The string of recently disclosed breaches, combined with privacy legislation, has organizations, especially those in the financial, healthcare and government sectors, on constant defense against threats. They are held to the highest compliance standards for safeguarding sensitive information and communications, and they are concerned about security policy enforcement. Every industry holds mountains of data, from desktops to the data center, but few actually know which data is confidential, who has access to what data, and what users are doing with it.
While organizations of all sizes are using a combination of technology and policy to lock down their systems, IT and security professionals continue to struggle to implement new ways to effectively ensure they are protecting sensitive, classified and/or private information and addressing rigid disclosure requirements.
A secure information-sharing environment requires an architecture that is able to enforce rules, policies, privileges, and configurations without compromising ease of use. That means building a policy-based architecture that can control access and protect data across the entire network, while still enabling collaboration through the familiar Microsoft Windows operating environment, common Microsoft Office tools, and standards-based network infrastructure elements.
The Current State of Email Security Policy
In Executive Order 12958, the President mandates the marking and classification of emails and documents. The Federal Information Security Management Act (FISMA) places the onus squarely on agencies and their partners to develop information security risk assessments and mitigation strategies. As part of FISMA compliance, agencies and departments must implement ways to classify and categorize their information.
In the United Kingdom, the Government Protective Marking Scheme (GPMS) requires that broad classes of government-generated information be marked with an appropriate security marking and handled appropriately. The Australian government has taken a more direct approach with government email. The Australian government Email Protective Marking standard requires that all email originating in federal agencies carry protective markings.
These strong security policies have been driven by a number of factors in recent years, including high profile incidents of data leakage, as well as new compliance requirements stemming from the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Within the last two years, there have been several high profile incidents of information leakage in the public and private sector. The May 2006 case of the United States Veterans Administration is one of the best known: a database containing the names, social security numbers and dates of birth of more than 26.5 million veterans and their families was stolen. It was found that an employee had violated policy and brought this information home.
What should be of concern is that, realistically, only a small number of incidents are ever recognized or reported. But the business costs of such leaks are immense. One survey from the Ponemon Institute reported that the average cost per leak is $4.8 million. A recently introduced bill in Massachusetts requires companies leaking personal data to assume any fraud-related costs and identity theft-related expenses.
Against this backdrop, organizations are relying heavily on not only technology, but corporate security email policies which are implemented via the “honour system.” That is, all employees are expected to read, understand and acknowledge their company’s security policy at regular intervals. In reality, the majority of issues originate at the user-level and enforcement mechanisms meant to ensure compliance are rarely implemented. Understandably, executives are increasingly concerned about how to enforce policy to meet compliance legislation, and share information securely while maintaining productivity and ease of use.
Best Practices for Security Policy Enforcement
Developing a solid process surrounding email use and access is one step in a many-pronged approach to protecting the email infrastructure. To take security policy from a lifeless written document which employees may or may not follow, organizations need to be proactive in putting security policy front and centre. The key is to actually enforce security policy at the user level so that individuals make decisions and take action in a way that contributes to, rather than damages, the security and privacy of confidential or sensitive information.
The majority of information travels by email and it tends to be a weak link in security, so it provides an excellent example of how to incorporate security policy into user behaviour. Protecting vital information in emails and attached documents is imperative to prevent the following high level threats:
1. User accidentally sends an email or document to a user outside the organization
2. User intentionally attempts to email document to unauthorized user for profit or revenge
3. User stores sensitive information on their own personal hard drive
When sending or receiving email, users need to think ahead: Is the information sensitive, private or confidential to the enterprise? How should I handle or distribute this information? Can it be sent outside the enterprise? Often, users on the receiving end of email have no way of measuring the sensitivity of the information. Without an enforceable organizational classification policy, users will often make mistakes when deciding on the proper handling of information.
Enforcing Email Security Policy at the Desktop
Policy enforcement for content protection against inadvertent disclosure of sensitive information starts with user awareness and education. The challenge is to implement a written policy in a way that makes it part of the user’s corporate culture. Organizations need a way to instil user awareness and raise security-consciousness without changing behaviour.
Once security policies are in place, one way to ensure that all users are better informed of security policies and will take proactive actions to prevent and minimize security incidents is through email labelling or classification by the end user at the desktop.
Policies written by the industry and enforced at the desktop with labels can be a powerful and easy way to implement change immediately. Email classification tools or labels can force users to select classification labels for their message or document based on organizational policy. And who better to understand the sensitivity of the information than the author?
With forced labels, users will not be allowed to send email or save a document until a label has been assigned to the content. Labels have properties that once assigned, become part of the email or document and cannot be altered by the user. This ensures that all users will be aware of the sensitivity of information.
Information labels clearly identify the existence of confidential and sensitive information in email and documents. Just as a print version of a classified document is stamped, users can quickly identify the sensitivity of information in email or electronic documents by looking at the visual labels. This way, they are less likely to mishandle or incorrectly distribute the information resulting in less inadvertent disclosure of sensitive information. By forcing the application of information labels before emails can be sent, or documents can be saved, organizations can enhance information handling for privacy compliance and provide a means to implement existing corporate classification policies.
Leveraging existing infrastructure to enforce policy
The concept of layered protection is now fairly commonplace and is a widely recommended approach by consultants, auditors and IT professionals. There is a general understanding that a company needs extra layers to build a fortress.
For customers using digital rights management systems such as Microsoft Rights Management Services (RMS), classification tools can enable administrators to associate classification levels with enforceable rights management policy. These policies can then restrict the distribution, printing or retention of email. For instance, RMS could automatically restrict the forwarding of an email based on the original classification assigned to the message.
Today, users get confused and don’t know which PKI or encryption to use. By selecting a label from a pre-built menu, users automatically apply S/MIME, DRM or encryption based on the selected classification label. Users only need to understand the sensitivity of the information. How that information is handled can then be automated by the label to invoke third party encryption or archiving software. Overall this minimizes training, facilitates adoption and enforces organizational policy simply and easily with labels.
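As an added illustration (not code from the article, from Titus Labs or from any product it mentions), the gateway-side check below applies the two ideas above: an outbound message with no classification label is refused, and once a label is present it alone decides the handling, blocking the accidental external send of threat 1 and routing confidential mail to encryption. The header name X-Classification, the domain example.com, the label vocabulary and the sample messages are all assumptions constructed for the example.

```python
import email
import email.utils

# Assumption: the desktop classification tool stamps the chosen label into an
# X-Classification header (hypothetical header name, not a real standard's).
INTERNAL_DOMAINS = {"example.com"}          # constructed: the organization's own domain

# Label vocabulary and the handling each label requires (constructed policy).
POLICY = {
    "PUBLIC":       {"external_ok": True,  "encrypt": False},
    "INTERNAL":     {"external_ok": False, "encrypt": False},
    "CONFIDENTIAL": {"external_ok": False, "encrypt": True},
}

def recipient_domains(msg):
    """Collect the domain part of every To/Cc/Bcc address on the message."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = email.utils.getaddresses(headers)
    return {addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr}

def check_outbound(raw):
    """Return (verdict, reason); verdict is one of 'send', 'encrypt', 'block'."""
    msg = email.message_from_string(raw)
    label = (msg.get("X-Classification") or "").strip().upper()
    if label not in POLICY:
        # Forced labelling: nothing leaves until a valid label is assigned.
        return "block", "no valid classification label"
    rules = POLICY[label]
    external = recipient_domains(msg) - INTERNAL_DOMAINS
    if external and not rules["external_ok"]:
        # Threat 1 from the article: labelled content addressed outside the organization.
        return "block", f"{label} mail addressed to external domains {sorted(external)}"
    if rules["encrypt"]:
        # The label, not the user, selects the protection to apply.
        return "encrypt", f"{label} requires encryption before release"
    return "send", "policy satisfied"

# Constructed sample messages exercising each branch.
SAMPLES = {
    "unlabelled":    "From: a@example.com\nTo: b@example.com\nSubject: notes\n\nhi\n",
    "leak":          "From: a@example.com\nTo: Bob <bob@partner.test>\n"
                     "X-Classification: Confidential\nSubject: q3\n\nnumbers\n",
    "internal_conf": "From: a@example.com\nTo: b@example.com\nCc: c@example.com\n"
                     "X-Classification: CONFIDENTIAL\nSubject: q3\n\nnumbers\n",
    "public":        "From: a@example.com\nTo: press@news.test\n"
                     "X-Classification: PUBLIC\nSubject: release\n\ntext\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {check_outbound(raw)}")
```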
Email classification has become a necessary first step, as part of a bigger plan. Solutions need to be compatible with existing legacy products and easy to use so they can be adopted.
Conclusion
Organizations around the world are increasingly concerned about email security policy enforcement due to high profile cases of information leakage and regulatory requirements. We know security policy needs to go from a static set of policies which are merely read, to an active level that raises user awareness, where users continually must assess the information they are distributing. Email classification provides a starting point for organizations looking to enforce security policy at the individual user level, and proactively diminishes the risk of non-compliance or information leakage for their industry.
About the Author:
Tim Upton is the president of Titus Labs and a frequent speaker and author on security trends and issues. He can be reached at tim.upton@titus-labs.com.