Go with the flow – The case for information policy compliance monitoring

October 20th, 2004 | by ian |

How do you control the flow of information in your organization? More importantly, how do you secure these flows of information?

It is impractical to physically protect all of an organization’s sensitive information from being copied and stolen, because it is so easy to move information. Lower bandwidth costs, removable storage media, and higher-speed transfer mechanisms such as USB 2.0 ensure that it isn’t getting any harder. In most circumstances, protection schemes at the physical, technological or social level are easy to circumvent, because securing the information completely is too expensive or impractical.

Despite advice to the contrary from Cory Doctorow (read his famous talk given to Microsoft Research), Microsoft continues to pursue the aptly named project Janus, named after the Roman god with two faces. For details on why the name is apt, and to understand how misguided this project is, see The Register’s excellent article: “Here’s locking down you, kid – MS hawks vision of DRM future”.

Some believe that the only way to improve data security is to supplement formal access control with intelligent monitoring. Permission-based security can, in most real-world situations, be manipulated and circumvented, so an organization should log activities to understand what data is leaking and thus better manage its risk.

Jon Udell quotes the former CTO of @stake and founder of Verdasys: “The way forward, Geer suggests, is not to abandon ACLs but rather to augment them with aggressive monitoring that holds people accountable for behaviors that can’t economically be permitted or denied.” For the rest of this compelling argument, see the full article.

I would like to add something to this argument. This form of monitoring, rather than being used solely in its inevitable capacity as a “big brother is watching you” technology, SHOULD BE used as a more benevolent “big brother who guides you”. Intelligent monitoring can help you better understand the flow of information in your organization, and hence identify the BOTTLENECKS and PATHS OF LEAST RESISTANCE. I would argue that monitoring unstructured data exchange in the organization should be a key facet of any comprehensive knowledge management strategy. Expecting all your employees to structure all valuable corporate data into document management, CRM and Intranet systems is absurd and ignores some fundamentals of human nature.

Information wants to be free and, like water flowing downhill, will eventually find an often surprising path through your organization and finally outside of it. We might as well understand how and why this happens, follow its progress, and be ready for damage control in the event of a serious breach. Blind faith in the technological controls surrounding your information is a disaster waiting to happen.
