Industry Trends

When Security Meets Information Governance

By Evan Schuman | October 08, 2015

Email has been in the news a lot lately, occasionally regarding phishing and recent attacks, but more often as a persistent talking point in the run-up to the 2016 presidential elections. Politics aside, though, email is a sticky wicket. It's used almost universally in enterprise settings in both business and the public sector. But consider the fun, geeky issues here. What are the implications when an e-mail is sent and it contains nothing classified or sensitive, but it becomes classified months later? Even better, let's say it's a lengthy e-mail memo and the recipient sees it and forwards it to five colleagues for analysis and feedback. What if one minor bullet near the end of the message was classified and no one flagged that?

The problem—which directly relates to enterprise IT information governance conundrums—is that people rarely compartmentalize well. There are conflicting rules here. There's a rule that government communications must be properly archived, with an eye on eventually being shared publicly. There are also rules prohibiting political—and especially donation-related—e-mails from being on government servers. This forces senior officials to maintain two e-mail accounts—one personal and the other governmental. The same thing happens outside of government agencies, where business users often find the line between business communication and personal email blurring or just can't be bothered to maintain multiple accounts.

What happens when someone wants to communicate a message and it includes a governmental message ("The military base negotiations with Australia have run into a problem. How should we resolve this?") and a political one ("By the way, when do you plan on leaving the charity fundraiser on Sunday? I'm buying two tables. Can I grab you for 10 minutes to review Australian negotiating points?")? Which e-mail address should they send it to? It doesn't seem to matter, as it will violate some rule regardless of which one they use. More to the point, people can—to a limited degree—control what they send, but they have almost no ability to control what other people send them.

Is it time for enterprise IT to use software that enforces rules, which humans are notoriously bad at handling? What if all data points—not documents or e-mails, which can include lots of information of varying sensitivities—were given security classifications? And what if all employees and contractors and partners (manufacturers, suppliers, distributors, external salesforce, etc.) were also assigned classifications?

The potential for sidestepping some of today's most common corporate communications glitches is intriguing. Gone would be the days of typo-driven errors sending sensitive data to an unintended party. (That is, unless you're unlucky enough to have accidentally typed in the name of someone who happens to have the right classification. In that case, you're toast.) The system would not allow Top Secret data to be sent to someone who doesn't have a Top Secret clearance.

Printers would also have limits, just as the government does. A printout of salaries could only go to a printer behind a locked door that can only be opened by an employee with appropriate clearance. Alternatively, the sensitive message could go to any printer, but the printer would hold the message in its buffer and not print it until someone enters an access code into the printer.

Such a system could also deal with information that was not considered sensitive when it was sent two days ago, but now is. (Example: A lawsuit was filed yesterday that suddenly makes seemingly innocuous text and e-mail exchanges from a year ago very problematic.) When such a security classification was upgraded, any employee/contractor whose security level is no longer high enough would have that message blocked or deleted.

This after-the-fact attempt at sanitization would certainly have its limits. First, it can’t deal with employees who have already read the message and remembered it. (Unless your CIO can get some of those neutralizers from the Men In Black films.) Secondly, once messages are shared with people, they can be copied and placed beyond IT's ability to take back, such as being synched to a mobile device, sent to a personal device at an employee's home, or backed up to a backup drive or a third-party cloud-based backup service. It's true that sensitive information can be restricted from such transfers, but this example speaks to moving data before it's classified.

What this is really about is letting companies—through IT—try and regain control of their intellectual property. The government problem here is an extreme example of a very familiar 2015 enterprise problem: Bring Your Own Device (BYOD). As devices—especially mobile devices—are simultaneously including corporate and personal data, separations are getting almost impossible to enforce.

So instead of trying to segment data as personal and business, why not segment it as sensitive and not sensitive? A flurry of work emails about which restaurant to use for the staff lunch on Thursday is not sensitive and an employee's personal finance program is highly sensitive.

With that in mind, what is the biggest obstacle to getting BYOD programs to work? It's the absence of full employee cooperation. That's because the employees see little benefit to cooperating, as punishment for not cooperating is rarely inflicted. (Why? Because your boss is probably also not cooperating—but that's another story.) By offering to help the employee protect their most sensitive personal data, the carrot part of the carrot-and-stick dance becomes stronger.

We still have a fundamental hurdle: how to identify references to something classified Top Secret. That's relatively easy to do after the fact, but it's much more challenging for software to identify in real time. As mentioned earlier, humans are notoriously terrible at self-compartmentalizing. Therefore, in an e-mail primarily about choosing that restaurant, the software must be able to find sensitive references. "Given that we have two fish allergies on the team, let's go for The Garlic Rose. I certainly don't want anyone sicker than necessary as we're discussing selling out to Acme Conglomerate for only $2.5 billion."

Keywords would be a fine start, but intelligent contextual searches would be infinitely superior. It could also factor in the classification level of the sender. If Employee 1234 is authorized to know Top Secret information, there's a much better chance her outgoing messages might contain such data. But the system would also have to recognize unauthorized employees gossiping. ("Did you hear that Acme Conglomerate is preparing to buy us for $2.5 billion? I overheard our EVP mentioning it in the lunchroom.") Even worse, the system using keywords could incorrectly flag something as Secret—and unintentionally reveal data to an unauthorized party. ("This message could not be sent because it appears to contain Top Secret data.") To the extent that would serve as confirmation that something is indeed up with Acme Conglomerate, the SEC could be very unhappy.
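The scheme described above, as an added sketch that is not from the article or any product: labels sit on individual data points, a send is checked against each recipient's clearance, a later upgrade pulls delivered copies, and a blocked send returns one neutral notice that names no level or topic. The `Level` values, `Mailroom`, `Message`, `NOTICE` and the sample names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):  # assumed four-level scheme; the article names only Secret and Top Secret
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2
    TOP_SECRET = 3

# One wording for every blocked send: it names no level and no topic.
NOTICE = "Message held for review."

@dataclass
class Message:
    points: dict  # data point text -> Level; labels sit on data points, not the message
    delivered_to: set = field(default_factory=set)

    def level(self):
        # A message is as sensitive as its most sensitive data point.
        return max(self.points.values(), default=Level.PUBLIC)

class Mailroom:
    def __init__(self, clearances):
        self.clearances = clearances  # person -> Level

    def cleared(self, person, need):
        # Unknown or mistyped recipients get the lowest clearance.
        return self.clearances.get(person, Level.PUBLIC) >= need

    def send(self, msg, recipients):
        """Deliver to cleared recipients only; return (delivered, notice)."""
        ok = {r for r in recipients if self.cleared(r, msg.level())}
        msg.delivered_to |= ok
        return ok, (None if ok == set(recipients) else NOTICE)

    def reclassify(self, msg, point, new_level):
        """Upgrade one data point; return who loses access to delivered copies."""
        msg.points[point] = max(msg.points[point], new_level)
        revoked = {r for r in msg.delivered_to if not self.cleared(r, msg.level())}
        msg.delivered_to -= revoked
        return revoked

if __name__ == "__main__":
    room = Mailroom({"evp": Level.TOP_SECRET, "analyst": Level.INTERNAL})  # constructed
    memo = Message({"lunch at The Garlic Rose": Level.PUBLIC, "Acme offer": Level.INTERNAL})
    print(room.send(memo, ["evp", "analyst"]))
    print(room.reclassify(memo, "Acme offer", Level.TOP_SECRET))
    print(room.send(memo, ["analyst"]))
```

Revocation here only covers copies the system still tracks in `delivered_to`; anything already synced or backed up elsewhere is outside its reach, which is the limit the article notes.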

There's a reason that so few enterprises are deploying meaningful information governance systems. They are so difficult to get right and so incredibly easy to do poorly. The technology is maturing rapidly, though, and is worth a second thought before you accidentally send your product plans for next year to a competitor—or a reporter.