What Credit Cards, Identity Theft, and Snowden can teach us about effectively managing sensitive information
Many people and organisations, regardless of age and experience, often develop a hankering for the “olden days” ― a poorly defined and vague time and place when life was simpler and somehow better.
Managing sensitive information was definitely simpler but not always better in the pre-digital age. When working with paperwork, you simply got the file and put it in a lockable cabinet and restricted access to the key.
In the age of the cloud, access is much more fraught with the constant danger of data theft and unwanted data leakage.
Yesterday’s mistakes are today’s lessons learned
Good data management begins with understanding where all data ― sensitive or otherwise ― is stored, and having well-established policies for categorising data so all types of data can be handled properly.
One example is data that, for whatever reason, needs to be encrypted both in transmission across a network and while stored, regardless of the location and device being used. In the case of Stellar, of course, this process is baked into the application so you don’t have to worry, but this doesn’t apply to all your sensitive data.
This can also be the case for information such as payroll data, where the application handles security and storage but care needs to be taken to ensure such information is never moved to or stored in an insecure location.
In other cases, there is a need to put in place tools and controls to make sure your data policy is followed and that data sets are safe. These tools and controls need to be supported by user education to help users understand the sensitivity of the data they work with and their role in keeping it safe.
Payment and credit card details and stories of identity theft are yet another constant reminder of the importance (and consequences) of keeping information secure…or not.
Managing data, the right way
The key elements in managing sensitive information are understanding what information is sensitive, having rules in place for managing it, and providing your employees with the tools and processes to handle this properly.
Beyond policies and data management tools, there is also the need to protect computer networks and data from threats ― both internal and external.
The most famous inside job when it comes to leaking was the Edward Snowden case, which was the result of an issue with the collaboration software being used. The problem was not with the software itself but with the policies and governance ― who had access to what data and what they could do with it.
As with encryption discussed above, this is an area of management which is baked into Stellar where full control is delegated to the library manager. This is further supported by the ability to expire data or remotely remove it from mobile devices (for example in the case where a device is lost or stolen).
So the key lesson to remember from the Snowden case is the need to restrict copying capabilities (at a hardware/software level) and to make sure employees only have access to data they are entitled to and need for their job.
Most data storage and management tools have the functionality to securely manage sensitive data to some extent, and the challenge to managers is to make sure these are implemented effectively.
In the case of Stellar, these tools are easily accessed and policies can be set in place, with exceptions easily managed and their impact limited.
Over-confidence can be a (data) killer
Here is where one of the most important lessons when it comes to data security kicks in ― don’t become over-confident in the technology, no matter how sophisticated it is. You can never make anything completely secure, or secure forever.
In this day and age anything can be hacked, especially when surveillance of electronic communications is apparently ubiquitous.
Content controls, protection, tracking and deep analytics for files can plug security and workflow holes. But they are not the final solution.
Protecting your data doesn’t have to be difficult
Here is where we come full circle back to governance and your enterprise’s / board room’s data management policies. Work on the assumption that at some point there will be unauthorised access to your data, make sure all your software is up to date, and constantly review and check your policies.