Designing Electronic Barriers around Digital Assets - White Paper

Designing Electronic Barriers around Digital Assets - White Paper






Total Views
Views on SlideShare
Embed Views



1 Embed 21 21



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Designing Electronic Barriers around Digital Assets - White Paper Designing Electronic Barriers around Digital Assets - White Paper Document Transcript

  • Designing Electronic BarriersAround Digital AssetsCase Studies in CollaborationBusiness success today can be increasingly measured on This white paper explores a different approach tothe same scale as an organization’s collaborative acumen. implementing electronic barriers, one that results inThe best opportunities often lie beyond the traditional more precise solutions that are both data-centric andperimeter, in the overlap between organizations and context-sensitive. Case studies of real challenges insynergies with partners, across global supply chains and a industry collaboration reveal the need for multiple kindsmobile workforce. However, as businesses eagerly position of electronic barriers to target users and data in precisethemselves to take advantage of these opportunities, they and complementary ways. This white paper examines thefind themselves spending as much time—if not more— differences between three kinds of electronic barriers andtrying to understand new forms of risk. explains how they can be strategically combined to prevent wrongful disclosure in four industry use cases. This paperPerhaps the biggest challenge is anticipating and preparing concludes by deriving a list of the building blocks thatto block the inappropriate sharing and consumption of comprise any effective electronic barrier solution.electronically stored information (ESI). What constitutesinappropriate sharing differs across industries, is regulated Three Kinds of Electronic Barriers:by different compliance organizations and governingbodies, and is subject to different litigation and fines. But the Differences in Design, Goal, andunderlying problem is the same: wrongful disclosure, where Targeted Stage(s) of Informationan organization fails to prevent unauthorized users fromconsuming certain classes of information. Common causes Lifecycleof wrongful disclosure include breaches in confidentiality Successful electronic barriers must be defined broadlyor non-disclosure agreements (NDA) between parties, enough to prevent wrongful disclosure, but precisely enoughdesignated conflicts of interest (which are highly regulated to allow authorized forms of collaboration to occur. Ideally,in many industries), and failure to comply with industry and electronic barriers require neither unwieldy administrativegovernment regulations pertaining to the export of certain procedures nor extensive infrastructure changes (althoughclasses of data to foreign countries and persons. In addition some procedural and infrastructure changes are oftento demonstrating compliance for auditing and certification required).purposes, businesses are expected to assume pro-activestewardship of all sensitive ESI within their organizations Implementing successful barriers in a complex organizationin the interest of investors, partners, clients, and even the requires a solid understanding of design options (the shapepublic at large. of the logical barrier or separation, and whether it should apply to users, data, or both) and enforcement goals (theThis white paper explores a technique commonly used intent of enabling sharing and access or blocking sharingto mitigate wrongful disclosure: implementing electronic and access, and whether for users, data, or both). It is alsobarriers that segregate data and users. Traditional necessary to understand at which point(s) in the informationapproaches to creating barriers include physically lifecycle electronic barriers should be applied—that is, wheresegregating infrastructure, maintaining multiple instances interventions and policy automations can be inserted intoof applications, patching together disparate access controls creation and storage models, access and usage patterns,and point solutions, and even “locking information up” so modes of communication, and so on. This section examinesrequests are processed on a case-by-case basis, only after three kinds of electronic barriers that differ in design, goal,labor-intensive, manual checks. These traditional approaches and targeted stage(s) of the information lifecycle.can be error-prone and costly to maintain, and can hamperbusiness collaboration.
