Childhood physics lessons always taught me that objects moving through a system followed the path of least resistance. Whether it is water running downhill, electricity running through a circuit or even weather systems travelling across a continent, this rule always rings true. As security professionals, it should not then, come as a surprise, that our users will often do the same.
I am always amazed when I read about data breaches. Inevitably there is always the admission that there were controls put in place and that users had stepped outside of these business processes which had led to the inevitable loss of valuable assets or data.
Perhaps the area we see this most is where users are exchanging information with third parties and there are numerous public sector breaches over recent years that perfectly illustrate this point. Whether it is a misplaced laptop, stolen USB stick or an unencrypted disk that doesn’t get to its final destination when sent through the post, the sharing of information, an essential part of any business’s every day existence is fraught with potential pitfalls.
The answer for most businesses is to restrict this exchange of information. We attempt to stem the tide by insisting that users cannot exchange any sensitive data without some kind of permission. We implement hard line controls and provide few options for users that genuinely need to interact with their customers, partners and suppliers except to use antiquated systems inevitably provided by over-worked IT staff.
These systems sometimes take days to use, so it’s no surprise when users attempt to circumnavigate them by sending the information through non-authorised channels, after all they are merely reacting to the rules of the universe, the path of least resistance.
I believe the answer to this issue is to put in place controls that not only provide us with the highest level of security, but also empower users to get on with their everyday jobs. This balancing act, security versus productivity, is the cornerstone of any security process and the Holy Grail. The security control that makes a user’s life easier is something to which we all strive.
However, is this possible when we look at something as fraught with potential issues as third party data exchange? I believe that if the solution meets some clear and defined criteria then it is more than possible.
Provide the highest levels of security for data?whether at rest or in motion
Maintaining the security of data at all times is essential for any solution designed for the exchange of data between third parties or employees. Far too many of today’s off-the-shelf systems provide security for the data in transit, but lack any kind of controls for when the data is at rest.
Any solution should provide a secure, auditable repository for data as well as providing a totally secure and auditable method of file transfer. This allows IT to be confident that the infrastructure will meet their needs, allowing them to relinquish control of user creation and control to the business owners, which brings us to the next important step.
Allow business owners to decide which users can exchange data and who they can exchange it with
In today’s IT environment, it is often the role of security and IT to say what data should and shouldn’t be exchanged and who should and shouldn’t exchange it. This places a huge amount of responsibility on staff that are already overworked and leads, inevitably, to delays in authorisation and access whilst IT check with managers and senior policy makers before setting up access rights.
A simple solution to this is to provide staff with a system that meets the IT requirements of file exchange (security, ease of use, ease of management) and allow the owners of the information being exchanged to authorise who can and cannot exchange their data.
They will know whether a certain document should be accessed or exchanged by certain members of staff and via regular reporting, they can easily spot infringements. By letting business owners set these access rights themselves, while being confident that the infrastructure is ‘rubberstamped’ by the IT department, we provide a solution that goes a long way to that ‘holy grail’ described earlier in the article.
Of course, any solution that provides an answer to the issue around data exchange should also recognise that the lifecycle of information is far longer than just the point of exchange. A document is created, stored and added to throughout its lifetime and as such any third-party exchange tool should provide a way to continuously assess the suitability of the user and the document itself for any type of exchange. With this in mind, we come to the last, essential step.
Integrate with existing and planned technologies to provide a holistic solution for secure data exchange
Any modern security solution, whatever it is, should be able to integrate with existing and planned technologies. In the case of a third-party file exchange infrastructure, it is essential that any product works with a company’s existing systems such as its directory infrastructure, authentication processes and monitoring tools.
It should be able to integrate with other security products such as DLP solutions and malware and virus checking software and should provide an open architecture that allows future technology advancements to be easily integrated as the company and its requirements grow.
Providing this level of integration not only provides the user with a sense of familiarity when working with the system, but saves huge amounts of development and evaluation time as the systems used do not need to be scoped and acquired, but already exist within the company infrastructure.
Sourcing a solution that meets these three criteria, will provide any company with a ‘path of least resistance’ system for third-party file exchange, or Governed File Exchange as my company refers to it. A solution that not only solves a huge security and business issue but also obeys the laws of physics at the same time!
By Mark Fullbrook, UK & Ireland Director, Cyber-Ark