You may be in control of all within the perimeter of corporate security, but when data leaves that safe haven, information rights management is essential, argues Paul Boichat, security partner at Deloitte.
Controlling access to the most sensitive information and data in an organisation is an age-old problem with a trusted technical solution, but is it fit for purpose in today's environment?
Protecting intellectual property rights (IPR), business data and our IT infrastructure has always been the core job of any IT security team. In response to the challenge, we have developed a well-known and accepted solution – within any enterprise, there will be a vast array of firewalls, network monitoring and perimeter protection to keep intruders out and our data safe.
In comparison to the almost constant state of revolution and invention within other areas of IT, this 'sealed perimeter' model is remarkably mature and constant. It is an absolute expectation that any size of business (or even home) will have a level of perimeter firewall protection; a good proportion of an IT security syllabus will focus on network security and a CISO never needs to show a return on a business case to install a firewall.
By age, ubiquity or any other metric of success, this model could be considered a winner among other IT solutions and every day it protects the bulk of our IT lives, but does this security model still fit the way businesses need to work? Recent concerns with third-party data usage highlight a problem with the traditional perimeter: how do you control, monitor and manage information that legitimately needs to leave the security of your internal IT network? While data is stored within your company, you can be confident that your investment in firewalls, network security and trusted IT security professionals will keep it safe and out of the news.
For top-secret R&D output, at one extreme, or the more banal internal corporate newsletter, at the other, the safety of your network might be the only home necessary for the data, but for anything other than the most secret or benign, that is not likely to be the case. Whether it's financial reporting, customer data, M&A documents or the latest business strategy, there are many reasons an employee might need to email or transport sensitive data to third parties, outside of your perimeter and control.
Too often, the default response to this has been to further tighten the perimeter, to see this as data leakage that needs to be prevented or, worse, to take a hands-off attitude – 'outside is not my problem'.
That response no longer fits the way organisations need to work.
Every day, the data that we produce is legitimately sent to third parties from each department within an organisation in hundreds of different ways. These are not strategic partnerships that your IT security team can manage with a secure connection or point-to-point solution. It is ad hoc business collaboration, the thousands of small daily interactions between your employees and the people they work with: when your lawyer sends a document to another legal team for review during the latest acquisition process; when a sales manager emails an account plan to her own private email address so that she can continue to work from home; when the marketing team sends customer data to a creative agency to run a campaign; or when the CFO emails financial data to trusted third parties in preparation for the quarterly results' conference call. All are legitimate reasons for data to cross the perimeter.
Once the data is attached and sent out in an email, your internal IT security team cannot monitor what is going to happen to that data. Unfortunately, the lack of control doesn't translate to a lack of risk. How will the third-party lawyer secure the M&A document within its network or document repository? What will the sales manager do with the account plan when she leaves the organisation? How will the creative agency control access to customer data forever outside your control? And will journalists be able to access embargoed quarterly results? While not as immediately obvious as the direct commercial risk of losing precious R&D data, each eventuality relies on the processes, security awareness and goodwill of third parties to prevent reputational, IPR and financial risk – risk that could expose the organisation to huge loss, financial or reputational, and which is entirely dependent on someone outside of its perimeter.
If an IT security education programme has been rolled out before the send button is clicked, the employee may think about the implications of their actions. Perhaps the customer data should be encrypted? They may password-protect the file and remember not to include the password in the same email. They may courier the DVD, rather than trusting it to the ordinary post. They may add a disclaimer to the bottom of the email, or request assurances from the other party that they will only use the data internally and for the intended purpose – but is it enough to trust that the third party will maintain the same high standards of care for your data?
In recent examples of high-profile data loss and in the thousands of unreported data leakage incidents, we are seeing the consequences of not managing access rights to information produced securely in an organisation but now, legitimately, in the control of third parties.
Of course, any security breach or malicious action is not directly your responsibility, but whether it is your customer data exposed or your financial data leaked, the reputational damage can be just as large as if it were your fault.
A modern security approach needs to reflect this open business model. Recognising that data will and should move across the firewall in a managed and secure way is key to regaining control over data loss risk. Recognising that it is not appropriate to rely on third parties to manage that risk for you and owning the rights management to your data wherever it may live is a vital policy change. There are tools and processes that can be put in place to help, but too often IT security is limited to the traditional infrastructure or perimeter model, when an approach addressing the full lifecycle of the data, inside and outside the organisation, is essential.
A data leakage solution, a vital part of modern IT security infrastructure, will help to identify and manage these transactions as they cross the perimeter; it may help to identify unencrypted data leaving in an email. However, what if a partner inappropriately forwards the unencrypted data to other parties or prints it out and leaves it on reception?
To eliminate this risk, an information rights management (IRM) approach is needed to control the usage of and access to your data, wherever it resides. With an enterprise-wide IRM solution, the data could be protected so that only the intended recipient could access the file, with a policy in place to ensure that the document cannot be printed at any time, and even with access revoked after a predetermined period.
A focus purely on an organisation's boundary will never address the risks and problems faced by companies as data leaves the control and security of a corporate network. Modelling and implementing a complete IRM strategy is a key step to controlling and managing this risk; only when you can retain control of data, inside or outside of your IT infrastructure, can you be confident you will not be exposed by someone else's security lapses.