As global organizations create ever larger volumes of highly sensitive, confidential and commercially valuable content, how those documents and emails are accessed, collaborated on and secured in traditional document and content management platforms becomes a business-critical decision.
Professionals in legal, finance, HR and other regulated groups are managing some of the enterprise’s most sensitive information – and are under increasing pressure to ensure that information is not part of a data breach or privacy violation.
The evolving nature of threats now requires a different response. According to Verizon’s 2019 Data Breach Investigations Report, over 70% of security threats continue to originate from compromised credentials – and 32% of breaches involved phishing.
That means that traditional security defenses such as firewalls, malware detection, email filtering and complex password requirements are ineffective in preventing a malicious actor with a compromised set of credentials from accessing enterprise networks and document systems including Content Service Platforms (CSPs).
If the default for new content creation – even at the department or division level – is set to ‘open security’, then a single compromised credential can expose a significant amount of data, with huge ramifications. Every employee, regardless of rank or regional location, can become a possible breach source.
For these reasons it is imperative that organizations take steps to limit access to highly sensitive content stored in CSPs based on who has a legitimate ‘need-to-know’ (NTK). Each enterprise should secure its own sensitive information on a NTK basis and ensure those in its ‘information supply chain’ also adopt this approach.
As professional service providers face significant risks from storing information from many different clients, they have been the first ones to see this issue at scale and are amongst the early adopters.
The requirement for implementing NTK security can be driven by several factors:
- Client pressures. Customers today expect that their sensitive data will be properly looked after and protected.
- Many multi-nationals have to cascade specific internal security and policy requirements to geo/region specific, business division specific or project specific levels that need enforcement across all content sources.
- Government, defense, aerospace and pharmaceuticals all have highly competitive research facilities which contain sensitive intellectual property all of which needs to be maintained separately and securely, creating a further web of overlapping policies and requirements.
- If personal data is involved and organizations are acting as data processors, data privacy regulations such as the European GDPR mandate ‘state of the art’ security practice into their operations.
To compound the issue further, staff attrition drives changes in the underlying policies, and managing these overlapping and changing requirements necessitates careful planning, management and execution. The increasing demands of audit by client, government and regulatory bodies will drive this aspect of security to a whole new level of importance – and urgency.
A further consideration in implementing NTK is how it is deployed across systems as the volume of documents grows exponentially.
- A traditional approach is to define access for every document individually through an Access Control List (ACL). Historically these have been relatively static assignments based, for example, on group membership in Active Directory. The challenge with reflecting (or cascading) policy onto every document is that each document must be updated and then re-indexed, adding significant load onto CSP components. This load is directly proportional to the number of documents in the workspace to be secured and impacts all end users of the system. This can have knock-on effects such as new security rollouts being delayed until weekends. As a result, NTK security is not implemented organization-wide, but rather only in specific cases – leaving an exposure.
- A more modern and scalable approach is to allow the CSP’s native access algorithm to be extended to associate people or groups with policies (sets of access rules) in addition to native security. This enables the maintenance of business-relevant policies, automatically mapped to document-level rules. The extended access algorithm approach avoids the computationally costly ACL cascade but is, in practice, only possible with integrated solutions where the security and CSP applications are natively integrated. Further advantages of an integrated solution include clear representation of security in the end-user client UI – this is especially important when complex policy needs result in overlapping policies.
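To make the difference between the two approaches concrete, the following is an added illustration in Python (not code from the original article or from any CSP vendor). It models both designs over the same in-memory document set: a per-document ACL that must be cascaded onto every matching document whenever the rule changes, and an access-time evaluation where policies bind principals to rules over document attributes, so a policy change touches no documents at all. The document attributes, group and policy names, the stand-in directory and the ‘any deny wins on overlap, then at least one allow must match’ rule for overlapping policies are assumptions chosen for the illustration, not a description of a particular product.

```python
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: str
    attrs: dict                            # business metadata, e.g. client / matter
    acl: set = field(default_factory=set)  # per-document principals (cascade approach only)


@dataclass
class Policy:
    name: str
    principals: set     # users or group names the rule applies to
    match: dict         # every attribute here must equal the document's value
    allow: bool = True  # True: these principals have need-to-know; False: wall them off


class Directory:
    """Stand-in for AD group membership (constructed): user -> set of group names."""

    def __init__(self, groups):
        self.groups = groups

    def principals_for(self, user):
        return {user} | self.groups.get(user, set())


def matches(doc, selector):
    return all(doc.attrs.get(k) == v for k, v in selector.items())


# Approach 1: cascade a rule onto every matching document's ACL.
def cascade_acl(docs, selector, principals):
    """Rewrite the ACL of each matching document. Returns how many documents were
    rewritten; in a real CSP each of them would also have to be re-indexed."""
    touched = 0
    for d in docs:
        if matches(d, selector):
            d.acl = set(principals)
            touched += 1
    return touched


def acl_allows(doc, user, directory):
    return bool(doc.acl & directory.principals_for(user))


# Approach 2: bind principals to policies and evaluate them at access time.
def replace_policy(policies, name, new_policy):
    """Swap a policy in place. Returns documents touched, which is always 0."""
    policies[:] = [new_policy if p.name == name else p for p in policies]
    return 0


def policy_allows(doc, user, directory, policies, native_allowed=True):
    """Native CSP security is checked first; NTK policies can only narrow access.
    Overlap rule (assumed): any applicable deny wins; otherwise the user must be in
    at least one applicable allow policy; a document no allow policy covers falls
    back to native security alone."""
    if not native_allowed:
        return False
    principals = directory.principals_for(user)
    applicable = [p for p in policies if matches(doc, p.match)]
    if any(not p.allow and principals & p.principals for p in applicable):
        return False
    allows = [p for p in applicable if p.allow]
    return not allows or any(principals & p.principals for p in allows)


def build_sample():
    """Constructed sample: three documents on matter m-1 for client acme, one on m-2."""
    docs = [Document("d1", {"client": "acme", "matter": "m-1"}),
            Document("d2", {"client": "acme", "matter": "m-1"}),
            Document("d3", {"client": "acme", "matter": "m-1"}),
            Document("d4", {"client": "beta", "matter": "m-2"})]
    directory = Directory({"alice": {"team-m1", "team-m1-core"},
                           "bob": {"team-m1"},
                           "carol": set()})
    policies = [Policy("m1-ntk", {"team-m1"}, {"matter": "m-1"}),
                Policy("wall-acme-bob", {"bob"}, {"client": "acme"}, allow=False)]
    return docs, directory, policies


def narrow_to_core_team(docs, policies):
    """A reorganisation narrows need-to-know on matter m-1 to team-m1-core.
    Returns (documents rewritten under the ACL cascade, documents rewritten under
    policy evaluation)."""
    acl_cost = cascade_acl(docs, {"matter": "m-1"}, {"team-m1-core"})
    policy_cost = replace_policy(policies, "m1-ntk",
                                 Policy("m1-ntk", {"team-m1-core"}, {"matter": "m-1"}))
    return acl_cost, policy_cost


if __name__ == "__main__":
    docs, directory, policies = build_sample()
    print("initial cascade rewrote", cascade_acl(docs, {"matter": "m-1"}, {"team-m1"}), "docs")
    for user in ("alice", "bob", "carol"):
        print(user, "d1 acl:", acl_allows(docs[0], user, directory),
              "policy:", policy_allows(docs[0], user, directory, policies))
    print("narrowing cost (acl, policy):", narrow_to_core_team(docs, policies))
```

Two things the run makes visible: the plain ACL cannot express the overlapping wall on bob without further per-document rewrites, whereas the policy evaluation resolves the overlap at access time, and the cost of the later policy change is proportional to the matching document count under the cascade but zero under policy evaluation.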
The changing nature of security threats will drive more and more organizations to limit access to sensitive content in their CSPs and will drive demand for platforms capable of managing security based on sophisticated and overlapping policies, without noticeably degrading system or IT infrastructure performance.
Need-to-know security is an essential part of protecting sensitive enterprise information against the 70% of attacks that involve compromised credentials. The ability to do so at scale will become a differentiating feature and a must-have for enterprise users such as legal, accounting, M&A, finance and R&D to work safely, productively and efficiently.