assessment 5
nikhila chowdary
chapter11.pdf
207
P rivacy and security go hand in hand. Privacy cannot be protected without imple- menting proper security controls and technologies. Organization must make not only reasonable efforts to protect privacy of data, but they must go much further
as privacy breaches are damaging to its customers, reputation, and potentially, could put the company out of business.
Breaches are increasingly being carried out by malicious attacks, but also a sig- nifi cant source of breaches is internal mistakes caused by poor information gover- nance (IG) practices, software bugs, and carelessness. The average cost of a data breach in 2013 was over $5 million dollars, according to the Ponemon Institute, 1 but some spectacular breaches have occurred, such as the $45 million in fraudulent automated teller machine cash withdrawals in New York City within hours in early 2013, and the 110 million customer records breached at giant retailer Target in late 2013. Millions of breaches occur each year: There were an estimated 354 million privacy breaches between 2005 and 2010 in the United States alone.
Cyberattacks Proliferate
Online attacks and snooping continue at an increasing rate. Organizations must be vigilant about securing their internal, confi dential documents and e-mail messages. In 2011, security experts at Intel/McAfee “discovered an unprecedented series of cyber attacks on the networks of 72 organizations globally, including the United Nations, governments and corporations, over a fi ve-year period.” 2 Dmitri Alperovitch of McAfee described the incident as “ the biggest transfer of wealth in terms of intellectual“ property in history.”3 The level of intrusion is ominous.
The targeted victims included governments, including the United States, Canada, India, and others; corporations, including high-tech companies and defense contrac- tors; the International Olympic Committee; and the United Nations. “In the case of the United Nations, the hackers broke into the computer system of its secretariat in
Information Governance and Privacy and Security Functions
C H A P T E R 11
Portions of this chapter are adapted from Chapters 11 and 12, Robert F. Smallwood, Safeguarding Critical E-Documents: Implementing a Program for Securing Confi dential Information Assets , © John Wiley & Sons, Inc., 2012. Reproduced with s permission of John Wiley & Sons, Inc.
208 INFORMATION GOVERNANCE
Geneva in 2008, hid there for nearly two years, and quietly combed through reams of secret data, according to McAfee.” 4 Attacks can be occurring in organizations for years before they are uncovered—if they are discovered at all. This means that an organization may be covertly monitored by criminals or competitors for extended periods of time.
And they are not the only ones spying—look no further than the U.S. National Security Agency (NSA) scandal of 2013. With Edward Snowden’s revelations, it is clear that governments are accessing, monitoring, and storing massive amounts of private data.
Where this stolen information is going and how it will be used is yet to be determined. But it is clear that possessing this competitive intelligence could give a government or company a huge advantage economically, competitively, diplomatically, and militarily.
The information assets of companies and government agencies are at risk globally. Some are invaded and eroded daily, without detection. The victims are losing economic advantage and national secrets to unscrupulous rivals, so it is imperative that IG policies are formed, followed, enforced, tested, and audited. It is also imperative to use the best available technology to counter or avoid such attacks. 5
Insider Threat: Malicious or Not
Ibas, a global supplier of data recovery and computer forensics, conducted a survey of 400 business professionals about their attitudes toward intellectual property (IP) theft:
■ Nearly 70 percent of employees have engaged in IP theft, taking corporate property upon (voluntary or involuntary) termination.
■ Almost one-third have taken valuable customer contact information, databases, or other client data.
■ Most employees send e-documents to their personal e-mail accounts when pil- fering the information.
■ Almost 60 percent of surveyed employees believe such actions are acceptable. ■ Those who steal IP often feel that they are entitled to partial ownership rights,
especially if they had a hand in creating the fi les. 6
These survey statistics are alarming, and by all accounts the trend continuing to worsen today. Clearly, organizations have serious cultural challenges to combat prevailing attitudes toward IP theft. A strong and continuous program of IG aimed at secur- ing confi dential information assets can educate employees, raise their IP security
Attacks can continue in organizations for years before they are uncovered—if they are discovered at all.
The average cost of a data breach in 2013 was over $5 million.
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 209
awareness, and train them on techniques to help secure valuable IP. And the change needs to be driven from the top: from the CEO and boardroom. However, the mag- nitude of the problem in any organization cannot be accurately known or measured. Without the necessary IG monitoring and enforcement tools, executives cannot know the extent of the erosion of information assets and the real cost in cash and intangible terms over the long term.
Countering the Insider Threat
Frequently ignored, the insider has increasingly become the main threat—more than the external threats outside of the perimeter. Insider threat breaches can be more costly than outsider breaches. Most of the insider incidents go unnoticed or unreported.7
Companies have been spending a lot of time and effort protecting their perimeters from outside attacks. In recent years, most companies have realized that the insider threat is something that needs to be taken more seriously.
Malicious Insider
Malicious insiders and saboteurs comprise a very small minority of employees. A dis- gruntled employee or sometimes an outright spy can cause a lot of damage. Malicious insiders have many methods at their disposal to harm the organization by destroying equipment, gaining unsanctioned access to IP, or removing sensitive information by USB drive, e-mail, or other methods.
Nonmalicious Insider
Fifty-eight percent of Wall Street workers say they would take data from their company if they were terminated, and believed they could get away with it, according to a recent survey by security fi rm CyberArk.8 Frequently, they do this without malice. The majority of users indicated having sent out documents accidentally via e-mail. So, clearly it is easy to leak documents without meaning to do any harm, and that is the cause of most leaks.
Solution
Trust and regulation are not enough. In the case of a nonmalicious user, companies should invest in security, risk education, and IG training. A solid IG program can reduce IP leaks through education, training, monitoring, and enforcement.
Security professionals state that insider threat breaches are often more costly than outsider ones.
Information assets are invaded and eroded daily, often without detection. This compromises competitive position and has real fi nancial impact.
210 INFORMATION GOVERNANCE
In the case of the malicious user, companies need to take a hard look and see whether they have any effective IG enforcement and document life cycle security (DLS) technology such as information rights management (IRM) in place. Most often, the answer is no. 9
Privacy Laws
The protection of personally identifi able information (PII) is a core focus of IG efforts. PII is any information that can identify an individual, such as name, Social Security number, medical record number, credit card number, and so on. Various privacy laws have been enacted in an effort to protect privacy. You must consult your legal counsel to determine which laws and regulation apply to your organization and its data and documents.
In the United States, the Federal Wiretap Act “prohibits the unauthorized inter- ception and disclosure of wire, oral, or electronic communications.” The Electronic Communications Privacy Act (ECPA) of 1986 amended the Federal Wiretap Act sig- nifi cantly and included specifi c on e-mail privacy. 10 The Stored Communications and Transactional Records Act (SCTRA) was created as a part of ECPA and is “sometimes useful for protecting the privacy of e-mail and other Internet communications when discovery is sought.” The Computer Fraud and Abuse Act makes it a crime to in- tentionally breach a “protected computer” (one used by a fi nancial institution or for interstate commerce).
Also relevant for public entities is the Freedom of Information Act, which allows U.S. citizens to request government documents that have not previously been released, although sometime sensitive information is redacted (blacked out), and specifi es the steps for disclosure as well as the exemptions. In the United Kingdom, the Freedom of Information Act 2000 provides for similar disclosure requirements and mandatory steps.
In the United Kingdom, privacy laws and regulations include these:
■ Data Protection Act 1998 ■ Freedom of Information Act 2000 ■ Public Records Act 1958 ■ Common law duty of confi dentiality ■ Confi dentiality National Health Service (NHS) Code of Practice ■ NHS Care Record Guarantee for England ■ Social Care Record Guarantee for England ■ Information Security NHS Code of Practice ■ Records Management NHS Code of Practice
Also, the international information security standard ISO/IEC 27002: 2005 comes into play when implementing security.
Redaction
Redaction is the process of blocking out sensitive fi elds of information. In a paper environment, this was done with a black marking pen; however, privacy software can redact certain fi elds in digital documents, making them unreadable. Redaction is used
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 211
for confi dential patient information in medical records as well as other confi dential document types, such as birth certifi cates, fi nancial documents, property deeds, and other unstructured information that is managed.
A complete audit trail should be enabled that shows when specifi c users accessed or printed specifi c confi dential information.
Limitations of Perimeter Security
Traditionally, central computer system security has been primarily perimeter security—securing the fi rewalls and perimeters within which e-documents are stored and attempting to keep intruders out—rather than securing e-documents directly upon their creation. The basic access security mechanisms implemented, such as passwords, two-factor authentication, and identity verifi cation, are rendered totally ineffective once the confi dential e-documents or records are legitimately accessed by an authorized employee. The documents are usually bare and unsecured. This poses tremendous challenges if the employee is suddenly terminated, if the person is a rogue intent on doing harm, or if outside hackers are able to penetrate the secured perimeter. And, of course, it is com- mon knowledge that they do it all the time. The focus should be on securing the documents themselves, directly.
