Security Think Tank: Do not trust the network to ensure secure collaboration

What is the best approach to increasing collaboration without reducing security in an enterprise?

Most enterprises have much to gain from supporting collaborative working. For those founded on R&D it is pretty much second nature: proprietary tools support internal capabilities, and uptake of social platforms encourages user participation.

Such organisations quickly pick up, pilot and absorb – or drop – iterations as they launch, and Corporate IT Forum members regularly share results and views on effectiveness (‘Yammer’ being a case in point as I write).

Commercial relationships with external organisations, too, can benefit from a collaborative approach, particularly in the drive to foster innovation. But it is this process of external collaboration that most often raises challenges in meeting security and data standards. It is vital to appreciate that, by and large, it is not the tools used for collaboration that create risk, but rather the environment they operate in: for example, in the cloud or across geographies.

A recent Forum workshop addressed this issue of third-party collaboration, asking questions such as: how practical is working across and beyond boundaries? Does the actual reward outweigh the potential risk? How are enterprises bringing partners and suppliers inside the firewall while still keeping all parties' sensitive data protected?

It concluded that for many, the de-perimeterisation of the network has already happened and the natural consequence of collaboration with partners and suppliers is that they are effectively already inside the firewall. 

“It just means that you do not know where the edge of your, or their, network is.” That is even greater reason to protect sensitive data, and for all parties to provide assurance that their interconnectivity is not introducing unacceptable risks, and that their partners' partners are not a risk liability.

Forum members are keen not to reinvent the wheel when faced with this apparent ‘new’ security risk, but rather to apply the recognised good practice of existing security principles:

  • Know the Data: manage data based upon classification. Use ‘read-only’ where appropriate and screen scraping tools
  • Know the Users: IDM/IAM. Modify the data view according to access location
  • Know the Systems: have endpoint assurance
  • Do not trust the Network: monitoring and management. Enforce security protocols

Apply these principles anywhere, including in the cloud, whether public or private – and do not forget to support the principles with monitored audit trails.

Ollie Ross is head of research at The Corporate IT Forum.
