For the last two decades, billions of dollars and countless hours have been invested in securing the perimeter of the IT realm. The order of the day has been to harden network and server access through the deployment and redeployment of an evolving series of firewalls, anti-spam/anti-virus applications and intrusion detection and prevention systems. Whereas this is necessary IT hygiene, it has brought to light two very important and inescapable facts: someone is always inside the perimeter and people inside the perimeter can do amazing amounts of damage.
A study by the Ponemon Institute revealed that 90% of the 211 enterprises surveyed had suffered a loss of confidential or sensitive data in the previous twelve months. These losses were sustained even though the companies had made significant investments in perimeter security. This leads to a simple conclusion: information leaks are all too often caused by trusted insiders. These are people with permission and the credentials to be behind the firewall, who leak information knowingly or unknowingly.
Unintentional breaches happen all the time. For example, an employee forwards a sensitive document about an upcoming merger to colleagues who have the right to see that information. The employee then mistypes one of the email addresses, which sends the document to someone outside the company.
Unfortunately, intentional breaches also occur frequently. Another worker might deliberately send that sensitive document to someone they know full well has neither the right nor the clearance for access to the information. That person might well be a competitor who has paid for such assistance.
Security breaches are not limited to email or electronic document transmission. Consider the proliferation of USB keys, removable drives and personal devices (such as smartphones and tablet computers) in recent years. These devices can hold a dizzying amount of confidential information. It is easy to understand why 'perimeter security' isn't the panacea it was two decades ago; yet it remains the primary focus of information security investment.
How Does One Stop this Type of Breach?
The information security industry is increasingly investing in data-centric security. With this approach, the focus is not to secure only the perimeter, but also the information.
The main tactic is to classify and encrypt sensitive or confidential information and ensure that only properly authorized people have the key to decrypt it. Thus, even if an intended or unintended breach occurs, whether the information is sent, left on a USB key or stored on a web drive, the data can't be seen or used by anyone beyond the authorized audience.
How Does this Work?
The first step is to classify and encrypt confidential and sensitive data. This can be done automatically, without the user being involved in the process.
Enterprises should develop dynamic global data policies, so that when information is created (be it an email, document, spreadsheet, presentation, engineering drawing, etc.) it is automatically encrypted using a secure wrapper. This protection lasts throughout the lifecycle of the information, regardless of how many times it is sent, opened, stored, saved or edited. The information will always have this classification and encryption wrapper protecting it, even if it is sent, carried or stored beyond the enterprise’s secure IT perimeter.
The next step is to ensure that the keys are centrally stored and managed. Each time an attempt is made to use that protected information the wrapper ‘reaches out’ to the central server managing the keys (more accurately, a list of who has the rights to what levels of information). Effectively, the wrapper asks: ‘Does this person have the right to use me?’ If the answer is 'yes', then the action is allowed. If the answer is 'no', then the encryption stands firm and the object is useless.
Imagine the document mentioned earlier, about an upcoming merger. Using data-centric security, the merger document is automatically classified and encrypted. This classification occurs because the user has actively marked the document as ‘confidential’. It can also happen automatically, without user action, when the auto-dynamic policy is applied because the document contains predefined key words, phrases or regular expressions that indicate it is of a sensitive nature.
Ideally, in an effective enterprise, all interactions with the rights management server will be saved for future forensic, auditing, and tracking purposes. The records of interactions will be useful in cases where the attempted breaches were intentional.
The emergence of transparent data-centric security solutions is unsurprising, given the staggering effect of information security breaches and the loss or disruptions they cause. According to a Merrill Lynch study, leaks of confidential or proprietary information represent 52% of threats to organizations' security. Several events in the last twenty years have painfully illustrated that although securing the perimeter and keeping intruders out is one step in the process, it by no means completely prevents sensitive information from flowing out.
World-class enterprises will continue to expand their investments in data-centric security technologies to protect what is, next to their people, their greatest asset: information.
Charles Foley is the CEO of Watchful Software, and has over 25 years of experience leading both private and public company teams, across various segments of the technology marketplace. Foley has been chairman and CEO of TimeSight Systems, an innovator in digital surveillance and storage. Prior to TimeSight, he was President of Tacit Networks, designing the marketing and business development strategies that led to their acquisition by Packeteer in 2006. Before Tacit Networks, Foley served as chairman and CEO of InfiniCon Systems, a leader in high-performance datacenter networking systems.