Restricting access is the goal of conventional perimeter security, but it does not directly protect the information inside. Perimeter security protects information the same way a safe protects valuables; if safecrackers get in, the contents are theirs. There are no protections once the safe is opened. Similarly, if hackers penetrate the perimeter security, they have complete access to the information inside, which they can steal, alter, or misuse. 11 The perimeter security approach has four fundamental limitations:
1. Limited effectiveness. Perimeter protection stops dead at the fi rewall, even though sensitive information is sent past it and circulates around the Web, unsecured. Today’s extended computing model and the trend toward global business means that business enterprises and government agencies frequently share sensitive information externally with other stakeholders, including busi- ness partners, customers, suppliers, and constituents.
2. Haphazard protections. In the normal course of business, knowledge workers send, work on, and store copies of the same information outside the organi- zation’s established perimeter. Even if the information’s new digital environ- ment is secured by other perimeters, each one utilizes different access controls or sometimes no access control at all (e.g., copying a price list from a sales folder to a marketing folder; an attorney copying a case brief or litigation strategy document from a paralegal’s case folder).
3. Too complex. With this multi-perimeter scenario, there are simply too many pe- rimeters to manage, and often they are out of the organization’s direct control.
4. No direct protections. Attempts to create boundaries or portals protected by pe- rimeter security within which stakeholders (partners, suppliers, shareholders, or customers) can share information causes more complexity and administra- tive overhead while it fails to protect the e-documents and data directly. 12
Despite the current investment in e-document security, it is astounding that once information is shared today, it is largely unknown who will be accessing it tomorrow.
212 INFORMATION GOVERNANCE
Defense in Depth
Defense in depth is an approach that uses multiple layers of security mechanisms to protect information assets and reduce the likelihood that rogue attacks can succeed.13 The idea is based on military principles that an enemy is stymied by complex layers and approaches compared to a single line. That is, hackers may be able to penetrate one or two of the defense layers, but multiple security layers increase the chances of catching the attack before it gets too far. Defense in depth includes a fi rewall as a fi rst line of defense and also antivirus and anti-spyware software, identity and access management (IAM), hierarchical passwords, intrusion detection, and biometric t verifi cation. Also, as a part of an overall IG program, physical security measures are deployed, such as smartcard or even biometric access to facilities and intensive IG training and auditing.
Controlling Access Using Identity Access Management
IAM software can provide an important piece of the security solution. It aims to pre- vent unauthorized people from accessing a system and to ensure that only authorized individuals engage with information, including confi dential e-documents.
Today’s business environment operates in a more extended and mobile model, often including stakeholders outside of the organization. With this more complex and fl uctuating group of users accessing information management applications, the idea of identity management has gained increased importance.
The response to the growing number of software applications using inconsistent or incompatible security models is strong identity management enforcement software. These scattered applications offer opportunities not only for identity theft but also for identity drag , where the maintenance of identities does not keep up with changing g identities, especially in organizations with a large workforce. This can result in theft of confi dential information assets by unauthorized or out-of-date access and even failure to meet regulatory compliance, which can result in fi nes and imprisonment.14
IAM—along with sharp IG policies—“manages and governs user access to infor- mation through an automated, continuous process.” 15 Implemented properly, good IAM does keep access limited to authorized users while increasing security, reducing IT complexity, and increasing operating effi ciencies.
Critically, “IAM addresses ‘access creep’ where employees move to a different department of business unit and their rights to access information fail to get updated” (emphasis added).” 16
In France in 2007, a rogue stock trader at Société Générale had in-depth knowl- edge of the bank’s access control procedures from his job at the home offi ce. 17 He used that information to defraud the bank and its clients out of over €7 billion (over $10 billion). If the bank had implemented an IAM solution, the crime might not have been possible.
“IAM addresses ‘access creep’ where employees move to a different depart- ment of business unit and their rights to access information fail to get updated.”
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 213
A robust and effective IAM solution provides for:
■ Auditing . Detailed audit trails of g who attempted to access which information , and when . Stolen identities can be uncovered if, for instance, an authorized user attempts to log in from more than one computer at a time.
■ Constant updating. Regular reviews of access rights assigned to individuals, in- cluding review and certifi cation for user access, an automated recertifi cation process ( attestation ), and enforcement of IG access policies that govern the way users access information in respect to segregation of duties.
■ Evolving roles. Role life cycle management should be maintained on a continuous basis, to mine and manage roles and their associated access rights and policies.
■ Risk reduction. Remediation regarding access to critical documents and information.
Enforcing IG: Protect Files with Rules and Permissions
One of the fi rst tasks often needed when developing an IG program that secures confi - dential information assets is to defi ne roles and responsibilities for those charged with implementing, maintaining, and enforcing IG policies. Corollaries that spring from that effort get down to the nitty-gritty of controlling information access by rules and permissions.
Rules and permissions specify who (by roles) is allowed access to which documents and information, and even contextually from where (offi ce, home, travel) and at what times (work hours, or extended hours). Using the old policy of the s need-to-know basis is a good rule of thumb to apply when setting up these access policies (i.e., only those who are at a certain level of the organization or are directly involved in certain projects are allowed access to confi dential and sensitive information). The roles are relatively easy to defi ne in a traditional hierarchical structure, but today’s fl atter and more col- laborative enterprises present challenges.
To effectively wall off and secure information by management level, many compa- nies and governments have put in place an information security framework—a model that delineates which levels of the organization have access to specifi c documents and databases as a part of implemented IG policy. This framework shows a hierarchy of the company’s management distributed across a range of defi ned levels of information access. The U.S. Government Protection Profi le for Authorization Server for Basic Robustness Environments is an example of such a framework.
Challenge of Securing Confi dential E-Documents
Today’s various document and content management systems were not initially designed to allow for secure document sharing and collaboration while also preventing docu- ment leakage. These software applications were mostly designed before the invention and adoption of newer business technologies that have extended the computing environment. The introduction of cloud computing, mobile PC devices, smartphones, social media, and online collaboration tools all came after most of today’s document and content management systems were developed and brought to market.
214 INFORMATION GOVERNANCE
Thus, vulnerabilities have arisen that need to be addressed with other, comple- mentary technologies. We need to look no further than the WikiLeaks incident and the myriad of other major security breaches resulting in document and data leakage to see that there are serious information security issues in both the public and private sectors.
Technology is the tool, but without proper IG policies and a culture of compli- ance that supports the knowledge workers following IG policies, any effort to secure confi dential information assets will fail. An old IT adage is that even perfect technology will fail without user commitment.
Protecting Confi dential E-Documents: Limitations of Repository-Based Approaches
Organizations invest billions of dollars in IT solutions that manage e-documents and records in terms of security, auditing, search, records retention and disposition, version control, and so on. These information management solutions are predominantly re- pository-based, including enterprise content management (ECM) systems and collab- orative workspaces (for unstructured information, such as e-documents). With content or document repositories, the focus has always been on perimeter security—keeping intruders out of the network. But that provides only partial protection. Once intrud- ers are in, they are in and have full access to confi dential e-documents. For those who are authorized to access the content, there are no protections, so they may freely copy, forward, print, or even edit and alter the information. 18
The glaring vulnerability in the security architecture of ECM systems is that few protec- tions exist once the information is legitimately accessed.
These confi dential information assets, which may include military plans, price lists, patented designs, blueprints, drawings, and fi nancial reports, often can be printed, e-mailed, or faxed to unauthorized parties without any security attached. 19
Also, in the course of their normal work processes, knowledge workers tend to keep an extra copy of the electronic documents they are working on stored at their desktop, or they download and copy them to a tablet or laptop to work at home or while traveling. This creates a situation where multiple copies of these e-documents are scat- tered about on various devices and media, which creates a security problem, since they are out- side of the repository and no longer secured, managed, controlled, or audited.
The glaring vulnerability in the security architecture of ECM systems is that few protections exist once the information is legitimately accessed.
Technologies like fi rewalls, access controls, and gateway fi lters can grant or deny access but cannot provide granular enforcement of acceptable use policies that defi ne what users can and cannot do with confi dential data and documents.
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 215
It also creates records management issues in terms of the various versions that might be out there and determining which one is the offi cial business record.
