BUSINESS: Preventing Information Leak Scandals
Managing information, ensuring that confidential or sensitive data does not find its way outside of an organisation, and making sure that only the right people have access to data when and where they need it is a challenging task. This task, broadly defined as User Rights Management, requires well-defined corporate information policies and, in today's environment, technology to help enforce them.
The importance of effectively managing user rights has been highlighted by the recent Wikileaks scandal, where sensitive and highly confidential information was removed from government and private sector organisations and spread over the Internet for the world to view.
The fact that this information could be not only accessed but also downloaded, saved on a portable storage device and removed from these institutions shows that the policies in place were inadequate, that the protection technology in place did not prevent these incidents from occurring, or both. However, there are many ways that information security can be compromised: many workers use portable devices such as laptops, USB drives, compact discs and other media, including paper, to move information around, and information can easily be photographed or even videoed using mobile phones.
The truth is that there is no 'silver bullet' solution that will solve information access and user rights management dilemmas, and the best solution is similar to any form of security - a multi-layered approach that offers levels of overlapping protection. This approach should combine training and awareness of security issues, organisational policy, and technology that can be put in place to enforce this policy.
In terms of technology, there are many facets involved in securing information, but there are three main layers or steps to be taken. The first of these is to identify both the user and the device, to decide who can access the network in the first place, under what conditions and with which devices. On the information side, documents and other files need to be classified according to their confidentiality.
As a first step, organisations need to create a user repository (directory), and ensure that when someone attempts to access the network, the Network Access Control (NAC) technology can identify who the user is, determine if the user is allowed access to the network, and under what conditions.
Once the user is authenticated and granted access to the network, a second layer of protection needs to be added to enforce information usage policies. Data Loss Prevention/Protection (DLP) is one of the technologies that can be harnessed at this stage. Based on the organisational information access policies, DLP tools can help to prevent data leaks and protect data whether it is in use, in transit or in storage, reducing the risk of accidental disclosure through bad business process.
Finally, once policies are in place and tools have been added to enforce them, both the solution and its usage need to be monitored and updated to ensure that policies remain correct and are being adhered to, and that data remains protected. In today's rapidly changing environment, it is vital to have dynamic tools so that policies can be altered as needed in order to maintain correct levels of protection and user access.
Ultimately, there is no single technology that delivers the full spectrum of user rights management solutions, and keeping data and sensitive information secure requires a combination of user training and enforcing technology to prevent potentially ruinous crises such as Wikileaks from occurring.