Failure to share information and work collaboratively can cripple a business
Collaborative working and information is needed to keep a business working, although security has to be built in.
At the Field Fisher Waterhouse security forum, the concept of collaborative working was debated among speakers and delegates.
Paul Vincent, global head of security architecture and design at Lloyds Banking Group, said that information is needed to keep the business working and if you stop the data flowing, "it will not be long before you are crippled beyond repair".
He recommended four approaches: to produce a guidance for secure collaborative sharing and have a good way of sharing data; to roll out technology solutions that don't end up not being used; integrate solutions into the IT landscape; or take an attitude that "collaboration is data leakage and must be prevented at all costs". He said that this is for companies with no solution in place.
He said: “At our business we do not allow webmail access or USB sticks and we have to use a VPN to share data, but this means that from a security perspective, data is not going anywhere but the business is able to function.”
Vincent recommended that to secure information look at network administrator control; to secure applications look at creating a secure workspace; and to secure data look at digital rights management.
However he said that technology is not mature enough yet, but it was getting to a tipping point and the challenge is how to integrate security capability with products.
He said: “The smart companies have a strategy and deliver to it. You need a good guarantee to share data and if people do not work within the security controls, they get fired.
“Have good governance and decide on your approach to collaboration and have a business unit to determine risk. A federated model is good, but it needs control. It is also good if security and innovation are tied up together on this.”
Stewart Room, partner at Field Fisher Waterhouse, said that the objectives of sharing are in realising agility and productivity in business, and the need to make sure it is done securely. “This is a trust issue fundamentally, it is also worth looking at Intralinks' concept of un-sharing and ISO 27010,” he said.
Earlier in the day, Richard Anstey, CTO EMEA of Intralinks, said that "Generation Y have a different notion of what it means to share" and that this has changed the notion of securing the boundary and the firewall and network, to protecting the information itself.
He highlighted a customer who had used Intralinks' technology to protect intellectual property and work better with third parties. “With users, you have to have ease-of-use and simplicity as if the product is incomprehensible, users will use their own tools,” he said.
“It must also be auditable and secured so you know what is going on and search for data over time. Where will your data be in five to ten years' time?”
Ian Bryant, technical director of the UK Trustworthy Software Initiative, encouraged the creation of a ‘trust circle' when it comes to the management of sharing information, in order to determine a community who can use the data and a ‘trust master' who has overall responsibility.
Asked if that trust master should be a regulator, Bryant said that this is not really the case, but it could be a data protection officer or someone who understands how to work with data.