Apply Better Technology for Better Enforcement in the Extended Enterprise
Protecting E-Documents in the Extended Enterprise
Sharing e-documents and collaborating are essential in today’s increasingly mobile and global world. Businesses are operating in a more distributed model than ever be- fore, and they are increasingly sharing and collaborating not only with coworkers but also with suppliers, customers, and even at times competitors (e.g., in pharmaceutical research). This reality presents a challenge to organizations dealing in sensitive and confi dential information.20
Basic Security for the Microsoft Windows Offi ce Desktop
The fi rst level of protection for e-documents begins with basic protections at the desktop level. Microsoft Offi ce provides ways to password-protect Microsoft Offi ce fi les, such as those created in Word and Excel, quickly and easily. Many corporations and government agencies around the world use these basic protections. A key fl aw or caveat is that passwords used in protecting documents cannot be retrieved if they are forgotten or lost.
Where Do Deleted Files Go?
When you delete a fi le it is gone, right? Actually, it is not (with the possible exception of solid state hard drives). For example, after a fi le is deleted in Windows, a simple undelete DOS command can bring back the fi le, if it has not been overwritten. That is because when fi les are deleted, they are not really deleted; rather, the space where they reside is marked for reuse and can be overwritten. If it is not yet overwritten, the fi le is still there. The same process occurs as drafts of documents are created and temp (for temporary ) fi les are stored. The portions of a hard drive where deleted or temp fi les are stored can be overwritten. This is called unallocated space. Most users are unaware that deleted fi les and fragments of documents and drafts are stored temporarily on their computer’s unallocated space. So it must be wiped clean and completely erased to ensure that any confi dential documents or drafts are completely removed from the hard drive.
IG programs include the highest security measures, which means that an organi- zation must have a policy that includes deleting sensitive materials from a computer’s unallocated space and tests that verify such deletion actions are successful periodically.
Lock Down: Stop All External Access to Confi dential E-Documents
Organizations are taking other approaches to stop document and data leakage: physi- cally restricting access to a computer by disconnecting it from any network con- nections and forbidding or even blocking use of any ports. Although cumbersome, these methods are effective in highly classifi ed or restricted areas where confi dential
216 INFORMATION GOVERNANCE
e-documents are held. Access is controlled by utilizing multiple advanced identity ver- ifi cation methods, such as biometric means.
Secure Printing
Organizations normally expend a good amount of effort making sure that computers, documents, and private information are protected and secure. However, if your com- puter is hooked up to a network printer (shared by multiple knowledge workers), all of that effort might have been wasted. 21
Some basic measures can be taken to protect confi dential documents from being compromised as they are printed. You simply invoke some standard Microsoft Offi ce protections, which allow you to print the documents once you arrive in the copy room or at the networked printer. This process varies slightly, depending on the printer’s manufacturer. (Refer to the documentation for the printer for details.)
In Microsoft Offi ce, there is an option in the Print Dialog Box for delayed print- ing of documents (when you physically arrive at the printer).
Serious Security Issues with Large Print Files of Confi dential Data
According to Canadian output and print technology expert William Broddy, in a company’s data center, a print fi le of, for instance, investment account statements or bank statements contains all the rich information that a hacker or malicious insider needs. It is information distilled to the most important core data about customers, and has been referred to as data syrup since it has been boiled down and contains no mountains of extraneous data, only the culled, cleaned, essential data that gives criminals exactly what they need.d 22
What most managers are not aware of is that entire print fi les and sometimes remnants of them stay on the hard drives of high-speed printers and are vulnerable to security breaches. Data center security personnel closely monitor calls to their data- base. To extract as much data as is contained in print fi les, a hacker requires hundreds or even thousands of calls to the database, which sets off alerts by system monitor- ing tools. But retrieving a print fi le takes only one intrusion, and it may go entirely unnoticed. The fi les are sitting there; a rogue service technician or fi eld engineer can retrieve them on a routine service call.
To help secure print fi les, specialized hardware devices designed to sit between the print server and the network and cloak server print fi les are visible only to those who have a cloaking device on the other end.
Organizations must practice good IG and have specifi c procedures to erase sensitive print fi les once they have been utilized. For instance, in the example of preparing statements to mail to clients, fi les are exposed to possible intrusions in at least six points in the process (starting with print fi le preparation and ending with the actual mailing). These points must be tightly monitored and controlled. Typically, an
A print fi le contains all the distilled customer information a hacker might want. Retrieving a print fi le takes only one intrusion and may go entirely unnoticed.
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 217
organization retains a print fi le for about 14 days, though some keep fi les long enough for customers to receive statements in the mail and review them. Organizations must make sure that print fi les or their remnants are secured and then completely erased when the printing job is fi nished.
E-Mail Encryption
Encrypting (scrambling using advanced algorithms) sensitive e-mail messages is an effective step to securing confi dential information assets while in transit. Encryption can also be applied to desktop folders and fi les and even entire disk drives (full disk en- cryption, or FDE). All confi dential or sensitive data and e-documents that are exposed to third parties or transferred over public networks should be secured with fi le-level encryption, at a minimum. 23
Secure Communications Using Record-Free E-Mail
What types of tools can you use to encourage the free fl ow of ideas in collaborative efforts without compromising your confi dential information assets or risking litigation or compliance sanctions?
Stream messaging is an innovation that became commercially viable around 2006. It is similar in impact to IRM software, which limits the recipients’ ability to forward, print, or alter data in an e-mail message (or reports, spreadsheets, etc.) but goes further by leaving no record on any computer or server.r
Stream messaging is a simple, safe, secure electronic communications system ideal for ensuring that sensitive internal information is kept confi dential and not publicly released. Stream messaging is not intended to be a replacement for enterprise e-mail but is a complement to it. If you need an electronic record, e-mail it; if not, use stream messaging. 24
What makes stream messaging unique is its recordlessness. Streamed messages cannot be forwarded, edited, or saved. A copy cannot be printed as is possible with e-mail. That is because stream messaging separates the sender’s and receiver’s names and the date from the body of the message, never allowing them to be seen together. Even if the sender or receiver were to attempt to make a copy using the print-screen function, these ele- ments are never captured together.25
Files are exposed to possible intrusions in at least six points between print fi le preparation and fi nal hard-copy mailing.
With stream messaging, no record or trace of communication is left.
218 INFORMATION GOVERNANCE
The instant a stream message is sent, it is placed in a temporary storage buffer space. When the recipient logs in to read the message, it is removed from the buffer space. By the time the recipient opens it, the complete stream message no longer exists on the server or any other computer.
This communications approach is Web based, meaning that no hardware or soft- ware purchases are required. It also works with existing e-mail systems and e-mail addresses and is completely immune to spam and viruses. Other solutions (both past and present) have been offered, but these have taken the approach of encrypting e-mail or generating e-mail that disappears after a preset time. Neither of these approaches is truly recordless.
Stream messaging is unique because its technology effectively eliminates the ability to print, cut, paste, forward, or save a message. It may be the only electronic commu- nications system that separates the header information—date, name of sender, name of recipient—from the body of the message. This eliminates a traceable record of the communication. Soon many other renditions of secure messaging will be developed.
In addition, stream messaging offers the added protection of being an indiscrimi- nate Web-based service, meaning that the messages and headers are never hosted on the subscribing companies’ networks. This eliminates the risk that employers, com- petitors, or hackers could intercept stream messages, which is a great security benefi t for end users. 26
Digital Signatures
Digital signatures are more than just digitized autographs—they carry detailed audit information used to “detect unauthorized modifi cations” to e-documents and to “authenticate the identity of the signatory.” 27
Online transactions can be conducted with full trust that they are legal, proper, and binding. They prove that the person whose signature is on the e-document did, in fact, authorize it. A digital signature provides evidence in demonstrating to a third party that the signature was genuine, true, and authentic, which is known as nonrepudiation . To repudiate is to dispute, and with digital signatures, a signatory is unable to claim that the signature is forged.
Digital signatures can be implemented a variety of ways—not just through soft- ware but also through fi rmware (programmed microchips), computer hardware, or a combination of the three. Generally, hardware- and fi rmware-based implementations are more diffi cult to hack, since their instructions are hardwired.
Here is a key point: For those who are unfamiliar with the technology, there is a big difference between electronic signatures and digital signatures. 28
An “electronic signature is likely to be a bit-map image, either from a scanned image, a fax copy or a picture of someone’s signature, or may even be a typed acknowledgement or acceptance.” A digital signature contains “extra data appended to
There is a big difference between digital and electronic signatures. Digital signatures contain additional authenticating information.
