Cloud computing is not the only service that is changing how information is being delivered. The ability to move information quickly and inexpensively has enabled global business relationships, but it has also challenged security professionals to keep an eye on data as it goes from various manufacturers, headquarters and distributors around the world.
In part 2 of this chapter excerpt from
The Shortcut Guide to Prioritizing Security Spending, author Dan Sullivan explains just how widely distributed today's enterprise information actually is. Security professionals must therefore work diligently to protect data in transit, data shared between business partners and data on employees' personal devices.
The Shortcut Guide to Prioritizing Security Spending:
Chapter 3: Security and the Dynamic Infrastructure
Table of contents:
Part 1: How to justify information security spending on cloud computing
Part 2: How to protect distributed information flows
Another significant way in which IT service delivery has changed is the demise of traditional organization boundaries with respect to information sharing. The benefits of specialization and the ability to move information quickly and inexpensively around the globe is one of the enabling technologies of globalization. Distributed information flows are so prevalent now that we can, in the words of Thomas Freidman, view the world as flat. A business with headquarters in Chicago could have a manufacturing partner based in Shanghai, receive accounting and finance services from a company in Mumbai, look to a firm in Brussels for legal advice, and collaborate with a distributor in Buenos Aires.
Once again, we have an example of a compelling economic argument for an innovative way of doing business with significant security implications. We will consider three:
As we will see, distributed information flows must be protected at a macro level (business to business) and at a micro level (business to employee).
Data moving between organizations can give the impression that network boundaries no longer exist. This is an exaggeration, but an illustrative one. Of course, business and organizations continue to use firewalls, network segments, and other means to isolate resources. At a physical and architectural level, boundaries still exist, but at the logical level of data flows, these boundaries are more porous than a network architecture diagram might indicate. Orders can flow from a sales management system to a manufacturing partner who then transmits data to the accounts receivable system which then issues an invoice to a distributor halfway around the world.
Protecting data in a highly distributed, multi-organization system such as this requires attention to:
Encrypting communications is one control, but knowing appropriate data classifications and implementing controls on where data flows is also required to protect data in transit.
Sharing Data with Trusted Business Partners
Sharing data with trusted business partners has similar security implications to those found when utilizing cloud computing. First, you need some way to establish who you want to share the data with. Federated identity management systems allow for this by providing the means to determine who is a trusted business partner. After you have identified your trusted business partners, there are issues associated with compliance implications and data loss prevention.
With regards to compliance, a business must understand how the data shared with business partners relates to compliance requirements. A well‐formed and well‐managed data classification system can help organizations understand how data flowing out of the organization should be protected. Agreements between business partners can be used to bind parties to particular responsibilities regarding data protections, including measures to protect against data loss.
Employees and Personal Information Devices
Sharing data with other businesses or organizations is just one way protected data can leave the controlled infrastructure of a business. Employees using personally owned information devices are another.
The increasing use of personal devices for work‐related tasks has created something of a grey area for IT security. On the one hand, these devices are not owned by the business or government agencies, so they are not generally at liberty to dictate what device the employee should purchase, what OS to run, or the applications that the employee should use. On the other hand, individuals downloading corporate data have a responsibility to protect that data. The meeting ground seems to be that businesses should establish policies and practices that define minimum security requirements for devices that will house company data. These can include:
To read the rest of Chapter 3: Security and the Dynamic Infrastructure, download the .pdf.
Check out more from The Shortcut Guide to Prioritizing Security.
This was first published in November 2009