Problem solve Get help with specific problems with your technologies, process and projects.

How to protect distributed information flows

In a book excerpt from "The Shortcut Guide to Prioritizing Security Spending," author Dan Sullivan explains how to get a handle on enterprise data that may be moving around the globe.

Cloud computing is not the only service that is changing how information is being delivered. The ability to move information quickly and inexpensively has enabled global business relationships, but it has also challenged security professionals to keep an eye on data as it goes from various manufacturers, headquarters and distributors around the world.

In part 2 of this chapter excerpt from The Shortcut Guide to Prioritizing Security Spending, author Dan Sullivan explains just how widely distributed today's enterprise information actually is. Security professionals must therefore work diligently to protect data in transit, data shared between business partners and data on employees' personal devices.

The Shortcut Guide to Prioritizing Security Spending:
Chapter 3: Security and the Dynamic Infrastructure

Table of contents:
Part 1: How to justify information security spending on cloud computing
Part 2: How to protect distributed information flows

Download Chapter 3 of "Prioritizing Security Spending" as a .pdf

Another significant way in which IT service delivery has changed is the demise of traditional organization boundaries with respect to information sharing. The benefits of specialization and the ability to move information quickly and inexpensively around the globe is one of the enabling technologies of globalization. Distributed information flows are so prevalent now that we can, in the words of Thomas Freidman, view the world as flat. A business with headquarters in Chicago could have a manufacturing partner based in Shanghai, receive accounting and finance services from a company in Mumbai, look to a firm in Brussels for legal advice, and collaborate with a distributor in Buenos Aires.

Once again, we have an example of a compelling economic argument for an innovative way of doing business with significant security implications. We will consider three:

  • Protecting data in transit and the demise of network boundaries
  • Sharing data with trusted business partners
  • Employees and personal information devices

    As we will see, distributed information flows must be protected at a macro level (business to business) and at a micro level (business to employee).

    More from Realtime Publishers

    Download other information security book chapters from Realtime Publishers.

    Read more from The Shortcut Guide to Prioritizing Security Spending.
    Protecting Data in Transit and the Demise of Network Boundaries
    Data moving between organizations can give the impression that network boundaries no longer exist. This is an exaggeration, but an illustrative one. Of course, business and organizations continue to use firewalls, network segments, and other means to isolate resources. At a physical and architectural level, boundaries still exist, but at the logical level of data flows, these boundaries are more porous than a network architecture diagram might indicate. Orders can flow from a sales management system to a manufacturing partner who then transmits data to the accounts receivable system which then issues an invoice to a distributor halfway around the world.

    Protecting data in a highly distributed, multi-organization system such as this requires attention to:

  • Data classification—Businesses need to know what data to protect. Not all data is created equal; some requires more protection than others, either for regulatory or business strategy reasons. Personally identifying information (PII), credit and financial information, and trade secret information should be governed by appropriate controls.
  • Data in transit—Businesses need to know where protected data flows. Manufacturing partners may need some insight to a trade secret related to a product design but do not need customer accounting information. Information flows are dynamic, but they should not be free form.
  • Confidentiality—Businesses, government agencies, and other organizations maintain substantial amounts of private information on individuals and businesses. State, provincial, national, and trans‐national regulations dictate protections of such information in many parts of the world. A data breach in a Mumbai data center can have multiple implications when lost data includes information on customers from California to the European Union (EU).

    Encrypting communications is one control, but knowing appropriate data classifications and implementing controls on where data flows is also required to protect data in transit.

    Sharing Data with Trusted Business Partners
    Sharing data with trusted business partners has similar security implications to those found when utilizing cloud computing. First, you need some way to establish who you want to share the data with. Federated identity management systems allow for this by providing the means to determine who is a trusted business partner. After you have identified your trusted business partners, there are issues associated with compliance implications and data loss prevention.

    With regards to compliance, a business must understand how the data shared with business partners relates to compliance requirements. A well‐formed and well‐managed data classification system can help organizations understand how data flowing out of the organization should be protected. Agreements between business partners can be used to bind parties to particular responsibilities regarding data protections, including measures to protect against data loss.

    Employees and Personal Information Devices
    Sharing data with other businesses or organizations is just one way protected data can leave the controlled infrastructure of a business. Employees using personally owned information devices are another.

    The increasing use of personal devices for work‐related tasks has created something of a grey area for IT security. On the one hand, these devices are not owned by the business or government agencies, so they are not generally at liberty to dictate what device the employee should purchase, what OS to run, or the applications that the employee should use. On the other hand, individuals downloading corporate data have a responsibility to protect that data. The meeting ground seems to be that businesses should establish policies and practices that define minimum security requirements for devices that will house company data. These can include:

  • Establishing polices on the use of encryption, limits on the amount or types of data that can be downloaded, restrictions on backing up corporate data from a personal device, and requirements for the use of passwords or other means of authentication on the device.
  • Network security professionals can also use network access controls to prevent devices from connecting to the network that do not meet minimal security standards. This can include proper OS patch levels and up‐to‐date antivirus software.
  • Organizations can also provide security awareness training with an emphasis on data loss prevention and social engineering attacks. Corporate and government information is flowing more easily to devices controlled by other companies, agencies, and in some cases employees. The drive for efficiency and the willingness to adapt innovative processes will likely perpetuate and perhaps accelerate this process. Attending to the security implications is best done sooner rather than later in the adoption process.

    To read the rest of Chapter 3: Security and the Dynamic Infrastructure, download the .pdf.

    Check out more from The Shortcut Guide to Prioritizing Security.

  • This was last published in November 2009

    Dig Deeper on Information security policies, procedures and guidelines

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.