IT Security Strategy: Removing the Lid
By Scott E. Christiansen | Posted 2008-09-02
Today’s IT security strategies should be as flexible as the business needs, while still maintaining the proper measure of security protection and control. Security policy needs to reflect who will see and use the data. Filters can enforce your data taxonomy, and access control lets new collaboration technologies be added to your environment while it remains secure. Change control and configuration management can also help.
Removing the Lid
“Opening” your glass box is the first step toward alleviating the problem of increasing the size of your sealed glass box without spilling your green liquid. If you remove the top of the box, you still have the same transparency as before, but now you also have the flexibility to easily expand your box as your employees, customers and business groups demand. You will need corporate buy-in for this, but most businesspeople will find this flexible IT security strategy attractive, once they learn how it can help them.
The second step involves separating your green liquid (all the different types of data) into different components (a variety of different colored liquids) through data governance. This process involves understanding what you are storing and categorizing your information: AutoCAD drawings, building information modeling, images, proposals, requests for proposals, contracts, price quotes, etc. This enables you to group your data and easily build a taxonomy. (See “Grouping Your Data” at end of article.)
Once you understand what the data is, it’s easy to develop pathways that match the data’s taxonomy. For example, if you have a price quote that should be seen only by your sales team, upper management and a client, you can design an information store for that data, back it up as necessary, and place filters on storage resources or endpoints that scan for keywords or metadata identifying what type of document it is. Explicit metadata tags are more reliable than keyword matching alone, which produces both false positives and misses (a quote inside an encrypted archive, for instance, has no keywords to scan).
This makes it much harder for users to circumvent your approved channels, although no content filter is airtight. Subsequently, you can also deploy a system that allows the client to securely log in and obtain that information.
These processes are dependent on a document’s sensitivity. Sending an e-mail message with an attached PDF price quote containing a nondisclosure statement may be all that’s necessary for that document type. But you would undoubtedly have more stringent requirements for documentation on a product you’re delivering to a government agency.
Now that you can easily expand your glass box and are intimately aware of the various colored liquids (data types) inside, it’s time to understand how to get those different liquids in and out of your box. I recommend giving your employees, customers and business groups the tools to pour in their own liquids.
For example, by providing employees, customers and business groups with a blue pitcher to pour in a blue liquid (which could represent contract documents), you are implementing a control for that type of data. However, you are also providing the users of that pitcher with the flexibility to pour in as much or as little as desired. When the blue liquid enters your glass box, you know where it will rest inside the box (the location in a specific server where the data is stored). This process is essentially your access control. (See illustration.)
There is a similar process when extracting your blue liquid (in this case, contract documents) from the glass box. By providing employees, customers and your business groups with a blue spigot that rests at the same layer as your blue liquid, you are allowing them to extract as much or as little data as they require, while understanding that it is only the blue liquid that is pouring from that spigot. No other types of data can be accessed from that spigot. (See illustration.)
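The filters on storage and endpoints described earlier, and the pitcher-and-spigot access control described here, fit together into one small model. The following is an added example written for this page, not code from the article or its author: the taxonomy classes, keyword patterns, group names and sample documents are all assumptions constructed for illustration. A document is classified from an explicit metadata tag or, failing that, from keyword hits; a "pitcher" accepts a document only if it is the class that pitcher is for; and a "spigot" releases documents of exactly one class, and only to groups the policy names for that class.

```python
"""
Taxonomy-driven filter and access control (added example; all names,
classes, policy entries and sample documents are constructed assumptions).
"""
import re
from dataclasses import dataclass, field

# Data taxonomy: class -> keyword patterns that identify it (assumed).
TAXONOMY = {
    "price_quote": [r"\bprice quote\b", r"\bquotation\b", r"\bunit price\b"],
    "contract":    [r"\bagreement\b", r"\bthis contract\b", r"\bterms and conditions\b"],
    "rfp":         [r"\brequest for proposal\b", r"\brfp\b"],
}

# Who may draw from each spigot (assumed groups; the article names sales,
# upper management and the client for price quotes).
ACCESS_POLICY = {
    "price_quote": {"sales", "management", "client"},
    "contract":    {"legal", "management"},
    "rfp":         {"sales", "procurement"},
}


@dataclass
class Document:
    name: str
    body: str
    metadata: dict = field(default_factory=dict)


def classify(doc):
    """Return the data class for a document. An explicit metadata tag wins;
    otherwise the body is scanned for taxonomy keywords. No hits -> 'unclassified'."""
    tagged = doc.metadata.get("doc-type")
    if tagged in TAXONOMY:
        return tagged
    scores = {}
    for cls, patterns in TAXONOMY.items():
        hits = sum(len(re.findall(p, doc.body, re.IGNORECASE)) for p in patterns)
        if hits:
            scores[cls] = hits
    if not scores:
        return "unclassified"
    return max(scores, key=scores.get)


def filter_channel(doc, channel):
    """Storage/endpoint filter: a document may enter a channel only if its
    class matches the channel's class. Returns (allowed, reason)."""
    cls = classify(doc)
    if cls != channel:
        return False, f"{doc.name}: class '{cls}' not permitted on channel '{channel}'"
    return True, f"{doc.name}: accepted as '{cls}'"


class GlassBox:
    """Documents rest in one layer per data class; each spigot serves one layer."""

    def __init__(self):
        self.layers = {cls: [] for cls in TAXONOMY}
        self.layers["unclassified"] = []

    def pour(self, doc, pitcher):
        """Write channel for one class; misfiled documents are rejected."""
        allowed, reason = filter_channel(doc, pitcher)
        if not allowed:
            raise PermissionError(reason)
        self.layers[pitcher].append(doc)
        return reason

    def spigot(self, group, data_class):
        """Read channel: returns names of documents of exactly one class, and
        only to groups the policy permits; other layers are never reachable."""
        if group not in ACCESS_POLICY.get(data_class, set()):
            raise PermissionError(f"{group} may not draw '{data_class}'")
        return [d.name for d in self.layers[data_class]]


# Constructed sample documents (not from the article).
SAMPLES = [
    Document("q-1042.pdf", "Price quote for 200 seats, unit price $45.",
             {"doc-type": "price_quote"}),
    Document("msa.docx", "This Agreement is entered into... terms and conditions apply."),
    Document("bid.txt", "Response to Request for Proposal RFP-7."),
    Document("notes.txt", "Lunch order for Friday."),
]


def demo():
    """Classify the samples, pour each classified one into its pitcher,
    and return the box plus the name -> class mapping."""
    box = GlassBox()
    results = {}
    for doc in SAMPLES:
        cls = classify(doc)
        results[doc.name] = cls
        if cls in TAXONOMY:
            box.pour(doc, cls)
    return box, results


if __name__ == "__main__":
    box, results = demo()
    print(results)
    print("sales/price_quote:", box.spigot("sales", "price_quote"))
```

In this model the keyword scan is only the fallback: a document carrying a correct doc-type tag is routed by the tag, which is the reliable path. The spigot check also shows why the taxonomy matters for access control: the policy is keyed by data class, not by file name or location, so a group granted price quotes gets nothing else.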