Introduction
Recent years have seen an explosion in the volume of data produced and relied on by business and it continues to grow. The IDC forecast study[1] predicts that data volume will increase tenfold over the next few years, itself a significant increase over the period before. Data management challenges facing businesses are not just related to volume, but also to the nature of the information and its importance to both the company itself and the regulatory attention it receives.
The conflicting goals of data availability and security are also a consistent issue, particularly when applied to sensitive and high value information. High value data assets can contain a disparate range of confidential information sets that have specific value to the organisation such as earnings sheets, product designs, customer payment details, patent information and so on. Assets often require different levels of access and security related to the inherent value and sensitivity of their content.
To complicate matters further compliance is increasingly high on the list of compelling drivers. Modern standards, like ISO 27001, require a Security Management System to be implemented that is based on an assessment of risk and for technology and process to be applied to mitigate these risks.
However, not all data is the same. Information that is of high value to companies, but is not subject to regulatory pressures like the Data Protection Act, is often overlooked. This information can be of such high strategic value that its compromise could have major financial or public relations implications and possibly disastrous consequences for the company.
Understanding Data Types
When considering the different scenarios within which sensitive data are used, and the risks inherent in these scenarios, it is important to understand the different types of sensitive data an organisation has. A recent Forrester study[2] examined the type and value of enterprise documents that contained intellectual property, and found they formed two tangible groups.
Secrets – valuable confidential data such as financial reports, design documents, product roadmaps.
Custodial Data – data that are held on behalf of others such as banking data, patient data, legal contracts etc.
The value properties of each group differ due to the nature of their use and requirement. Proprietary company secrets generate revenue, increase profits, and maintain competitive advantage. Custodial data such as customer, medical, and payment card information has value because regulation or contracts make it toxic when spilled and costly to clean up.
Table 1. Examples of Custodial and Secret Information
|
Custodial Data |
Secrets |
Creator / Owner |
Business Partners Customers |
Enterprise |
Relationship to data |
Custodian |
Owner |
Examples |
Customer PII Credit Card Numbers Governmental Identifiers |
Trade secrets Strategic plans Sales forecasts |
Source value |
External: determined by regulators and criminals |
Internal / External competitive |
Compulsion to protect |
Controlled by regulation, statue or contract |
Would cause strategic harm |
Regulation |
DPA PCI-DSS |
- |
Consequences |
Clean up, notification costs Reputation |
Revenue losses Reputation |
Key Question |
Why is the data circulating? |
Who needs to know? |
Priorities |
Stop unnecessary circulation Reduce use |
Control circulation Reduce abuse |
Based On: Forrester Research, “Selecting Data Security Technologies,” December 2009.
Increasing Regulatory and Compliance Pressure
Recent changes to the Data Protection Act came into force on 6th April 2010 and are designed to deter data breaches. The Information Commissioner’s Office (ICO) is now able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. The power to impose a monetary penalty is designed to deal with the most serious personal data breaches and is part of the ICO’s overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.
This drive for regulatory compliance has specific resonance for data that fall within the custodial group, however secret data remains unaffected, is company specific, arguably of higher value and has higher consequences should it suffer a breach or leak.
It is also worth noting that increasingly competitive markets and sophisticated customers are putting pressure on companies to implement, and be assessed against, non-mandated standards like ISO 27001. Customers are becoming more aware and demanding that suppliers conform to recognised standards as they themselves become more attuned to the risks inherent in sharing their own data.
Compliant Doesn’t Mean Secure
Understanding and recognising the different types of data a business makes use of can help to address the balance when formalising where data security investments are needed. Often a company will focus on trying to prevent accidents with custodial data, due to regulatory pressures, but an additional and often overlooked risk is theft of sensitive company secrets as they carry a far higher intrinsic value.
Company secrets are the data asset “crown jewels” and represent the most sensitive activities from research and development, patent filings, mergers and acquisitions, financial and strategic direction. This information is of critical importance to the future success of the organisation. Keeping it safe should be the highest priority.
As compliance is focused on the appropriate use of custodial data, solutions that operate within that remit alone are frequently too narrow in their objective and result in overlooking valuable data assets such as company secrets. When considering solutions for the protection of sensitive information, both data types should be considered and, where possible, processes combined in order to derive maximum return for the organisation. The combination effect of a carefully considered purpose built solution will deliver the requirements needed for both data types – security and compliance for custodial data; and secure sharing and control of company secrets.
Traditional Solutions Operate in Distinct Technology Areas
Until very recently there are a number of point security technologies that can help secure individual stages of the data “custody” chain as shown below. These technologies tended not to take into account the overall business process they were operating alongside and rarely gave an end-to-end solution: at some point valuable data was left exposed.
While there are many point solutions that operate within each of these technology areas, all suffer from the same problems:
- At some point an item of data has to be unprotected in order that it can be used
- Once an item is sent out from its owner and arrives with a recipient, control is lost
- Information Security risks tend to be associated with human activity (absent mindedness leading to loss, malicious actions leading to theft, poorly designed business processes leading to compromise, etc). These activities more often than not span more than one step of the custody chain and so technology lead solutions tend to be misaligned with the risks they are trying to mitigate
- Following on from this, few of these solutions are designed to work together, creating expensive and complicated integration work or difficult to follow workflows and making it difficult to demonstrate compliance.
Approach the problem from another perspective: Think Data Centric
The reason that traditional solutions have the problems described above is that they focus on areas of technology, rather than starting with the higher level problem of mitigating information security risks associated with the activities of business – they are an evolution of a less mature view of security.
What is required is a security paradigm that includes the following considerations (based on the sections discussed above):
- Secure both Secret and Custodial data with the same rigour
- Secure Information irrespective of where it lies within the custody chain
- Secure Information wherever it ends up
- Remove human error where possible
- Support compliance needs
- Be driven by the needs of doing business – using but not losing data.
A recent development in this field is the concept of truly “Data Centric” security. In this world view individual items of data are secured irrespective of where they are held in a fashion that allows the appropriate access to the appropriate person, wherever they are and whenever they try to make access. Rights are variable by the owners of data as circumstances dictate and all actions relating to items are securely recorded for auditing purposes.
Conclusion
Compliance is a major spend within the security budget but does not necessarily equal secured data when it comes to sensitive information security. Enterprises need to consider placing more focus on securing critical secrets that confer long-term competitive advantage, rather than just preventing accidents involving custodial data.
By coming at the problem from a point of view that considers the business requirements that lead to information risks and selecting systems and solutions that share this world view, businesses will be better placed to support the needs of compliance and address the security of their own secrets.
Enterprises should consider data-centric security technologies that provide a unified platform to protect both types of data. They should specifically be able to accommodate unstructured information, provide the correct level of access to necessary parties and place emphasis on retaining control of information at all times including throughout any collaboration processes or sharing. Files should also be secured with persistently applied measures, allowing the file to be always protected as its minimum state, and access controlled wherever it is used, sent or stored.
[1] The Diverse and Exploding Digital Universe, IDC. March 2008
[2] The Value of Corporate Secrets, Forrester. March 2010