What technology is making this happen? On the backend, part of your voyage was enabled by a small startup that built an application using tools and technologies offered by a cloud services provider, which hosts the service from a data center located essentially anywhere in the world. The coffee purchase was made possible by the coffee shop, your bank and a third-party credit card processor.
By now, I believe we are all willing to accept the following as truth: information continually and freely circulates across and beyond enterprises, governments and social networks, aided by open, collaborative environments, mash-up technologies and intelligent information streams. Geospecific information is becoming more and more critical to businesses, from pinpointing or tracking cargo in a supply chain to finding the right medical devices in a hospital.
And, with the potential for information breaches and the chance of inappropriate disclosure or use of intellectual capital as a boardroom issue, businesses expect a continued focus on privacy and security. However, from a practical standpoint, businesses will balance this pressure with another truth: Information is a commodity and its use and availability fuel the economy.
Given this reality, most customers have one key question: Recognizing the need to make information both available and useful, how can I prevent sensitive information from accidentally or illicitly being exposed? It's a big question given the pace of information being exchanged between parties, often residing in non-secured areas and on non-secured devices.
Like it or not, the short answer is that users need to be placed on an information diet with regard to the sharing and accessing of information. Critical data should be made available only to those who should have access to it; for all others, access should be restricted. This is the core tenet of a successful Information Loss Prevention (ILP) system. Establishing a well-implemented ILP system not only reduces risk but improves the quality of user interaction while decreasing long-term storage and security costs.
Let's take a look at key requirements of a comprehensive ILP system:
Information Discovery and Classification:
Let's face it, not all information needs to be managed and controlled in the same way. It should be classified into groups, with sensitive groups demanding more security control. When classifying and organizing information, the following are key questions to consider:
Classification can be achieved manually or automatically using special purpose tools designed to seek and find information buried within the environment.
Acceptable Use of Information Policy:
Today it seems like almost every user of our IT systems and digitally held information is trusted: suppliers, partners, customers and employees. These users have multiple digital identities that give them the ability to share information across many communication channels, such as e-mail, instant messaging and Internet sessions. It is critical that they understand their roles and responsibilities vis-à-vis information use and disclosure. It is generally recommended that a policy defining acceptable use of information (who can touch what, when, and under what circumstances or contexts they are permitted to do so) be posted and, where appropriate, users are required to sign digitally or physically that they will comply with the policy.
Identity and Access Management:
Telling people what their responsibilities are is not enough. The truth is digital identity is a focal point in today's global economy; trustworthy credentials are required for any interaction or transaction. Are you going to transfer money or share confidential information with an entity you don't know? Likewise, are you going to allow someone you don't know or trust to have access to your critical information? Unfortunately, many organizations have not yet recognized the link between poor identity and access management practices and information loss or disclosure. It is critical that organizations automate the process of granting and maintaining digital identities, granting access to applications and information assets, and auditing user activities using identity and access management solutions.
In this category, there are three areas where organizations need to pay close attention. The first is securing structured information (information in databases) to ensure that only privileged users can make changes to the database structure. The second is ensuring that critical information is protected via encryption, whether at rest or in flight. The third is monitoring for potential information leaks through e-mail, IM and social networking sites.
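As an added illustration (not code from the article or from any ILP product), the sketch below ties automatic classification to leak monitoring: it discovers payment card numbers in message text, assigns the text to a sensitivity group, and decides whether the message may leave the organization. The group names, the handling markers, the `corp.example` domain and the sample messages are all assumptions constructed for this example.

```python
import re

# Assumed detectors; the group names used below are illustrative, not the article's.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # candidate card numbers
MARKER_RE = re.compile(r"\b(?:confidential|internal use only)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs such as tracking IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str):
    """Return (group, findings) for one document or message body."""
    cards = [re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text)]
    if any(luhn_ok(c) for c in cards):
        return "restricted", ["payment_card"]
    if MARKER_RE.search(text):
        return "internal", ["handling_marker"]
    return "public", []

def outbound_decision(text: str, recipient: str, own_domain: str = "corp.example"):
    """Monitoring rule: only 'public' content may leave the organization."""
    group, findings = classify(text)
    external = not recipient.lower().endswith("@" + own_domain)
    action = "block" if external and group != "public" else "allow"
    return action, group, findings

# Constructed sample messages (not real data); 4111... is a well-known test number.
SAMPLES = [
    ("Receipt: latte paid with card 4111 1111 1111 1111", "ops@processor.example"),
    ("Parcel tracking id 4111 1111 1111 1112 left the depot", "ops@processor.example"),
    ("Internal use only: Q3 roadmap draft", "colleague@corp.example"),
    ("Internal use only: Q3 roadmap draft", "friend@mail.example"),
]

if __name__ == "__main__":
    for body, rcpt in SAMPLES:
        print(outbound_decision(body, rcpt), "->", rcpt)
```

The second sample shows why the checksum matters: a 16-digit tracking ID looks like a card number to the regular expression but fails Luhn, so it is not escalated to the restricted group.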
Go Forth and Protect
Don't know where to start? Discovering and classifying information assets along with encryption of critical data and management of user identity and access will establish a foundation for an ILP system and provide organizations with the content and contextual awareness needed to architect a comprehensive solution. From there, linking to identity and access control systems at a more granular level across systems, devices, applications and information repositories will mitigate information loss to a great extent.
In closing, one of the most important things an organization can do to implement an ILP strategy is make sure they are relating users and their roles to the information they need to access to get their jobs done. Doing so will prevent information overload and lead to the creation of a healthy security system that provides just the right levels of control. Once that is understood, you'll be well on your way to establishing a comprehensive and effective ILP strategy capable of protecting all of your sensitive information.