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 219
a message which identifi es and authenticates the sender and message data using public-key encryption.”29”
So digital signatures are the only ones that offer any real security advantages. Digital signatures are verifi ed by the combination of applying a signatory’s private
signing key and the public key that comes from the signatory’s personal ID certifi - cate. After that, only the public key ID certifi cate is required for future verifi cations. “In addition, a checksum mechanism confi rms that there have been no modifi cations to the content .” t 30
A formal, trusted certifi cate authority (CA) issues the certifi cate associated with the public-private key. It is possible to generate self-certifi ed public keys, but these do not verify and authenticate the recipient’s identity and are therefore fl awed from a security standpoint. The interchange of verifi ed signatures is possible on a global scale, as “digital signature standards are mature and converging internationally.” 31
After more than 30 years of predictions, the paperless offi ce is almost here. Business process cycles have been reduced, and great effi ciencies have been gained since the majority of documents today are created digitally and spend most of their life cycle in digital form, and they can be routed through work steps using business process management (BPM) and work fl ow software. However, the requirement for a physical signature frequently disrupts and holds up these business processes . Documents have to bes printed out, physically routed, and physically signed—and often they are scanned back into a document or records management (or contract management) system, which defeats the effi ciencies sought.
Often multiple signatures are required in an approval process, and some organiza- tions require each page to be initialed, which makes the process slow and cumbersome when it is executed without the benefi t of digital signatures. Also, multiple copies are generated—as many as 20—so digital signature capability injected into a business pro- cess can account for signifi cant time and cost savings. 32
Document Encryption
There is some overlap and sometimes confusion between digital signatures and document encryption. Suffi ce it to say that they work differently, in that document encryption secures a document for those who share a secret key, and digital signatures prove that the document has not been altered and the signature is authentic.
There are e-records management implications of employing document encryption:
Unless it is absolutely essential, full document encryption is often advised against for use within electronic records management systems as it prevents full-text indexing, and requires that the decryption keys (and application) are available for any future access. Furthermore, if the decryption key is lost or
Requiring a physical signature can disrupt and slow business processes. Digital signatures speed that up and add a layer of security.
220 INFORMATION GOVERNANCE
an employee leaves without passing it on, encrypted documents and records will in effect be electronically shredded as no one will be able to read them.
Correctly certifi ed digital signatures do not prevent unauthorized per- sons reading a document nor are they intended to. They do confi rm that the person who signed it is who they say they are, and that the document has not been altered since they signed it. Within a records management system a digi- tal signature is often considered to be an important part of the metadata of a document, confi rming both its heritage and its integrity.33
Data Loss Prevention (DLP) Technology
The aforementioned document security challenges have given rise to an emerging but critical set of capabilities by a new breed of IT companies that provide data loss prevention (DLP) (also called data leak prevention). DLP providers create software and hardware appliances that thoroughly inspect all e-documents and e-mail messages before they leave the organization’s perimeter and attempt to stop sensitive data from exiting the fi rewall.
This fi ltering is based on several factors, but mostly using specifi ed critical content keywords that are fl agged by the implementing organization. DLP can also stop the exit of information assets by document types, origin, time of day, and other factors.
DLP systems are designed to detect and prevent unauthorized use and transmission of confi dential information.34 In more detail, DLP is a computer security term referring to systems that identify, monitor, and protect data/documents in all three states: (1) in use (endpoint actions), (2) in motion (network actions), and (3) at rest (data/document stor-t age). DLP accomplishes this by deep content inspection and contextual security analysis of transaction data (e.g., attributes of the originator, the data object, medium, timing, recipient/destination, etc.) with a centralized management framework.
Promise of DLP
Gartner reports that the DLP market reached an estimated $670 million in 2013, up from $425 million in 2011, and “with adoption of DLP technologies moving quickly down to the small to medium enterprise, DLP is no longer an unknown quantity.” 35 Although the DLP market has matured, it suffers from confusion about how DLP best fi ts into the new mix of security approaches, how it is best utilized (endpoint or gateway), and even the defi nition of DLP itself. 36
Data loss is very much on managers’ and executives’ minds today. The series of WikiLeaks incidents exposed hundreds of thousands of sensitive government and mili- tary documents. According to the Ponemon Institute (as reported by DLP Experts), data leaks continue to increase annually. Billions of dollars are lost every year as a result of data leaks, with the cost of each breach ranging from an average of $700,000 to $31 million. Some interesting statistics from the study include:
■ Almost half of breaches happen while an enterprise’s data was in the hands of a third party.
■ Over one-third of breaches involved lost or stolen mobile devices.
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 221
■ The cost per stolen record is approximately $200 to $225. ■ One-quarter of breaches were conducted by criminals or with malicious intent. ■ More than 80 percent of breaches compromised over 1,000 records. 37
What DLP Does Well (and Not So Well)
DLP has been deployed successfully as a tool used to map the fl ow of data inside and exiting the organization to determine the paths that content takes, so that more sophisticated information mapping, monitoring, and content security can take place.
This use as a traffi c monitor for analysis purposes has been much more successful than relying on DLP as the sole enforcement tool for compliance and to secure information assets. s Today’s technology is simply not fast enough to catch everything. It catches many e-mail messages and documents that users are authorized to send, which slows the network and the business down. This also adds unnecessary overhead, as someone has to go back and release each and every one of the e-mails or documents that were wrongly stopped.
Another downside: Since DLP relies on content inspection, it cannot detect and monitor encrypted e-mail or documents.
Basic DLP Methods
DLP solutions typically apply one of three methods:
1. Scanning traffi c for keywords or regular expressions, such as customer credit card or Social Security numbers.
2. Classifying documents and content based on a predefi ned set to determine what is likely to be confi dential and what is not.
3. Tainting (in the case of agent-based solutions), whereby documents are tagged and then monitored to determine how to classify derivative documents. For example, if someone copies a portion of a sensitive document into a different document, this document receives the same security clearance as the original document. 38
All these methods involve the network administrator setting up a policy clearly defi ning what is allowed to be sent out and what should be kept in confi dence. This policy creating effort is extremely diffi cult: Defi ning a policy that is too broad means ac-d cidentally letting sensitive information get out, and defi ning a policy that is too narrow means getting a signifi cant amount of false positives and stopping the fl ow of normal business communications.
Although network security management is well established, defi ning these types of IG policies is extremely diffi cult for a network administrator. Leaving this job to network administrators means there will be no collaboration with business units, no standardization, and no real forethought. As a result, many installations are plagued with false positives that are fl agged and stopped, which can stifl e and frustrate knowl- edge workers. The majority of DLP deployments simply use DLP for monitoring and audit- ing purposes.
Examining the issue of the dissolving perimeter more closely, a deeper problem is revealed: DLP is binary; it is black or white. Either a certain e-document or e-mail can
222 INFORMATION GOVERNANCE
leave the organization’s boundaries or it cannot. This process has been referred to as outbound content compliance.
But this is not how the real world works today. Now there is an increasing need for collaboration and for information to be shared or reside outside the organization on mobile devices or in the cloud.
Most of today’s DLP technology cannot address these complex issues on its own. Often additional technology layers are needed.
Data Loss Prevention: Limitations
DLP has been hyped in the past few years, and major security players have made sev- eral large acquisitions—especially those in the IRM market. Much like fi rewalls, DLP started in the form of network gateways that searched e-mail, Web traffi c, and other forms of information traveling out of the organization for data that was defi ned as internal. When it found such data, the DLP blocked transmission or monitored its use.
Soon agent-based solutions were introduced, performing the same actions locally on users’ computers. The next step brought a consolidation of many agent- and net- work-based solutions to offer a comprehensive solution.
IG policy issues are key. What is the policy? All these methods depend on manage- ment setting up a policy that clearly defi nes what is acceptable to send out and what should be kept in confi dence.
With DLP, a certain document can either leave the organization’s boundaries or it can’t. But this is not how the real world works. In today’s world there is an increasing need for information to be shared or reside outside the organization on mobile devices or in the cloud. Simply put, DLP is not capable of addressing this issue on its own, but it is a helpful piece of the overall technology solution.
Missing Piece: Information Rights Management (IRM)
Another technology tool for securing information assets is information rights manage- ment (IRM) software (also referred to as enterprise rights management [ERM] and previously as enterprise digital rights management [e-DRM].) For purposes of this book, we use the term “IRM” when referring to this technology set, so as not to be confused with elec- tronic records management. Major software companies also use the term “IRM.”