  • Information Barriers: Block Sharing Between Information Boundaries: Restrict SharingGroups Within a GroupInformation Barriers are the simplest form of electronic Information Boundaries encircle groups of users as thebarrier. They erect a logical wall between two groups authorized consumers of confidential information, sensitiveof users to block communication and sharing of data. data, intellectual property, trade secrets, or any non-publicInformation Barriers are commonly content-aware. That information. Whereas Information Barriers are designedis, the restriction of information flow targets confidential to block the sharing of information between users ininformation of a precise nature; the sharing of other, non- order to segregate user roles, Information Boundariesrestricted information may still take place. Information are designed to enable the sharing of informationBarriers are common in legal firms, where portions of an within a group of users, but not outside of the group.organization may serve both conflicting litigants. They are Boundaries may be logical (around a facility, company, oralso common in the financial sector (as will be discussed in brand). While Information Boundaries may correspondmore detail in case study 1), where barriers are mandated to natural infrastructure boundaries that already exist inby Federal, State, and private entities, such as the Security an organization (a common example being a dedicatedand Exchange Commission (SEC), National Association of server or file share where a group stores data, which isSecurities Dealers (NASD), Public Company Accounting only accessible to members of that group), InformationOversight Board (PCAOB), Financial Accounting Standards Boundaries can also be more complex and unrelated toBoard (FASB), and others. infrastructure. Think of data that must be accessed by cross-functional teams, data shared during inter-company partnerships or contract relationships, and data stored in multiple locations. Boundaries may overlap other boundaries—even entire organizational boundaries. They may also be temporary or conditional in nature, existing only for the duration of a joint venture or partnership, merger and acquisition period, or contract relationship (as will be discussed in more detail in case study 2).While Information Barriers typically target the sharing ofa particular kind of information, they are user-centric inboth design and goal. Specifically, Information Barriers areerected to prevent organizational conflicts of interest—orsituations where a person or entity in a position of trustfaces competing interests, sufficient to influence, or appearto influence, the objective exercise of duties. The goal ofan Information Barrier is to segregate user roles so thatone person may not have access to information associatedwith one role while simultaneously engaged in activitiesassociated with another role deemed to be in conflict. While Information Boundaries can be considered user-centricThe most pertinent stage of the information lifecycle is in design, just like Information Barriers, they are more data-the movement of data between groups. Organizations centric in goal. User groups are targeted not because theremust anticipate and control modes of communication and is a need to prevent conflicts of interest or segregate userdata in transit , whether over e-mail, IM, FTP, uploading roles; instead, user groups provide the easiest way to mapto SharePoint or other corporate intranet, copying to how data should be organized into logical boundaries offile shares, publication communications, USB, and so access and use. In most cases, it makes sense to designateon. Most often, Information Barriers do not exist in the a group of engineers as the only authorized producers andnatural infrastructure boundaries of an organization. Either consumers of data associated with an engineering project.physical infrastructure must be overhauled (which is Or, it may make sense to allow only a team associated withactually required by some regulations), or policies must be a particular client to have access to IP associated with thatimplemented to control how data moves through existinginfrastructure. 2
  • client (as is discussed in more detail in case study 3). In both For instance, policies may specify that data of a certaincases, the point is not to block one group from sharing data class may not be created or saved outside the sandboxwith another group, but to make sure data cannot be shared location. Then, additional safety controls can govern theoutside the authorized group. actions authorized users can perform on data within the sandbox. While creating, viewing, uploading, and modifyingWhereas controlling the modes of communication and may be allowed, other actions—printing, downloading,detecting content while in-transit are the primary lifecycle emailing, copying and pasting, moving, and renaming—targets for Information Barriers, Information Boundaries tend may be blocked. Such controls ensure that users canto focus more broadly on usage and storage patterns. For perform authorized actions on digital information withininstance, what applications are generally used to produce the sandbox, but may not distribute or access informationand consume information by users within the boundary? outside it.Where is this data stored so that others in the group mayaccess it (in enterprise applications, in shared network Sandboxes primarily target two information lifecycle stages:locations)? How can you restrict storage and enforce access blunt restrictions placed on the storage model, and fine-controls that reference the pertinent identity attributes grained controls on access and usage patterns. In addition,(such as company, project, etc.), in order to distinguish as is illustrated in more detail in case study 3, sandboxes canauthorized users from unauthorized ones? be designed strategically to either restrict or broaden cross- team access. In other words, a sandbox may apply bluntInformation Sandboxes: Contain Data within a storage rules so data may not be created or stored outside of the sandbox. Then, because data is both static and secure,Location limited forms of access can be extended to broader userInformation Sandboxes are a kind of boundary that have groups, if required.the primary goal of containing data within a logical locationor system. Whereas Information Boundaries are designed Common cases that require Information Sandboxing includeprimarily around user groups, with the goal of restricting Protected or Patient Health Information (PHI). In accordanceaccess and usage within that group, Information Sandboxes with the Health Insurance Portability and Accountabilityare designed primarily around data, often corresponding to Act (HIPAA), all PHI must be safeguarded against wrongfulor reinforcing natural