Paradigm Shift Needed in Data Protection
In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.
Ensuring confidentiality and control over business-sensitive data is a challenging task in many organizations given the rise of Web-enabled applications, the need for round-the-clock online availability, and the global nature of today's business landscape. To help organizations improve their data security practices, software solutions provider Brainloop recently published Protecting Confidential Documents in the Extended Enterprise: Common Misconceptions and Best-practice Strategies (PDF, 496 KB). The white paper looks at common security misconceptions and discusses a paradigm shift in how companies view data security to enhance their information security (IS) measures.
According to the white paper, "the imperative of 'getting the job done' compels individuals to forward business-sensitive information, whether or not airtight security measures are in place." As a result, many organizations face a huge IS dilemma as the costs associated with data security breaches escalate. A 2007 Forrester Research report states that a security breach costs between US $90 and US $305 per record, not including other costs associated with the breach, such as potential customer losses, negative impacts to stock prices, shareholder lawsuits, unfavorable press, and noncompliance costs.
Part of the problem is the prevalence of commonly held ideas about data security that are not true, states the report. The paper then describes three of the most common misconceptions that keep organizations from enhancing their security efforts: the beliefs that data security is IS's problem, that information behind the firewall is secure, and that traditional security measures are strong enough to protect the integrity of sensitive data.
As the report states, these misconceptions illustrate the need for a major paradigm shift in the way companies view data security. "Traditional approaches to data security like firewalls (perimeter security), encrypting data-at-rest (on the server), or in-transit (encrypted e-mail) are insufficient," the white paper explains. "They [organizations] assume that highly confidential business information remains in a tightly controlled, definable environment ... The reality is this: Data must move ... Therefore, data protection has to be attached to the document itself and it has to follow the document wherever it goes. This is known as persistent document security."
This new paradigm sees important documents as safer when placed in a repository outside of the firewall, a place that is highly secure and allows users to control exactly which documents are viewed, accessed, and updated. In addition, document workflows should be managed by users so sensitive data is shielded from internal or external IS personnel, and documents should be accessed via strong authentication methods that ensure authorized access. Furthermore, access rights need to be managed at the group or individual level, depending on the situation.
"With these measures in place, documents outside of the firewall become in fact more secure," the report states. "Although they are accessed anywhere, anytime, a complete audit trail captures all activity and documents remain secure in the repository."
Finally, to move toward this new paradigm, the paper describes two strategies currently in use to help organizations provide end-to-end data security as documents travel in and out of the organization. These strategies involve the use of enterprise rights management (ERM) software and secure virtual data rooms (VDRs).
ERM software enables companies to implement controls at the data level so recipients can only view or modify documents as allowed, explains the report. The drawback is that ERM software requires the use of proprietary software on the server and desktop, as well as significant management overhead as access privileges need to be assigned for each document.
On the other hand, VDRs are Web-enabled applications that operate outside of the corporate firewall by providing highly secure access and viewing controls at the data level. Unlike ERM software, VDRs do not require proprietary server and client-side software and are offered as a Web service. However, because VDRs are offered as Web services, they operate by exposing application functionality over the Internet. Therefore, what was a highly defended system is now open to universal access through port 80, the port that is designated for Web traffic and is usually left open so companies can communicate to the world via the Internet.
To read Protecting Confidential Documents in the Extended Enterprise, visit the CSO Web site.