IRM technology provides a sort of security wrapper around documents and pro- tects sensitive information assets from unauthorized access. 39 We know that DLP can search for key terms and stop the exit of sensitive data from the organization by in- specting its content. But it can also prevent confi dential data from being copied to external media or sent by e-mail if the person is not authorized to do so. If IRM is deployed, fi les and documents are protected wherever they may be, with persistent security. The ability to apply security to an e-document in any state (in use, in motion, and at rest), across media types, inside or outside of the organization, is called persistent security .
The ability to secure data at any time, in any state, is called persistent protection.
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 223
This is a key characteristic of IRM technology, and it is all done transparently without user intervention. 40
IRM has the ability to protect e-documents and data wherever they may reside, however they may be used, and in all three data states (at rest, in use, and in transit). 41
IRM allows for e-documents to be remote controlled , meaning that security protectionsd can be enforced even if the document leaves the perimeter of the organization. This means that e-documents (and their control mechanisms) can be separately created, viewed, edited, and distributed.
IRM provides persistent, ever-present security and manages access to sensitive e-documents and data. IRM provides embedded fi le-level protections that travel with the document or data, regardless of media type.42 These protections and prevent un- authorized viewing, editing, printing, copying, forwarding, or faxing. So, even if fi les are somehow copied to a thumb drive and taken out of the organization, e-document protections and usage are still controlled.
The major applications for IRM services include cross-protection of e-mails and attachments, dynamic content protection on Web portals, secure Web-based training, secure Web publishing, and secure content storage and e-mail repositories all while meeting compliance requirements of Sarbanes–Oxley, the Health Insurance Portabil- ity and Accountability Act, and others. Organizations can comply with regulations for securing and maintaining the integrity of digital records, and IRM will restrict and track access to spreadsheets and other fi nancial data too.
In investment banking, research communications must be monitored, according to National Association of Securities Dealers rule (NASD) 2711, and IRM can help support compliance efforts. In consumer fi nance, personal fi nancial information col- lected on paper forms and transmitted by fax (e.g., auto dealers faxing credit applica- tions) or other low-security media can be secured using IRM, directly from a scanner or copier. Importers and exporters can use IRM to ensure data security and prevent the loss of cargo from theft or even terrorist activities, and they also can comply with U.S. Customs and trade regulations by deploying IRM software. Public sector data security needs are numerous, including intelligence gathering and distribution, espionage, and Homeland Security initiatives. Firms that generate intellectual property IP, such as re- search and consulting groups, can control and protect access to IP with it. In the highly collaborative pharmaceutical industry, IRM can secure research and testing data.
IRM protections can be added to nearly all e-document types including e-mail, word processing fi les, spreadsheets, graphic presentations, computer-aided design (CAD) plans, and blueprints. This security can be enforced globally on all documents or granularly down to the smallest level, protecting sensitive fi elds of information from prying eyes. This is true even if there are multiple copies of the e-documents scattered about on servers in varying geographic locations. Also, the protections can be applied permanently or within controlled time frames. For instance, a person may be granted access to a secure e-document for a day, a week, or a year.
Key IRM Characteristics
Three requirements are recommended to ensure effective IRM:
1. Security is foremost; documents, communications, and licenses should be en- crypted, and documents should require authorization before being altered.
224 INFORMATION GOVERNANCE
2. The system can’t be any harder to use than working with unprotected documents. 3. It must be easy to deploy and manage , scale to enterprise proportions, and work
with a variety of common desktop applications. 43
IRM software enforces and manages document access policies and use rights (view, edit, print, copy, e-mail forward) of electronic documents and data. Controlled information can be text documents, spreadsheets, fi nancial statements, e-mail messages, policy and pro- cedure manuals, research, customer and project data, personnel fi les, medical records, intranet pages, and other sensitive information. IRM provides persistent enforcement of IG and access policies to allow an organization to control access to information that needs to be secured for privacy, competitive, or compliance reasons. Persistent content security is a necessary part of an end-to-end enterprise security architecture.
Well, it sounds like fabulous technology, but is IRM really so new? No, it has been has been around for a decade or more, and continues to mature and improve. It has es- sentially entered the mainstream around 2004/2005 (when this author began tracking its development and publishing researched articles on the topic).
IRM software currently is used for persistent fi le protection by thousands of or- ganizations throughout the world. Its success depends on the quality and consistency of the deployment, which includes detailed policy-making efforts. Diffi culties in policy maintenance and lack of real support for external sharing and mobile devices have kept fi rst- wave IRM deployments from becoming widespread, but this aspect is being addressed by a second wave of new IRM technology companies.
Other Key Characteristics of IRM
Policy Creation and Management IRM allows for the creation and enforcement of policies governing access and use of sensitive or confi dential e-documents. The organization’s IG team sets the policies for access based on role and organizational level, determining what employees can and cannot do with the secured e-documents. 44 The IG policy defi ned for a document type includes these following controls:
1. Viewing 2. Editing 3. Copy/Paste (including screen capture) 4. Printing 5. Forwarding e-mail containing secured e-documents
Access to sensitive e-documents may be revoked at any time, no matter where they are located or what media they are on, since each time a user tries to access a document, access rights are verifi ed with a server or cloud IRM application. This can be done remotely—that is, when an attempt is made to open the document, an authorization must take place. In cloud-based implementations, it is a matter of simply denying access.
Decentralized Administration One of the key challenges of e-document security traditionally is that a system administrator had access to documents and reports that were meant only for
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 225
executives and senior managers. With IRM, the e-document owner administers the security of the data, which considerably reduces the risk of a document theft, alteration, or misuse.
Auditing Auditing provides the smoking-gun evidence in the event of a true security breach. Good IRM software provides an audit trail of how all documents secured by it are used. Some go further, providing more detailed document analytics of usage.
Integration To be viable, IRM must integrate with other enterprise-wide systems, such as ECM, customer relationship management, product life cycle management, enter- prise resource planning, e-mail management, message archiving, e-discovery, and a myriad of cloud-based systems. This is a characteristic of today’s newer wave of IRM software.
This ability to integrate with enterprise-based systems does not mean that IRM has to be deployed at an enterprise level. The best approach is to target one critical depart- ment or area with a strong business need and to keep the scope of the project narrow to gain an early success before expanding the implementation into other departments.
IRM embeds protection into the data (using encryption technology), allowing fi les to pro- tect themselves. IRM may be the best available security technology for the new mobile computing world of the permeable perimeter. 45
With IRM technology, a document owner can selectively prevent others from viewing, editing, copying, or printing it. Despite its promise, most enterprises do not use IRM, and if they do, they do not use it on an enterprisewide basis. This is due to the high complexity, rigidity, and cost of legacy IRM solutions.
It is clearly more diffi cult to use documents protected with IRM—especially when policy making and maintenance is not designed by role but rather by individual. Some early implementations of IRM by fi rst-to-market software development fi rms had as many as 200,000 different policies to maintain (for 200,000 employees). These have since been replaced by newer, second-wave IRM vendors, who have reduced that num- ber to a mere 200 policies, which is much more manageable. Older IRM installations require intrusive plug-in installation; they are limited in the platforms they support, and they largely prevent the use of newer platforms, such as smartphones, iPads, and other tablets. This is a real problem in a world where almost all executives carry a smartphone and use of tablets (especially the iPad) is growing.
Moreover, due to their basic design, fi rst-wave or legacy IRM is not a good fi t for organiza- tions aiming to protect documents shared outside company boundaries. These outdated IRM solutions were designed and developed in a world where organizations were more concerned with keeping information inside the perimeter than protecting information beyond the perimeter.
IRM technology protects e-documents and data directly rather than relying on perimeter security.
226 INFORMATION GOVERNANCE
Most initial providers of IRM focused on internal sharing and are heavily depen- dent on Microsoft Active Directory (AD) and lightweight directory access protocol (LDAP) for authentication. Also, the delivery model of older IRM solutions involves the deployment and management of multiple servers, SQL databases, AD/LDAP integration, and a great deal of confi guration. This makes them expensive and cum- bersome to implement and maintain. Furthermore, these older IRM solutions do not take advantage of or operate well in a cloud computing environment.
Although encryption and legacy IRM solutions have certain benefi ts, they are extremely unwieldy and complex and offer limited benefi ts in today’s technical and business environment. Newer IRM solutions are needed to provide more complete DLS.
Embedded Protection
IRM embeds protection into the data (using encryption technology), allowing fi les to protect themselves. IRM may be the best available security technology for the new mobile com- puting world of the permeable perimeter. 46
Is Encryption Enough?