infrastructure boundaries. The primary disclosure. While health care organizations should allowgoal of an Information Sandbox is to allow authorized users authorized users to create, view, modify, and store patientto access data only while it resides within the sandbox records in secure locations, they must also preventlocation. authorized users from distributing those records outside secure locations. In a cases like this, organizations tend to consolidate controlled data within an enterprise application or system, and then implement access and usage controls within that application or system. In this way, Information Sandboxes often correspond with, and/or are reinforced by, natural application and infrastructure boundaries. The need to comply with export regulations governing controlled technical data is another common industry driver for Information Sandboxing. In accordance with regulations such as the International Trade in Arms Regulations (ITAR) (to be discussed in more detail in case study 4), controlled technical data should only be stored and routed on IT infrastructure located on US soil. While the benefit of Information Sandboxing is the ability to contain data within a secure location, sandboxes often need to be combined with other kinds of barriers to enable successful collaboration. An overly broad sandboxing approach, in other words, may impede necessary sharing of data. 3
  • Design Goal Information Lifecycle Classification RequirementsInformation Simple barrier between To prevent sharing Ability to anticipate and Ability to detect and classifyBarrier groups between users control all modes of restricted content, either by communication content or label, in the midst of Usually content aware To segregate communication or sharing roles to prevent Ability to detect restricted Usually not reinforced conflicts of data while in-transit (sent Ability to detect identity traits by natural infrastructure interest via email, uploaded to file for information senders and boundaries, although shares, SharePoint, etc.) recipients infrastructure changes are sometimes mandated by regulationsInformation Boundary encircling user To enable access, Knowledge of core Ability to apply classifications toBoundary groups usage, and sharing applications used to data at rest and during use (at the of data by all create and consume data, point of initial creation, storage, Often multiple, members of a user ability to enforce access and access) overlapping, and group controls within these temporary applications Ability to distinguish authorized users from unauthorized users, Can correspond with Knowledge of and ability based on pertinent identity logical architecture, system, to control the storage attributes application and physical model for controlled data location, or notInformation Boundary containing data To enable Ability to restrict storage, Ability to classify data thatSandbox authorized access creation, and usage of requires sandboxing persistently Designed to be permanent and use while data data within a logical across all stages of the resides within a boundary information lifecycle Often reinforced through logical, physical, or logical architecture, system, Granular control of user Ability to distinguish authorized systemic location; enterprise application, and/ behaviors to permit from unauthorized users based on to contain a or physical location certain actions and block pertinent identity attributes certain class of data others within the sandboxCase Studies from IndustryMost often, policy designers should strategically combine In one of the most highly publicized settlements, in a caseelectronic barriers (Information Barriers, Boundaries, and brought by the SEC, NASD, and NYSE (often referred to asSandboxes) to create precise solutions that effectively the “Global Analyst Research Settlement”), ten of the largestmitigate the risk of wrongful disclosure. Consider the Wall Street firms agreed to pay over one billion dollars infollowing industry case studies. fines for publishing stock research that was manipulated to benefit firms’ and clients’ investment banking activities. Around the same time, as a reaction to public outcry overCase Study 1: Conflicts of Interest in the major corporate scandals involving ENRON, WorldCom, andFinancial Sector others, Congress passed the Sarbanes-Oxley act, also known as the “Public Company Accounting Reform and InvestorInformation Barriers have received the most media attention Protection Act.” This legislation expanded and reinforcedin the Financial Industry, where high profile legal cases reforms called for in the Global Analyst Research Settlement,and legislation have resulted in broad reforms to regulate including requirements to establish oversight boards, ensureconflicts of interest. auditor independence, and prevent “Securities Analyst Conflict of Interest.” 4
  • One outcome of these events is that financial organizations Case Study 2: Intellectual Property in Jointare now tasked with blocking all communication between Venturesthe wing of their organization that provides loans andhandles mergers and acquisitions, and the wing that Another challenge organizations face is protectingproduces securities analysis and research to make buy and intellectual property (IP) in the midst of, or following, asell recommendations on stocks and bonds. The precise period of inter-company collaboration. Consider the case ofconflict of interest to be prevented is where a research joint ventures, common in government projects, Aerospaceanalyst’s objectivity may be tainted by knowledge of and Defense (A&D), construction, and other large scaleongoing investment banking initiatives. The temptation efforts. Joint ventures are common in cases where themay exist to make erroneously favorable or unfavorable technology is multi-faceted and complex, thus requiringprojections in service of investment banking activities the collaboration among entities with highly specialized areas ofanalyst is privy to. To prevent this cross-contamination of expertise. Because joint ventures allow multiple entities touser roles, financial organizations are tasked with physically pool resources and share labor, they empower businesses toseparating departments and preventing the sharing of accomplish together what they could not accomplish alone.information between them. Plus, joint ventures and partnerships can be an especially vital source of entrepreneurial synergy and technical innovation in the formative stages of a business, technology, or industry. On the other hand, many well-known cases attest to the hazards posed from sharing IP with partners, since those partners tend to become eventual competitors. One well-known example is the case brought by Lexar against Toshiba. In 1997, California-based Lexar and Japan-based Toshiba entered into an agreement