Creating a User-Centric Approach to Data Protection

By: Ryan St. Hilaire | 2/13/2015

Information Security Starts with the User

Technologies shift, enterprises react. Mobility, the cloud, big data - all have played a major role in changing information security. Organizations have had to adapt to these changes, primarily by adding new tool sets. Unfortunately, over time this results in a collection of security controls that is overly complex both for IT and for the end user.

In an article on Mobile Market Portal, I examine how the influx of mobile devices has created the most visible change in information security and how organizations have reacted to this shift over time, creating the problems we see today.

Many organizations have invested in MDM technologies to configure and manage the mobile devices now used in the organization. However, many organizations have done so reactively. This type of reactive investment can often introduce an unnecessary layer of workflow within an IT security system that is already too complicated, in effect creating "security silos" where different policies are necessary to support different device types. With this model there is little correlation to the security controls across all device types within the organization.

If you shift the perspective, you’ll see that a user’s requirement is to have the same data on each device - laptop, smartphone, tablet. Focusing on the device adds an unnecessary complexity. Instead, if you have one solution that can secure all devices with a focus on managing the risk at the user level you end up with a far stronger, and more manageable, security solution.

In the article, I talk about how to prioritize information security risk with a user-centric approach that considers technology, internal processes and user education. Focusing on the highest risk to your organization, which is often centred on the users themselves, I list 5 steps to keep data secure including the management of data access, using DLP tools, being able to revoke access, and managing the endpoint. Knowing that risk profiles are not static, the article gives tips on how to continue monitoring medium and low risk scenarios.

By utilizing security information surrounding an event, including the status of the device, the sensitivity of the data, and the user’s role, security teams can respond accordingly, based on the risk profile. By layering solutions, your sensitive data can be protected by a defense-in-depth strategy. Read more about how to do this here.
