Swiss banker and whistleblower Rudolf Elmer (right) gives WikiLeaks founder Julian Assange (left) two CDs that he claims contain information about politicians, business people and multinational conglomerates.[/caption]Compliance has been key in driving companies to invest in digital security. But does heightened compliance always protect sensitive data? In many cases, the answer is no.
One need not look any further than the latest WikiLeaks incidents in which hundreds of thousands of military logs and state department cables were leaked. But WikiLeaks is only one example in a series of incidents in recent months. Transportation Security Administration screening manuals have been posted online, Major League Baseball financials were published and Apple's iPod specs were exposed ahead of time.
Whether you need to comply with HIPAA, Sarbanes-Oxley (SOX) or any other regulations, it is now clear that compliance can be achieved without providing true protection. In fact, compliance is sometimes used as a fig leaf, covering a lack of real document security.
Standard security tools and practices largely deal with controlling the flow of personal information or corporate financials. But while covering some areas, they leave others untouched. For example, take the recently updated Payment Card Industry Data Security Standards that all merchants accepting credit and debit cards must abide by. To achieve compliance, many businesses have used data loss prevention systems to prevent leakage of credit card information and financial data. But these solutions frequently reside at the company's gateway (i.e., between the internal network and the outside world) and cannot prevent the leakage of the same data from an individual outside of the enterprise perimeter.
So, what seems good on paper does not necessarily provide a complete solution. This is because the tech environment has changed in three key areas. First of all, mobile workers are more pervasive. Information lives not only within the enterprise perimeter but also on mobile workers' laptops, iPhones and other devices. Additionally, cloud services are on the rise, which means information can be everywhere. And lastly, the world is more globalized. Many documents that may be highly sensitive in nature need to be shared with partners, customers and contractors across the globe.
To avoid being part of the next major data leak incident, organizations should consider protecting information at the document level because the enterprise perimeter is no longer relevant.
You can equate today's perimeter solutions to the Maginot Line -- a boundary of concrete fortifications, tank obstacles, artillery and other defenses that France constructed along its borders with Germany and Italy in light of its experience in World War I. It proved ineffective, however, as the Nazis simply went around it during World War II, invading Belgium and proceeding unobstructed to conquer France. The Maginot Line may have been "compliant," but it was not effective.
The lesson is that while the perimeter should be protected, so should the area beyond it. Specifically, companies should look into the latest in encryption and digital rights management (DRM) technologies. With this, it is possible to control documents throughout their life cycle. As such, an organization can prevent documents from being forwarded to unintended recipients (either maliciously or by accident), burned onto USB thumb drives and removed, printed or copied. These technologies even offer ways to wipe out documents after they have been shared, preventing further massive data leaks.