'Take an information-centric view of security'

CIOL Bureau

Today, the rising incidence of unauthorized information access, data theft and ineffective security mechanisms for protecting information has raised major concerns among enterprises and organizations. Seclore Technologies' CEO, Vishal Gupta, talks to Pankaj Maru of CyberMedia News about information digitization and its changing dimensions, evolving information threats or risks, information security mechanisms in recessionary times and much more. Excerpts:

Digitization of information or data has completely changed the information dimensions and also the way it is used and managed today. Do you think the information digitization has brought in an entirely different perspective on information's risk, its security and management, particularly at the enterprise level?

Absolutely. The methods to contain information risks before and after digitization are completely different. Before digitization, physical access control to information was the only method of its security. Examples of such are large document vaults which still exist in some pharmaceutical companies and law firms. With digitization and the collaboration that it brings, access control methods are rendered ineffective since replication and transmission of information is easy.

Consequently, any system which restricts access, replication or transmission quickly becomes ineffective due to new methods coming for the same purpose. There is no option but to take an information-centric view of security and ensure that security is built into the information itself instead of the infrastructure around it.

Which are the evolving threats or risks about information? And how can it be managed using IT?

Risks of information breaches are continuously evolving like a 'cops-and-robbers' game, i.e. you mitigate one risk and another one springs up. Also the solutions to problems typically become the problem themselves after a while. Amongst the largest threats today are risks associated with “internal employee or partner” data breach (Blog reference) as well as risks associated with the rapidly vanishing “enterprise perimeter”.

Most security systems today, like firewalls, UTMs, etc., do not take care of “internal” resources being the cause of an information breach. The only way to mitigate such risks is to have an “information-centric” policy for usage, i.e. define and implement a policy for information usage which is dependent on the “as-of-now” relationship between the owner of information and its user.

Also, these usage rights should be dynamic, i.e. if the genuine need for the “recipient” to use the information has expired or the business relationship between the owner and the recipient changes, then it should be possible to “withdraw” the usage rights to that information.

Seclore’s products such as Seclore FileSecure and Seclore InfoSource provide exactly these controls to individuals and enterprises. Seclore FileSecure allows users (owners) of information to control WHO (people, groups, etc) can use the information, WHAT (view, edit, print, forward, etc) can they do with the information, WHEN (dates, timespans, etc) can they use the information and WHERE (within the office, at home, etc) can they use the information.

Seclore InfoSource allows enterprises looking to outsource key business processes to external agencies (BPO/KPO) to retain control over information shared with the agencies, while not hindering the agencies’ capability to perform. This is especially useful in any kind of cross-border data flow.

Budget constraints, especially for IT, have become a major issue today. In the Indian context, how are local organizations and enterprises evaluating the significance of information security mechanisms and IT budget constraints?

The need for information security has not gone away; the budgets to support large initiatives have, however, reduced considerably. Considering this, information security companies should look at a partnership model with customers which can allow security initiatives to progress with a “pay as you use” commercial model.

Some of the largest enterprises are coming around to this model, which I believe will not only define security initiatives but also generic software initiatives. At Seclore, we have introduced exactly this model, which will allow us to become a partner in the customer's business and its security.
