Flexible Reality: A Proud Member of the Reality-Based Community

Wednesday, October 19, 2005

A Good Judge of Character
By Peter Coffee
October 10, 2005
OpEd - eWeek

Systems need to know suspicious content when they see it.

I can't define "suspicious traffic," but I know it when I see it. Unfortunately, this human test—with apologies to the late Justice Potter Stewart, who famously applied it to pornography—does not scale cost-effectively to enterprise volumes of potentially sensitive information that requires controls on access or exchange.

The future of corporate and personal reputations (not to mention the growing danger of legal penalties) therefore depends on our devising and deploying systems that can automatically characterize information, in context, and tell us when something doesn't look right—without getting in the way of doing our work.

We can't depend on perimeter defense because both innocent misdirections and malicious leaks are often the acts of authorized parties. We can't depend on data protection policies or employee training because many problems result from user error. We can't rely on firewalls, anti-virus or anti-spam products, or other generic tools because they protect against what's intrinsically bad—not against what's merely inappropriate in specific situations.

"The current approaches are threat-centric," said Sharon Besser. Besser, a senior director at PortAuthority Technologies, said that "virus threats and spam threats are very similar from one organization to another, but content is quite different. You and I both have contracts, we both have trade secrets, but those similar things are in quite different-looking documents."

What's needed, Besser continued, is an information-leakage detection process that doesn't generate lots of false positives and doesn't interfere with business processes. Sensitivity to users' roles is critical, he added: A human resources manager may often refer to Social Security numbers, while a physician may need to discuss prescriptions for Viagra. Neither should have messages discarded or delayed by blanket rules concerning disallowed information types or because of generic lists of blocked keywords.

From where I sit, it's clear that getting data under control requires automation: We can't afford to put more people on a non-value-adding task, and human error is itself a big part of the problem. It also requires transparency: Users will find a way around any system that adds to their workload without adding to their output.

Most difficult is the requirement of an in-depth approach that looks at what's actually crossing the wire, without relying on falsifiable indicators such as file name extensions. Users find and share the shortcuts that let them get their jobs done more quickly—even though the same shortcuts can also be used invidiously.

In an environment where any user can get expert advice in a matter of seconds, perhaps with a few more minutes to download or to learn to use the necessary tools, no single method of protecting information is likely to hold up for long. What's needed is a multivectored approach. For example, sensitive documents can be "fingerprinted," to use PortAuthority's term for its application of multiple hash functions.
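To make the fingerprinting idea concrete, here is an added sketch that is not from the article and is not PortAuthority's method, which the column does not describe. It uses one hash (SHA-256) over overlapping word shingles, a common content-matching technique, and inspects the text itself rather than a file name; the shingle size, threshold, document names and sample messages are all constructed assumptions.

```python
import hashlib
import re

K = 5  # words per shingle (assumed value, tune per corpus)

def _words(text):
    # Normalise case and punctuation so trivial edits do not change hashes.
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text, k=K):
    """Return the set of truncated SHA-256 hashes of every k-word shingle."""
    w = _words(text)
    return {
        hashlib.sha256(" ".join(w[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(w) - k + 1)
    }

def overlap(registered, outbound_text, k=K):
    """Fraction of a registered document's shingles seen in outbound text."""
    if not registered:
        return 0.0
    return len(registered & fingerprint(outbound_text, k)) / len(registered)

def inspect(outbound_text, registry, threshold=0.3):
    """Names of registered documents whose overlap meets the threshold."""
    return sorted(name for name, fp in registry.items()
                  if overlap(fp, outbound_text) >= threshold)

# Constructed sample data: one registered document and two outbound messages.
CONTRACT = ("The supplier shall deliver four hundred units per quarter at the "
            "agreed price and shall not disclose the pricing schedule to any "
            "third party without prior written consent of the buyer.")
REGISTRY = {"supplier-contract": fingerprint(CONTRACT)}  # only hashes are kept

LEAK = ("fyi, pasted from the attachment i renamed to notes.txt: the supplier "
        "SHALL deliver four hundred units per quarter at the agreed price and "
        "shall not disclose the pricing schedule to anyone")
BENIGN = "Lunch is at noon on Thursday; the supplier meeting moved to Friday."

if __name__ == "__main__":
    for label, msg in (("leak", LEAK), ("benign", BENIGN)):
        print(label, inspect(msg, REGISTRY))
```

Because the registry holds only hashes, the inspection point never needs a copy of the sensitive text, and a partial excerpt still matches even when the file name or extension has been changed.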

The final step, of course, is management visibility into indications of error or abuse. I guess that brings us back to Justice Stewart's rule. To know it, you have to be able to see it—but at least we can hope to get a higher-level view.
