

Security controls move to information assets

Repository-level security is too imprecise to protect sensitive information from accidental leaks and intentional breaches. A composite of controls starting at the content level may be the answer.

Today, data security breaches are becoming more frequent, with both external and internal parties posing potential threats. For organizations, the challenge is to reduce the likelihood that sensitive content will make its way into the public domain.

Most organizations rely on a combination of content management technologies that use security controls only at the container level. This means that as long as content remains in a repository, only authorized parties should have access. However, the Associated Press recently cited employees as the primary cause of data breaches. Individuals who intentionally leak documents (like Edward Snowden) obviously pose a risk, but so do employees who simply lose laptops or mobile devices. These situations suggest that simple repository-level security is insufficient. As such, firms need to think differently about how to protect information assets.

Data classification is the first step

One of the most important first steps to properly securing content is to classify it. Data classification is a process by which you clearly identify the level of protection and security that is required for any given information within your organization. Within governments and high-tech agencies, classifications like "privileged and confidential" or "top secret" are common examples of a basic classification scheme. While your organization may not need a "top secret" classification, it's important to set up categories to define which security controls will be applied.

Once you've established your data classifications, define specific security controls. The "privileged and confidential" classification, for example, may mean that content with this classification can only be stored in one physical location. It may also mean that only a subset of your employees has access to it. Those employees may be required to attend specific training on the use, distribution and handling of the information assets. In the U.S., ITAR represents a very specific content classification that requires explicit and rigid controls, often leading ITAR-covered organizations to structure their IT assets to physically delineate between content that is ITAR-restricted and content that does not need those controls.

Data-at-rest security

If you've ever lost your laptop or even had a third party access your computer hardware for repairs, you were at risk for a data breach. In the case of a lost or stolen laptop, perpetrators are now in possession of potentially sensitive information. In the case of a network perimeter breach, a compromised server or even a basic repair situation, unauthorized third parties can leak confidential, sensitive or otherwise proprietary content. To protect information assets in these situations, data should be secured at rest.

Data-at-rest security involves rendering content inaccessible unless users pass certain security gates. The simplest security gate allows users to authenticate themselves on a laptop. This authentication process decrypts files that would normally be encrypted at rest. Encryption is a primary technique to ensure content stored on laptop hard drives cannot be accessed by unauthorized third parties. In the event of a lost or stolen laptop, the contents of the hard drive would be unavailable even if the drive were removed and connected to other hardware. In this way, we're not simply creating a perimeter barrier to the content, like a simple log-on prompt; we're making the content itself unusable without proper authorization.

Information lifecycle management

Information lifecycle management (ILM) is an important dimension of content security, but it's often overlooked. ILM defines both the stages and corresponding management actions for each time- and action-based segment of your content's life. In part, ILM can manifest as a records management policy: how long a document can exist or what actions need to be taken when a specific time period is reached. ILM, however, extends beyond most traditional records management policies and often involves automating specific parts of the information lifecycle.

ILM encompasses information creation, retention and destruction, as well as specific actions that may need to be taken at all points in the content's lifecycle. Many ECM solutions include some aspect of ILM. Many also allow you to automate some facets, like periodic reviews, automated destruction or storage movement. In the context of security, ILM includes who can access content and how, often at the document level, but absolutely at the category or classification level. In this way, security measures are applied throughout the content's existence and not statically applied at one stage or another.

Operational or rights-based security

In many cases, an authorized individual may compromise content security with inappropriate actions. The most common example is an authorized employee emailing a sensitive document to an authorized third party -- accidentally or intentionally. Once the document has left the repository or storage device, none of the previously mentioned controls can limit that content's exposure to further distribution. As such, operational or rights-based security is the final necessary control.

Operational or rights-based security is applied to the content itself. The control defines specific actions that can be taken by an individual. For example, rights-based security can limit whether individuals can email, print or edit a file, and it can even limit the duration the content can stay in their possession. Obvious examples in the media industry include the digital rights management technology applied to music and movies. For content-based technologies, companies like Microsoft, IBM, Oracle, EMC Documentum and SAP have created similar techniques to ensure users can exercise only an appropriately narrow set of functions.
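The classification and rights-based controls described above can be evaluated per document and per action rather than per repository, as this sketch shows. It is an added example, not code from the article or from any vendor's product; the policy table, field names, storage locations and training course name are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy table: classification -> controls. The label "privileged and
# confidential" comes from the article; every control value below is assumed.
POLICY = {
    "privileged and confidential": {
        "locations": {"hq-vault"},            # stored in one physical location only
        "training": "pc-handling",            # required handling course (hypothetical)
        "actions": {"view", "edit"},          # email and print are not granted
        "max_possession": timedelta(days=7),  # how long a copy may be held
    },
    "internal": {
        "locations": {"hq-vault", "branch-share"},
        "training": None,
        "actions": {"view", "edit", "print", "email"},
        "max_possession": timedelta(days=90),
    },
}

@dataclass
class User:
    name: str
    clearances: frozenset   # classifications this employee may access
    training: frozenset     # completed training courses

@dataclass
class Document:
    title: str
    classification: str
    issued_at: datetime     # when this copy was released to the user

def evaluate(user, doc, action, location, now):
    """Return (allowed, reasons). Content without a known classification fails closed."""
    rules = POLICY.get(doc.classification)
    if rules is None:
        return False, ["no controls defined for this classification"]
    reasons = []
    if doc.classification not in user.clearances:
        reasons.append("user not in the authorized subset")
    if rules["training"] and rules["training"] not in user.training:
        reasons.append("required training missing")
    if location not in rules["locations"]:
        reasons.append("location not permitted")
    if action not in rules["actions"]:
        reasons.append(f"action '{action}' not granted")
    if now - doc.issued_at > rules["max_possession"]:
        reasons.append("possession period expired")
    return (not reasons), reasons
```

Returning every failed control, not just the first, gives an audit log enough detail to show which layer of the composite blocked a request.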

Composite security is necessary

Ultimately, the traditional methods for securing content are insufficient. To protect information assets, organizations must adopt a security program that combines modern techniques. Further, it's critically important that content security moves beyond simple repository or access control list approaches. Organizations must create a classification discipline, institute appropriate data-at-rest policies, define lifecycle events and apply rights-based security.

Will these techniques completely eliminate all risks? No. But firms can dramatically reduce the opportunities for either accidental content leakage or deliberate third-party breaches by developing a prescriptive approach to content security that starts at the content level.