Many of the early solutions for locking down data involved encryption in one form or another:
■ E-mail encryption ■ File encryption ■ Full Disk Encryption (FDE) ■ Enterprisewide encryption
These encryption solutions can be divided into two categories: encryption in transit (e.g., e-mail encryption) and encryption t at rest (e.g., FDE).t
The various encryption solutions mitigate some risks. In the case of data in transit, these risks could include an eavesdropper attempting to discern e-mail or network traffi c. In the case of at-rest data, risks include loss of a laptop or unauthorized access to an employee’s machine. The most advanced solutions are capable of applying a policy across the organization and encrypting fi les, e-mails, and even databases. However, encryption has its caveats.
Most simple encryption techniques necessarily involve the decryption of documents so they can be viewed or edited. At these points, the fi les are essentially exposed. Malware (e.g., Trojan horses, keystroke loggers) installed on a computer may use the opportunity to send out the plain-text fi le to unauthorized parties. Alternatively, an employee may copy the contents of these fi les and remove them from the enterprise.
Device Control Methods
Another method that is related to DLP is device control . Many vendors offer software or hardware that prevents users from copying data via the USB port to
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 227
portable drives and removing them from the organization in this manner. These solutions are typically as simple as blocking the ports; however, some DLP so- lutions, when installed on the client side, can selectively prevent the copying of certain documents. 47
Thin Clients
One last method worth mentioning is the use of thin clients to prevent data leaks. These provide a so-called walled garden containing only the applications users require to do their work, via a diskless terminal. This prevents users from copying any data onto portable media; however, if they have e-mail or Web access applications, they still can send information out via e-mail, blogs, or social networks.
Note about Database Security
Database security and monitoring is addressed in Chapter 10 , “IG for IT.”
Compliance Aspect
Compliance has been key in driving companies to invest in improving their security measures, such as fi rewalls, antivirus software, and DLP systems. More than 400 regulations exist worldwide mandating a plethora of information and data secu- rity requirements. One example is the Payment Card Industry Data Security Stan- dard (PCI-DSS), which is one of the strictest regulations for credit card processors. Companies that fail to comply with these regulations are subject to penalties of up to $500,000 per month for lost fi nancial data or credit card information. It is estimated that the per-record cost of a breach is $90 to $305.” 48 But do compliance activities always result in adequate protection of your sensitive data? In many cases the answer is no. It is important to keep in mind that being formally compliant does not mean the organization is actually secure. In fact, compliance is sometimes used as a fi g leaf, covering a lack of real document security. One needs to look no further than to the recent series of major document leakage incidents to understand this. Those all came from highly secure and regulated entities, such as banks, hospitals, and the military.
Hybrid Approach: Combining DLP and IRM Technologies
An idea being promoted recently is to make IRM an enforcement mechanism for platforms like DLP. Together, DLP and IRM accomplish what they independently cannot. Enterprises may be able to use their DLP tools to discover data fl ows, map them out, and detect transmissions of sensitive information. They can then apply their IRM or encryption protection to enforce their confi dentiality and information integrity goals. 49
Several vendors in the fi elds of DLP, encryption, and IRM have already announced in- tegrated products . However, at this point in time, most IRM solutions are by no meanss ready for prime time when it comes to this use. Only a select few second-wave IRM
228 INFORMATION GOVERNANCE
software providers can offer comprehensive, streamlined, persistent security across many platforms.
As the enterprise perimeter dissolves, document and data security should become the focus of the Internet security fi eld. However, most legacy solutions, such as encryp- tion and legacy IRM, are complex and expensive and provide only a partial solution to the key problems. Combining several methods offers effective countermeasures, but an ultimate solution has not yet arrived.
Securing Trade Secrets after Layoffs and Terminations
In today’s global economy—which has shifted labor demands—huge layoffs are not uncommon in the corporate and public sectors. The act of terminating an employee creates document security and IP challenges while raising the question: How does the organization retrieve and retain its IP and confi dential data? An IG program to secure information assets must also deal with everyday resignations of employees who are in possession of sensitive documents and information. 50
According to Peter Abatan, author of the Enterprise Digital Rights Management blog, “As a general rule all organizations should classify all their documents with the aim of identifying the ones that need persistent protection” (emphasis added). That is to say, docu-” ments should be protected at all times, regardless of where they travel and who is using them, while the organization still retains control of usage rights. There are two basic technological approaches to this protection:
1. The fi rst, as discussed earlier in this chapter, is combining IRM with DLP ; P DLP is used to conduct deep content inspection and identify all documents that may contain sensitive information, then the DLP agent “notifi es the en- terprise [information] rights management engine that sensitive information is about to be copied to external media or outside the fi rewall and therefore needs to be encrypted.”
2. The second is using a form of context-sensitive IRM “in which all documents M that contain sensitive data defi ned in the [global] data dictionary [are] auto- matically encrypted.”
These two technological approaches must be fostered by an IG program. They can have signifi cant positive impact in protecting sensitive information, no matter where it is located, and can help document owners withdraw access to its sensitive documents at any time.
Organizations must educate their employees to increase awareness of the fi nancial and competitive impact of breaches and to clarify that sensitive documents are the property of the organization. If those handling sensitive documents are informed of the benefi ts of IRM and related technologies, they will be more vigilant in their efforts to keep information assets secure.
Persistently Protecting Blueprints and CAD Documents
Certain IRM software providers have focused on securing large-format engineer- ing and design documents, and they have made great strides in the protection of
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 229
computer-aided design fi les. As much as 95 percent of CAD fi les are proprietary designs and represent valuable, proprietary IP of businesses worldwide. And CAD fi les are just as vulnerable as any other e-document in that, when unprotected, they “can be emailed or transferred to another party without the knowledge of the owner of the content.”51
In today’s global economy, it is common to conduct manufacturing operations in markets where labor is inexpensive and regulations are lax. Many designs are sent to China, Indonesia, and India for manufacturing. Although they usually are accompa- nied by binding confi dential disclosure contracts, but these agreements are often dif- fi cult to enforce, especially given the disparity in cultures and laws. And what happens if a rogue employee in possession of designs and trade secrets absconds with them and sells them to a competitor? Or starts a competing business? There are a number of examples of this happening.
Owners of valuable proprietary IP must vigilantly protect it; the very survival of the business may depend on it. Monitoring and securing IP wherever it might travel is now a business imperative.
Theft of IP and confi dential information represents a clear and present danger to all types of businesses, especially global brands dependent on proprietary designs for a competitive advantage. Immediate IG action by executive management is required to identify possible leaks and plug the holes. Not safeguarding IP and confi dential or sensitive documents puts the organization’s competitive position, strategic plans, rev- enue stream, and very future at risk.
Securing Internal Price Lists
In 2010, it was reported that confi dential information about the advertising expen- ditures of some of Google’s major accounts was leaked to the public. 52 This may not seem like a signifi cant breach, but, in fact, with this information, Google’s custom- ers can determine if they are getting a preferred price schedule, and competitors can easily undercut Google’s pricing for major customers. According to Peter Abatan, “[It is clear] why this information is so critical to Google that this information is tight- ly secured.”
Is your company’s price list secured at all times? Price lists are confi dential infor- mation assets, and if they are revealed publicly, major customers could demand steeper discounts and business relationships could suffer irreparable damage, especially if cus- tomers fi nd out they are paying more for a product or service than their competitors.
A company’s price list is critical to an organization because it impacts all aspects of the business, from the ability to generate revenue to private dealings with customers and suppliers. IRM should be used to protect price lists, and printing of these valuable
As much as 95 percent of CAD fi les are proprietary designs and represent valuable IP.
230 INFORMATION GOVERNANCE
lists must be monitored and controlled using secure printing methods and document analytics.
Confi dential information should be persistently protected throughout their docu- ment life cycle in all three states (at rest, in motion, and in use) so that if they are com- promised or stolen, they are still protected and controlled by the owning organization.
Approaches for Securing Data Once It Leaves the Organization
It is obvious with today’s trends that, as Andrew Jaquith of SilverSky (formerly with Forrester Research) states, “The enterprise security perimeter is quickly dissolving.” A lot of valuable information is routed outside the owning organization through unse- cured e-mail. A breach can compromise competitive position, especially in cases deal- ing with personnel fi les and marketing plans or merger details. Consider for a moment that even proprietary software and company fi nancial statements are sent out. Expo- sure of this data can have real fi nancial impact. Without additional protections, such as IRM and e-mail encryption, these valuable information assets are often out of the control of the IT department of the owning organization. 53
Third-party possession or control of enterprise data is a critical point of vulner- ability, and many organizations realize that securing data outside the organizational perimeter is a high priority. But a new concept has cropped up of late that bucks un- conventional wisdom: “ Control does not require ownership.”