to share IP while co- developing flash memory technology (the technology behind digital photography, consumer electronics, and other industrial and communications technologies). In a 2005 court case, Lexar sued Toshiba for leaking vital trade secrets to Lexar’s main competitor, Sandisk, with whom Toshiba had formed a subsequent joint venture. The courtTo satisfy these regulations, avoid costly legal battles and awarded Lexar a $464 million dollar settlement.fines, and reestablish public and investor confidence,financial institutions should prevent wrongful disclosureusing two kinds of electronic barriers: Information Barriersto block the communication and sharing of certain kindsof information between investment banking and securitiesanalysts, and Information Boundaries around InvestmentBankers who have access to “insider” information (non-public, unpublished research about the health of financialinstitutions). Investment bankers should be able to create,access, store, or share this information with each otherin authorized ways; however, this information shouldbe inaccessible to securities research analysts, as well asanyone outside investment banking. This solution requiresthe ability to detect “insider” information, control how it isstored and accessed, apply communications controls thatcan detect insider information while in transit, and block To mitigate the risk associated with a case like this one,communications based on the identity of senders and organizations should apply precise and persistent controlsrecipients. to govern how their IP is shared with partners. First, an inter-company Information Boundary should be drawn around users associated with the joint venture. Sharing of IP 5
  • would be permitted within this team, but prevented outside could then also be applied to prevent the communicationof it. When the period of the joint venture is complete, the between teams working on competing clients’ IP. In thisboundary should dissolve and data should no longer be case, users can download client IP and email it to otheraccessible by external partners. The joint venture boundary members within the authorized group. But, a content-awarethus requires controls to be enforced on devices off the main Information Barrier would block Team A from sendingcorporate network, as well as the ability to rescind access emails containing Client A information to Team B (whereasand usage rights when the partnership is complete. Team A could share information regarding other clients or unclassified data, such as Team U in the figure).Next, more highly sensitive IP could be sandboxed so thatit can be controlled even more strictly. By limiting accessto the most sensitive or critical IP, a sandbox would allowauthorized users to perform actions on data only while itresides on the controlled system or location. The Sandboxcould also apply granular controls to allow authorized usersto enter the sandbox and work with data in appropriateways, but block users from downloading to an endpoint,sharing with other users, and so on.Importantly, this combined Information Boundary andSandbox solution would enforce distinct storage andusage patterns for different classes of data: one class ofIP is approved for access, download to an endpoint, anddistribution to partners’ computers, while another morehighly restricted class requires sandboxing. The solution thusrequires classifying data and users, and user classificationsmay need to encompass multiple identity attributes at once:company employees associated with the joint venture,external partners associated with the joint venture, andvarious internal employees granted access to the sandbox.Case Study 3: Customer Intellectual Property inContract ManufacturingAnother kind of wrongful disclosure, common in Finally, an Information Sandbox could be addedmanufacturing services and contract manufacturing, stems strategically, to address two different use cases. One usenot so much from the need to protect an organization’s own case is where another client has more stringent IP protectionIP during or after a period of collaboration (as with case requirements than others, so their data must be storedstudy 2), as from the need to segregate and protect the IP within an Information Sandbox. In this case, client IP canof one or more clients. For example, it is not uncommon for only be accessed and used while it resides on a securea single contract manufacturer to be working with IP from server or within the sandbox application. A second use casemultiple clients who are in direct competition with one (illustrated in the image above), would be a sandboxinganother. Increasingly, to win these contracts, manufacturers approach that is designed to enable broader cross-teammust demonstrate their ability to safeguard and segregate access to a client’s data. It may be the case, for instance, thatall client IP. Oftentimes, this means conducting regular inadvertent disclosure of IP is the main concern, not theauditing and reporting to demonstrate the effectiveness of contamination of user roles. Sandboxing a client’s IP couldprocedures and employee compliance. enable users from different client teams to safely access and handle client C’s data. Because data will never leaveInformation Barriers, Boundaries, and Sandboxes could the secure location, the threat that users will inadvertentlybe combined to effectively protect IP in this scenario. For disclose data (in an email sent to a competitor, for instance)example, an Information Boundary could ensure that only is diminished. Note how this last use case illustrates theTeam A can access and use IP associated with Client A, different goals of designing boundaries around user groupsthe same for Team B and Client B. An Information Barrier versus data. 6
  • Case Study 4: Export ComplianceMany businesses are grappling with the complexity ofexport compliance regulations for controlled technical data.Taking the International Traffic in Arms Regulation (ITAR) asjust one example, regulations tend to prohibit the exportof “Defense Articles,” which typically refers to products aswell as technical data and services associated with thoseproducts. Export to non-US countries without a properexport license constitutes a violation, as well as sharingor giving access to foreign persons, including access byforeign workers on US soil. Routing or storing technical datathrough servers or storing data in file shares located in othercountries can also constitute a violation.Clearly, these regulations present hurdles to businesses thatseek to collaborate and share export-controlled technicaldata across global supply chains, in international trade withoverseas customers, or while manufacturing for foreignclients. Several high profile cases attest to the prevalence ofthis business challenge, including: Organizations trying