Securing data simply by defending the network perimeter is no longer enough to satisfy the law. IT departments need to consider a different approach.
Protecting personal data is an emotive subject that's long been an issue for CIOs. It became an even bigger concern when UK data privacy watchdog the Information Commissioner's Office gained the power in 2010 to impose fines of up to £500,000 ($800,000) for breaching the Data Protection Act.
But breaches that affect commercially sensitive and secret information get less attention. That's surprising because such incidents can result in companies being sued for breach of contract and directors facing action for breaching their fiduciary duties.
UK data protection law is based on eight principles and requires companies to take "appropriate technical and organisational measures" to protect personal information.
Against that, the law of confidentiality, which applies to commercially sensitive or secret information, is a common law right based on precedent and has not been codified. Consequently, people tend not to understand it so well, although the principles are easily stated.
This approach to protecting confidential and personal information is logical. It allows the law to remain flexible and relevant despite rapid changes in the technology industry.
The result is that regulators and enforcers have to take a purposive approach, which may appear quite subjective, when they decide whether appropriate protection has been provided.
The trouble with this approach is that it is relatively easy to apply in retrospect but not so easy to use when drawing up requirements. Furthermore, rapid tech changes can make solutions that are satisfactory now seem totally inadequate in six months.
These factors create a further dilemma for CIOs, particularly when faced with increasing demands to make information mobile, allow for technology convergence and permit the use of personal devices and develop BYOD-friendly policies. They need to rethink the underlying approach to securing information.
Meeting regulatory requirements
It's clear that an approach to securing information that relies solely on defending the network perimeter will not now meet the regulatory requirements.
Hackers have succeeded with attacks even where strong network security is in place, such as in government networks. These attacks show that a perimeter-based strategy will not be sufficient to meet the needs of most networks.
So, we should be looking at the fundamental requirements of information assurance to deliver the confidentiality, integrity and availability of information, and where the information is communicated, to be able to verify the source.
Reversing the approach and concentrating on securing the information makes allowance for the possibility that the network may be compromised and focuses attention on the value and importance of the information itself.
The information owner is the person most likely to understand the harm that might be caused if the information is disclosed, deleted or corrupted. So the information owner should also be empowered to make a decision on the level of protection a piece of information requires while it is held by the business.
Like the law itself, protecting information as an asset allows for a more flexible approach to technological development.
Inside-out approach to data security
So an inside-out approach meets two key requirements of the regulatory environment. First, it allows the technical approach to remain relevant regardless of changes to the platform and applications used for the processing of that information.
That flexibility allows the IT department to meet demands for system and network improvements while reducing the risk that these changes will expose the company to accusations of failing to take adequate steps to protect information.
Secondly, employees will require education on the allocation of appropriate levels of security to the information assets. This training will go part of the way to meeting the organisational requirements of the data protection legislation.
In doing so, we may have to accept that the default position will be to overprotect information. But in the context of the heavy fines and the reputational damage that occurs in the event of a breach, that overprotection should be seen as the preferred option.
Of course, companies could remove the decision from employees and take the approach of enforcing the highest level of security to all information assets in all circumstances. But that measure may overburden the system and can have a wider impact on the business.
Securing information does not remove the need for perimeter defences, but it should form the key part of a comprehensive security strategy.
Encrypting information and using digital certificates meet the security needs of all stakeholders while the data is at rest and in transit. When the information is being processed it is much harder for an unauthorised person to access, alter or publish it, and this is also the area where intrusion-detection and prevention systems are more capable of providing adequate protection.