Instead of focusing on securing devices where confi dential data is accessed, the new thinking focuses on securing the data and documents directly. With this new mind-set, security can be planned under the assumption that the enterprise owns its data but none of the devices that access it. As Forrester’s report states, “Don’t trust the endpoints. Treat them as hostile”. This is referred to as the zero-trust model of infor- mation security. The report states: “...trust but verify applies here. Enterprises must put teeth into their contractual language and audit their partners.” 54
Forrester has developed a new network architecture that builds security into the DNA of a network, using a mixture of fi ve data security design patterns:
1. Thin client. Access information online only, with no local operations, using a diskless terminal that cannot store data, documents, or programs so confi den- tial information stays stored and secured centrally. For additional security, “IT can restrict host copy-and-paste operations, limit data transfers, and require strong or two-factor authentication using SecurID or other tokens.”
2. Thin device. Devices such as smartphones, which have limited computing resources, Web surfi ng, e-mail, and basic Web apps that locally conduct no real information processing, are categorized as thin devices. In practice, these devices do not hold original documents but merely copies, so the offi cial busi- ness record or master copy cannot be altered or deleted. A nice feature of many smartphones is the ability to erase or wipe data remotely, in the event the device is lost. According to the Forrester report, “For insurance, thin de- vices can be remotely wiped—making them truly ‘disposable,’ unlike PCs.” 55
3. Protected process. This approach allows local processing with a PC where confi - dential e-documents and data are stored and processed in a partition that is highly secure and controlled. This processing can occur even if the PC is not
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 231
owned and controlled by the organization. “The protected process pattern has many advantages: local execution, offl ine operation, central manage- ment, and a high degree of granular security control, including remote wipe [erase].” A mitigating factor to consider here is most business PCs today are Windows based, and the world is rapidly moving to other, more nimble platforms.
4. Protected data. Deploying IRM and embedding security into the documents (or data) provides complete DLS. The newer wave of more sophisticated, easier-to-use IRM vendors have role-based policy implementation and such features as “contextual” enforcement, where document rights are dependent on the context —that is, tt where and when a user attempts access. For instance, allow access to documents on workers’ desktops but not on their laptops; or provide access to printing confi dential documents at the facility during offi ce hours but not after. “ Of all the patterns in the Zero Trust data security strategy, protected data is the most fi ne-grained and effective because it focuses on the informa- tion, not its containers.”
5. Eye in the sky. This design pattern uses technologies such as DLP to scan network traffi c content and halt confi dential documents or sensitive data at the perimeter. Deployed properly, DLP is “ideal for understanding the veloc- ity and direction of information fl ow and for detecting potential breaches, outliers, or anomalous transmissions.” It should be noted that DLP does not provide complete protection. To do so would mean that many legitimate and sanctioned e-mails and documents would be held up for inspection, thus slow- ing the business process. As stated earlier, DLP is best for discovering infor- mation fl ows and monitoring network traffi c. Another negative is that you cannot always require partner organizations and suppliers to install DLP on their computers. So this is a complementary technology, not a complete solu- tion to securing confi dential information assets.
By discarding the “age-old confl ation of ownership and control, enterprises will be able to build data protection programs that encompass all possible ownership sce- narios, including Tech Populism, offshoring, and outsourcing.”
Document Labeling
Document labeling is “an easy way to g increase user awareness about the sensitivity of information in a document”(emphasis added).56 What is it? It is the process of attach- ing a label to classify a document. For instance, who would not know that a document labeled “confi dential” is indeed confi dential? If the label appears prominently at the top of a document, it is diffi cult for persons accessing it to claim they did not know it was sensitive.
The challenge is to standardize and formalize the process of s getting the label onto the document— tt enterprisewide. This issue would be addressed in an IG effort focused on se- curing confi dential e-documents, or may also be a part of a classifi cation and taxonomy design effort. It cannot simply be left up to users to type in labels themselves, or it will not be suffi ciently executed and will end up leaving a mishmash of labeled documents without any formal classifi cation.
232 INFORMATION GOVERNANCE
Another great challenge are legacy or archived documents, which are the lion’s share of an organization’s information assets. How do you go back and label those? One by one? Nope. Not practical.
Some content repositories or portals, such as Microsoft SharePoint®, provide some functionality toward addressing the document labeling challenge. SharePoint is the most popular platform for sharing documents today.
SharePoint has an information management policy tool called Labels, which can be used to add document labels, such as Confi dential , to the top of documents:l
There are several options available for administrators to customize the labels, including the ability to:
1. Prompt users to add the label when they save or print, rather than relying on the user to click the Label button in the ribbon;
2. Specify labels containing static text and/or variables such as Project Name; 3. Control the appearance of the labels, such as font, size, and justifi cation. 57
The labels are easily added from within Microsoft Offi ce Word, PowerPoint, and Excel. One method that can be used is for the user to click the Label button on the Insert ribbon group; another method is to add the label through a prompt that appears when a user saves or prints a document (if the administrator has confi gured this option).
The labeling capabilities in document and content management systems such as Microsoft’s SharePoint are a good start for increasing user awareness and improving the handling of sensitive documents. However, the document labeling capabilities of Share- Point are basic and limited . These basic capabilities may provide a partial or temporary d solution, although organizations aiming for a high level of security and confi dentiality for their documents will need to search for supplemental technologies from third- party software providers. For instance, fi nding the capabilities to label documents in bulk rather than one by one, add watermarks, or force users to save or print documents with a standard document label that cannot be altered may require looking at alterna- tives. Some are software vendors have enhanced the SharePoint document labeling capability and may provide the complete solution.
Document Analytics
Some software providers also provide document analytics capabilities that monitor the access, use, and printing of documents and create real-time graphical reports of docu- ment use activities. These capabilities are very valuable.
Document analytics allows a compliance offi cer or system administrator to view exactly how many documents a user accesses in a day and how many documents the user accesses on average. Using this information, analytics monitors can look for spikes or anomalies in use. It is also possible to establish baselines and compare usage with that of an employee’s peers, as well as with his or her past document usage. If, for instance, a user normally accesses an average of 25 documents a day and that sud- denly spikes to 200, the system sends an alert, and perhaps it is time to pay a visit to that person’s offi ce. Or, if an employee normally prints 50 pages per day, then one day prints 250 pages, a fl ag is raised. Document analytics capabilities can go so far as to
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 233
calculate the average time a user spends reading a document; signifi cant time fl uctua- tions can be fl agged as potentially suspicious activity.
Confi dential Stream Messaging
E-mail is dangerous. It contains much of an organization’s confi dential information, and 99 percent of the time it is sent out unsecured. It has been estimated that as many as 20 percent of e-mail messages transmitted pose a legal, fi nancial, or regulatory threat to the organization. Specifi cally, “34 of employers investigated a leak of confi dential busi- ness information via email, and an additional 26% of organizations suffered the expo- sure of embarrassing or sensitive information during the course of a year,” according to Nancy Flynn, Executive Director of the ePolicy Institute. These numbers are rising, giv- ing managers and business owners cause to look for confi dential messaging solutions. 58
Since stream messaging separates the header and identifying information from the message, sends them separately, and leaves no record or trace, it is a good option for executives and managers, particularly when engaged in sensitive negotiations, litigation, or other highly confi dential activities. Whereas e-mail leaves behind an indelible fi n- gerprint that lives forever on multiple servers and systems, stream messaging does not.
Business records, IP and trade secrets, and confi dential executive communications can be protected by implementing stream messaging. It can be implemented alongside and in concert with a regular e-mail system, but clear rules on the use of stream mes- saging must be established, and access to it must be tightly restricted to a small circle of key executives and managers.
The ePolicy Institute offers seven steps to controlling stream messaging:
1. Work with your legal counsel to defi ne “business record” for your organization on a companywide basis. Establish written records retention policies, dispo- sition and destruction schedules. And litigation hold rules. Support the email retention policy with a bona fi de email archiving solution to facilitate the in- dexing, preservation and production of legally authentic records. Implement a formal electronic records management system to manage all records.
2. Work with your legal counsel to determine when, how, why, and with whom confi dential stream messaging is the most appropriate, effective— and legally compliant—way to hold recordless, confi dential business dis- cussions when permanent records are not required.
3. In order to preserve attorney-client privilege, a phone call or confi dential electronic messaging may be preferable to email. Have corporate counsel spell out the manner in which executives and employees should communi- cate with lawyers when discussing business, seeking legal advice, or asking questions related to specifi c litigation.
4. Defi ne key terms for employees. Don’t assume employees understand what management means when using terms like “confi dential,” “proprietary,” or “private” or “intellectual property,” etc. Employees must clearly understand defi nitions If they are to comply with confi dentiality rules.
