The idea of implementing an Enterprise 2.0 strategy appeals to many organizations who are trying to be more agile. But with it comes security concerns that need to be addressed with strategies that don't remove the benefits derived from Enterprise 2.0 collaboration. Here's a look at how to do that.
From Web 2.0 to Enterprise 2.0
Facebook, YouTube, MySpace, Google Docs, Dropbox, Skydrive are just a few of the many web 2.0 sites that have driven the internet into the mass collaborative network it is today. We all want to share our pictures, experiences and skills on the internet and of course more and more we are aware of the risks of doing so. Google Docs have had bugs leading to the unwarranted exposure of documents, Facebook has been in the middle of many controversies around the leaking of information. Who actually owns this content? Facebook? You?
So what about content in the enterprise 2.0 environment? Now I need to ensure my Q4 financial reports are safe and not disclosed. It is about having control over the patient records stored in an Excel spreadsheet and then lost on a USB drive dropped in the street.
As E2.0 brings web 2.0 into the enterprise it runs directly into the issues of security, compliance and regulation. It's a big challenge and a big contradiction. The business wants to use all these amazing new ways to share content, but the same business also needs to ensure that only the right people can get access to it.
And What About the Cloud?
Then there is the cloud. Cloud, cloud, cloud, it's on every webcast, in every article. The cloud has many advantages. Why wouldn't you want to outsource all your costs of network management, storage, system administration? The cloud makes perfect sense but has one massive concern... security. Wouldn't it be nice if someone else could host your content, provide the search functionality, upgrade the systems, manage backups and the network access and yet you could have persistent control over the actual information itself?
Is This Really a Problem?
Absolutely, the evidence is growing all the time. GM just had two ex-employee's copy 40 million dollars of hybrid research documents and take them to a competitive Chinese car manufacturer. Microsoft lost a PowerPoint presentation with details of their Windows 8 roadmap. The healthcare industry, worldwide, is constantly having to report lost and stolen laptops and storage devices littered with documents and emails containing private health information (PHI).
There are some public websites tracking known data breach incidents. www.datalossdb.org is a list of all known public data loss incidents, wikileaks.org actually makes information public themselves. Some blogs focus on a particular industry such as phiprivacy.net which comments on the challenges of the health care industry.
This is a trend that is not slowing down. More and more technologies and platforms are being invented to create, share and access a wide variety of information.
Location, Location, Location... Chasing the Security Perimeter
Securing Information by Location
Technology is available to help address these challenges but unfortunately right now it's short sighted and mainly focusing on location. Applying security at the place where the information resides, either on a hard disk, on a USB key or in transfer on a network.
The problem with this approach is you end up having to secure many, many locations. Each time a location where this information can live is found, a product is bought and implemented to encrypt it. Each location they identify, a product is purchased and deployed. But this is a constant and costly battle. How many products are you going to end up buying and maintaining?
What About Places Where Encryption Cannot Not Be Applied?
Burning a file to a CD/DVD? Copying to a USB key that has no encryption support, copying files onto an external hard drive, or onto a network repository... Many are deploying Data Loss Prevention (DLP) technologies to address this and while DLP is excellent at discovering and monitoring for the storage and movement of sensitive information, its end result is to block the email you are trying to send, delete/quarantine the file you've just copied onto the network or stop you from using USB ports or burning DVD's.
In addition, DLP policies have effect at a point in time, so if things change, you may still wind up with security breaches.
Applying Control to Devices Isn’t Good Enough
Another problem is all these technologies require you can apply control to a device. Take for example the use of hard disk encryption. What about when you want to share information with a partnering company? Do you mandate they install the same hard disk encryption you've used? Who pays for that? What if they already use a hard disk encryption, but it's not using strong enough encryption to meet the regulation you are enforced to comply with?
What is needed is a security solution that allows you to confidentially share information beyond your existing networks and security perimeters whilst having persistent and total control over who can access that information, at anytime and be able to change this access whenever you want.
IRM: Body Guards for Your Most Sensitive Information
Fortunately a technology exists and instead of using encryption and access control at the location, it moves this control to the document itself. Information Rights Management (IRM), or sometimes called Enterprise Digital Rights Management (EDRM), uses encryption to protect the file when it is sat on a hard disk or in a file repository and then has access controls to only allow authorized users to open the document.
Not The Same as PGP
This may sound a little like PGP which also uses crypto to protect the sharing of files with users. Where IRM differs, is that it is persistent. You never decrypt the file back to its native format. Instead when you open an IRM encrypted Word document, it is always under IRM control. Based on the rights you have been given, IRM controls if you can edit the document, can you print it? Even protecting the document from screenshots and people copy and pasting the information into other documents and websites.
The Centralization of Rights
Another crucial aspect of IRM is the centralization of these rights and separating the access data from the documents and emails. To understand the importance of this, consider the following:
You have a sales document with sensitive pricing data and you share this with your 1000 strong sales force. Then 6 months later, 20% of the sales force leaves to join a competitor and you hire replacements. Also some of those sales guys were promoted to managers which gave them the ability to edit the pricing document, something you don't allow for regular sales staff.
So the rights model changes, people change roles and some people leave the company. IRM stores all this information centrally on a server where your sales VP can make simple changes. The documents only know they are confidential sales documents, there is nothing in them that defines who can access them or how. So a simple change on the server, removing the ex-employee's, adding new employees and giving the new managers the ability to print.
All of this change is applied to the documents without having to recreate a new sales pricing document and redistribute to all the members. This is a crucial factor in making sure the solution can scale, is easy to use and actually reflects the changing requirements of your business.
Additional Benefits for IRM
There are other huge benefits to using an IRM solution:
- Now you can really leverage all the advantages of content management in the cloud. You can keep all your finance spreadsheets, engineering specifications, board presentations in the cloud but own the security and control who can access these documents.
- Every single time an IRM document is opened, printed, saved, it gets audited. Now you have visibility of who is doing what and where. You even get an audit event when someone fails to open a document.
- IRM allows you to share documents in their native format. Often a legal contract in Word format will be converted to PDF simply because the legal team want to ensure the contract isn't edited. IRM now allows you to share a Word document and not only control if they can edit it, but also enforce features like change tracking so that every change in the document has been recorded.
- The security is persistent! This is huge, imagine being able to revoke access to millions of documents you've shared with a partner who has fallen out of favor? Imagine being able to deny printing to all your external consultants
Enterprise 2.0 and IRM vs Location
At a time when organizations need to ensure information is available to the right people at the right time, new technologies and strategies such as Enterprise 2.0 can make the difference between being ahead of the game or struggling to keep up.
Key to that is "the right people" with the right access. So security is crucial. Securing information by location is not effective. It's time consuming and costly. IRM is a much quicker way to address a the more immediate risk of data loss, moving the security perimeter to the document and centralizing the access control away from the information.
Follow our continuing coverage of Information Management Agility including:
- Content Management Agility for Organizational Sustainability thru GRC
- What the Past Can Teach Us About Information Management Agility
- How an ECM Strategy Supports Information Management