to pursue business opportunities associated with controlled technical data, whether for global• Boeing (2009), fined $15 million dollars for violations manufacturing, international sales, or military contracts, of the ITAR; found guilty of ITAR Compliance violation tend to have users from multiple countries and data located every other year since 9/11 in multiple locations. In addition, business will often have data that is and is not subject to compliance regulations. In• Lockheed Martin (2008), fined $4 million dollars for ex- fact, for some cases, organizations are dealing with a small porting technical data connected to the sale of Hellfire subset of their business that is subject to export compliance missiles to the United Arab Emigrates regulations, but because of the “contamination” issue and• Northrop Grumman (2008), fined $15 million dollars for the fact that they have employees in multiple locations and export of controlled parts and technology for commer- of varying citizenship, they must properly segregate this cial inertial navigation units small subset of data before conducting other business. For complex cases like these, Information Barriers, Boundaries,• ITT Corp (2007), fined $100 million dollars for exporting and Sandboxes may all be necessary. military night vision goggles to foreign countries First, all data subject to ITAR, for which no export license• Loral Space & Communications Corp., Boeing, and exists, would need to be sandboxed within logical and Hughes Electronics (2003), fined $14 million dollars for physical locations within US soil. This addresses the ITAR exporting satellite launch rocket integration and failure requirement that controlled technical data never be stored analysis services to China; while the satellites were com- or routed through a foreign country without the proper mercial, the launch vehicles were subject to ITAR export license. Second, Information Boundaries would need to be applied to limit access to ITAR data to ITAR-authorizedMany of these high profile violations occurred because users. Creating this Information Boundary can be moresub-components and processes associated with a larger difficult than it first sounds, as it must combine identityassembly are subject to ITAR. Smaller defense articles may attributes for citizenship, current geographical location,“contaminate” otherwise uncontrolled commercial products. and pertinent export licenses. In this case, authorized usersThe inclusion of an ITAR component, no matter how small, would include US employees in US locations and users inwill cause a larger commercial assembly to be subject to other locations with export licenses. Unauthorized usersITAR. Its export, the export of any information about it, the would include US employees in non-US locations, non-USstoring or routing of information about it on servers on employees in US locations, and non-US employees in non-foreign soil, and the sharing of information about it with a US locations (or more simply, those “not in” the authorizednon-US citizen would all constitute a violation. user group). 7
  • Use Case Solution Components Required Solution Capabilities1. Preventing conflicts of Information Barriers across modes of Classification of “Insider” informationinterest in the financial communication and collaborationsector Identification of users based on identity attributes Information Boundary around research (department) analysts to govern access, storage, and usage models Detection of classified data while in-transit Access and usage controls for all applications used to create and modify data Location-based controls to govern where data is stored2. Protecting intellectual Information Boundary around users Classification of semi-critical and critical IPproperty during and after associated with the joint venture, to restrictjoint ventures communication, collaboration, access, Identification of users based on identity attributes storage, and usage (joint venture team, authorized internal users) Possible Information Sandbox to contain Access, usage, and storage controls for all applications highly critical IP used by authorized users to work with semi-critical IP Off-the-network digital rights enforced for semi- critical IP that is downloaded to workstations outside the organization Access, storage, and usage controls for data residing within the Information Sandbox3. Segregating client Information Barriers and Boundaries Classification of semi-critical and critical IPintellectual property separating client teams when there are concerns about segregation of duties, Identification of users based on identity attributes controlling modes of communication, (joint venture team members, authorized internal access, usage, and storage users) Information Sandbox for client IP when Access, usage, and location-based storage controls for added protection is required or to enable all applications used to handle Client A and B data safer cross-team access Access, usage, and storage controls for application or system used to contain Client C data4. Complying with export Overlapping Information Boundaries Classification of ITAR restricted datacontrol regulations allowing US and licensed users to access ITAR data Identification of users based on multiple identity attributes (citizenship, location, applicable export Additional Information Boundaries for licenses) users/locations where there are proper exceptions/licenses Location-based access, usage, and storage controls for all applications used to handle ITAR data within Information Sandbox restricting creation the Information Boundary and storage of classified data to secure US locations Location-based access, usage, and storage controls for applications or systems used to sandbox ITAR data 8
  • Once these groups are mapped out, overlapping Classifying existing data usually entails a discovery processInformation Boundaries could be drawn around the groups for all data stores, servers, databases, applications, and evenso ITAR-authorized users can access both non-ITAR and user workstations. Organizations often handle this throughITAR data, whereas non-ITAR users can access only non-ITAR a batch scanning process that applies classifications todata (note that the example in the image does not factor in existing data based on the results of content analysis, whichthe complexity of export licenses). Finally, a content-aware may consider file attributes (owner, creator, date created),Information Barrier could be erected between authorized content (key words or types), file type, and/or location. Inand unauthorized users to block the sharing of any ITAR data addition to classifying data that already exists, organizationsbetween the two groups. This could be necessary for ITAR may classify data at the point of creation or while data isdata that is exported to a