Information Risk Management
Businesses today rely on employee, customer and partner collaboration using electronic information -- making email, SharePoint, IM and related systems critical to the success of the organization. At the same time, however, IT organizations are struggling with the short- and long-term challenges caused by the massive growth in unstructured information. Simply stated, IT must:
- Keep bad stuff out, such as viruses, spam and other malicious programs designed to steal information
- Keep good stuff in, such as intellectual property and other sensitive information
- Efficiently store the right information for the right amount of time -- no more, and no less
- Be able to quickly find all relevant information for business, legal and regulatory purposes
The challenges of securing, storing and searching this information throughout its useful life are compounded because unstructured information is everywhere -- traversing the network on endpoints, in storage and in collaborative applications like email and SharePoint.
To effectively secure and manage information in this increasingly challenging environment, organizations will need to adopt a more comprehensive information risk management strategy -- one that makes it easy to secure, manage and leverage information, but without disrupting the business. They need a strategy that ultimately allows the organization to protect its information everywhere, reduce storage costs, and automate high cost work flows.
Information Risk Management In Real Life
The ING Renault Formula 1 racing team competes in one of the most competitive motor sports in the world. The ING Renault team hand-builds cars and engines at two locations in England and France, and tests and races them on circuits around the world using the latest and most sophisticated manufacturing and logistics processes.
The car itself generates huge volumes of information -- wirelessly transmitting megabytes of telemetry data every time it passes the pit lane. With the team sending and receiving more than 400,000 emails per week, the team’s messaging infrastructure was buckling under the strain with several crashes of its Exchange system. It was also being further stressed by spam -- unwanted messages that annoyed employees and added to the storage burden.
The team was able to get their spam issue under control using gateway filtering that cut spam volume without stopping legitimate messages, and added active email archiving to get storage under control and dramatically reduce the size of its Exchange message store. This eliminated the crashes and reduced storage by 40 percent. Data loss prevention capabilities in the mail gateway also quarantine any outgoing message that contains anything considered confidential property of the team, such as engineering drawings.
Halting Incoming Malicious Threats
By now, most organizations recognize the importance of deploying a proactive, multi-tiered defense against an ever-expanding range of Internet threats. By providing protection for laptops, desktops, mobile devices and mail servers, organizations can significantly reduce their risk exposure to malicious programs, spam and phishing designed to extract information from the organization.
Protection must also be provided at the gateway. For example, messaging security gateways safeguard users from email- and instant messaging-borne viruses, spam, phishing, worms and malicious code.
A major challenge is the sheer volume of illegitimate messages. These messages account for more than 80 percent of all email, up from 8 percent eight years ago. Traffic shaping technology helps turn the tide of spam by tracking the amount of spam each email source sends to the gateway -- in other words, the sender's reputation. This allows the gateway to simply refuse connections from sources with a reputation for only sending spam. But today, many sources send a mixture of spam and legitimate email, usually because they aggregate email from senders inside an organization, some of which are compromised computers, known as bots, that can be controlled by hackers. Refusing connections from these mixed sources will block legitimate email. To resolve this quandary, the gateway has to allocate message filtering resources to each source according to its reputation. Mixed senders have some connections accepted, but not all, and their messages are scanned more slowly so as to use fewer gateway resources. This not only reduces the volume of spam received at the business, it also ensures more legitimate messages get through and saves computing resources needed to deal with the growth in message volume.
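The admission logic described above can be sketched as follows. This is an added example, not code from any product named in the article; the thresholds, the "defer" decision name and the sample addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All thresholds are assumed values for illustration.
REFUSE_AT = 0.95      # spam ratio at or above which a source is refused outright
TRUST_AT = 0.10       # spam ratio at or below which a source is scanned normally
MIN_SAMPLES = 20      # messages needed before reputation is acted on
MAX_DELAY_MS = 2000   # slowest scan scheduling for the worst mixed sender

@dataclass
class Source:
    spam: int = 0
    total: int = 0
    credit: float = 0.0   # accumulates toward the next accepted connection

class Gateway:
    def __init__(self):
        self.sources = {}

    def record(self, ip, is_spam):
        """Feed a filtering verdict back into the source's reputation."""
        s = self.sources.setdefault(ip, Source())
        s.total += 1
        s.spam += int(is_spam)

    def admit(self, ip):
        """Return (decision, scan_delay_ms) for a new connection from ip."""
        s = self.sources.setdefault(ip, Source())
        if s.total < MIN_SAMPLES:
            return ("accept", 0)            # unknown source: scan normally
        ratio = s.spam / s.total
        if ratio >= REFUSE_AT:
            return ("refuse", 0)            # reputation for only sending spam
        if ratio <= TRUST_AT:
            return ("accept", 0)
        # Mixed sender: accept about (1 - ratio) of connections, scan slowly.
        s.credit += 1 - ratio
        if s.credit >= 1:
            s.credit -= 1
            return ("accept", int(ratio * MAX_DELAY_MS))
        return ("defer", 0)                 # assumed: sender is asked to retry later

def demo():
    gw = Gateway()
    # Constructed history: (source, spam messages, legitimate messages)
    for ip, spam, ham in [("192.0.2.10", 100, 0), ("198.51.100.7", 50, 50),
                          ("203.0.113.5", 1, 99)]:
        for i in range(spam + ham):
            gw.record(ip, i < spam)
    return {ip: [gw.admit(ip) for _ in range(4)] for ip in gw.sources}
```

The pure-spam source is refused on every attempt, the clean source is always accepted at full speed, and the mixed source gets every second connection accepted with a scan delay.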
Preventing Outgoing Data Loss
In addition to keeping malicious attackers out, organizations must also keep sensitive information in and prevent inadvertent and intentional loss.
The problem with unstructured information is that it is everywhere, so the logical starting point is finding confidential information wherever it is stored or used -- whether on laptops, desktops, servers, email, websites, relational databases or other repositories.
The next step is to determine information-centric policies for controlling sensitive or important information so that they can be consistently enforced everywhere information flows or resides. A policy to block transmission of the latest financial results outside the company must work regardless of whether they are copied to a USB device, pasted into a document, faxed, printed, emailed, uploaded to webmail or sent via FTP. This means that a central policy manager for data loss across endpoints, stored information and networks is mandatory.
A key theme of Information Risk Management is to avoid disrupting the business, which is why controlling data loss has to take on a coaching role. When sensitive data is about to be lost, users must be told what is happening, why it is a problem and who they can contact for more information, and in most cases must be allowed to make a choice about what to do. For example, it's important that a design team has the ability to send product designs to contract manufacturers for production. Blocking this would disrupt business.
So the ability to tell users their actions are being logged while offering choices like "Cancel the operation -- I didn't realize this was confidential information" vs. "Continue -- I need to do this as part of my job" is important. Experience shows that when coached in real time, employees rapidly learn the correct behavior and inadvertent data loss incidents rapidly decline.
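A central policy manager with real-time coaching, as described in the preceding paragraphs, might look like the sketch below. It is an added example, not taken from any product mentioned in the article; the policy names, contact addresses and phrase-match detection are assumptions standing in for real content inspection.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    name: str
    markers: tuple      # assumed detection: phrase match on the content
    coachable: bool     # True: the user may continue after being coached
    contact: str        # who the user can ask for more information

@dataclass
class PolicyManager:
    policies: list
    audit_log: list = field(default_factory=list)

    def evaluate(self, user, channel, content, choice=None):
        """Decide on one event. channel is logged but never used for matching,
        so USB, print, fax, email, webmail and FTP all get the same decision.
        choice is the user's answer to a coaching prompt, or None if not asked."""
        text = content.lower()
        hit = next((p for p in self.policies
                    if any(m in text for m in p.markers)), None)
        if hit is None:
            return ("allow", "")
        if not hit.coachable:
            outcome = "block"
        elif choice is None:
            outcome = "prompt"
        elif choice == "continue":
            outcome = "allow"
        else:
            outcome = "cancel"   # any other answer fails closed
        self.audit_log.append((user, channel, hit.name, outcome))
        message = (f"Matched policy '{hit.name}'. This action is logged. "
                   f"Contact: {hit.contact}")
        return (outcome, message)

# Constructed policies and addresses for the example.
MANAGER = PolicyManager([
    Policy("financial-results", ("q3 financial results",), False,
           "compliance@example.com"),
    Policy("product-designs", ("engineering drawing",), True,
           "security@example.com"),
])
CHANNELS = ["usb", "print", "fax", "email", "webmail", "ftp"]

def outcomes_by_channel(content, choice=None):
    """Run the same content through every channel and collect the outcomes."""
    return {ch: MANAGER.evaluate("alice", ch, content, choice)[0]
            for ch in CHANNELS}
```

Every matched event is written to the audit log whatever the user chooses, which is what allows the prompt to state truthfully that the action is being logged.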
Efficiently Storing and Retaining Relevant Information
As unstructured enterprise information grows, it will consume many terabytes of storage, which not only wastes precious space but also will cost time and money to manage, maintain and back up. A more fundamental problem for senior IT managers is that their storage hardware budget is growing much faster than the overall IT budget. As a result, storage is squeezing out other IT projects at a time when IT leaders are being asked to spend less time managing technology and more time contributing to the efficiency and profitability of the business.
Archiving, however, automatically migrates information across tiered storage – from an expensive primary disk to a cheaper disk, and then optionally to tape or WORM storage which significantly lowers operational cost. It can also automatically delete information which has reached the end of its useful life (and which is not being held for legal or regulatory purposes). An intelligent archiving system allows organizations to leverage it as their primary repository for all unstructured information. In our research we’ve found that these systems have been able to reduce storage costs by 60 percent or more.
All information in the archive must be indexed so that it can be searched. However, indexing technologies widely differ and produce an index of varying size. It is vital that the size of the index be kept small for archiving, as a large index will squander any storage efficiency gained by deduplication and compression. Resist the urge to index with sophisticated search technologies that result in indexes 50 to 100 percent of the size of the information being indexed.
To make sure the business is not disrupted, the best active archiving is tightly integrated with collaborative applications like Outlook/Exchange, Domino/Notes and SharePoint so that users notice little or no difference in operation and no process changes are required.
Information classification can make it easier to find information in the archive, and also identify the limited amount of information that must be retained for longer periods. While user classification is simple to do, studies by the National Archives and Reference Administration (NARA) show that it has its limits – users give up on the extra work required to do classification. Automated classification is better; the best information classification is based on the same policies used to stop data loss and protect information.
Finding it Fast
Burgeoning information volumes also make it more difficult to find the right information at the right time, and manually aggregating and reviewing files, messages or other content for legal scrutiny can be time-consuming and cumbersome.
To mitigate the risk of failing to find relevant information within the appropriate timeframe, organizations must be able to simplify and automate the process of searching and reviewing information. Legal discovery or disclosure adds an additional requirement that the process used to find information be transparent and repeatable to ensure it has returned all of the relevant information for a case. Opaque or inconsistent search approaches are likely to be challenged by the opposition and may result in sanctions if the judge cannot tell whether the court's requirements are being met.
Self-service searching is essential to avoid creating a bottleneck in the IT department. Workflow capabilities such as team and delegated review can help divide and conquer the task overall. Guided review, where the discovery tool suggests ways to drill down into a set of documents under review, helps internal or external experts quickly home in on important information while avoiding the irrelevant.
As the volume of unstructured information continues to grow, organizations need to adopt a comprehensive information risk management strategy that protects against incoming threats and outgoing data loss while also meeting the information storage, search and discovery demands of today and tomorrow. Furthermore, organizations can leverage this dynamic and powerful infrastructure to mine their own information and gain key insights that will help them quickly respond to customer and market changes for years to come.
Mathew Lodge is senior director of product marketing at Symantec Corp. over the Symantec Brightmail, Enterprise Vault, and Control Compliance Suite product lines. He completed his undergraduate studies at the University of York in the UK and his graduate degree from London Business School. Mathew is based in San Francisco.