It seems that, while there are many technologies and solutions to prevent unauthorized information access, there will always be security holes due to inherent product defects, to solutions that were not implemented, or to patches not installed. However, there is much that can be done to secure content, even if an intruder manages to breach network security. File encryption is one solution. Stolen content is useless to a thief if he or she cannot open it.
Content is among the most valuable assets of any organization, yet it is also among the least protected. Unless it is protected or its use is governed by law, each organization is free to develop its own policies for content access and use. Furthermore, in order for organizations to succeed, they must make content available internally and externally to enable collaboration.
In the case of the defense contractors, one company could do little to prevent confidential documents from leaving its premises along with an employee, who joined a company that was later acquired by a rival in the satellite bid. The documents were used to provide intelligence on the company’s likely strategy and pricing for the lucrative contract.
Although the employee who took the documents and two other employees of the rival company were charged with stealing trade secrets from the company, the damage had already been done.
Information theft and the resulting competitive, legal and public relations exposure are not the only drivers for organizations to improve content security and their means of collaboration. The government recently enacted laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act that include mandates for information privacy and penalties for improper storage, access, or use of confidential information.
Until now, there was little that organizations could do to prevent those with authorized or unauthorized access to content from viewing it, saving it to disk, e-mailing it, printing and faxing it, or copying it for use in other content. Now, there are technologies available that go beyond access control to include content encryption and post-access control of end-user actions.
To combat the various means of information theft, an organization should consider implementing the following security measures to protect their sensitive information:
1. Access control: Only making information accessible via an authentication method such as user name and password
2. Encrypted storage: Preventing internal or external thieves from viewing information they obtained without authorization
3. Post-access control: Controlling the actions end users can perform with information they are authorized to view
4. Role-based administration: Uniformly assigning permissions to groups of users based on their role in an organization
5. Auditing: Knowing who accessed the content, what actions were performed, and when
6. Immediate access revocation: Immediately denying access to information when it is no longer needed
The challenge that organizations face today is to enable these security measures while maintaining the ability to collaborate internally and externally on sensitive information. While increased security is a requirement, it should not undermine collaboration, one of the essential elements for achieving business objectives.
Until now, there was a gap between the need for collaboration and the need to protect and manage sensitive information. That gap has been filled with the introduction of a new category of enterprise software: secure collaboration. Secure collaboration systems enable organizations to collaborate internally and externally, while controlling the flow and use of sensitive information, and providing a clear audit trail indicating how, when and where information is shared.
Before the introduction of secure collaboration, the security and collaboration landscape was a patchwork of partial solutions that could not be combined to secure content while enabling collaboration. Access controls, encryption, firewalls, virtual private networks (VPNs), public-key infrastructure (PKI) and secure socket layer (SSL) provide authentication and secure transmission, but they do not control information use.
Collaboration software and Web-based collaboration environments enable collaboration, but also do not control information use. While these technologies are all important components of a security solution, none of them could have prevented the employee of the defense contractor from e-mailing, saving, or printing sensitive documents and taking them off-site.
Secure collaboration provides the right mix of capabilities to enable organizations to protect, manage, and share sensitive and valuable information with confidence. It combines authentication, access control, information-use control, and the ability to collaborate while auditing all end-user activities. It allows an enterprise to access, secure, and collaborate on sensitive and valuable information. The following paragraphs provide an overview of secure-collaboration systems today, and some insight on what lies ahead.
To ensure that no one has the rights to audit and administer the entire system and access all of its secure content (administrators with such rights are also a security threat), a secure-collaboration system should include a framework that distributes administration among several roles, such as security officer, administrator, and auditor. This framework enables a secure-collaboration policy that includes checks and balances while allowing you to address the needs of your organization.
Content Access and Supported Formats
Currently, the content that secure-collaboration systems support ranges from Adobe .pdf only to a combination of text, Microsoft Office applications, and Adobe .pdf. In the future, vendors will expand support for other file formats, such as databases, computer-aided design (CAD), and other graphic files, and will provide interfaces to the enterprise repositories in which the content resides, such as enterprise content management (ECM), product lifecycle management (PLM), enterprise requirements planning (ERP), supply chain management (SCM), and customer relationship management (CRM).
Security is the foundation of secure collaboration, and the main reason organizations consider its implementation. There are four main topics that pertain to security within secure collaboration:
1. Authentication: In order to ease implementation, a secure-collaboration system should be able to use an authentication system already in place at your organization, such as LDAP or Active Directory.
2. Information access: There are currently two approaches: keeping the encrypted content on a secure server inside the firewall, while still making it available via the Web, or delivering encrypted files directly to end-user desktops.
For maximum security, content should remain stored and encrypted on a secure server and should not be delivered to users’ desktops, where it could be more easily decrypted and where it remains indefinitely. We’ve all heard stories about people buying used computers that still contain sensitive information. However, delivering encrypted files allows users who have laptops to work offline.
3. Administration: Secure collaboration should accommodate various types of end users who should be organized into groups so that the end users have the same content-use permissions applied to their group. For example, a group of investors may only be authorized to view information, while attorneys at your law firm may be authorized to annotate content that you provide for review.
4. Post-access control: A secure-collaboration system should provide granular control of all end-user interaction with content. Actions such as viewing content, copying to clipboard, saving to disk, printing, print screen, number of access sessions, and access dates should all be controlled.
Without collaboration, business cannot exist. Another key feature of secure collaboration is the end user’s ability to collaborate on content and share ideas. End users should be able to annotate content, and it should also be possible to make their annotations public, so that others can view them, or private.
In order for an organization to rest assured and be able to prove to auditors and regulators that its secure-collaboration policy is working, a secure-collaboration system should:
1. Actively and frequently enforce end-user permissions by checking on their status at intervals under one minute, enabling administrators to quickly modify or revoke end-user access rights.
2. Maintain a complete history of the activities performed by each end user and administrator in the system.
Our increasing ability to share information is offset by the staggering increase in information theft and its accompanying legal, financial, competitive, and public-relations exposure. Until now, there was no comprehensive means to secure sensitive information while maintaining the ability to collaborate. Secure collaboration is an emerging technology that helps protect information against theft and misuse, while enabling compliance with internal and external mandates for information storage, access, and security.
Elaine S. Price is co-founder, president, and CEO of CYA Technologies, a leading provider of business continuity and secure collaboration solutions. She has been an entrepreneur throughout her 20-year career in enterprise computing, by serving as CEO of three successful companies. Price’s career in the enterprise computing industry includes roles in programming, sales, and management. She is a frequent speaker at industry trade shows and is regularly quoted in articles on business continuity, secure collaboration, and success in business.