devices and the likelihood of critical data traveling from place to place. Users have remote access via broadband and wireless connectivity, and contractors, vendors and customers, as well as employees, routinely share systems. As a result of this, data security takes on ever-greater importance.
Eminently Protectable
Within the enterprise environment, unlike the entertainment space, we have documents that are eminently protectable, given that we control both ends of the equation in terms of the systems and policies. We can determine what is run and who has access. We can monitor compliance, as well.
Of course, this all won't happen by chance. The technological revolution brings with it a complex set of security challenges. Rather than focusing on an outside perimeter defense (e.g., firewall or virus protection), the emphasis today needs to be placed on maintaining the access to and protection of the data itself.
As such, typical IT security to date has been like an M&M candy - hard on the outside, soft on the inside.
Our constant, "on-demand" mentality has exposed us to "on-demand" threats. Internet-connected attacks, in fact, have become so commonplace that CERT, the major reporting center for Internet security breaches, no longer publishes the number of annual security incidents.
To facilitate this new need for enhanced security, analysts predict that security industry revenues will boom, from an estimated $8 billion in 2003 to $14 billion by 2008.
Evolution of Risk
Fifty years ago, you might have taken a briefcase full of work papers home. A decade ago, data density had dramatically changed, and you might walk out of your employer's place of business with a hard drive or tape containing a thousand times more data.
There was no way to monitor or control what you did, but the risk was minimal because you had limited ability to play it back without expensive computing equipment whose cost was commensurate with your house. So the information was protected, in a de facto manner.
This transitioned to the telecommuting age, when people could work from home to some degree using proprietary hardware and a terminal with a dial-up line. The data, however, still resided within the enterprise. You could view it and print out some pages, but it was painful to download too much data. You had no place to put it.
Tools such as Windows allowed access to enterprise data and the ability to print and access file shares that house important documents. To protect against this vulnerability, employers installed firewalls for office and home use. With the advent of laptops, virtual private networks (VPNs) were made secure sockets layer (SSL)-compliant, which allowed the user to log into a port with a browser to access the data.
This evolution resulted in the creation of identity and access management, which allowed the enterprise to get a more detailed look at the identity of the user before giving access.
Today, data density is such that you can bring home 40 gigabytes in your pocket, in the guise of a music player. This is the equivalent of a stack of paper as high as the Empire State Building.
The enterprise knows who you are when you log in, but nothing will typically stop you from taking gigabytes of data home and making a copy on your spouse's computer or on a USB memory stick and losing it in a cab. Everything has been done about protecting the data on the network, but the data itself is unprotected.
The Worst Kind
IT security has done a very good job of eliminating external attacks, but we have continued to leave ourselves vulnerable to the worst kind of attack, which is insider attack. This doesn't even need to be malicious. It can be accidental.
VPN now exists for PDAs and other mobile platforms, with employees routinely carrying these devices with their memory sticks in their briefcases or pockets so they can work on trains and airplanes. As a result, it has been estimated that as many as 60,000 memory sticks alone were lost globally in the last six months of 2004.
The Technology Challenge
You're working on a document because your identity has been verified across the network, the document opens for you because you're you, and when you're done with it the new version is saved.
But what about three months later, once you've quit the company? You should no longer be able to open that document, and the company should be able to flag any attempt to open it. Enterprise rights management technology allows companies to do this now, so the document won't open unless you have an agent on your system that automatically downloads for you, prompts you and ubiquitously gives you access.
Enterprises today must create sets of rules about content, actions allowed and disallowed, and the consequences for executing them. They need to be able to monitor the workflow and know what's going on. Furthermore, by using analytics and monitoring the population of employees, companies should be able to predict who is going to quit so they can make provisions ahead of time.
Ultimately, once the organization implements a system like this, departed or disgruntled employees will be unable to take anything useful with them.
Similarly, policies must be established and converted into actions that will prevent critical information from passing from one department to another, saving companies from embarrassment or worse.
Even though human resources may have access to the next set of salary increases or layoffs, for example, standards need to be in place to stop the document from going any further. Enterprise rights management and related technologies can do all this, and more.
If You Were a Carpenter
If you're a carpenter, you own your own hammer and you take it with you when you leave a job. Yet, if you are an information or knowledge worker in a special domain and you have developed an expertise in your job that will make you valuable in your career, why should you be expected to give up the "repository of knowledge" that you have accumulated?
Our culture says that knowledge is power and stripping you of your tools may be no different than demanding that the carpenter leave his hammer behind.
The company may or may not believe that taking that data with you will cost it money, or give an unfair competitive advantage to your new employer, but it feels justified in locking you out from the data because it paid you for your efforts and so own the goods.
Fair or not, the scale seems to be balanced more and more in the employer's favor. Citing the enforcement of its fiduciary responsibility to investors, organizations are putting into place practices and policies that are intended to enforce intellectual property rights.
Some have developed exit policies that, when properly deployed, will literally pull the plug on the employee by virtually clicking the "OK" box in some exit interview menus, which can propagate throughout the system and cause all of the documents to stop working.
Security solutions, as discussed, are obviously about more than technology. Any sound data security practice must:
• Establish a monitoring and enforcement policy - This entails controlling access to systems, networks and content.
• Evaluate the value of the asset being protected - A security investment must be predicated on the value of the asset at risk.
• Incorporate security solutions that are transparent - An organization doesn't want to stand in the way of an employee who is taking a memory stick home to finish a document. It does, however, want to form obstacles to any inappropriate or unauthorized individuals.
• View security as a process, rather than a product - The emphasis needs to be on planning, in terms of the needs and practices of the business, rather than on buying software.
Employees must be reminded of the organization's intellectual property policy not only on the days they arrive and leave, but as a part of their daily lives. This won't necessarily prevent people from stealing, but it will stop them from accidentally accumulating data and then feeling nostalgic in their ownership of it.
Out for Good
We can't put the genie back in the bottle. People have the ability to move gigabytes of data and store them, and enterprises want employees to have the flexibility to work remotely, to work using their own computers and to be responsible for their own data backups.
Nobody wants to search an employee's home computer hard drive the day he resigns; this would be intrusive, and there are so many devices a person can store things on that it may be impossible to find it all, anyway.
We can, however, use enterprise rights management and encryption technologies to lock down all the confidential documents he has brought home so they won't open. If we do just that, we'll be shutting down a security leak that is decades old.
Richard LeVine is a senior manager with Accenture's Global Architecture and Core Technology Security Practice. He can be reached at r
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
|
