The fundamental principle of breach prevention; by Rui Biscaia of Watchful Software.
Hardening the network to keep attackers out does not suffice anymore. While it remains necessary IT practice, it takes no account of two very important and inescapable truths – users are always inside the perimeter, and those authorised users can cause significant damage.
Chief Information Officers (CIOs) who ignore this ‘insider threat’ to information security fail to tackle possibly the most fundamental persistent threat – that of a breach orchestrated by one or more of the organisation’s own users. Regardless of intent, security breaches caused by insiders can be devastating to a company.
If the greatest threat isn’t the ‘bad guys’ breaking into the network, but the ‘good guys’ letting the information out, how do CIOs control what happens to the data?
Quite simply, the best way to protect information is to have it encrypted. Experts today believe information should simply be encrypted no matter where it is (on the drive, in transit on the network, etc.), meaning that information is always secure, irrespective of whether it is inside or outside of the company network boundaries.
Data-centric security has the ability to provide protection and management at the data layer, regardless of its location, while still mediating and controlling access to the information. As an example of data-centric security, each user or group of users can be allowed to classify or reclassify, read, modify, print, forward, or take other actions, based on an Information Security Policy matrix. The enforcement of the usage rights is handled within the data file, controlling how information is used, even after it has been opened by intended recipients.
Combined with a multi-level security model for data classification, data-centric security enables access to be controlled by the security attributes of the data itself, together with the user’s security clearance over it.
Most users in an organisation are honest employees, and want to assist in protecting the company if possible. Advanced data-centric security solutions allow information to be classified as it is saved (in the case of documents, spreadsheets, presentations, etc.) or as it is sent (in the case of messages and emails). This means that if users are consciously thinking about what type of information they are creating, they can easily classify it using their normal tools (Word, Excel, PowerPoint, PDF, etc.).
However, there are times when the company won’t want to rely on voluntary (and remembered) compliance. Some things, by their nature, should automatically be classified based upon either their content (the information contained in the email, document, etc.) or context (who is creating it, where it is stored/sent, formats, etc.).
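The following is an added illustration of the multi-level model and policy matrix described above, together with automatic classification by content and context; it is example code written for this page, not Watchful Software's product. The sensitivity levels, the actions granted per level, the content patterns and the department-based context rule are all constructed assumptions.

```python
import re
from enum import IntEnum

# Sensitivity levels of a multi-level classification scheme (constructed example).
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Information Security Policy matrix (constructed): the usage rights granted on
# data at each level to a user whose clearance dominates it. Anything not listed
# is denied, so the label travels with the file and restricts use after opening.
POLICY = {
    Level.PUBLIC:       {"read", "modify", "print", "forward", "reclassify"},
    Level.INTERNAL:     {"read", "modify", "print", "forward"},
    Level.CONFIDENTIAL: {"read", "modify", "print"},
    Level.RESTRICTED:   {"read"},
}

# Content rules for automatic classification (constructed): a match raises the
# label to at least the given level, regardless of what the author chose.
CONTENT_RULES = [
    (re.compile(r"\b(merger|acquisition)\b", re.I), Level.RESTRICTED),
    (re.compile(r"\bsalary\b", re.I), Level.CONFIDENTIAL),
]

def classify(text, author_dept, default=Level.INTERNAL):
    """Assign a label from content first, then from context (who is creating it)."""
    level = default
    for pattern, rule_level in CONTENT_RULES:
        if pattern.search(text):
            level = max(level, rule_level)
    # Context rule (constructed): anything authored in these departments is at
    # least CONFIDENTIAL even if no content pattern fired.
    if author_dept in ("finance", "legal"):
        level = max(level, Level.CONFIDENTIAL)
    return level

def is_permitted(clearance, data_level, action):
    """Enforce the label: the user's clearance must dominate the data's level
    (no read-up), and the action must be granted by the matrix for that level."""
    if clearance < data_level:
        return False
    return action in POLICY[data_level]
```

The check denies forwarding of CONFIDENTIAL material even to a user cleared to read and print it, which is the "controlling how information is used, even after it has been opened" behaviour the text describes.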
Myriad data leakage events have shown us that it’s simply not enough to secure the network perimeter. As the greatest risks to business are trusted insiders creating an accidental or even malicious breach, what is actually needed is for IT managers to be more conscientious about securing the information itself.
Companies should define an information security policy which allows information to be classified into different levels of sensitivity, protected using strong encryption, and which ensures that only users with appropriate levels of clearance can access and handle it. If a company takes this approach, the damage caused when confidential information is breached, lost, leaked or stolen may largely be avoided, meaning greater profits, a healthier business and happier executives.