Security — especially cloud security — is a popular subject these days. Security is changing, but is still a fundamental practice (or should be) in all organizations.
Taking Information Out of the Caves
So why all the renewed focus? The cloud is a big reason. Another is that over the past 20 years, information has transitioned from being stored in paper format, which requires vast amounts of physical storage in servers and facilities, to digital. Years ago, an international bank stored all of its archived information in caves in the nearby hills — seriously. Now, almost everything is digital. So the cloud and the replacement of physical storage with primarily digital information located off-premises are two big changes. But what else?
Statistics on the growth of digital information abound. It is well known that organizations are being inundated with information, and have issues managing that information. The problem is out of control and, at the same time, widely ignored. We can view the business value of the proactive management of unstructured and semi-structured data as a mix of hard and soft dollars: increased productivity, reduced costs, leveraging current investments and identification of risk. Achievable? Absolutely.
Our view of digital information is also changing. It not only acts as the backbone that drives our business, but also as its currency. It is created, bought, sold and often stolen. It is a business asset that represents value.
This is where applying information governance to security gets a bit more complicated. If we accept the assumption that digital information is indeed currency, then it must be subject to the same rules and policies as any other corporate asset.
Muddying the Waters
Two of the key components of information governance are governance and policy enforcement. To successfully implement both requires extensive human involvement, from the top of the organization to the bottom. Governance is the broad umbrella that defines what needs to be governed and why. Policy is how to implement the controls that consistently improve the use, transparency, and value of the information to ensure compliance and achievement of business goals. This is what makes information governance a challenge.
Quite simply, people are the reason for success or failure.
Unfortunately, with the rapid pace of ingesting and creating content, it isn’t only the document itself that must be protected and secured, it is the source. In 2013, the value of intellectual property in the US was $329 billion in royalties and licensing. But intellectual property goes hand in hand with what organizations classify as confidential, such as engineering, new products and prototypes, financials, mergers and acquisitions, competitive strategies, and client information. This muddies the waters and makes the security challenges even greater. Communication with third parties — vendors, partners, clients — has grown phenomenally. Can all information be controlled on a "need to know" basis in this scenario?
It Only Takes One
According to Osterman Research, 95 percent of business users communicate primarily via email. Of emails sent, 98 percent include attachments. Secure? Highly doubtful. Mobile devices and BYOD have opened up a can of legal worms and put the security of confidential information at risk.
In the BYOD world, who owns the content — the owner of the device or the organization? Does the organization have the right to access the device to identify confidential information? Current court cases will decide that outcome.
Further complicating security issues is social media. As accepted in courts of law, an organization is responsible for tweets, social postings, Facebook, and instant messaging, even in end users’ personal accounts when used in the workplace. Security breaches should be an organizational priority. For some reason, this is not the case. Did you know that most breaches are caused internally, either through negligence or deliberately? Looking at the vast requirements to ensure organizational security can be an IT nightmare. And the security holes only get deeper, developing into an abyss with no escape.
Even if an organization is committed to security and protection, the applications and tools it deploys are typically applied at the perimeter level, not at the content level. And therein lies another problem. Many, if not most, security products can find PII, PHI or any standard descriptor. That’s great and what you should expect from a security vendor. But in most environments, someone has to proactively generate a report and evaluate what was found, which happens after the fact. Better late than never doesn’t work. With potentially thousands of users, it only takes one. One doesn’t matter? It does if what they do is the cause of a highly publicized data breach or litigation.
Did you know the average data breach costs an organization $3.79 million?
Secure It with Metadata Strings
Ideally, metadata strings, or concepts, defined by an organization as confidential or containing privacy data, should be identified on ingestion or creation of content. In this way, the organization can proactively deal with potential exposures before they happen, removing the document from search and routing it to a secure repository to prevent portability. This approach removes the end user from the decision making process of classifying the information as confidential, prevents deliberate breaches, and moves the content to a secure repository. It delivers not only information security but also a significant reduction in IT resources and costs, identifying all possible confidentiality infringements with minimal administrative action.
Along with these benefits, this gives the organization a method of identifying organizational risk. How many violations are there, where do they occur and how do they occur? Once the risk has been identified, the organization has the knowledge to make informed decisions on policy and enforcement.
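As an added illustration of the classify-on-ingestion approach described above (example code written for this page, not from the original article or any vendor product): a small Python ingestion step that matches organization-defined confidential concepts (the labels and patterns are hypothetical, constructed values), removes matching documents from search, routes them to a secure repository, and tallies violations by source and concept to answer the where-and-how risk questions.

```python
import re
from dataclasses import dataclass, field

# Constructed, organization-defined confidential concepts (hypothetical
# labels and metadata strings; a real deployment would load these from policy).
CONFIDENTIAL_CONCEPTS = {
    "financials": [r"\bQ[1-4]\s+forecast\b", r"\bEBITDA\b"],
    "m_and_a": [r"\bProject\s+Falcon\b", r"\bterm sheet\b"],
    "pii": [r"\b\d{3}-\d{2}-\d{4}\b"],  # US SSN-shaped string
}

@dataclass
class Document:
    source: str            # where it was ingested from: email, fileshare, ...
    text: str
    searchable: bool = True
    repository: str = "general"
    labels: list = field(default_factory=list)

def classify(doc):
    # Match every configured concept against the content at ingestion time.
    for label, patterns in CONFIDENTIAL_CONCEPTS.items():
        if any(re.search(p, doc.text, re.IGNORECASE) for p in patterns):
            doc.labels.append(label)
    return doc.labels

def ingest(doc, risk_register):
    # Quarantine on match: drop from search, route to the secure repository,
    # and record the violation by source and concept (where and how).
    if classify(doc):
        doc.searchable = False
        doc.repository = "secure"
        for label in doc.labels:
            key = (doc.source, label)
            risk_register[key] = risk_register.get(key, 0) + 1
    return doc

def risk_report(risk_register):
    # Violations sorted by source, then concept, for the policy discussion.
    return sorted((src, lbl, n) for (src, lbl), n in risk_register.items())

if __name__ == "__main__":
    register = {}
    for src, text in [  # constructed sample content
        ("email", "Attached: Q3 forecast and EBITDA bridge."),
        ("fileshare", "Lunch menu for Friday."),
        ("sharepoint", "Applicant SSN 123-45-6789 on file"),
    ]:
        ingest(Document(src, text), register)
    print(risk_report(register))
```

The end user never decides whether the content is confidential; the decision is made by the configured concepts at ingestion, and the register gives the count, location and type of each violation.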
The complexity of the security problem is far reaching and substantial. But given the right tools, organizations can protect their knowledge assets, reduce risk and resolve the challenging issues of security.