What Every Business Can Learn from Snowden
News that there is a second or even third leaker turning over sensitive documents about the U.S. government’s terrorist watch list to a journalist reminds us all about the security of information. With this in mind, today we focus on what every business can learn from Snowden.
While you may not be keeping national secrets, content is the bread and butter for any organization. It might be customer information, HR details, intellectual property (IP) or financial and commercial information. For organizations to get the most out of content, we collaborate on it. We have it stored in platforms like SharePoint or in file shares. It is online, offline, in the cloud, on our desktops or mobile devices. We need it to achieve an end goal.
The challenge, and what we can all learn from Snowden, is in securing sensitive content – whether structured or unstructured. If content is king, then corporate sensitive and confidential content is an emperor. It needs to be assigned the highest level of security possible.
Here are four tips that every organization should employ to secure data:
- Access is a privilege, not a right
Not every person within an organization should be able to access the same content. You don’t want the receptionist to see customers’ personally identifiable information (PII). You also don’t want the IT Admin to gain access to HR information like salaries. You need to see access as a privilege to be granted. However, managing access can be a challenge.
Classifying documents according to their content is one way to solve this. Using this information, you can define the level of sensitivity of a document as confidential, private or secret, and then build rules that define the audience, department or project that can access the document based on its classification. By applying granular security at the document level, only approved audiences will be able to see the document even if a wider audience has access to the site or library where the item physically resides. Item-level security also travels with a document, so if it’s moved to another folder or library the security parameters stay with it.
- Dynamic vs. inherited permissions
By default, SharePoint sites inherit permissions from a parent site. As a result, content access control requires the creation of multiple locations – sites, libraries or folders – to satisfy the demands of a wide range of sharing and access scenarios. A better way to address this is by defining rules that dynamically restrict access to items and documents by using user properties and item classifications without changing item permissions. This approach not only simplifies site management, it helps to keep content secure by taking into consideration the user’s context before allowing them to access sensitive documents. For example, if an employee is trying to access a sensitive document that they normally have access to, but they are on their mobile device in another country, access to the document can be denied.
- Document level encryption
Database encryption is a great way to keep hackers out. However, when the entire database is encrypted, an “all or nothing” mentality is applied. This means that items must be placed into a specific “bucket” in order for encryption to be applied. More often than not, this approach is difficult to map to everyday use in an organization and can disrupt content flow. Solutions that allow for item-level encryption empower any document in any library to become more secure.
- Track Your Content
Know who is accessing sensitive content or trying to access it, and what they are doing with it. Tracking content is important to comply with regulatory mandates, provide documentation for audits, and in the event of a breach or leak, track down the source in order to take appropriate actions.
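To make the first, second and fourth tips concrete, here is an added sketch (not code from this article or from SharePoint) of an access check driven by a document's classification and the user's context, with every decision logged. The classification labels come from the article; the departments, countries, device rule and all names in the code are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed rule set: classification -> audience and required context.
# Labels follow the article; departments, countries and the device rule
# are assumptions, not settings from any real product.
RULES = {
    "confidential": {"departments": {"HR", "Finance", "Sales"}, "managed_device": False, "countries": None},
    "private":      {"departments": {"HR"}, "managed_device": True, "countries": None},
    "secret":       {"departments": {"Finance"}, "managed_device": True, "countries": {"US"}},
}

@dataclass(frozen=True)
class User:
    name: str
    department: str

@dataclass(frozen=True)
class Context:
    country: str
    managed_device: bool

@dataclass(frozen=True)
class Document:
    title: str
    classification: str  # travels with the item, not with its folder or library

AUDIT_LOG = []  # one entry per decision, allowed or denied

def check_access(user, doc, ctx):
    """Return (allowed, reason) and record the decision in AUDIT_LOG."""
    rule = RULES.get(doc.classification)
    if rule is None:
        allowed, reason = False, "unknown classification"  # deny by default
    elif user.department not in rule["departments"]:
        allowed, reason = False, "department not in audience"
    elif rule["managed_device"] and not ctx.managed_device:
        allowed, reason = False, "unmanaged device"
    elif rule["countries"] is not None and ctx.country not in rule["countries"]:
        allowed, reason = False, "location not permitted"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "user": user.name,
                      "document": doc.title, "classification": doc.classification,
                      "country": ctx.country, "allowed": allowed, "reason": reason})
    return allowed, reason

if __name__ == "__main__":
    # Same user, same document, different context: denied abroad.
    print(check_access(User("alice", "Finance"), Document("Q3 forecast", "secret"), Context("FR", True)))
```

Because the rule is keyed on the document's classification rather than its location, moving the document to another library changes nothing about who can open it, and the denied attempts in the log are as useful for an investigation as the allowed ones.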
For more information on how to keep content safe, especially when you are collaborating on content, read our Do’s and Don’ts of Enterprise Collaboration.