When it comes to implementing enterprise security, it is possible to take extreme steps that could cause more harm to employees and in turn the whole enterprise. Today, in most enterprises, information security continues to be heavily skewed in favor of securing infrastructure instead of information.
Security is not defined by the acceptable level of risk
Security concerns within an enterprise are often addressed along the lines of the acceptable level of information security risks. To understand the reasoning behind this rather extreme view, we must look at the current ways of implementing information security within enterprises, which rely on controlling mobile devices such as smart phones and tablets, operating systems (OS), cloud-based third-party applications and public networks with a set of constantly evolving rules.
Mostly, these are measures that may address external threats posed by “hackers.” For example, enterprises most often ensure that only a device with the latest OS and anti-virus updates will be allowed to enter their secured network. When considering protection against internal threats, enterprises often implement policies such as blocking all USB ports on mobile devices from writing data on external storage or restricting information access to those within the enterprise’s secured network.
How do you control when you don’t own?
While one may have all these protective measures in place, there is still one glaring source of security breach: the growing mobile workforce. This growing trend includes employees working from home using social networks and social sharing sites, the increasing smart phone adoption with almost unrestrained access to work information, and the global workforce spreading across the country, or several countries, needing access to the same confidential information.
For example, a common security concern is the frequent use of hosted file services such as Dropbox or shared document services like Google Docs. The world over, information security practitioners in leading enterprises are struggling with the same question: How do we control elements that we don’t even own?
Look beyond the device and into the information
While the device, OS, applications and network are important, they are surrogate methods of protecting the really valuable asset — information. Smart practitioners of security are enterprises that acknowledge the importance of the growing collaborative workforce and have taken the steps to effectively implement Information Rights Management (IRM) solutions that control the information as opposed to infrastructure-related elements like devices, applications or networks.
Automatic IRM is an evolving field whereby enterprises can control who can use the information, what each person can do with the information, and when and from where they can access the information. Using IRM, enterprises can closely define and implement information usage policies before a breach happens. This is a three-step process, as follows:
- Policy definition, where enterprises can define the right answers to who uses the information, what they do with the information, when and from which location they access this information.
- Policy implementation, where enterprises implement the above definition on their sensitive information.
- Policy audits, where enterprises can audit and understand who used their information, when they accessed it, the location from which they accessed it and what they have done with that piece of information.
Using their defined policies, enterprises can also change permissions remotely and ensure that a clear divide of personal and enterprise-owned sensitive information is achieved. This ensures that security is truly information centric and not infrastructure or mobile device dependent.
Imagine this scenario: A CEO can send an email and control whether it self-destructs in one minute, in 30 minutes or after however long he or she wants. Essentially, he or she can “remote control” this information and these documents, regardless of their location, and is now in complete control of this sensitive piece of information.
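The three steps above, together with remote permission changes and timed expiry, can be modeled as a policy server that decides every access request and records it. This is an added sketch, not code from the article or from any IRM product. The class names, user names, location labels and document id are hypothetical, and a real deployment also needs encrypted content and a client that enforces the decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Policy:
    # Step 1, policy definition: who, what, when and from where.
    rights: dict           # user -> set of permitted actions
    locations: set         # labels of permitted access locations
    expires: datetime      # the "self-destruct" instant
    revoked: bool = False  # the owner can flip this remotely at any time

@dataclass
class PolicyServer:
    policies: dict = field(default_factory=dict)  # doc_id -> Policy
    audit: list = field(default_factory=list)     # step 3, audit trail

    def check(self, doc_id, user, action, location, now):
        """Step 2, policy implementation: decide one request, failing closed."""
        p = self.policies.get(doc_id)
        if p is None:
            reason = "no-policy"
        elif p.revoked:
            reason = "revoked"
        elif now >= p.expires:
            reason = "expired"
        elif action not in p.rights.get(user, set()):
            reason = "action-not-permitted"
        elif location not in p.locations:
            reason = "location-not-permitted"
        else:
            reason = "ok"
        # Denials are logged as well as grants, so the audit shows attempts.
        self.audit.append((now, doc_id, user, action, location, reason))
        return reason == "ok"

def demo():
    # Constructed sample data: one memo that expires 30 minutes after t0.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    srv = PolicyServer()
    srv.policies["memo-1"] = Policy(
        rights={"alice": {"view", "print"}, "bob": {"view"}},
        locations={"office", "home-vpn"},
        expires=t0 + timedelta(minutes=30))
    late = t0 + timedelta(minutes=31)
    results = [srv.check("memo-1", "alice", "print", "office", t0),
               srv.check("memo-1", "bob", "print", "office", t0),
               srv.check("memo-1", "bob", "view", "cafe-wifi", t0),
               srv.check("memo-1", "bob", "view", "home-vpn", late)]
    srv.policies["memo-1"].revoked = True  # remote permission change
    results.append(srv.check("memo-1", "alice", "view", "office", t0))
    return results, [entry[-1] for entry in srv.audit]
```

Because the decision is made per request against the server's current policy, revocation and expiry take effect without touching the device that holds the copy.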
The most important aspect of IRM is that it secures data through its life cycle, from create-store-transmit-use-archive-delete, which may be across personal and enterprise-owned infrastructure.
IRM represents a new approach to a new problem, not a migration of old approaches to new problems. It is in fact an old idea that is becoming more important with every passing day, not only because of the huge losses that enterprises face due to data breaches, estimated at close to a trillion dollars, but also because of the changing technological scenario: BYOD, cloud computing, ubiquitous networking, virtualization and other sophisticated data thefts.
Vishal Gupta is the founder and CEO of Seclore, a leading information security software company. He brings more than a decade of experience in sales, marketing and business management and handles Seclore’s corporate development, investor relations and marketing. Vishal is a well-respected thought leader in the space, having had his ideation in fingerprint imaging lead to the development of the core technology behind Herald Logic, a company he founded in 2000.