Articles
Protecting Data in a Global Community
This article, from Erudine's Autumn 2008 edition of Engine magazine provides the wider context into which innovative small IT security companies need to operate.
The modern global brand is far removed from the corporations of old. Ubiquitous, interconnected, and borderless, these companies have unprecedented opportunities on a worldwide scale. But the very infrastructure that promises so much also presents a multitude of threats.
In today's wired-up global industries, where stolen data can be rapidly sent to multiple locations all over the world in a matter of minutes, losing sensitive information can be a costly mistake, both to the bottom line and to reputation. Embarrassing incidents of data loss can, according to independent researchers Ponemon Institute, cost an average £1.4 million for a UK business, 36% of which is down to customers taking their business elsewhere.
It's only a matter of time before the emergence of another incident of data lost in transit. Many CIOs are already re-examining their security measures and uncovering their exposure to the risks of data theft, leakage, or destruction.
But circumstances can make it difficult to keep sensitive information secure. It can be a fine line between having robust security and having excessively strict loss prevention processes that stifle business. Security needs to be flexible enough to allow employees to perform the many roles expected of them, while keeping levels of risk as low as possible.
Big Brother
To avoid accusations of 'big brother syndrome' and to outsource the headache of data protection, some corporations entrust their security to third parties. Most don't want to hand over their highly sensitive information to another company, but managing millions of points of data can be a significant drain on resources and the threat of legal action is constant.
There are 'point' solutions, both technological and methodological, that currently exist but none truly address the whole problem. Most require complex integration and micro-management, upping the total cost of ownership and limiting the flexibility required in a world changing faster than ever before.
There is a need to bring together existing technologies and new innovations to offer a new solution to the data protection problem and give corporations real control in handling threats to their data. We need to be able to:
- Protect a document for the intended audience at the point of creation
- Encode properties onto a document when it is saved
- Automatically check users when information is accessed
- Select multi-dimensional security parameters in a manner that is both intricate and easy to use
- Categorise authorisation details down to the individual level, with multiple aspects to each individual
- Automatically find and link data servers in a secure 'Web of Trust', maintaining executive impartiality and handing back control to the corporation as a whole
- Allow offline and remote access to data through the use encryption keys based on military standards
- Securely modify and add authorisation behaviour through a simple but powerful user interface
Web of Trust
Current data protection and security solutions tend to go down one of two routes: they either take the third-party ('trust in god') approach, or place control in the hands of the individual. There are few solutions on the market that allow document-level control but also enable corporations the overall control they need under law and to limit their own risk.
Technology exists that allows individual machines to 'self-discover' and form a secure 'Web of Trust' that can interlink security servers. This is weaved into the fabric of the Erudine solution, allowing corporations to decide who to trust and to what extent they should be trusted.
Through the Web of Trust, all rules regarding data access are shared between servers. When sensitive data needs to be looked at, a message is automatically sent from the user's machine to the servers, where pre-defined rules will either allow or deny access. Whenever this happens, there is a clearly visible audit trail showing the chain of events, recording such details as who accessed the data, when, and whether they were authorised.
The rules held in the Web of Trust can be very complex, to the extent that they may cover the degree of corporate disclosure required under law, which is checked against privacy requirements, and allow varying levels of access depending on the context.
Rules can also be implemented at the point of access. For instance, the sender of an email may define a group of people that will be authorised to view attached documents. As soon as a recipient attempts to open the attachments, a message is sent to the servers to request access and, if successful, a key is sent back to unlock encryption.
In this way, a user sending data may even define a limit on the amount a time for which data might be viewed, or even restrict the recipient to a once-only view after which the key expires and the data is rendered useless.
End-user authentication
Corporations desire more control over their sensitive data, but current solutions can be too restrictive, limiting flexibility in favour of tighter security. What is needed is corporate control without a straight jacket, allowing authentication rules to be defined down to an individual level and even implemented at the point of access.
There is a need for a system to empower corporate control of security but also carry an inherent level of trust that does not sit with one particular individual or department.
[see Erudine's Engine magazine for a fuller version of this article]
