Confidential company information, secret recopies, partner profiles, client histories and many other confidential matters are stored on departmental and network storage servers today. Access to this data, as well as to sensitive information encompassing employee records, salaries and health care details is not controlled as the norm. Moreover when small workgroups converge to work on special projects, we often see that such information is not live on the company data storage, but rather on the hard drives of notebooks or the personal mail folder of the individual participants.
This leaves the organisation open to many liabilities and can jeopardise a competitive edge or customer relationship, should this information find its way into the wrong hands. Questions that beg asking are, "Do we have a data classification standard in place, and has it been effectively communicated to the users?" Furthermore, "Do we have the tools in place to enforce such policies and procedures?"
Assuming these questions can be answered in the affirmative, one could then assume that a first step has been taken in securing the company`s confidential information.
The data custodian, i.e. the person that looks after the network storage, makes backups and validates the data integrity, must be a trusted soul within the company. Is this trust extended to a third party / outsourcing company that potentially performs this role? Does the SLA you have with that company make you privy to the background checks performed on these individuals?
Karel Rode, Security Consultant at LATITUDE Information Technology believes that digital credential implementation enables customers to achieve superior security control. "Providing users with robust authentication and authorisation mechanisms is an excellent alternative that can be used to address data confidentiality and integrity. As such, a two factor authentication system (proving you are who you are to the system by providing two unique `tokens` of identification) can be implemented that will only authorise a user to specific network resources, be it the Internet, mail, RAS, VPN or the accounting system, once the required authentication credentials are presented."
"When we implement a digital credential like a digital certificate, stored on a smart card or USB token, with clever integration into an Enterprise Directory we can achieve an enhanced state of security and control over data that has not been possible in the past," says Rode. "Such credentials can be used to encrypt and decrypt data on network shares, with special shared keys available to project teams that work concurrently on the information. Moreover, the digital keys can be used to sign documents and emails, providing integrity information, encrypt emails between parties, providing confidentiality of the communications.
Lastly, these keys can encrypt the files and folder on the mobile workforce`s machines allowing managers to rest peacefully with the knowledge that company confidential information cannot fall into the hands of mischievous or malicious third parties, through the loss of mobile computing devices."
Share