You need to know where your data are


Automatiseringsgids
Author: Frank Bertram, Director, MDES

 


In the Automatisering Gids of 2 November, Rolf Zaal describes the innovative Jericho security concept from Capgemini. The 11 Jericho principles are based on the concept that it makes no sense to secure an organization like a fortress; this is outdated. It is an illusion to think that you can board up your company with a 100 percent security guarantee. Even with the most advanced endpoint security solution, this is utopia.

Companies have spent lots of money on security, even on endpoint security, for example on Identity and Security Management, and still there are information leaks. The enormous investment is still not sufficient. This is because users can get around security mechanisms with a USB flash drive and in other ways, and extract data from systems.

In the end, it’s people who work with systems. And people make mistakes, they sometimes break the rules, they perhaps forget about the rules, or they can’t be bothered to read the thick manual of Sarbanes-Oxley security regulations. People are a crucial factor in the effective security of an organization.

Within an organization, you have to focus security on the endpoints, where information can be extracted from an organization. By doing so, you create an open and workable organization which is also secure, provided a twelfth principle is added to Capgemini's principles: You shall know where your information can be found.

An overview of your information is a determining factor in the security of an endpoint solution. Companies, however, often don’t know where information is to be found, let alone where the most important information is located. That was the past, and you can even question whether this information belongs to the organization. If you don’t know what information you have, how can you prove that you own the information?

Apart from the fact that this twelfth principle is missing from the Jericho principles of Capgemini, there’s something tangible missing in the plans. There are good practical endpoint security solutions on the market. Not only expensive IDM solutions from Novell, Oracle and Microsoft, but also endpoint solutions in encryption, such as SafeBoot, or solutions in Digital Rights Management, such as from Liquid Machines.

It is not sufficient to know where your information is; you also need to know what has been done with the information. For example, a solution on the market from Verdasys logs what users do with specific information. Other solutions in Data Leakage Prevention (DLP) are Vontu (Symantec), Proofpoint and Tablus (RSA). As soon as deviating patterns of information use become apparent, action needs to be taken.

In addition, it is also important to educate users to handle information in a safe and secure way and also in a subtle way. It would not be so smart to incorporate the 12 Jericho principles into a list for users. But with a software solution, you can subtly address undesirable behaviour. That generally works better than a tap on the hand.

Author: Frank Bertram, CEO research and consultancy MDES HotColdFrozenData