foreign location where a license in transit. This can happen through an automated contentexists, but where there is no Information Sandbox to lock analysis and labeling process that “kicks off” wheneverdata in place. users perform an action (such as save a file, upload to a file share, etc.). Alternatively, classification can be a user-drivenSolution Building Blocks for process where, based on the presence of certain key words, the identity of the creator, and/or the origination or storageImplementing Digital Information location, users are prompted to supply the appropriateBarriers classification themselves.The industry case studies discussed above illustrate how Importantly, once data is classified, these classificationseffective electronic barriers—that is, those capable of should be persistent if data is permitted to move fromblocking wrongful disclosure while enabling appropriate one location to another. Take a scenario where sensitiveforms of collaboration—must be precise and granular client IP is stored in a designated SharePoint site or otherenough to be designed around data and/or users to corporate intranet, which is only accessible to a team ofaccomplish specific, limited objectives. While the solution users associated with that client (similar to the Informationfor each case study differs, together they reveal the basic Boundary discussed in case study 3). The classification ofbuilding blocks of any good electronic barrier solution: that client IP must persist when the data is downloaded to authorized users’ desktops. Without persistence, a “content• Discovery, Analysis, and Persistent Classification of Data aware” Information Barrier could not be enforced, that is, a barrier that blocks the emailing of classified content• Attribute-Based Classification of Users between groups of users, but enables the sharing of other• Flexible Location-Based Controls non-sensitive content.• Centralized, Standards-Based Policy Engine with Elec- Attribute-Based Classification of Users tronic Barriers Support All four case studies discussed above also require the ability• Easy-to-Define Access, End-Use, and Storage Controls to classify users based on their characterisitcs, or attributes.• Enforcement across Multiple Locations, Applications, More complex cases often require the ability to classify and Communication Channels users based on multiple attributes at once (citizenship, location, department, project, and so on), and may also• Persistent Data-Level Controls off the Server or Network require attributes that are housed in different identity stores. For case study 3, in order to determine whether users• Monitor and Audit of Electronic Barriers are authorized, controls must be able to detect whether they are internal employees or external partners, and forDiscovery, Analysis, and Persistent internal employees, whether they are members of the jointClassification of Data venture team or not. In this case, identity attributes of users outside the organization must be collected from an externalAll four solutions discussed in the case studies above identity store, such as the Active Directory of the partneringrequire some means to classify data—in case 1, to designate organization, and then be integrated and applied in controls“insider” information, in case 2, to distinguish between alongside the identity attributes of internal users.sharable IP and restricted IP that must be sandboxed, in case3, to label customer IP, and in case 4, to identify data subject Another example is case study 4, where maintainingto ITAR export compliance regulations and data for which an Information Boundaries for ITAR compliance requires theexport license has been granted. 9
  • classification of users based on citizenship, the presence of Centralized, Standards-Based Policy Engine,export licenses, the location of access, and possible other with Electronic Barriers Supportbusiness attributes, such as team membership or job title.While some of these attributes are likely static or semi-static To sum up the building blocks discussed thus far, an(as in citizenship), others are likely to change or be time- effective electronic barrier solution should be able to:sensitive (as in location and possible team membership). (1) apply data classifications, (2) reference and combineSome of these traits may be housed in a separate application disparate identity attributes, and (3) enforce controlsoutside Active Directory—for example, identity attributes dynamically based on the locations of data and users.assigned to users in a shared Human Resource Management These requirements point to the need for a centralized,System (HRMS), Enterprise Resource Planning (ERP), or standards-based policy management tool. A centralized toolProduct Lifecycle Management (PLM) application. An is necessary so all data classifications, identity attributes, andeffective Electronic Barrier must be capable of referencing location definitions can be gathered and managed withinthese identity stores to evaluate user attributes dynamically one application, by one team, in the same set of policies. Theat the point of policy enforcement. standards requirement ensures that the policy authorization system will be both extensible and compatible with otherFlexible Location-Based Controls authorization tools (the current industry standard for policy languages being eXtensible Access Control MarkupAn effective electronic barrier solution must also be able Language (XACML)).to enforce controls based on the locations of data andusers. Location-based controls should be flexible enough to The authorization mechanism should be externalized fromeither lock data in place (as in a sandbox location), or apply the application logic of the applications where controls arecontrols dynamically to data as it moves across multiple applied. In other words, they should apply to more thanlocations. From within the same policy set, a business may just SharePoint, Adobe Acrobat Reader, or Microsoft Officeneed to enforce certain controls while data resides within files. At the same time, the authorization mechanism mustfile servers and shared network locations, other controls be flexible enough to integrate or “hook into” all thesewhen the same data is downloaded to a user’s desktop, and applications. Ideally, the policy platform should also includeother controls when that data is emailed to an external user built-in support for the kinds of controls that are typicallyoutside the organization. The same is true for the location needed for effective electronic barriers, namely: endpointof users: one control may need apply to a group of users controls, communication controls, access controls for datawhenever they access data remotely, another control when on servers, and pertinent collaborative and enterpriseusers travel outside the country. application