When someone steals our wallet, we lose some cash and then we call our credit card companies to ensure we get new cards. When an “Edward Snowden” steals our information, we can lose our entire life savings with no way of getting it back.
The simple fact is that we can’t prevent the next Snowden, just as we can’t stop the next terrorist attack. As Tom Fingar wrote in his book Reducing Uncertainty, we can only mitigate the risk or bring into clarity the likelihood of a future event. It is simply impossible to guarantee information security because we are unable to “fix stupid.” This is not to say that the men and women of governments are stupid; in fact, nothing could be further from the truth. “Fixing stupid” means that we have to change the way we all think in an era where trusted insiders can decide to go rogue without the fear of being caught.
Reducing risk starts with smart employees
Employees are the most expensive computer in which a company invests. If you think about it, the purpose of any white-collar employee is to collect, collaborate, create, and sometimes publish new ideas. A graphic artist takes customer requirements and outputs a new design. A stockbroker researches financials, makes assessments, and gives advice; and so on, and so on. This means that any security protection we place around employees must have minimal impact on the business process flow. Failure to find that balance will quietly destroy the productivity of an organization and cause our human assets to spend an excessive amount of time finding ways to work around these protections.
In order to understand what an organization must do to find that balance, we must break down each element of an employee’s “processing power” into smaller chunks and analyze how information is moving through our organization. An easy way to do this is to look at the individual functions of the employees and map technological tools to those functions. We will examine how information flows between these functions later on to ensure we don’t miss a place where hackers can penetrate through the cracks.
1. We have to start with a smart employee
We will begin with the premise that we have a good “human computer.” This means that training is absolutely critical. I will cover this in detail later.
2. Employees collect information
This starts with “discovery,” which for most employees means conducting some sort of search. Searching files requires the documents to be indexed before a search engine can work, and for searches to “discover” files, those indexes often cannot be encrypted. That makes the index itself a second copy of the content that needs protecting: whatever access controls apply to the documents must apply to the index as well.
3. Employees collaborate on information
Employees collaborate through shared documents, email, telephone, video-conferencing, online tools, cloud storage, near-field communication, and other mobile apps. In many cases, the ad-hoc forms of collaboration cannot be encrypted since they’re done on the fly and are not usually tagged.
4. Employees create information
Tagging information must be easy so that employees can do it without cutting corners, “faking the fields,” or under-classifying their tags. Training is a key element here as well.
5. Employees publish information
Data-at-rest encryption, including document-based encryption, must be transparent or easy to use. Every document that is normally distributed (including printed documents) must be treated as a weak link in security.
6. Organizations disseminate information to other organizations, customers, countries, etc.
The moment information is sent outside an organization, the game changes. Separation of roles and access among administrators, database operators, encryption key owners, and content owners is paramount. The review and release process must be standardized around tags and policies, and proper training in those procedures matters just as much.
Security “guards” between domains must preserve the policy integrity of documents passing between environments, and continuous monitoring must be in place to confirm that the policies we have set are actually being followed.
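As an added illustration (not Adobe’s or the author’s code), here is a toy release guard in Python that puts items 4 and 6 together: it rejects a document whose classification tag is missing or faked, refuses a label the destination domain may not receive, flags a body whose markings are stricter than its tag (under-classification), demands an approver independent of both the requester and the content owner, and appends every decision to an audit log that a monitoring job could poll. The domain names, labels, people and documents are all constructed for the example.

```python
"""Toy cross-domain release guard (added illustration, not Adobe's or the
author's tooling). It checks a release request against a tag-based policy,
enforces separation of duties, flags under-classified content, and records
every decision in an audit trail that a monitoring job could consume.
All domains, labels, people and documents below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

# Classification labels, least to most restrictive.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET"]

# Hypothetical destination domains and the most restrictive label each may receive.
DOMAIN_CEILING = {
    "internet": "PUBLIC",
    "partner": "INTERNAL",
    "subsidiary": "CONFIDENTIAL",
}

MARKING_RE = re.compile(r"\b(" + "|".join(LEVELS) + r")\b")


@dataclass
class Document:
    doc_id: str
    classification: str   # the tag the author applied
    owner: str            # content owner (who created and tagged it)
    body: str


@dataclass
class ReleaseRequest:
    doc: Document
    destination: str
    requested_by: str
    approved_by: Optional[str]


AUDIT_LOG: List[dict] = []


def level(label: str) -> int:
    """Rank of a label; -1 for a missing or faked tag."""
    return LEVELS.index(label) if label in LEVELS else -1


def highest_marking_in_body(body: str) -> int:
    """Most restrictive marking that appears inside the content itself."""
    found = [level(m) for m in MARKING_RE.findall(body)]
    return max(found) if found else -1


def check_release(req: ReleaseRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every call is appended to AUDIT_LOG."""
    reasons: List[str] = []
    doc_level = level(req.doc.classification)

    # 1. The tag must exist and be a known value (no blank or "faked" fields).
    if doc_level < 0:
        reasons.append("missing or unknown classification tag")

    # 2. Destination ceiling: the label may not exceed what the domain may hold.
    ceiling = DOMAIN_CEILING.get(req.destination)
    if ceiling is None:
        reasons.append("unknown destination domain")
    elif doc_level > level(ceiling):
        reasons.append("classification exceeds destination ceiling")

    # 3. Content markings stricter than the tag indicate under-classification.
    if highest_marking_in_body(req.doc.body) > doc_level:
        reasons.append("body carries a marking stricter than its tag")

    # 4. Separation of duties: a second person who is neither the requester
    #    nor the content owner must approve the release.
    if req.approved_by is None:
        reasons.append("no second-person approval")
    elif req.approved_by in (req.requested_by, req.doc.owner):
        reasons.append("approver must be independent of requester and owner")

    allowed = not reasons
    AUDIT_LOG.append({
        "doc_id": req.doc.doc_id,
        "destination": req.destination,
        "requested_by": req.requested_by,
        "approved_by": req.approved_by,
        "allowed": allowed,
        "reasons": list(reasons),
    })
    return allowed, reasons


def denial_counts() -> Dict[str, int]:
    """Continuous-monitoring view: how often each policy rule has fired."""
    counts: Dict[str, int] = {}
    for entry in AUDIT_LOG:
        for r in entry["reasons"]:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    report = Document("Q3-forecast", "CONFIDENTIAL", "alice", "Q3 forecast. CONFIDENTIAL")
    print(check_release(ReleaseRequest(report, "partner", "bob", "carol")))
    print(check_release(ReleaseRequest(report, "subsidiary", "bob", "carol")))
    print(denial_counts())
```

The guard deliberately reports every failed rule rather than stopping at the first one, so the audit log shows which policies employees are tripping most often; a spike in "approver must be independent" or "marking stricter than its tag" is exactly the signal the training programme needs.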
If you look at this list, it may seem daunting, especially when you take into account that we haven’t even discussed network security, Wi-Fi security, or mobile security. This is only a list of the business processes that need protecting.
Craig Bowman is the director of defence and national security solutions for Adobe.