"Managing the risks of information leakage"
By Bernardo Patrão, Information Security expert at Critical Software
23 Nov 2011
ContinuityCentral.com, a website that provides frequently updated resources on business continuity and has 70,000 monthly unique users, has just published an article (whitepaper) on "Managing the risks of information leakage" written by Bernardo Patrão, Critical Software's Information Security expert. Here is an excerpt:
«Information leakage is a real and growing problem. Every month, news about another organization leaking confidential information becomes public. These are the known cases that have a visible impact. Many similar incidents occur daily, and the vast majority of information leaks are accidental: they are not solely the result of intentional, harmful actions. Unintentional data loss is perhaps more dangerous because those affected are not necessarily aware of, or able to act on, the problem.
Aside from any other impact, information loss may represent a very high cost for organizations. Information loss has both direct and indirect costs: the intellectual property or industrial information itself together with the cost of handling the consequences of its loss. Indirect costs include: loss of credibility, erosion of competitive advantage and regulatory transgressions.
Nowadays little or no paperwork is involved in core business processes. Critical business information is increasingly held digitally. A recent IDC study shows that the trend of growth of digital format information is exponential and may reach 35 Zettabytes by 2020.
The growing awareness of the risks of information leakage was sparked by a series of corporate scandals in which confidential information was disclosed. As the majority of those cases demonstrate, such breaches are often not the result of malicious wrongdoing, but rather employees who unknowingly put their companies at risk. This may occur as employees send out email messages that contain files or content that they are not aware is confidential. Another example is employees delivering confidential files to their web-based email boxes, or copying files to mobile devices, and thus exposing them to untrusted environments.
Information security involves the protection of information from external attacks on organizations' infrastructure and processes. Security standards and best practices (e.g. ISO/IEC 27002:2005) are mainly focused on the protection of information systems from external sources and events, involving process and infrastructure security. Information leakage can, therefore, slip under the radar of information security processes and teams.
Protecting systems, infrastructures and processes from penetration is no longer enough. Organizations must protect the information that they hold (often on behalf of others) from accidental disclosure.
A high-level solution
In order to help prevent information leakage, the information itself should be safeguarded from undue accesses. The only way to ensure this is to use a solution that is able to apply to information some form of persistent protection that travels with it; ensuring data is protected regardless of its state or location. Such solutions are known as data-centric security solutions.
By analysing the taxonomy of the most relevant information security techniques (presented in the following diagram) it is easily seen that most technologies focus on the protection of data in a specific state: 'at rest' - while it is stored in a computer or network hard drive; 'in motion' - while traveling through the network between two users or machines; and 'in usage', while being accessed (read, edited, printed, etc.) by the users.»
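The excerpt's central idea is protection that stays attached to the information rather than to the store, the network link or the application. The following is an added illustration of that idea, written for this post and not code from the article or from Critical Software: a "protected container" in which the access policy is carried inside the object and bound to the ciphertext by an integrity tag, so that copying the object to a USB stick or a web mailbox moves the policy with it and nobody can edit or strip the policy without detection. To keep the example runnable offline it uses only the Python standard library, with an HMAC-SHA256 keystream in counter mode and an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM; the principals ("alice", "bob", "mallory"), the sample secret and the single shared master key are constructed for the example.

```python
"""Data-centric protection: the access policy travels with the data.

Added example, not from the article. Uses only the standard library; the
HMAC-based keystream and encrypt-then-MAC tag stand in for AES-GCM.
"""
import hashlib
import hmac
import json
import os
import struct


class AccessDenied(Exception):
    """Raised when the container fails integrity or policy checks."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(master: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def protect(master: bytes, plaintext: bytes, policy: dict) -> dict:
    """Wrap plaintext in a container: policy header (in clear) + ciphertext + tag.

    The tag covers nonce, header and ciphertext, so the policy cannot be
    altered or removed without the open() step noticing.
    """
    enc, mac = _subkeys(master)
    nonce = os.urandom(16)
    header = json.dumps(policy, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + header + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "header": header.decode(), "ct": ct.hex(), "tag": tag.hex()}


def open_container(master: bytes, container: dict, principal: str, action: str) -> bytes:
    """The 'in use' check: verify integrity, enforce the embedded policy, then decrypt.

    It runs wherever the object is opened, so the same rule applies on a
    laptop, a USB stick or an attachment downloaded from webmail.
    """
    enc, mac = _subkeys(master)
    nonce = bytes.fromhex(container["nonce"])
    header = container["header"].encode()
    ct = bytes.fromhex(container["ct"])
    expected = hmac.new(mac, nonce + header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(container["tag"])):
        raise AccessDenied("container tampered with (policy or data)")
    policy = json.loads(header)
    if action not in policy.get("allowed", {}).get(principal, []):
        raise AccessDenied(f"{principal} may not {action}")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


# Constructed for the example; a real system would hold this in a key server.
MASTER_KEY = os.urandom(32)


def demo() -> dict:
    """Walk the object through the three states from the taxonomy."""
    secret = b"Q3 acquisition target: ACME Corp"  # constructed sample data
    box = protect(MASTER_KEY, secret, {"owner": "alice",
                                        "allowed": {"alice": ["read", "edit"], "bob": ["read"]}})
    results = {}
    # At rest: the stored object does not contain the plaintext.
    results["at_rest_hidden"] = secret not in bytes.fromhex(box["ct"])
    # In motion: copying to USB / webmail moves the same bytes, policy included.
    copied = dict(box)
    results["bob_reads"] = open_container(MASTER_KEY, copied, "bob", "read") == secret
    # In use: the embedded policy is enforced at the point of access.
    try:
        open_container(MASTER_KEY, copied, "bob", "edit")
        results["bob_edits"] = True
    except AccessDenied:
        results["bob_edits"] = False
    # Stripping the policy: rewrite the header to grant "mallory" access.
    forged = dict(box)
    forged["header"] = json.dumps({"allowed": {"mallory": ["read"]}})
    try:
        open_container(MASTER_KEY, forged, "mallory", "read")
        results["forgery_works"] = True
    except AccessDenied:
        results["forgery_works"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The one thing this sketch deliberately simplifies is key management: here the master key is shared with whoever runs `open_container`, so a holder of the key could bypass the policy check. Commercial data-centric (rights-management) products keep the key on a policy server and release it only after evaluating the policy for the requesting user and action; the container format and the tag-over-header binding shown above are the part that makes the protection persistent.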
You can read the full article here: http://continuitycentral.com/feature0931.html
15 Apr 2013