controls.This requirement is apparent in all four use cases, but isparticularly clear in use case 2, where an organization Easy-to-Define Access, End-Use, and Storagewants to share data with a partner during a designated Controlsproject period. Highly critical IP may need to be sandboxedwithin a dedicated file share location. Other less critical IP The policy engine should include an easy way to definemay reside within more public company file shares, where all the various actions users can perform in the multipleauthorized users can view, download, and print documents. applications where controls are applied. Another way toWhen data is downloaded to an authorized user’s endpoint, phrase this requirement is that any effective electronicother controls allow users to modify documents, save barrier solution should be business-aligned, that is, capableversions or copies, upload documents to file shares (but not of allowing or denying user requests for the typical workoverwrite originals), and email documents to authorized of a regular business day. Taking the example of actionsusers in the external partner organization. Finally, when that typically happen at a user workstation, this list mightdata is within the possession of that partner organization, include viewing, modifying, printing, copying, emailing,additional controls may need to restrict redistribution performing a save as, and saving to removable media,and modification. In all cases, the solution should be able to even more granular actions, such as taking a screento dynamically detect the location from which an access capture, copying content from a file to the clipboard, andor usage request originates, and enforce the appropriate changing file properties. Beyond being able to apply basiccontrol. 10
  • For both cases, a successful solution must apply consistentWindows desktop controls at this level of granularity, the controls around data as it travels through locations andsolution should also support controls for access on servers, across communication channels. Organizations soonuploading to web portals, and actions performed in discover that enforcing controls within only one location,specialized collaborative applications. application, or channel is much simpler than applyingThe need for controls that can be defined at this level controls consistently as data moves from one location to theof granularity is obvious in the case of Information next. To respond to this requirement, organizations often trySandboxing. While the data location remains static, to implement disparate point-specific solutions, which oftenpermissions to be granted to that data may be highly results in extra administrative work, hampered collaboration,granular, so that the data can be created and viewed, but and the inadvertent blocking of authorized access andnot moved or distributed outside the sandbox location. sharing requests.In case study 3, it would be necessary to prevent anemployee working with the IP of client A to copy data Persistent Data-Level Controls, Off the Serverfrom a sandboxed application into another document or Networkintended for circulation with Team B. Information Barriersand Boundaries also require precision and granularity The ability to control how documents are accessed and usedin how user controls are defined. For example, it may be while they reside in controlled Information Sandboxes ornecessary to prevent users from uploading data to public on the corporate network is one thing; the ability to applyfile share locations accessible by users associated with controls off the server or network is another.other departments (as in case studies 1 and 3). This requirement is illustrated in detail in case study 2, where an organization needs to share data outside the traditionalEnforcement across Multiple Locations, company perimeter in order to enable collaboration withApplications, and Communication Channels outside contractors, suppliers, and partners. Oftentimes, this data should be shared with users conditionally—only forThe case studies discussed above do not specify exactly the duration of a contract or joint venture. In addition, anwhere data is being stored (in file shares, servers, organization may want to apply strict controls to what usersendpoints, web portals and SharePoint, or in which can do with this data while it is outside the organizationcollaborative enterprise applications (such as ERP, PLM, and (permitting downloaded and viewing, but not emailing, forDocument or Content Management Systems (DMS, CMS)). instance).The case studies also do not specify which communicationchannels are being used to share data (email, instant These kinds of scenarios require an electronic barriermessage, web meeting sessions, etc.). The assumption is solution that can apply persistent data-level accessthat the specifics will change from business to business, and usage digital rights, even on devices outside theand that a successful electronic barrier solution will organization’s IT infrastructure. While policies should ideallyneed to apply controls across all the pertinent locations, be managed and distributed by a central policy server,applications, and communication channels. enforcement should not be dependent on constant server connectivity.For example, it may be necessary to control access to ITARtechnical data across several locations at once, as with casestudy 4: data posted to SharePoint, stored on file shares, Monitor and Audit of Electronic Barriersand inserted into SAP, a common ERP application. Or, in a A final piece of an effective electronic barrier solution is thescenarios like case study 1, classified “insider” data should capability to monitor activities, conduct audits, and reportbe stored only in certain locations (a file share where on events. This requirement is easily visible in use cases 1,only authorized users can upload, view, and download 3, and 4, where organizations must run regular reports tofiles). Authorized users may download this data to their demonstrate compliance with financial industry regulations,endpoints, but they are prevented from emailing data to win contracts when clients request proof that their IP willcertain users. be secure, and avoid export compliance fines. An effective 11
