Enter the cloud, and exit your data.
Since the introduction of BYOD and ‘the cloud’, your data has been on the move – whether you realize it or not. Emails are read on iPhones, proposals are placed in DropBox, and massive amounts of data find their way onto USB keys the size of a fingernail. And you can’t let yourself forget that any time data is set into motion like this, its security is put at risk. Your strategies need to evolve with the awareness that security is no longer about who can get into a given system, network, or device, since your data is flowing everywhere (including through a number of other networks that you don’t control). Every time a cloud-based drive is used to share information, a mobile device is leveraged to exchange files, or an email is sent, that data is being handled and moved outside of ‘traditional’ controls. Managing (and controlling) data-in-motion is a relatively new requirement for businesses to address in order to function effectively without massive exposure. It may also be today’s premier security threat.
According to leading IT analyst firm IDC, data-in-motion accounts for more than 83% of all data loss violations. At some point or another, we’ve all pressed the SEND button a little too hastily only to realize later that our email ended up in an unintended recipient’s inbox. Other times, we chide ourselves for having lost that one USB key with the really important confidential financial files.
Regardless of whether they are malicious or accidental, these mistakes happen daily as users constantly send, post and share sensitive information with employees, friends, competitors, and partners over a myriad of data exchange methods. With today’s web-enabled business dynamic, it is inevitable that employees are transmitting sensitive information each day at every level of the organization.
As each employee (and by extension your data) becomes more connected to the Internet of Things, companies are redesigning their security policies, procedures, and tools to limit the threats to business critical information caused by the explosion in data-in-motion. Two of the most promising areas being leveraged, both in the form of strategy and technology, are the implementation of multi-level security policies (MLSP) and role-based data access.
MLSP is a strategy that drives technology choices in addressing the data-in-motion risk profile. MLSP gives organizations a construct by which to identify what data has value, to classify it according to sensitivity and value, and to mark and tag that very same data to ensure corporate governance. By extension, corporate liability is reduced greatly if and when a security breach occurs.
Role-based access policies enforce the policies established in the MLSP, providing controls to manage who has access to data, and what they can do with it. For example, employees at a lower level in the organization wouldn’t normally have access to highly sensitive or ‘toxic’ information; this is defined in the MLSP and enforced by the role-based access technology. Moving up the information food chain, while mid-management may be able to read that same sensitive information, they may not be able to print or export that data. Enforcing access and usage controls over sensitive information ensures that data is only used by those with a need-to-know, and this can be done totally independently of where the data files reside. The result: higher compliance, lower liability, and massively reduced risk.
In the name of productivity and expediency, employees around the world continue to engage in risky behaviors that put corporate and personal data at risk. Data is constantly moving, and you can’t stop it. But you can manage it with the right strategy and tools. Start by adopting a comprehensive data-in-motion security strategy, coupled with implementing a multi-level security model and role-based access controls over data, and you’ll be on the right track. Without this approach, sensitive data is likely to escape your organization on a regular basis — and the perpetrators likely reside within your own company walls.
By Charles Foley, Chairman and CEO, Watchful Software
About Watchful Software
The company was formed to protect an organization’s most critical asset after its people – its information. Watchful Software technologies address the growing need for protecting sensitive and proprietary information against accidental or malicious theft, leakage, or loss. Leveraging key technologies including advanced encryption algorithms, digital rights management, and eBiometrics, Watchful has developed a suite of solutions that ensure only authorized personnel have access to enterprise systems and information, protecting against potentially massive economic and competitive damage from cyberterrorists and information thieves.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.