Security at data level is rising up the corporate
agenda. So what actually works?
Information management has become, in recent years, something of
a balancing act. On the one hand, companies must grant their
employees quick and easy access to the corporate information that
they need in order to perform their jobs efficiently. On the other,
good governance and compliance concerns demand that they guard
against that information falling into the wrong hands, whether
those hands are those of an employee who is not authorised to see
the information or, worse still, a complete outsider.
Many companies are still failing to achieve that balance,
according to a recent computer crime survey. In fact, the
Department of Trade and Industry’s biennial security report found
that employees at one in five large UK organisations can gain
unauthorised access to sensitive information.
That leaves their employers seriously vulnerable to fraud, said
Andrew Beard, director at PricewaterhouseCoopers, which conducted
the survey. “Financial fraud has never been palatable to any
organisation, but if there is also reputational damage, share price
impact or loss of intellectual property, [unauthorised access] is
even more alarming.”
Security spending may rise every year, but the majority of
information security initiatives continue to focus on perimeter
security, designed to keep outsiders from gaining access to the
internal network. That approach overlooks the fact that the
potential for real financial loss comes from the risk of intruders
acting as authorised users and insiders who abuse system privileges
to misappropriate valuable corporate information.
“The rapid proliferation of corporate information inside the
business only serves to exacerbate the situation and is forcing
businesses to take a long, hard look at how they handle information
security,” said Sophie Louvel, an analyst with market research
company IDC.
For the purposes of implementing effective information security
to protect information behind the firewall, it is useful to
distinguish between two different categories of information:
structured information, which includes financial and customer data
that is stored in databases and business applications; and
unstructured information, which includes documents (both paper and
electronic), e-mails, images, video and instant messages.
Of the two, structured information (transactional data) poses
the least problems from an access control point of view. Most
business application software, such as enterprise resource planning
systems, has some element of built-in security. “For most
enterprises, ERP security starts with user-based controls where
authorised users log in with a secure name and password,” said Mark
van Holbeck, director of enterprise strategy at office supply firm
Avery Dennison.
Companies can then limit a user’s access to the system based on
their individual customised, authorisation level, he said. “For
example, an accounts payable clerk should not have access to human
resources or inventory management modules within the ERP system.”
Audit logs within an ERP system track individual transactions or
changes in the system, and internal auditors can then sample the
audit logs for irregular transactions.
Likewise, most corporate databases also require authorised users
to log in using a password and user name in order to gain access to
data. And database suppliers are scrambling to introduce more
advanced security features to their products, said Eric Schmitt,
principal analyst at research company Forrester Research.
“Over the past two years, enterprises have been taking database
security more seriously then ever before by formalising security
policies and hardening their environments. But many are still
having trouble establishing robust security measures because of a
lack of tools, resources and expertise,” he said.
That is changing rapidly as new database security features are
released, but in the meantime those gaps are filled by a range of
third-party suppliers such as Embarcadero Technologies, nCipher and
Protegrity, who offer add-on tools for database access control such
as database firewalls, simplified database encryption and granular
auditing tools.
Unstructured data, however, poses a much greater challenge when
it comes to controlling and auditing access to business
information. There are two main reasons for this. First,
unstructured data represents a far greater proportion of the
information a company holds than structured data – as much as 80%
at some companies, according to analyst firm Gartner.
Second, it resides in myriad different formats (such as Word
files, spreadsheets, e-mails and audio/video files) and in multiple
different systems, in both back-end servers and on individual
users’ PCs.
Increasingly, this sprawl of unstructured information is
referred to as “enterprise content”, and sales of enterprise
content management systems are currently growing at about 7%-8%
annually, compared with growth between 2% and 3% in the IT industry
as a whole.
A major reason for this is the amount of control that ECM
systems enable companies to apply to documents, said Nick Tuson,
technical director for EMEA at ECM supplier FileNet. “That control
operates at two levels. First, ECM systems provide authentication
that controls access to the information itself through the use of
passwords and user names. Second, they also dictate the kind of
level of access that users can have to that information and what
they can do to it and with it,” he said.
In most ECM systems, that level of access is highly granular. In
EMC Documentum’s ECM system, for example, it operates at seven
different levels, according to Dave Gingell, EMC’s vice-president
of software in EMEA.
“At the lowest level, if I do not have authorised access to a
document, I won’t even know it is there. If I run a search for it,
it will not show up in the search results,” he said. “At the very
highest level, I would be able to delete it – to expunge it
entirely from the company’s systems.”
In between these two extremes are different levels of access:
browse (the ability to know it is there but not be able to open
it); read (view only); relate (the ability to comment on the
document but not change its content); version (the ability to add a
new version of the document to the repository); and write (the
ability to overwrite the content it holds).“You can set up these
permissions for individuals, for small workgroups, for larger teams
and for whole departments or subsidiaries, according to the
business’needs,” said Gingell.
Another key advantage of ECM systems in handling unstructured
data is their sophisticated auditing capabilities. “These auditing
tools enable organisations to track activity and user interaction
with every object or piece of content they hold in the repository
so that a record is kept of every time it is opened, viewed and
changed in any way,” said Tuson.
Not only that, but each time a document is changed, versioning
tools ensure that every version is kept within the ECM repository,
creating a clear audit trail.
Records management tools in ECM systems operate at an even more
sophisticated level, ensuring that business records remain
unchanged after they are created and stored, in order to comply
with regulatory and legislative mandates. “Once a document has been
declared a record, it is locked down and it can’t be altered. And
the audit trail will prove to the regulators the exact date that it
was locked down and that nothing has happened to it since then,”
said Gingell.
But once a document has left the organisation, most frequently
as an e-mail attachment sent to an external recipient, most
organisations have little control over it. That is why many
companies are now seeking to apply stricter controls over the
business documents they release into the wild, said Mark Wheeler,
European marketing manager at publishing software company
Adobe.
In the wrong hands, sensitive financial forecasts or information
about the potential side effects of a drug could be altered and
disseminated, or simply forwarded to unauthorised recipients.
“Electronic communications have made sensitive corporate
documents more vulnerable than ever. What Adobe is focusing on is
enabling an organisation to send information to suppliers,
customers and other third parties, but still retain some control
over what is done with it after it has been sent out,” he said.
Adobe’s widely used Acrobat product enables a user to send
confidential information to an authorised recipient on a
person-to-person basis and apply certain “rights” to it –
dictating, for example, who can open it, whether it may be printed
and so on.
Adobe’s Livecycle product is used to send out confidential
documents on a much larger scale, Wheeler said. “It is used by
banks, for example, to send out statements to customers in their
millions in a secure and unalterable format that only they can open
and read.”
It also offers more sophisticated access control functions, such
as the ability to revoke access to an e-mail attachment, even if it
was sent some time ago. “That could be useful, for example, if you
had sent a list of preferential, discount prices for your products
to a customer that you had decided you no longer wanted to do
business with. By simply revoking access, there is no way they
could pass that list on to a competitor,” he said.
“Effectively, it is like keeping documents on a leash, so that
you can snap that leash back whenever you want or need to.”
It is also a level of control that most organisations are
seriously lacking, both within their own four walls and the world
beyond. Until better measures are put in place to ensure that
better access control and auditability is achieved, few businesses
can claim to know who has access to their confidential information
– or what they do with it.
Read:
Security special report: The changing threat
Read:
Security special report: The internal threat
Read:
Security special report: Compliance quandary
Read:
Security special report: Accessing all areas
Read:
Security special report: Fingertip security