In our discussions with customers and countless surveys, cybersecurity and sensitive data protection are always top-ranking issues. IT now has more advanced cybersecurity innovations in its arsenal than ever before, with excellent authentication and real-time threat detection. While these tools are critical to secure IT infrastructure, many organizations still struggle with proper information protection and security, with broad concerns about data leaks, unauthorized access to information, and non-compliance with regulatory security protections.
To address these concerns, organizations must take a proactive, automated approach to information protection and governance. OpenText experts recommend a set of practices under the moniker Zero Trust Information Governance.
What is Zero Trust?
As the name implies, Zero Trust principles mean that protections are implemented to control access wherever it can be controlled. Many IT organizations have implemented strong network access security and even application-level access. However, it is common that information repositories, especially document repositories, are left open in the spirit of information sharing and convenience. Unfortunately, this is no longer a viable option for most organizations; more purposeful and directed access controls must be placed on individual documents and folders to ensure they are protected.
What are some key information protection challenges?
Threats to the organization’s information security range from clever cybercriminals who use social engineering to pry their way into information repositories to employees who unwittingly expose highly sensitive data in ways they never imagined. Ransomware operators are particularly well-equipped and sometimes well-funded to pursue sensitive information that the organization cannot afford to have compromised.
What can organizations do to better protect information?
Relying on employees to follow compliance and governance rules that are complex, that vary by region and practice, and that carry opaque levels of risk based on the content of the document is not a feasible option. Automation is a must, given the vast volumes of content and the high rate of collaboration and sharing on today’s networks. The good news is that automation tools are available and, when implemented, will protect the organization from embarrassing leaks and steep fines and can significantly improve productivity and the relevancy of information.
To protect information appropriately, you must consider your end-to-end processes involving documents and implement content services throughout each. Well-tailored and properly configured services provide the necessary controls and built-in intelligence to actively look for vulnerabilities and simultaneously automate access protections that are part of the business processes to which each document belongs. These controls should be conveniently implemented from the moment each document is created, through its creation and collaboration phase, and flow naturally into long-term retention, search, and access.
How can organizations get started with Zero Trust Information Governance?
Here are five proactive steps you can take to begin building a Zero Trust Information Governance regimen within your organization:
1. Organize content management controls around meaningful business events
Standardizing business practices and content organization by well-understood, repeatable business entities such as clients, projects or events can help an organization deliver predictability and enhance user participation and compliance.
When the organization has an established, repeatable process that demands secure handling of content, the system should be able to apply appropriate information protection controls naturally. Automating content classification and access control within such business processes is much simpler and far more reliable than depending on user compliance.
2. Fully engage robust governance controls
It is essential to proactively and accurately classify content and oversee its lifecycle. All information should be under management, even long-forgotten information, which is more likely to be leaked. Keeping personally identifiable information (PII) and other sensitive data beyond its necessary retention period puts the organization out of compliance. Ensure that written records policies are automated and, when possible, connected to sources of business transactions that can trigger on-time and accurate disposition.
3. Extend governance controls with active rights management
Ensure that security clearances and markings are relevant by employing digital rights management explicitly driven by the organization’s governance policy and classification system. Content services should retain and fully embrace security controls within systems that they integrate with, such as Microsoft® 365.
Furthermore, it may be important to control access based on situational awareness: it may be necessary to prevent access to some critical information except when the user is in the office. So, for example, a user in a coffee shop might be prevented from accessing HR files or proprietary information. In contrast, such access would be granted when the user is sitting in their cubicle at headquarters.
4. Assess risk continuously with intelligent content analysis tools
Content must be constantly monitored for compliance, and policy must be assessed for gaps in coverage. The volume of information to be reviewed likely requires automated tools to facilitate ongoing assessment and drive content and policy review priorities. AI, natural language processing, image analysis and more integrated content analytics can help identify and measure risk levels and areas to investigate further.
5. Bring unmanaged content into compliance and under a proactive security plan
Legacy network file shares and repositories with terabytes of unmanaged content represent an unacceptable risk to any organization. Organizations should initiate a program to bring all unmanaged content under the control of governance.
Strong auto-classification, data mapping and discovery tools can help remove redundant, obsolete and trivial (ROT) content and preserve only necessary business records. This proactive control helps protect against disruptions caused by ransomware as well.