Digital Files

by Msecadm4921

Are you practicing secure collaboration or is it chaotic? asks Yaki Faitelson, pictured, Chief Executive Officer, President and Co-founder of Varonis Systems. He looks at the implications for organisations that get it wrong, and gives advice on how to protect your information in a digital world.

Digital files are critical business assets. Organisations create more and more of them every day, in a widening variety of more sophisticated formats. As spreadsheets, presentations, images, audio and video files increase in capability and complexity they convey more information and tell more complete stories. As an example, a presentation can now contain graphics, charts, video, and audio – organisations use presentations to communicate their business plans, quarterly reviews, and internal processes. Files that can't be used for collaboration are like financial assets that can't be spent.

Not surprisingly, organisations now collaborate with digital files as part of almost every business process. They share them using core infrastructure components: file shares, email, and SharePoint. Collaboration via these infrastructure components has become so critical that organisations can scarcely function without them – even for an hour. If given a choice, most people would choose to have their phone service disrupted rather than their email.

And, while collaboration is essential, it introduces a lot of chaos. There is evidence of chaos in the sheer quantity of data being created – the amount of data organisations need to manage and protect is growing at 50 percent year on year. Today we think in Gigabytes and Terabytes instead of Kilobytes and Megabytes; some organisations are grappling with Petabytes.

There is more evidence of chaos when we examine how organisations try to manage and protect all this data; the number of data management elements – the folders, groups, and access control lists – is doubling every year. With dynamic, cross-functional teams accessing data sets in numerous locations on multiple platforms, it is difficult or impossible to determine who has access, needs access, does access, and "owns" the data.

The risks associated with this chaos turn grave when we consider that organisations now store countless files that contain information about their partners, their patients, their vendors, their clients, their customers, and even their clients' customers. Today it is difficult to find someone who hasn't been notified at some point that their email or credit card information has been stolen.

When these digital assets are misused they can become a tremendous liability – reputation and client confidence suffer, intellectual property and competitive edge may be lost, or damages may be inflicted.

People and organisations will choose to conduct business with those organisations that have demonstrated that they can conduct secure collaboration, and organisations that continue to practice chaotic collaboration will eventually lose their ability to conduct business. Who will want to do business with a company that has demonstrated that it can't protect its customers' credit cards and email addresses? Who will want to go to a hospital that can't protect medical records?

How can you tell if your organisation is practicing secure collaboration?

Pick two people in your organisation at random, and pose the following questions to IT and data policy makers:

Q: What data can these two people access? (Not what groups they're in, what actual data – what folders, files, SharePoint sites, mailboxes, etc.)
Q: What have these two people accessed over the past week? (Not which servers; which actual files, folders and emails.)
Q: Of that data, which is sensitive and would cause problems if it were lost or released?
Q: How did we decide what data these users should have access to? (Not what groups they're in, what data.)
Q: How will we decide when they should no longer have access to that data? (Other than when they leave the organisation.)
Q: If they suddenly decided to access everything they are able to, would we know and how?

If your organisation knows the answers to these questions, and they are better than "I don't know," then you're in reasonably good shape.

If not, then your organisation's collaboration practices are uncontrolled, and not only are you at risk for a significant breach, but small-scale breaches are probably happening already.

The question you now need to answer is how to transform your chaotic collaboration into secure collaboration, to make it more ordered, manageable, and less risky, using the same platforms that you've already invested in and use so heavily – file shares, email, SharePoint.

How can you achieve secure collaboration?

In order to tame the chaos, organisations first need to be able to quickly answer basic questions about data assets and the people that use them:

Q: Who has access to what data?
Q: Who is using what data?
Q: Which data is sensitive?

Unfortunately, the answers to these questions change every day, so a snapshot of this information is not sufficient – this data about data, or metadata, needs to be continually updated through automated collection.

By continually collecting, aggregating, storing, and analysing metadata, organisations can then answer these more complex questions:

Q: Who owns the data, or should be designated as its custodian?
Q: Who should have access?
Q: Where is data exposed?
Q: Who is abusing their access?

Armed with these answers, organisations can then put procedures in place that enable secure collaboration. For example, all data has a designated owner or custodian, who reviews who has access to their data on a regular basis. Their reviews are enhanced through automated recommendations about which users have too much access, much like online shopping experiences are enhanced by recommendation algorithms. Data owners can easily review who has been accessing their data, which files contain sensitive content, and which are no longer used. No one is authorised to access data without correct approval.

Automation identifies and alerts on probable abnormal or abusive access, much like automation identifies and alerts on possibly fraudulent credit card activity.

Secure collaboration means that only the right people have access to the right data, and use of all data is monitored. It is a balance between the absence of access, where the asset cannot be leveraged, and excessive access, where the asset is a liability capable of causing damage.
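The questions above can be answered mechanically once permission and access metadata are collected. The following is an added illustration, not code from the article or from any Varonis product; the group names, folder paths, events and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample metadata (not from the article): group membership,
# folder ACLs, folders classified as sensitive, and one week of access events.
GROUPS = {"finance": {"alice", "bob"}, "all-staff": {"alice", "bob", "carol", "dave"}}
ACLS = {
    "/finance/payroll": {"finance", "all-staff"},  # sensitive and broadly exposed
    "/finance/budgets": {"finance"},
    "/hr/records": {"carol"},
    "/shared/templates": {"all-staff"},
}
SENSITIVE = {"/finance/payroll", "/hr/records"}
EVENTS = [  # (day, user, folder)
    (1, "alice", "/finance/budgets"), (2, "alice", "/finance/payroll"),
    (1, "carol", "/hr/records"), (3, "bob", "/shared/templates"),
    (5, "dave", "/finance/payroll"), (5, "dave", "/shared/templates")]

def effective_access(acls, groups):
    """Who can reach which folders, with groups expanded to actual users."""
    access = defaultdict(set)
    for folder, principals in acls.items():
        for p in principals:
            for user in groups.get(p, {p}):  # a non-group principal is a user
                access[user].add(folder)
    return dict(access)

def used_access(events):
    """Which folders each user actually touched in the collected window."""
    used = defaultdict(set)
    for _day, user, folder in events:
        used[user].add(folder)
    return dict(used)

def revocation_candidates(access, used):
    """Permissions never exercised in the window: input for the owner's review."""
    return {u: sorted(f - used.get(u, set())) for u, f in access.items()
            if f - used.get(u, set())}

def exposed_sensitive(acls, sensitive, broad_groups):
    """Sensitive folders granted to an organisation-wide group."""
    return sorted(f for f in sensitive if acls.get(f, set()) & broad_groups)

def sweep_alerts(access, events, ratio=0.9, min_folders=2):
    """Users who, in one day, touched nearly everything they are able to reach."""
    daily = defaultdict(set)
    for day, user, folder in events:
        daily[(day, user)].add(folder)
    return sorted((d, u) for (d, u), f in daily.items()
                  if len(f) >= min_folders and len(f) >= ratio * len(access.get(u, ())))
```

Because the inputs change daily, these functions would be rerun on freshly collected metadata rather than on a one-off snapshot.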

If you didn't trust a bank to safeguard your money you wouldn't do business with them and the same is true for personal information. If you don't trust an organisation to safeguard your data, you won't do business with them, either. Controlling who is accessing your data and what they're doing with it establishes a foundation of trust that everyone will feel happier about.