Corporate Digital Data is a key component of your digital identity. It is a critical asset that must be protected from external threats. At the same time, this digital data empowers your business. Forward-thinking business leaders should be looking at a few key data protection principles at every scale, from the small business to the large enterprise. Here is how to get started:
- Authorize only specific user experiences to access your corporate data.
- Delegate user access via specific applications to interact with your data API.
- Create a well understood corporate data classification policy.
- Create a well understood role based access control policy.
- Provide reasonable defaults for employees.
Authorize Specific User Experiences
All too often, corporate digital data ends up in siloed applications or in a collection of unstructured documents. Access controls are typically put in place, inconsistently, on these silos and collections. Rarely is the business context of the corporation taken into account with this structure and these access controls. This is leading to the rise of corporate data APIs (Application Programming Interfaces). This is a great step forward to reduce silos and provide structure.
APIs are often written in the context of the application domain that provides the user experience. This is problematic for corporations, as their business data is forced into a structure that does not make sense for the data. APIs should be tailored to the business context, solving the business problem, not the technical implementation. Businesses understand their domains. APIs tailored to the business domain have the exact context needed to be well understood by all employees of that business. This is a key to innovation. This is a key to businesses employing context-specific user experiences. In many cases, employees are able to innovate with new user experiences, as they have the technical knowledge to develop them and are not constrained by a poor API designed around a technical implementation specific to a particular application. These employees are able to use their corporate business model directly.
Corporate APIs must have a security model that allows for employees to innovate user experiences. The security model must allow for different user experiences to be authorized against the API. This allows corporations to control specifically what user experiences are authorized to talk to their API based systems.
Delegate access via User Experiences
Users do not understand the scope of access for each user experience authorized against a corporate API. Users must have a convenient way to understand and make informed decisions about the experience they are choosing. Systems that authorize specific user experiences are a good start. However, users must also understand access scope.
Access scope is defined as the information that the user experience needs to perform its job as well as the type of actions on the API, such as create, read, update and delete. Each user experience must be explicit as to what actions and what data it needs. With this information, the user is empowered to make an informed decision which allows them to delegate access, on their behalf, to the user experience against the API.
Create a well understood Corporate Digital Data classification policy
If businesses think about classification policies, they tend to think of large, complex policies with digital data handling instructions akin to military or intelligence agency handling policies. These complex policies are often brushed aside in favor of general access to data. This leads to exposure or compromise of potentially damaging information. Companies may suffer financial or reputation damage, which may be obvious. What is not obvious is data like employee travel, which may put the employee’s life at risk. Attempting to put security policies in place after the fact often leads to inconsistent adoption and/or inconsistent data access.
A common sense security policy should be instituted from the start. These policies, if straightforward, lend themselves to good protection of digital data, preventing accidental dissemination or other compromises. A common sense policy might look like:
- Special – Classification to handle potentially life-threatening data.
- Highly Confidential – Dissemination may cause severe financial, legal or reputation damage.
- Confidential – Dissemination may cause financial, legal or reputation damage.
- General – Restricted for use within the company.
- Open – No corporate impact if disseminated.
This type of data classification is foundational. Every piece of data must be marked, thus providing the foundation for the system to make automated access control decisions.
Create a well understood role based access control policy
Corporate users and guests should not all have the same level of access to corporate digital data. Many times, role based access policies are put in place that merely delineate between administrator access and non-administrator access. Occasionally a managerial layer is put in place within the policy. Many times, access control of this nature is an afterthought. These policy implementations tend to let data access get out of control or tend to silo information across data systems with differing policies. This further complicates the data access problem, either by too heavily restricting access or by making the access control too difficult, resulting in employees bypassing the control.
Corporate systems should have the ability to implement a role based access control system that allows flexibility in what the roles may do and who may be in the roles. This system should be able to be shared such that other corporate data systems may use this system. This approach provides for a standardization of roles and what they are allowed to access across the corporate data systems.
Provide reasonable defaults for employees
The previous four policy implementations and data security standards combine to make a system of security that is well thought out and ensures only appropriate access to data. The problem is that these four approaches also combine to create a complex security model. Users who must deal with a complex security model will ignore it.
Corporate applications must provide defaults that allow the user to operate within the security system and be conscious of it, without it becoming a hurdle to information sharing or accomplishing work. Data generated in any corporate system should not have to be manually marked by a user; rather, a corporate default shall be used based on system and type of data. User Experiences should allow users to override defaults, because some users will have a better grasp of the security model and thus know when to downgrade or upgrade security. Over time, the corporate data system will learn this behavior and develop the ability to predict classification based on the type of data, users involved, etc.
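The five principles above reduce to one automated access decision. The sketch below is an added example, not code from the original article; the client names, role names, the mapping of each role to a maximum classification level, and the fallback to General for unlisted data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # the article's five levels, least to most sensitive
    OPEN = 0
    GENERAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3
    SPECIAL = 4

# Constructed sample policy; every name below is hypothetical.
AUTHORIZED_CLIENTS = {"expense-app", "travel-portal"}
ROLE_CLEARANCE = {"guest": Level.OPEN, "employee": Level.GENERAL,
                  "finance": Level.HIGHLY_CONFIDENTIAL, "travel-security": Level.SPECIAL}
DEFAULT_LABEL = {("travel", "itinerary"): Level.SPECIAL,
                 ("finance", "invoice"): Level.CONFIDENTIAL}

@dataclass(frozen=True)
class Grant:
    """What one user delegated to one user experience: resource -> allowed actions."""
    user_roles: frozenset
    client: str
    scopes: dict

def label_for(system, data_type, override=None):
    """Corporate default by system and data type; a user override wins if given."""
    if override is not None:
        return override
    return DEFAULT_LABEL.get((system, data_type), Level.GENERAL)  # assumed fallback

def decide(grant, resource, action, label):
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    if grant.client not in AUTHORIZED_CLIENTS:
        return False, "client not authorized"
    if action not in grant.scopes.get(resource, ()):
        return False, "outside delegated scope"
    clearance = max((ROLE_CLEARANCE.get(r, Level.OPEN) for r in grant.user_roles),
                    default=Level.OPEN)  # unknown or missing roles get least clearance
    if clearance < label:
        return False, "role clearance below classification"
    return True, "ok"

if __name__ == "__main__":
    g = Grant(frozenset({"finance"}), "expense-app", {"invoice": {"read"}})
    print(decide(g, "invoice", "read", label_for("finance", "invoice")))
    print(decide(g, "invoice", "delete", label_for("finance", "invoice")))
```

Because each check is independent, a denial names the principle that failed, which is the information a user or auditor needs to correct the grant, role or label.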