Security professionals can tell mesmerizing stories about information protection plans that never saw practical implementation. Myriad reasons could be given for why those plans failed. Some were unreasonable, since they put an overwhelming onus on users. Others were impractical, because they did not reckon with the fact that information exists to be consumed. Others were short-sighted, ignoring that cloud, “BYOs” and the need to share data with third parties mean “data has left the building”.
Dealing with the latter, we’ve all come to realize that with so many free online collaboration tools available at the click of a button or a swipe of the screen, leveraging a cloud-based drive is easy, fast and cheap. Nonetheless, enterprises have long realized that once files are moved outside of such “safe havens”, there’s really no way to control and prevent information flows and, consequently, disclosure.
At a lower or higher price point, most of those cloud silo options offer some sort of security mechanism meant to protect data from falling into the wrong hands. Offerings typically provide ways to control and restrict access to documents, by means of encryption or, in some cases, enterprise digital rights management. Although this is good IT security policy, such approaches are blind to each user's role and corresponding need to know. Because they do not take the principle of least privilege into consideration, they apply a one-size-fits-all access and usage policy, which does not match the need to collaborate, where different people should have different privileges over the same data.
To tackle the problem, companies should rely on data classification and role-based access control policies to automatically apply and enforce corporate restrictions on data, without any overhead for the user. This ensures that all documents are consistently classified in line with the organization's security and governance policies and minimizes the risk of accidental leakage of data due to human error.
Once a data classification schema and taxonomy are defined, you need to appropriately classify all your organization's data, and develop and implement the security standards that specify appropriate handling practices for each category. In other words, data classification should be the driving force behind the DRM or encryption that enforces the ability to access, use and share sensitive data both internally and with external parties. Thus, the actions a user is entitled to perform on a data file are driven by the role that user holds within the team, not by standard drive or library permissions.