5. Implement written rules and policies governing the use of email and con- fi dential stream messaging. E-policies should be written clearly and should
234 INFORMATION GOVERNANCE
be easy for employees to access, and understand. Make them [as] “short and sweet” as possible. Do not leave anything up to interpretation.
6. Distribute a hard copy of the new confi dential messaging policy, email pol- icy and other electronic communications (e.g., social media, blogs). Insist that each and every employee signs and dates the policy, acknowledging that they understand and accept it and that disciplinary action including termi- nation may result from violation of the organization’s established policies.
7. Educate, educate, educate. Ensure that all employees who need to know the difference between email which leaves a potential business record and stream messaging which does not, and is confi dential. 59
Securing personal, classifi ed, or confi dential information effectively requires an eclectic, multifaceted approach. It takes clear and enforced IG policies, a collection of technologies, and regular testing and audits, both internally and by a trusted third party.
CHAPTER SUMMARY: KEY POINTS
■ The average cost of a data breach in 2013 was over $5 million.
■ Attacks on organizations’ networks and theft of their IP continue to increase. There were an estimated 354 million privacy breaches between 2005 and 2010 in the United States alone.
■ Attacks can continue in organizations for years before they are uncovered—if they are discovered at all.
■ All organizations should classify all their documents with the aim of identify- ing the ones that need persistent security protection.
■ Today’s ECM and document management solutions rely mostly on perimeter security and were not designed to allow for secure document sharing and collaboration.
■ Businesses are operating in a more distributed model than ever before, and they are increasingly sharing and collaborating—exposing confi dential documents.
■ Secure document printing reduces the chance that fi les can be compro- mised during or after printing. There are various methods to secure the print stream, depending on the print manufacturer. Copies or remnants of large print fi les often exist unsecured on the hard drives of high-speed printers. These fi les must be completely wiped to ensure security.
■ Identity and access management (IAM) software governs user access to in- formation through an automated, continuous process that addresses access creep, whereby employees move to a different business unit and their access rights are not updated.
INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 235
■ Data governance software is another tool that looks at who is accessing which documents and creates a matrix of roles and access along behavioral lines.
■ Encrypting sensitive e-mail messages is an effective step to securing con- fi dential information assets while in transit. Encryption can be applied to desktop folders and fi les.
■ For e-mail communication with no trace or record, stream messaging is a solution.
■ Digital signatures authenticate the identity of the signatory and prove that the signature was, in fact, generated by the claimed signatory. This is known as nonrepudiation.
■ Data loss prevention technology performs a “deep content inspection” of all e-documents and e-mails before they leave the organization’s perimeter to stop sensitive data from exiting the fi rewall.
■ DLP can be used to discover the fl ow of information within an organization. Additional security tools can then be applied. This may be the best use for DLP.
■ Information rights management software enforces and manages use rights of electronic documents. IRM provides a sort of security wrapper around docu- ments and protects sensitive information assets from unauthorized use or copying. IRM is also known as enterprise rights management.
■ Persistent security tools like IRM should be enforced on price lists, proprietary blueprints, and CAD designs. Printing these documents should be highly restricted.
■ Most legacy or fi rst-to-market providers of IRM focused on internal sharing and are heavily dependent on Microsoft Active Directory and lightweight di- rectory access protocol (LDAP) for authentication. These early solutions were not built for cloud use or the distributed enterprises of today, where mobile devices are proliferating.
■ DLP started in the form of network gateways (much like fi rewalls) that searched e-mails, Web traffi c, and other forms of information for data that was defi ned as internal. When it detected such data, it blocked it from leav- ing the perimeter or monitored its use.
■ Soon agent-based DLP technologies were introduced, performing the same action locally on users’ computers. The next step brought a consolidation of many agent- and network-based technologies to offer a more comprehen- sive solution.
CHAPTER SUMMARY: KEY POINTS (Continued )
(( dcontinued ) )dd
236 INFORMATION GOVERNANCE
Notes
1. Ponemon Institute Research Report, “2013 Cost of Data Breach Study: United States,” May 2013, www .symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-us-report-2013.en-us.pdf
2. Jim Finkle, “‘State Actor’ behind Slew of Cyber Attacks,” Reuters, August 3, 2011, www.reuters.com/ article/2011/08/03/us-cyberattacks-idUSTRE7720HU20110803 (accessed August 18, 2011).
3. Ibid. 4. Ibid. 5. Ibid. 6. Peter Abatan, “Persistently Protecting Your Computer Aided Designs,” Enterprise Digital Rights Man-
agement, http://enterprisedrm.tumblr.com/post/1423979379/persistently-protecting-your-computer- aided-designs (accessed August 18, 2011).
7. Ari Ruppin, March 20, 2011 via e-mail. 8. Sam Narisi, “IT’s role in secure staff cuts,” March 2, 2009. www.fi nancetechnews.com/its-role-in-
secure-staff-cuts/ 9. Ibid. 10. Shira Scheindlin and Daniel Capra, The Sedona Conference, Electronic Discovery and Digital Evidence ,
Thomson Reuters, 2009, p. 204, www.amazon.com/Scheindlin-Conferences-Electronic-Discovery-Evidence- ebook/dp/B00AUE0LRI
11. Oracle White Paper, “Oracle Information Rights Management 11g—Managing Information Every- where It Is Stored and Used,” March 2010 p. 4, www.oracle.com/technetwork/middleware/webcenter/ content/irm-technical-whitepaper-134345.pdf (accessed December 23, 2011).
12. Ibid. 13. Open Web Application Security Project, “Defense in Depth,” https://www.owasp.org/index.php/
Defense_in_depth (accessed June 24, 2013). 14. HCL, “Identity and Access Management Services,” www.hclisd.com/identity-and-access-management
.aspx (accessed September 2, 2011). 15. Ibid. 16. Ibid. 17. Nicola Clark and David Jolly, “Fraud Costs Bank 7.1 Billion,” New York Times , January 25, 2008, wwws
.nytimes.com/2008/01/25/business/worldbusiness/25bank-web.html?hp (accessed September 2, 2011).
■ Combining IRM and DLP technologies is the best available approach to securing e-documents and data. Other encryption methods should also be utilized, such as e-mail encryption and FDE).
■ The use of thin-client and thin-device architecture can reduce security threats to confi dential information assets.
■ Document analytics monitor the access, use, and printing of documents and create real-time graphical reports of document use activities.
■ Document labeling is an easy way to increase user awareness about the sen- sitivity of information in a document.
■ Stream messaging is a way to conduct sensitive business negotiations and activities without leaving a business record. Legal counsel must be consulted, and clear policies for regular e-mail versus stream messaging must be estab- lished and enforced.
CHAPTER SUMMARY: KEY POINTS (Continued )
- PART THREE—Information Governance Key Impact Areas Based on the IG Reference Model
- CHAPTER 11 Information Governance and Privacy and Security Functions
- Cyberattacks Proliferate
- Insider Threat: Malicious or Not
- Countering the Insider Threat
- Malicious Insider
- Nonmalicious Insider
- Solution
- Privacy Laws
- Redaction
- Limitations of Perimeter Security
- Defense in Depth
- Controlling Access Using Identity Access Management
- Enforcing IG: Protect Files with Rules and Permissions
- Challenge of Securing Confidential E-Documents
- Protecting Confidential E-Documents: Limitations of Repository-Based Approaches
- Apply Better Technology for Better Enforcement in the Extended Enterprise
- Protecting E-Documents in the Extended Enterprise
- Basic Security for the Microsoft Windows Office Desktop
- Where Do Deleted Files Go?
- Lock Down: Stop All External Access to Confidential E-Documents
- Secure Printing
- Serious Security Issues with Large Print Files of Confidential Data
- E-Mail Encryption
- Secure Communications Using Record-Free E-Mail
- Digital Signatures
- Document Encryption
- Data Loss Prevention (DLP) Technology
- Promise of DLP
- What DLP Does Well (and Not So Well)
- Basic DLP Methods
- Data Loss Prevention: Limitations
- Missing Piece: Information Rights Management (IRM)
- Key IRM Characteristics
- Other Key Characteristics of IRM
- Embedded Protection
- Is Encryption Enough?
- Device Control Methods
- Thin Clients
- Note about Database Security
- Compliance Aspect
- Hybrid Approach: Combining DLP and IRM Technologies
- Securing Trade Secrets after Layoffs and Terminations
- Persistently Protecting Blueprints and CAD Documents
- Securing Internal Price Lists
- Approaches for Securing Data Once It Leaves the Organization
- Document Labeling
- Document Analytics
- Confidential Stream Messaging
- Notes
