The idea of implementing an Enterprise 2.0 strategy appeals to many organizations that are trying to be more agile. But with it come security concerns that need to be addressed with strategies that don't remove the benefits derived from Enterprise 2.0 collaboration. Here's a look at how to do that.
From Web 2.0 to Enterprise 2.0
Facebook, YouTube, MySpace, Google Docs, Dropbox and SkyDrive are just a few of the many Web 2.0 sites that have driven the internet into the mass collaborative network it is today. We all want to share our pictures, experiences and skills on the internet, and of course we are increasingly aware of the risks of doing so. Google Docs has had bugs leading to the unwarranted exposure of documents, and Facebook has been in the middle of many controversies around the leaking of information. Who actually owns this content? Facebook? You?
So what about content in the Enterprise 2.0 environment? Now I need to ensure my Q4 financial reports are safe and not disclosed. It is about having control over the patient records stored in an Excel spreadsheet and then lost on a USB drive dropped in the street.
As E2.0 brings web 2.0 into the enterprise it runs directly into the issues of security, compliance and regulation. It's a big challenge and a big contradiction. The business wants to use all these amazing new ways to share content, but the same business also needs to ensure that only the right people can get access to it.
And What About the Cloud?
Then there is the cloud. Cloud, cloud, cloud, it's on every webcast, in every article. The cloud has many advantages. Why wouldn't you want to outsource all your costs of network management, storage, system administration? The cloud makes perfect sense but has one massive concern... security. Wouldn't it be nice if someone else could host your content, provide the search functionality, upgrade the systems, manage backups and the network access and yet you could have persistent control over the actual information itself?
Is This Really a Problem?
Absolutely; the evidence is growing all the time. GM just had two ex-employees copy 40 million dollars' worth of hybrid research documents and take them to a competing Chinese car manufacturer. Microsoft lost a PowerPoint presentation with details of their Windows 8 roadmap. The healthcare industry, worldwide, is constantly having to report lost and stolen laptops and storage devices littered with documents and emails containing private health information (PHI).
There are some public websites tracking known data breach incidents. www.datalossdb.org lists all publicly known data loss incidents, and wikileaks.org actually makes information public itself. Some blogs focus on a particular industry, such as phiprivacy.net, which comments on the challenges of the health care industry.
This is a trend that is not slowing down. More and more technologies and platforms are being invented to create, share and access a wide variety of information.
Location, Location, Location... Chasing the Security Perimeter
Securing Information by Location
Technology is available to help address these challenges, but unfortunately right now it is short-sighted and focuses mainly on location: applying security at the place where the information resides, whether on a hard disk, on a USB key or in transit on a network.
The problem with this approach is that you end up having to secure many, many locations. Each time a new location where this information can live is identified, another product is bought and deployed to encrypt it. This is a constant and costly battle. How many products are you going to end up buying and maintaining?
What About Places Where Encryption Cannot Be Applied?
What about burning a file to a CD/DVD, copying it to a USB key that has no encryption support, copying files onto an external hard drive, or onto a network repository? Many are deploying Data Loss Prevention (DLP) technologies to address this, and while DLP is excellent at discovering and monitoring the storage and movement of sensitive information, its end result is to block the email you are trying to send, delete or quarantine the file you've just copied onto the network, or stop you from using USB ports or burning DVDs.
In addition, DLP policies take effect at a point in time, so if circumstances change later, you may still wind up with security breaches.
Applying Control to Devices Isn’t Good Enough
Another problem is that all these technologies require that you can apply control to a device. Take for example the use of hard disk encryption. What about when you want to share information with a partnering company? Do you mandate that they install the same hard disk encryption you've used? Who pays for that? What if they already use hard disk encryption, but it isn't strong enough to meet the regulation you are required to comply with?