Securing information in a paper-efficient environment

Phil Greenwood, Iron Mountain

Computer Fraud & Security, March 2012

A secure, IT-based paperless office has been ‘just around the corner’ for the past four decades. For many businesses, however, the prospect of replacing paper documents with digital files can be a daunting one. Paper is deeply embedded in our culture: since our ancestors started trading, we have relied on physical records. Many business processes and information management systems have been designed around paper, and even the most technologically minded may well print out the occasional email or Word document to read on the train home. Removing paper is therefore a huge operational and emotional challenge for many organisations, and may explain why the supposed utopia of the paper-free office has yet to materialise.

The price of paper

However, staying in our paper-centric comfort zone comes at a price. Paper is easy to lose and difficult to track. A printed document can’t tell you who has seen it, who has handled it, how many times it has been copied or where all those copies are. That can leave a business immensely vulnerable to the loss of valuable or sensitive data – and exposed to the risk of breaching the increasingly stringent UK and European data protection laws. Another downside of all that paper is the difficulty of accessing the knowledge locked within it. Many paper-centric organisations don’t know what they know, and in today’s fast-moving, increasingly technology-enabled, global business environment, that could have long-term implications for competitive advantage. In short, businesses can no longer afford to be so totally dependent on paper.

For many businesses, the continued use of paper sits – sometimes uncomfortably – alongside an explosion of digital information, including emails, electronic documents, spreadsheets and social media communications. Information can move between physical and digital formats during its lifecycle, often existing in both forms at once.

Things aren’t going to get any easier. The volume and complexity of information processed by companies is growing rapidly: according to the Association for Information and Image Management (AIIM), businesses hold ten times more information now than they did five years ago. Taking control of all that information – including paper – is now a business-critical priority. However, many companies don’t know where to start, and the longer they wait, the bigger the problem becomes.

Digitising documents

This is where digital scanning comes in. ‘Digitising’ involves making an electronic copy of a document in such a way that the information contained in it becomes more accessible. Digital files also take up a fraction of the storage space of all those paper folders. Seemingly, it is such an ideal solution that some businesses can be tempted to rush headlong into a ‘scan everything’ mentality, but that is often extremely expensive, time-consuming and probably unnecessary. Companies should step back and take a considered, practical ‘hybrid’ approach that encompasses both paper and digital records and gradually shifts the company away from an overdependence on paper into a managed situation where paper archives and scanned records can coexist.

The first step is to shrink the problem. This involves auditing and segmenting the company’s information. Organisations need to differentiate between important or frequently used information and less important, unused or redundant information that can be archived with a retention schedule or securely destroyed. Companies need to know where all their information is and what format or formats it exists in. This process will help companies to allocate resources and attention efficiently.

The second step should be to make digital copies of those documents identified as the most important. A digital one-size-fits-all solution just won’t work. Conventional wisdom says: ‘Make all documents available digitally, shred the paper and you’ll have a fully paperless office’. This approach invariably leads to over-investment in digitising documents that are unlikely ever to be accessed. So rather than a digitise-all approach, the focus should be on understanding how information should best be accessed and used, and then investing first in the digitisation of documents you need to access frequently. Whether this is done by an in-house scanner or a trusted third-party supplier, digitisation should aim to extract, index and validate the relevant customer information, employee knowledge, business intelligence and innovation locked up in the paper documents, identifying synergies between them and making the information available to the employees who require access. Data can feed directly into automated processes such as invoice management. It can help improve security, productivity and efficiency. Keywords and meta-tags can be ascribed to scanned documents, making content easy to find and retrieve.

Security benefits

If the benefits of digitisation in terms of information access are easy to see, so too are the advantages in terms of security. Digitised information can be protected by controlling access or distribution, and by ensuring that any activity or amendment is tracked to form a comprehensive ‘chain of custody’. In other words, with a digital file you can track its journey through the business and its full lifecycle, from creation or receipt through use and storage to eventual secure destruction. That audit trail is only as trustworthy as its own protection: it must be written to a store that the users being audited cannot alter or delete, otherwise it records only what they chose to leave in it.

An efficient and well-designed information management programme that combines digitisation with an appropriate paper management and archiving process will therefore make a significant difference to the way in which a business uses and secures its information. However, on its own it will not be enough. To really release the value from information, and to protect data from exposure or loss, businesses must develop and implement robust policies for information handling. Every employee should understand what these are and commit to a culture of accountability.

Research shows that, at present, responsibility for information management is often spread across a number of departments or business areas, with no one in overall control or with a single view of what is happening across the organisation. This makes it very difficult to develop and implement appropriate guidelines. To minimise data loss incidents, overall responsibility should be given to one person or department with the skills and authority to manage, maintain and dispose of data securely. This should be complemented by individual accountability, with everyone knowing how to handle documents in a tightly controlled, secure and accepted process that covers the lifecycle of paper documents as they pass through the organisation.
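The lifecycle tracking described above can be made tamper-evident rather than merely recorded. The following Python example is added here and is not code from the article or from Iron Mountain; the lifecycle event names, the actor names and the sample invoice text are assumptions constructed for illustration. Each log entry commits to the hash of the previous entry and to the hash of the document content at that moment, so altering or deleting any earlier event breaks every later link.

```python
"""Tamper-evident custody log for a digitised document.

Added example: not code from the article or from Iron Mountain.
The event names, actor names and sample document are assumptions
constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

# Hypothetical lifecycle vocabulary, following the article's
# "creation or receipt -> use -> storage -> secure destruction".
LIFECYCLE = ("received", "scanned", "indexed", "accessed",
             "amended", "archived", "destroyed")

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    seq: int              # position in the log, 0-based
    event: str            # one of LIFECYCLE
    actor: str            # who performed the action
    content_sha256: str   # hash of the document bytes at that moment ("" once destroyed)
    prev_hash: str        # entry_hash of the previous entry, or GENESIS
    entry_hash: str = ""  # hash over all fields above; filled in by the log

    def compute_hash(self) -> str:
        # Canonical JSON over every field except entry_hash itself.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only chain of CustodyEvents for one document."""

    def __init__(self, document_id: str):
        self.document_id = document_id
        self.entries: List[CustodyEvent] = []

    def record(self, event: str, actor: str, content: Optional[bytes]) -> CustodyEvent:
        if event not in LIFECYCLE:
            raise ValueError(f"unknown lifecycle event {event!r}")
        if self.entries and self.entries[-1].event == "destroyed":
            raise ValueError("document already destroyed; the chain is closed")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        content_hash = sha256_hex(content) if content is not None else ""
        ev = CustodyEvent(len(self.entries), event, actor, content_hash, prev)
        ev.entry_hash = ev.compute_hash()
        self.entries.append(ev)
        return ev

    def verify(self) -> bool:
        """True only if every entry is intact and correctly chained to its predecessor."""
        prev = GENESIS
        for i, ev in enumerate(self.entries):
            if ev.seq != i or ev.prev_hash != prev or ev.compute_hash() != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True

    def who_handled(self) -> List[str]:
        """Distinct actors in order of first appearance: the question paper cannot answer."""
        seen: List[str] = []
        for ev in self.entries:
            if ev.actor not in seen:
                seen.append(ev.actor)
        return seen


def demo() -> Tuple[bool, bool]:
    """Build a log for a constructed invoice, verify it, then tamper with it."""
    invoice = b"Invoice 4471: GBP 1,250.00 payable to ACME Ltd"  # constructed sample
    log = CustodyLog("inv-4471")
    log.record("received", "post-room", invoice)
    log.record("scanned", "scanning-bureau", invoice)
    log.record("accessed", "accounts.payable", invoice)
    log.record("archived", "records-mgmt", invoice)
    intact = log.verify()
    # An insider rewrites history to hide who looked at the invoice.
    log.entries[2].actor = "unknown"
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The chain proves only that nothing has changed since its head hash was last recorded; it does not stop someone with write access from truncating the tail or rebuilding the whole log. The head hash (or the log itself) therefore has to live somewhere the audited users cannot reach, such as an append-only store on a separate system or a periodically signed checkpoint, which is the concrete form of the “store they cannot alter or delete” caveat above.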

Weakest link

Human error is often the weak point in information management, and policies need to be designed to work with, not against, existing ways of working so that employees find the policies easy to adopt and implement. The policies need to be backed up with visible support and communication from the top of the organisation. The vital importance of training and ongoing reminders should not be underestimated.

Then, last but not least, we come to the part of information management most often overlooked by businesses: how to dispose of information securely when it is no longer required or when, for reasons of compliance, it can no longer be held. Paper documents are often more vulnerable to exposure at the destruction stage than their digital counterparts. They cannot be locked, encrypted or deleted. Digital records need care at this stage too: a file that has merely been deleted usually remains recoverable until the storage holding it is overwritten or the key protecting it is destroyed. Employees can forget that throwing away is not the same thing as secure destruction. Even if done on office premises, just putting something in the bin puts information at risk of being intercepted and inadvertently disclosed. Every day, newspapers seem to carry another story about the careless disposal of documents containing sensitive customer or employee information, exposing the organisation and others to the risk of fraud, identity theft, loss of brand reputation and the risk of a fine.

Secure shredding

The natural solution is to introduce a programme of secure shredding for documents that are no longer required. Splashing out on an in-house shredding machine is an option, but the money saved by the business comes at a cost. Organisations rarely understand their full range of needs, machines can be time-consuming or resource-intensive to operate and maintain, and employees using them may not be aware of the legal implications associated with shredding a document. For example, it is as damaging to destroy a document you need for regulatory purposes or legal disclosure as it is to fail to destroy a document containing personal details you are no longer entitled to retain. Employees may also be unaware that they might need to provide documented evidence of disposal. An alternative option is to outsource shredding to a trusted third party – one that understands the compliance issues and can provide the evidence of secure, legally compliant destruction required. Information management companies like Iron Mountain will be willing to design, develop and implement a secure document shredding programme from start to finish. Keeping up to date with the latest document destruction regulations is a headache for many an office or compliance manager, not to mention an IT manager more comfortable with managing digital information. Again, this is an area where an external supplier can provide assistance.

Becoming paper-efficient

Digitisation brings many benefits, but the truth is we will not go paper-free in the immediate or mid-term. Businesses should instead concentrate on becoming ‘paper-efficient’ rather than paperless. The growth of paper archives is accompanied by the exponential growth of digital information – all set against a backdrop of increasingly stringent legal regulation and changing business needs. Dealing with this is often hampered by restricted budgets, out-of-date systems and processes, and a spread of responsibility across multiple departments. The most pragmatic way to move forward is to adopt a hybrid model, where both physical and digital information is recognised and managed as part of a coherent information strategy. The cost of getting it wrong is increasing. Today, lost data can incur a fine of up to £500,000 from the Information Commissioner’s Office (ICO) and ruin brand reputation and customer trust. It can be far easier for a business to recover from the former than the latter.

About the author

Phil Greenwood is UK sector director at Iron Mountain. He is responsible for delivering information and records management solutions to the UK’s largest public, private and NHS customers. Greenwood runs specialist sector teams aligned to the sector-specific requirements of Iron Mountain’s clients. These requirements demand innovative solutions that deliver compliance and governance as well as efficiency and cost cutting in order to improve the way organisations use their information. He has over 10 years’ experience working with UK and international records management and is involved with the UK Information and Records Management Society. Legally qualified, Greenwood has also spent time as a fee earner within law firms and has a strong understanding of the way that information and services drive the core business of client organisations.

Calendar

4 April 2012 – hackZA, Johannesburg, South Africa. www.hackza.com
5 April 2012 – INTERFACE, Dallas, Texas, US. www.f2fevents.com/vendor-info.html
19–20 April 2012 – ForenSecure’12 (formerly Netsecure), Wheaton, Illinois, US. http://bit.ly/z8c1cD
24–26 April 2012 – Infosecurity Europe, London, UK. www.infosec.co.uk
24–29 April 2012 – SANS AppSec 2012, Las Vegas, US. www.sans.org/appsec-2012/
25 April 2012 – Security B-Sides, London, UK. www.securitybsides.org.uk/
21–25 May 2012 – Hack In The Box Security Conference 2012, Amsterdam, The Netherlands. conference.hackinthebox.org/
22–24 May 2012 – ITEC Cyber Security Training and Education Workshop, London, UK. www.itec.co.uk/Content/Home/1/
16–22 June 2012 – 24th Annual FIRST Conference, Malta. conference.first.org/program/
21–26 July 2012 – Black Hat USA 2012, Las Vegas, US. www.blackhat.com