Does Your Company Leak?

Probably it does.   The most recent issue of The Economist has a briefing article on the new challenges involved in keeping corporate information secure.  As we saw in the WikiLeaks affair, the economics of leaking data have shifted a great deal in favor of the leaker.  Information that, in an age of paper records, would have taken days or hours to photocopy, and a truck to move around, now can leave the building on a USB drive the size of a pack of chewing gum.

Companies these days are also generating a lot more data, much of it in a form that is difficult to track.  (The research firm IDC estimates that, by 2020, the amount of data created each year by companies will increase to ~35 zettabytes.   One zettabyte is 10^21 bytes.)  When computers were first used in business, they typically dealt with structured data in databases.  In addition to whatever physical security the system might have had, the average worker probably had no idea how to access the data on an ad hoc basis.  Today, sensitive information is in E-mails, spreadsheets, word processing documents, and even calendar entries.   Even some very sensitive data gets there, not necessarily due to malice or even carelessness, but because people want to work with the data, and naturally prefer the tools that are familiar.  In addition, many employees, particularly the younger ones, are very familiar with consumer digital gadgets, like the iPhone, and want to use them for work.

As I’ve noted before,  the traditional security model of a defensive perimeter separating the “inside” network from the outside world is getting badly frayed.  Security vendors are offering several types of new tools to help firms manage their confidential data.

One is the content management system.  This works something like the layered classification used by the military, assigning levels of confidentiality to different bits of data, and specifying who can access them.   This approach has two significant drawbacks.  First, it is difficult even to identify, much less classify, all the potentially sensitive unstructured data in the firm.  Second, it is a major challenge to define access levels so that employees have all they need to do their jobs, but not more.

Another type of system is called data loss prevention.  This attempts to look at all data that is (potentially) leaving the firm, and block sensitive material.  Such a system might, for example, block Social Security numbers or credit card details.  It may be of some value in preventing employees from doing thoughtlessly stupid things, but it is a very weak reed against a malicious attempt.  Suppose the Social Security number is expressed in words?  Or in Russian words?  The fundamental problem here is very similar to that encountered in some early attempts, a couple of decades back, to detect and block computer viruses.  Some techniques attempted to establish a class of “safe” material (for example, plain ASCII text).  The developers quickly discovered that there was really no good way to define what was safe, if the player on the other side was sufficiently malicious and clever.  More recently, we have seen work that shows how malware can be coded to resemble ordinary language.

A third type of system is based on network forensics, although a better term might be anomaly detection.  This attempts to take note of unusual behavior by applications or users (for example, someone downloading 250,000 diplomatic cables from SIPRNet).  When used by network administrators who know what they’re doing and are paying attention, this type of tool probably has the best potential.
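
To make the anomaly-detection idea concrete, here is a small sketch I have added for illustration (it is not taken from The Economist or from any vendor's product): it compares each user's daily document retrievals against that user's own history, using a median/MAD score. The log format, user names, counts and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def daily_rows(user, counts):
    """Build constructed (day, user, documents_retrieved) rows for one user."""
    return [(f"2010-11-{i:02d}", user, c) for i, c in enumerate(counts, start=1)]

# Constructed sample data, not real logs: two steady users, one bulk
# download by bob on the last day, and carol, who has almost no history.
ACCESS_LOG = (
    daily_rows("alice", [38, 42, 40, 45, 39, 41, 44])
    + daily_rows("bob", [12, 15, 10, 14, 11, 13, 2500])
    + [("2010-11-06", "carol", 300), ("2010-11-07", "carol", 280)]
)

def flag_anomalies(log, threshold=6.0, min_history=5):
    """Return (day, user, count, score) for days on which a user's
    retrieval count far exceeds that same user's earlier days."""
    history = defaultdict(list)
    alerts = []
    for day, user, count in sorted(log):      # ISO dates sort chronologically
        past = history[user]
        if len(past) >= min_history:          # no baseline yet: cannot score
            med = median(past)
            # Median absolute deviation: a spread estimate that a single
            # earlier outlier cannot inflate. Fall back to 1.0 when every
            # past day was identical, to avoid dividing by zero.
            mad = median(abs(x - med) for x in past) or 1.0
            score = 0.6745 * (count - med) / mad   # robust z-score
            if score > threshold:             # only unusually HIGH volume
                alerts.append((day, user, count, round(score, 1)))
        past.append(count)
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(ACCESS_LOG):
        print("ALERT", alert)
```

Note that carol's 300-document days raise no alert, because she has too little history to score. That cold-start gap is one reason such a tool still needs an administrator who is paying attention.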

But there are other forces at work, too.  Many businesses are getting very involved in what are sometimes called “systems of engagement”, to facilitate and streamline the firm’s interactions with customers, suppliers, and the world at large.  (Think, for example, of the number of firms that invite you to become their “fan” on Facebook.)  This means that the push for security can only go so far.

Trying to prevent leaks by employees or to fight off hackers only helps so much. Powerful forces are pushing companies to become more transparent. Technology is turning the firm, long a safe box for information, into something more like a sieve, unable to contain all its data. Furthermore, transparency can bring huge benefits. “The end result will be more openness,” predicts Bruce Schneier, a data-security guru.

In the end, companies will have to decide how open they want to be, and try to devise systems and processes to go so far, but not farther.
