When Content Crosses Firewalls

By Mike Clarke posted 02-19-2011 17:33



Documents cross firewalls all the time, as downloads from web sites, portals, FTP sites, email attachments, etc.

Why should a CIO worry about this?

It’s under control, right? After all, the networks and desktops are locked down tight, right? In actual fact, I’ll bet they are locked down so tight that people can barely get any work done, and it takes months of costly project overruns to get anything done because of the complexity of setting up network security, Web filters, reverse proxies, etc.

Like many countries, companies are dealing with the threat or opportunity of new technologies such as social networks, which enable the viral spread of information. So which is it: threat, opportunity or both?

First: what is a firewall? (From Wikipedia)

“A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria.”

However, from an application perspective, it prevents pretty much anything from happening across the network without a lot of effort.

So, on to the Opportunity section… We have all heard the hype about how social networks and Enterprise 2.0 will open the enterprise and help the spread of information, increase job satisfaction and enhance productivity. Pardon my “yawwwnnn…” at this point. It has been said for pretty much any new computer application; otherwise, who would spend money on it?

But… it does have some amazing effects. Who would have expected the net effect of social networks, mobile devices and totalitarian regimes? I must admit the thought had crossed my mind, but I didn’t expect it to happen so dramatically. And as the Prime Minister of Canada, Harper, said: “You can’t put that toothpaste back in the tube”.

From our perspective, in democratic countries, that was an exciting and joyous moment. In other, totalitarian regimes, it was a warning shot and a rationalization for information control.

But, wait a second, aren’t companies and government agencies totalitarian? They are not democratic, although many like to manage by collaboration and consensus, and ultimately depend on a hierarchical command and control structure. Well, yes, they are totalitarian in nature and they are obsessed with information control and security.

Having said that, some organizations are showing marketing and PR savvy by utilizing a carefully guided and crafted social network presence.

The viral effect of social networks is like Karma at the speed of light.

“Our deeds determine us as much as we determine our deeds.”

~George Eliot

Things do not spread or gather social momentum unless they are attractive to others and/or serve the purpose of another. So, companies can post the same ol’ on social networks and it will just sit there and do nothing, or they can do really cool things on social networks.

In order to get content across a firewall to a social network, someone needs to post it. That is how things happen on traditional corporate portals and websites. It goes through a committee-like process, gets approved and published, and is then sent out for public consumption. One small problem with that, or huge problem with that… depending on how you see it. It won’t work very well with social networks because it is not participatory. The organization’s people can’t participate, make witty comments, make mistakes, say inappropriate things, or accidentally (or on purpose) “out” sensitive information. That is what social networks are all about: the organic, fast-moving, self-managed, self-directed communal mentality with the attention span of a gnat.

The threat? Yes, there is a very real threat of leaking or exposing information inappropriately, WikiLeaks being the poster child for the effect of leaking information. There is also the very real issue of exposing information assets and networks to black-hat (bad guy) hackers. There are lots of random lone-wolf, organized crime and organized government hackers out there. It is a sad fact that networks do need to be over-secured.

However, the greatest threat is from those persons inside the organization. There is the classic disgruntled employee, industrial spy plant, government leaker and accident-prone or sloppy employee with a password written on a sticky note on their monitor.

I think we would all be able to relax just a little bit if as much attention were paid to task analysis and information security across the organization as is paid to efficiency studies in the supply chain.


This is what I mean: Study the information flow in the organization to see who does what to which pieces of information. Then define the security requirements for each piece (even subparts) of information at the task level in each work flow, even ad-hoc ones. Then choose the right technology that will enable you to assemble and secure this information for the various outputs you require. Then set up pilot programs to prove it out, and then apply it in the most critical areas.

So, you say you have already done this? BS, I say. What if you were to copy a sensitive piece of information to a wikileak site or USB drive? Can anybody read it, or do you need to decrypt it? Do you even delete the content when the retention policy says to, according to internal policy and regulation? Do you or your organization even know, or have you defined, what that is? I doubt it. Not many have.

Most organizations are sitting ducks. It is time to smarten those ducks up. Then and only then can you be sure accidents or intentional breaches don’t happen and people can feel safe about sharing the information they should. This will create a more open and nimble organization. That is, unless you just say you don’t need the analysis in the first place and just lock everything down…
