Security special report: Who sees your data?

Security at data level is rising up the corporate agenda. So what actually works?


Security at data level is rising up the corporate agenda. So what actually works?

Information management has become, in recent years, something of a balancing act. On the one hand, companies must grant their employees quick and easy access to the corporate information that they need in order to perform their jobs efficiently. On the other, good governance and compliance concerns demand that they guard against that information falling into the wrong hands, whether those hands are those of an employee who is not authorised to see the information or, worse still, a complete outsider.

Many companies are still failing to achieve that balance, according to a recent computer crime survey. In fact, the Department of Trade and Industry’s biennial security report found that employees at one in five large UK organisations can gain unauthorised access to sensitive information.

That leaves their employers seriously vulnerable to fraud, said Andrew Beard, director at PricewaterhouseCoopers, which conducted the survey. “Financial fraud has never been palatable to any organisation, but if there is also reputational damage, share price impact or loss of intellectual property, [unauthorised access] is even more alarming.”

Security spending may rise every year, but the majority of information security initiatives continue to focus on perimeter security, designed to keep outsiders from gaining access to the internal network. That approach overlooks the fact that the potential for real financial loss comes from the risk of intruders acting as authorised users and insiders who abuse system privileges to misappropriate valuable corporate information.

“The rapid proliferation of corporate information inside the business only serves to exacerbate the situation and is forcing businesses to take a long, hard look at how they handle information security,” said Sophie Louvel, an analyst with market research company IDC.

For the purposes of implementing effective information security to protect information behind the firewall, it is useful to distinguish between two different categories of information: structured information, which includes financial and customer data that is stored in databases and business applications; and unstructured information, which includes documents (both paper and electronic), e-mails, images, video and instant messages.

Of the two, structured information (transactional data) poses the least problems from an access control point of view. Most business application software, such as enterprise resource planning systems, has some element of built-in security. “For most enterprises, ERP security starts with user-based controls where authorised users log in with a secure name and password,” said Mark van Holbeck, director of enterprise strategy at office supply firm Avery Dennison.

Companies can then limit a user’s access to the system based on their individual customised, authorisation level, he said. “For example, an accounts payable clerk should not have access to human resources or inventory management modules within the ERP system.” Audit logs within an ERP system track individual transactions or changes in the system, and internal auditors can then sample the audit logs for irregular transactions.

Likewise, most corporate databases also require authorised users to log in using a password and user name in order to gain access to data. And database suppliers are scrambling to introduce more advanced security features to their products, said Eric Schmitt, principal analyst at research company Forrester Research.

“Over the past two years, enterprises have been taking database security more seriously then ever before by formalising security policies and hardening their environments. But many are still having trouble establishing robust security measures because of a lack of tools, resources and expertise,” he said.

That is changing rapidly as new database security features are released, but in the meantime those gaps are filled by a range of third-party suppliers such as Embarcadero Technologies, nCipher and Protegrity, who offer add-on tools for database access control such as database firewalls, simplified database encryption and granular auditing tools.

Unstructured data, however, poses a much greater challenge when it comes to controlling and auditing access to business information. There are two main reasons for this. First, unstructured data represents a far greater proportion of the information a company holds than structured data – as much as 80% at some companies, according to analyst firm Gartner.

Second, it resides in myriad different formats (such as Word files, spreadsheets, e-mails and audio/video files) and in multiple different systems, in both back-end servers and on individual users’ PCs.

Increasingly, this sprawl of unstructured information is referred to as “enterprise content”, and sales of enterprise content management systems are currently growing at about 7%-8% annually, compared with growth between 2% and 3% in the IT industry as a whole.

A major reason for this is the amount of control that ECM systems enable companies to apply to documents, said Nick Tuson, technical director for EMEA at ECM supplier FileNet. “That control operates at two levels. First, ECM systems provide authentication that controls access to the information itself through the use of passwords and user names. Second, they also dictate the kind of level of access that users can have to that information and what they can do to it and with it,” he said.

In most ECM systems, that level of access is highly granular. In EMC Documentum’s ECM system, for example, it operates at seven different levels, according to Dave Gingell, EMC’s vice-president of software in EMEA.

“At the lowest level, if I do not have authorised access to a document, I won’t even know it is there. If I run a search for it, it will not show up in the search results,” he said. “At the very highest level, I would be able to delete it – to expunge it entirely from the company’s systems.”

In between these two extremes are different levels of access: browse (the ability to know it is there but not be able to open it); read (view only); relate (the ability to comment on the document but not change its content); version (the ability to add a new version of the document to the repository); and write (the ability to overwrite the content it holds).“You can set up these permissions for individuals, for small workgroups, for larger teams and for whole departments or subsidiaries, according to the business’needs,” said Gingell.

Another key advantage of ECM systems in handling unstructured data is their sophisticated auditing capabilities. “These auditing tools enable organisations to track activity and user interaction with every object or piece of content they hold in the repository so that a record is kept of every time it is opened, viewed and changed in any way,” said Tuson.

Not only that, but each time a document is changed, versioning tools ensure that every version is kept within the ECM repository, creating a clear audit trail.

Records management tools in ECM systems operate at an even more sophisticated level, ensuring that business records remain unchanged after they are created and stored, in order to comply with regulatory and legislative mandates. “Once a document has been declared a record, it is locked down and it can’t be altered. And the audit trail will prove to the regulators the exact date that it was locked down and that nothing has happened to it since then,” said Gingell.

But once a document has left the organisation, most frequently as an e-mail attachment sent to an external recipient, most organisations have little control over it. That is why many companies are now seeking to apply stricter controls over the business documents they release into the wild, said Mark Wheeler, European marketing manager at publishing software company Adobe. 

In the wrong hands, sensitive financial forecasts or information about the potential side effects of a drug could be altered and disseminated, or simply forwarded to unauthorised recipients.

“Electronic communications have made sensitive corporate documents more vulnerable than ever. What Adobe is focusing on is enabling an organisation to send information to suppliers, customers and other third parties, but still retain some control over what is done with it after it has been sent out,” he said.

Adobe’s widely used Acrobat product enables a user to send confidential information to an authorised recipient on a person-to-person basis and apply certain “rights” to it – dictating, for example, who can open it, whether it may be printed and so on.

Adobe’s Livecycle product is used to send out confidential documents on a much larger scale, Wheeler said. “It is used by banks, for example, to send out statements to customers in their millions in a secure and unalterable format that only they can open and read.”

It also offers more sophisticated access control functions, such as the ability to revoke access to an e-mail attachment, even if it was sent some time ago. “That could be useful, for example, if you had sent a list of preferential, discount prices for your products to a customer that you had decided you no longer wanted to do business with. By simply revoking access, there is no way they could pass that list on to a competitor,” he said.

“Effectively, it is like keeping documents on a leash, so that you can snap that leash back whenever you want or need to.”

It is also a level of control that most organisations are seriously lacking, both within their own four walls and the world beyond. Until better measures are put in place to ensure that better access control and auditability is achieved, few businesses can claim to know who has access to their confidential information – or what they do with it.

Read: Security special report: The changing threat

Read: Security special report: The internal threat

Read: Security special report: Compliance quandary

Read: Security special report: Accessing all areas

Read: Security special report: Fingertip security

Read more on IT risk management