  • solution should be able to leverage logs that capture user Administration and management of the policies can beactivity across the enterprise. Reporting tools should also be delegated to the corresponding business stakeholder, asflexible enough to satisfy multiple auditing and reporting well as the Policy Administrator. Additionally, policy objectsrequirements. and audit data can be managed centrally with web-based administration and reporting tools.Audit, monitoring, and reporting features can also beimportant in early planning and implementation stages, Evaluation of policies is performed dynamically, inwhen an organization is trying to understand the best real-time, based on attributes of the information, user,way to design effective electronic barriers. For instance, event, and environment. Information risk management“monitor only” policies may be deployed to audit how data or data security policies, including electronic barrieris accessed and used on file servers, or how it is uploaded policies, can be identity-driven and content- andand downloaded from SharePoint sites. Reports can include location-aware, while also supporting a spectrum ofwhich users are downloading what data, to what locations, enforcement options: allowing or blocking user actions,so that businesses can better understand storage, access, educating users on proper data handling proceduresand usage patterns and what kinds of controls are needed. and applicable policies, and automating workflows and providing other remediations. NextLabs’ central policyAbout the NextLabs Solution for management engine can also leverage identity attributes from multiple data stores, for fine-grained Attribute BasedInformation Risk Management Access Control (ABAC), with out-of-the-box support for endpoints, communications, servers, SharePoint, SAP, PLMNextLabs’ approach to electronic barriers is designed with applications, and’s collaborative challenges in mind. The NextLabssolution helps companies comply with industry regulations Specifically, the NextLabs solution allows companies to:by enforcing and auditing barriers during all stages of theinformation lifecycle. Using NextLabs’ centralized policy • Create Information Barriers, Boundaries, and Sand-management system, organizations can combine controls to boxes to reflect business relationships and use casesdesign and implement Information Barriers, Boundaries, and typical of IP protection, financial regulation, and exportSandboxes to meets their particular industry and business compliancerequirements. • Manage data access, handling, and disclosure withThe policy engine is powered by a standards-based XACML consistency across communication and collaborationpolicy language with built-in electronic barriers support. The channels to prevent improper activities, while notXACML-based policy engine allows easy creation of controls, interfering with “business as usual”in the form of policies or rules, to enable combinations ofvarious types of electronic barriers. A complex electronic • Centralize policy and classification management inbarrier requirement can be implemented using a single a XACML-based policy server, with support for dataset of policies, with fine-grained controls across multiple discovery, content analysis, and persistent classifica-teams, applications, and modes of communication. Both tion, as well as dynamic, extensible integration withbusiness analysts and IT administrators will be able to multiple identity storescreate policy using common business terms and vocabulary • Monitor activities comprehensively (surveillance), sim-to reflect underlying business processes, workflows, and plify auditing, and report violations to prove effectivecompliance requirements. This allows for the creation of policy; Educate users about policies and procedures toa common policy language and fabric for IT and business increase compliance awarenessleaders to collaborate and address complex complianceand risk management objectives. As a result, controls • Apply one set of common policies across and outsidecan be integrated with critical business applications and the enterprise: workstation, server access control, com-applied uniformly to ensure consistent enforcement and to mon enterprise collaborative applications (SharePoint,create a cohesive solution deployed across the enterprise. SAP ECC, SAP PLM) 12
  • • When a non-US user attempts to access an ITAR classi-In addition, NextLabs provides out-of-the-box ElectronicBarrier support, with pre-built policy objects and of an export license, and when lacking, deny the accesscomponents designers can use to construct policies. request; log the attempt for auditing and display anPolicy sets are interoperable and easily customized to the educational user alert.environment to address areas of risk, including the followingareas: File Sharing File Sharing policies apply controls across desktops, servers to limit disclosure. Example policies include:multi-channel communications to apply consistent controlsacross voice and electronic communications applications • Allow account managers of the company’s Japan sub-(IM, e-mail, VoIP, Web conference, etc.). These policies sidiary to upload client account records only to Japanare integrated with strong automation and remediation regional servers.capabilities. Example policies include: • Prevent client team “A” from accessing Merger and• When a chat is initiated over instant messenger be- - share directory used by client team “B” who is respon- matically add a chaperone to monitor the conversation. sible for a competing client.• Deny employees on a Web conference located outside of the region from saving client data distributed elec- About NextLabs tronically. NextLabs, Inc. is the leading provider of policy-driven• - information risk management software for large enterprises. count information outside the region, quarantine docu- ments and initiate approval procedures. compliance and mitigating information risk by helping companies achieve safer and more secure internal and external collaboration, prevent data loss, and ensure properCollaboration authorizations to applications and data.Collaboration policies apply controls across collaboration NextLabs’ partnerships with industry leaders such as IBM, SAP, Microsoft, HCL Axon, Adobe, HP, PTC, and SiemensECC or PLM. Example policies include: bring to market industry-focused information risk• Prevent anyone outside of the research team from ac- management (IRM) solutions that combine industry best cessing unpublished research in designated SharePoint practices with turnkey applications, to meet customers’ document libraries (regardless of access rights delegat- governance, risk, and compliance requirements. ed by SharePoint administrators). To learn more about the products that can support the• When non-EU employees attempt to access and down- precise Electronic Barriers solutions described in this white paper, or contact us at regional regulations and log the attempt for auditing.© 2007-2012 NextLabs® Inc., All Rights Reserved.NextLabs, the NextLabs Logo, Enterprise Data Protection and Compliant Enterprise are trademarks or registered trademarks of NextLabs the United States. All other company, product, or service names mentioned may be the trademarks or service marks of their respectivecompanies. 9-08. 2 Waters Park Drive, #250 San Mateo, CA 94403 USA t: 650-577-9101 f: 650-577-9102 13