Information Loss Prevention: The Key to Healthy Information Security

Kristin Lovejoy
Imagine a world where you are standing at a tram stop, wondering if you have enough time to buy a coffee before the next tram arrives. You open your phone and go to the camera function, which you use to scan the bar code on the 'Where's My Tram' sign. Seeing you have 15 minutes, you again use the function to scan the barcode on the coffee shop sign. A Web page opens with walking directions to the cafe around the corner. A pop up asks, 'Would you like to pre-order your favorite?' You click yes, and use your thumbprint to authorize a transaction. You walk to the cafe, pick up your coffee, and head back to the tram stop with plenty of time to spare.

What technology is facilitating this to happen? From the backend, part of your voyage was enabled by a small startup that built an application using tools and technologies offered by a cloud services provider that hosts the service from a data center from essentially anywhere around the world. The coffee purchase was made possible by the coffee shop, your bank and a third party credit card processor.

By now, I believe we are all willing to define the following as truth-information continually and freely circulates across and beyond enterprises, governments and social networks, aided by open, collaborative environments, mash-up technologies and intelligent information streams. Geospecific information is becoming more and more critical to businesses-from pinpointing or tracking cargo in a supply chain to finding the right medical devices in a hospital.

And, with the potential for information breaches and the chance of inappropriate disclosure or use of intellectual capital as a boardroom issue, businesses expect a continued focus on privacy and security. However, from a practical standpoint, businesses will balance this pressure with another truth: Information is a commodity and its use and availability fuels the economy.

Given this reality, most customers have one key question: Recognizing the need to make information both available and useful, how can I prevent sensitive information from accidentally or illicitly being exposed?  It's a big question given the pace of information being exchanged between parties, often residing in non-secured areas and on non-secured devices.

Like it or not, the short answer is that users need to be placed on an information diet with regard to the sharing and accessing of information. Critical data should be made available only to those who should have access to it; for all others, access should be restricted. This is the core tenet of a successful Information Loss Prevention (ILP) system.  Establishing a well-implemented ILP system not only reduces risk but improves the quality of user interaction while decreasing long-term storage and security costs.

Let's take a look at key requirements of a comprehensive ILP system:

Information Discovery and Classification:

Let's face it, not all information needs to be managed and controlled in the same way. It should be classified into groups, with sensitive groups demanding more security control. When classifying and organizing information, the following are key questions to consider:

1. What categories of information assets do we have-(ex. public, sensitive, confidential)
2. How valuable are these categories of information to the business? 
3. If it was lost or leaked, how impactful would it be to the organization?

Classification can be achieved manually or automatically using special purpose tools designed to seek and find information buried within the environment.

Acceptable Use of Information Policy:

Today it seems like almost every user of our IT systems and digitally held information is trusted-suppliers, partners, customers and employees. These users have multiple digital identities that give them the ability to share information across many communication channels, such as e-mail, instant messaging and Internet sessions.  It is critical that they understand their roles and responsibilities vis � vis, information use and disclosure. It is generally recommended that a policy defining acceptable use of information, who can touch what, when and under what circumstances or contexts are they permitted to do so be posted and where appropriate. Users are required to sign digitally or physically that they will comply with the policy.

Identity and Access Management:

Telling people what their responsibilities are is not enough. The truth is digital identity is a focal point in today's global economy; trustworthy credentials are required for any interaction or transaction. Are you going to transfer money or share confidential information with an entity you don't know? Likewise, are you going to allow someone you don't know or trust to have access to your critical information? Unfortunately, many organizations have not yet recognized the link between poor identity and access management practices and information loss or disclosure. It is critical that organizations automate the process of granting and maintaining digital identities, granting access to applications and information assets, and auditing user activities using identity and access management solutions.

Information Protection:

In this category, there are three areas where organizations need to pay close attention. The first is securing structured information (information in databases) to assure that only privileged users can make changes to the database structure. The second is ensuring that critical information is protected via encryption whether at rest or in flight. The final is monitoring information for potential information leaks associated through e-mail, IM and social networking sites.

Go Forth and Protect

Don't know where to start? Discovering and classifying information assets along with encryption of critical data and management of user identity and access will establish a foundation for an ILP system and provide organizations with the content and contextual awareness needed to architect a comprehensive solution. From there, linking to identity and access control systems at a more granular level across systems, devices, applications and information repositories will mitigate information loss to a great extent.

In closing, one of the most important things an organization can do to implement an ILP strategy is make sure they are relating users and their roles to the information they need to access to get their jobs done.  Doing so will prevent information overload and lead to the creation of a healthy security system that provides just the right levels of control. Once that is understood, you'll be well on your way to establishing a comprehensive and effective ILP strategy capable of protecting all of your sensitive information.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.