By Pablo Osinaga, Co-Founder of Kormox
January 6th, 2011
In one corner: collaboration, sharing, productivity, agility. In the other corner: information security. Or at least that seems to be the prevailing thought.
The official announcement of US government mitigation efforts around the recent WikiLeaks disclosures starts with: “The 9/11 attacks and their aftermath revealed gaps in intra-governmental information sharing. During the past decade, departments and agencies have tried to eliminate those gaps, resulting in considerable improvement in information-sharing”. You could read between the lines: “We had to have information sharing, and we all know it inevitably leads to poor security. We were forced to choose the lesser of two evils”.
It would seem that corporations and government agencies alike are forced to make suboptimal decisions. They can choose to be “cowboys”, who believe sharing is paramount and security/privacy a second-order consideration. Or they can choose to be “paranoids”, who are willing to sacrifice rapid collaboration, sharing, agility and productivity in order to minimize information security risks.
But the reality is that we can’t afford to make concessions: We need 21st century productivity, while making no compromises in information security.
Lack of effective visibility and control
While some policy decisions that relate to security can be taken centrally by the Information Security group (e.g., which encryption algorithms to use, or which firewall settings are most adequate), when it comes to business data and how much sharing is appropriate, it is strictly a business decision.
However, due to the increasingly unstructured nature of today’s IT environments, it is a significant challenge for high-level information owners to gain visibility and control over the business information they are responsible for. Had Hillary Clinton’s deputies had visibility into the ability of privates to download all classified channel files to removable media, we wouldn’t be speaking about WikiLeaks today.
I argue that it is because of this difficulty that we face the aforementioned dichotomy. The central IT group responsible for information security relies on the business to ‘organically’ decide on sharing/handling of unstructured data, while high-level information owners are challenged in doing so and expect IT to proactively ‘do something’ about security.
Without effective technologies that enable information owners to gain visibility and control over their information, the central IT group responsible for security can only implement overly simplistic (mostly ineffective) high-level guidance that leaves most security risks intact, or take draconian measures that hinder productivity and business agility.
Challenges for information owners to gain visibility and control
Individual information custodians (such as end users handling information) independently decide what to do with information: how to use it, where to store it, where to send it, who to share it with. They do so guided by high-level written corporate policies and informal processes. As they collaborate, they create, duplicate, replicate, share and distribute an enormous amount of data that is highly unstructured in nature. And while trying to achieve important business goals, they inadvertently expose the organization to significant risks as information flows in a highly organic manner.
For each type of critical data (e.g., classified embassy channels), there are hundreds, if not thousands, of end user custodians who handle, share, and distribute the information in a highly organic and unstructured way. For a high-level business manager/executive, it is a daunting task to control the information they are responsible for.
Firstly, they have no real visibility into existing handling practices and risks, as data resides in myriad repositories: hundreds or thousands of email accounts, file shares, individual PCs, cloud providers, mobile devices, etc. Moreover, data flows in a highly unstructured way, through emails (internal, external), network communications and removable media.
Secondly, even if they had the visibility, effectively applying controls is equally daunting. On one side, it is hard to make black-and-white decisions looking at things from a 30,000-foot point of view – e.g.: should low-level analysts’ email flows of business data to external parties be blocked? There may be good business reasons for such flows, and blocking them could impede day-to-day operations. On the other side, even if the policies to be applied are clear-cut (e.g., Chinese-walls concerns), implementing them is a major challenge. For one, data resides across many different repositories, and changing access controls involves a myriad of technical details. For another, some of today’s general-purpose data repositories (such as email systems) do not allow controls to be implemented based on the type of data (i.e., information-centric controls). Even worse, as data gets shared, distributed and duplicated, the controls applied to it get relaxed.
Elements of an effective solution
Below I describe my perspective on the 3 key elements that an effective solution needs to enable visibility and control for high-level business information owners over the information they are responsible for.
1 – Simple and easy (on-demand) with 0-bureaucracy:
Let’s face it; we are all highly skeptical of any ‘data stewardship’ program. While some benefits are gained out of those mammoth-type projects, the efforts required make them quixotic endeavors. Just thinking about them turns us off. Therefore, I will say that for any effective solution to work, things need to be simple, easy and quick.
While that may sound like wishful thinking to some, it is helpful to remember what information retrieval looked like before modern search. Information needed to be cataloged, manually curated, organized into predefined taxonomies; experts would help you identify the right set of data to review given your inquiry. Sounds a lot like mammoth-type complexity. Today, however, our bar for “simple, easy and quick” is so high that we get frustrated if we spend more than 5 seconds looking for something on Google.
High-level information owners should be able to express the type of data they are interested in (e.g., confidential embassy channels, internal executive communication, hedge-fund clients’ proprietary trading strategies, black-ops DoD contract project designs) and obtain visibility into handling practices and risks in a matter of seconds. It shouldn’t matter how unstructured the data is, how organically it flows or how highly distributed their handling processes are.
2 – Full visibility “in English”
While for some folks it may be interesting to know that information resides in a DMZ, behind a second-generation firewall using SHA-1 encryption and stored on servers with all TCP/IP ports shut down except for 8080, most high-level business information owners don’t have the time, the skill or the desire to deal with such mundane technical details.
What they need to know is way simpler: who has access to the information they are responsible for? How is data being used? How is data flowing? Who is this information shared with? Which external parties have access to the information? Such ‘intelligence’ would need to be provided in a synthesized manner, so that even though they may not know who “Joe Smith” is (someone with access to data), they know that “people in the finance department (e.g., Joe Smith)” have access to the information. Moreover, critical risks need to be expressed in a language they can understand and relate to in the blink of an eye – e.g., low-level employees with no clear need-to-know can currently access the entire corpus of data and save it to removable media storage.
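One way to produce the synthesized, department-level view described above, as an added illustration that is not from the original article. The entitlement records, field names and sample users (other than the article's "Joe Smith") are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample entitlements for one data type; names and fields are hypothetical.
ENTITLEMENTS = [
    {"user": "Joe Smith", "dept": "Finance", "need_to_know": True, "removable_media": False},
    {"user": "Ana Ruiz", "dept": "Finance", "need_to_know": True, "removable_media": False},
    {"user": "Lee Wong", "dept": "Analysis", "need_to_know": False, "removable_media": True},
    {"user": "Sam Patel", "dept": "Analysis", "need_to_know": False, "removable_media": True},
    {"user": "Kim Olsen", "dept": "Analysis", "need_to_know": True, "removable_media": True},
    {"user": "ext-auditor", "dept": "External", "need_to_know": True, "removable_media": False},
]

def summarize_access(entitlements):
    """Roll per-user access up to department level, keeping one example name."""
    by_dept = defaultdict(list)
    for e in entitlements:
        by_dept[e["dept"]].append(e["user"])
    lines = []
    # Largest groups first, so the owner sees the broadest exposure at the top.
    for dept, users in sorted(by_dept.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        noun = "person" if len(users) == 1 else "people"
        lines.append(f"{len(users)} {noun} in {dept} (e.g., {users[0]}) can access this data")
    return lines

def plain_language_risks(entitlements):
    """State risky combinations as sentences an information owner can act on."""
    risks = []
    exposed = [e for e in entitlements
               if not e["need_to_know"] and e["removable_media"]]
    if exposed:
        depts = ", ".join(sorted({e["dept"] for e in exposed}))
        risks.append(f"{len(exposed)} users in {depts} with no recorded need-to-know "
                     "can copy this data to removable media")
    external = [e for e in entitlements if e["dept"] == "External"]
    if external:
        risks.append(f"{len(external)} external party account(s) can access this data")
    return risks

if __name__ == "__main__":
    for line in summarize_access(ENTITLEMENTS) + plain_language_risks(ENTITLEMENTS):
        print(line)
```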
3 – Range of information-centric controls
On one side, the mechanisms for controlling information in such a solution need to be strictly ‘information-centric’, that is: they apply to the information itself regardless of where it is stored, where it flows, how it gets copied or replicated, or how it changes format/medium/files. In doing so, it is critical that such controls leverage existing information security infrastructure investments, such as DLP capabilities.
On the other side, there should be a range of different types of controls that enable high-level business information owners to take the risk mitigation actions that best suit each situation. In the aforementioned example of low-level analysts’ email flows of business data to external parties, the information owner should have more options than just blocking or allowing. From the 30,000-foot perspective, blocking is too draconian, as there may be good business reasons for such flows and you don’t want to risk disrupting operations. However, not doing anything seems to be suboptimal as well. Some options that could work for such a situation include adding a confirmation step each time such a flow occurs, reminding the sender that his/her actions are being audited. Even less intrusive would be a control that sends periodic targeted educational campaigns to low-level analysts who are custodians of the information, reminding them of the directional information security policy for the data type. Such a range of controls enables information owners to apply their directional guidance on how information should be taken care of, drastically reducing risks, without being constrained by too rigid/impractical solutions that are not effective.
Lastly, while the implementation of such controls may have an associated degree of technical complexity, such issues should be abstracted away from information owners.
Emergence of effective solutions
In an overly complex world, where IT environments become increasingly unstructured, distributed and organic, with data volumes exploding, it is critical to enable information owners to control their business information in a way that is not only effective, but also simple, easy and quick. Incidents such as the WikiLeaks scandal remind us all of today’s challenges associated with controlling information and the big downside of risks – e.g. Bank of America had a 1-day drop of market-cap value of $3.5B on 11/30/2010 due to rumors of internal sensitive information being available to WikiLeaks.
While the aforementioned elements of a solution are my own personal perspective and debatable, what is clear to anyone now is that it has become absolutely critical to engage information owners in security in a way that is effective. Central IT groups don’t have the required business knowledge/context to make the critical sharing/security decisions that minimize risks and maximize business agility.