Balance Content Security and Content Access With Granular Governance
Every CISO knows that you can’t have privacy without security, however, you can have security without privacy. Multi-factor authentication, data encryption, and threat protection defend against external threats, but they do nothing to ensure sensitive content is handled correctly by authorized users. While users across your extended enterprise expect easy access to their sensitive content, they also expect complete confidentiality: transparent collaboration comprised of private communications.
CISOs must enable secure file sharing that balances the protection of sensitive content with the overwhelming need to share it, easing access while preventing breaches, ensuring privacy alongside transparency, and adhering to complex regulations without getting in the way of efficient communication. Each trade-off entails risks. This blog series explores these trade-offs and offers six guiding principles for creating a secure content sharing channel that enables work across the extended enterprise and protects your most sensitive digital assets.
In my last blog post, I shared some of the pitfalls associated with providing simple, seamless access to content. Today, I’ll discuss the challenge organizations have in providing easy access to sensitive content, but also ensuring that content is shared with complete confidentiality.
Understand User Roles to Enforce Policy Controls
Confidentiality is the result of strong content communication governance – ensuring only authorized users can access, modify and share specific content in specific ways. It cannot be enforced at the network level—where most security controls are implemented, because it requires information like who, what, where, when, and how. It must be enforced at the user-application-content level, because that is where this information resides. For example, preventing a finance manager from sharing audited statements publicly prior to an earnings announcement requires an understanding of user roles, content type and timing of the request. These requirements echo my earlier blog post about the requirements for total visibility: connection to every user sharing endpoint and every content repository. Only now we need more than just a connection—confidentiality requires control.
Confidentiality means ensuring only authorized users can access, modify, and share specific content in specific ways. It must be enforced at the user-application-content level, because that is where this information resides. [source: Accellion secure file sharing and governance platform]
Complete Content Confidentiality Requires Complete Content Control
Your secure content sharing channel must have very granular policy controls based on a wide array of inputs, including user roles and privileges, as well as content metadata, such as file size, type, location, read and write permissions, and content sensitivity. Consider file access at a hospital. Should a podiatrist have access to an obstetrics patient’s records? Should an admitting clerk be able to edit a patient’s prescription dosage? Not if the hospital wants to demonstrate HIPAA compliance. This is the baseline to govern data at rest. To govern data in motion as it enters and leaves your organization, policy controls need to incorporate sharing metadata, such as sender, receiver, origin, destination, time of transfer, and window of availability. The more granular the governance, the greater your ability to enforce confidentiality and strike the right balance between privacy and transparency.
In the next post, I’ll discuss how organizations can prevent employees from building their own shadow IT out of easily accessible, consumer cloud applications. Until organizations make it simple to share sensitive content securely, they will force employees to seek out less cumbersome, and also less secure, alternatives.
Don’t want to wait? Download the eBook now!
The Risky Business of Online Collaboration