When I talk to clients, I always start by saying that I know there is a high probability that they have a corporate policy about data protection. I then ask how sure they are that employees stick to it. Have they themselves, in fact, ever been so cavalier as to email critical content, burn it to a CD, put it on a USB memory device or a PDA, or carry it home on a laptop?
Of course, with the possible exception of those hard-core security types who probably encrypt everything, most folk have to move data around to be productive.
But in business, information privacy can be critical. Whether it's a legal document, a design for a new prototype or a bid for a contract, revealing it to the wrong person can cause the company irrevocable harm. Yet, with the proliferation of mobile devices and the likelihood of critical data travelling from place to place, with users having remote access via broadband and wireless, and with systems routinely shared by contractors, vendors and customers, data is more exposed than ever. As we all hear at so many conferences, there is no longer any such thing as a real perimeter.
So it is critical that we install proper access protocols and find ways to protect the rights of the data itself.
Within Accenture, we see high-performance companies establishing identity infrastructures that are automated, interoperable and online – the sort of infrastructure that is the key foundation to providing this enhanced security.
A decade ago, you could walk out of your employer's place of business with a hard drive containing a career's worth of data. But while there was no way to monitor or control what you did, you needed expensive tape drives and proprietary systems to read the tape. So, de facto, the information was protected.
Today, firms have started to put in place identity and access management solutions that allow the enterprise to get a more detailed look at the identity of the user before giving access.
This means the enterprise knows when you have logged in, but nothing has really changed as far as employees taking data home, making a copy of it, or even moving it onto mobile devices – and then losing it in a taxi. According to some estimates, as many as 60,000 portable storage devices were lost globally in the last six months of 2004. I suspect this is a very conservative number.
The point of all this is that you need to protect the data no matter where it resides.
For example, suppose you are working on a document at home (and are allowed to do so because your identity has been verified across the network). The document opens for you because you are you and, when you are done with it, the new version is saved. But what about three months later, once you have left the company? You should no longer be able to open that document.
Technologies now allow firms to do this: the document will not open unless you have an agent on your system that automatically downloads for you, prompts you and ubiquitously gives you access.
Enterprises today must create sets of rules about content, actions allowed and disallowed, and consequences for executing them. They need to be able to monitor the workflow and know what is going on. Furthermore, by using analytics, by monitoring the population of employees, companies should be able to predict who is going to quit, so they can make provisions ahead of time. Ultimately, once you have implemented a system like this, a departed employee will be unable to take anything with him.
But you can't stop there. Policies must be established and converted into actions that will prevent critical information from passing between departments, saving companies from embarrassment – or worse.
Welcome to the world of enterprise content security and rights management – combining access rights and use of data, and making sure that information stays with that data wherever it travels. If companies are not looking at this today, and running prototypes, then tomorrow they will be the ones with the higher risk of loss.
Stuart Okin is a consultant within Accenture's security practice