Building barriers to keep out the wrong people is an ancient human practice. From the walls of Jericho to the Great Wall of China to the massive barricades of Troy, said to be built by the gods, walls keep different groups separated. It's a logic that inspires perimeter-style cyber security: we use firewalls to keep the wrong people out, and we use VPNs to 'tunnel' through such walls.
But just as modern cities no longer surround themselves with tall edifices, cyber security 'walls' have hit a barrier – they are not flexible enough for today's collaborative, hybrid work and globalised businesses.
Limiting when and where someone can access information is crucial, yet tricky. For example, Australian law forbids public servants from accessing certain information outside their country. But what if a state employee downloads their emails at an airport in Sydney just before boarding their flight? Can you stop them from checking that information when they are halfway across the Pacific?
Perhaps violating international sovereignty is not your concern. Instead, you want people in your company to communicate with each other, yet they don't have the same access privileges. So even if they want to arrange a weekend braai with some colleagues, they can't do so over official channels because policy enforced by information barriers prevents them. And giving them additional access is impractical because their role does not allow it.
"Historically, information barriers have been very black and white," explains Kurt Mueffelmann, Global Chief Operating Officer at archTIS. "You are either inside the wall or outside the wall. But in today's collaborative environment, that doesn't work. You can't have two groups that never communicate with each other. Yet there are certain topics, certain documents, that they should not communicate on. That information has to be segmented and segregated."
What's in a role?
Security often relies on roles to permit or restrict people's movement. Like a bouncer with a guest list, they approve or reject access. Yet that assumes the wall doesn't change, nor do its conditions for access.
But refer back to the travelling Australian state employee. Their role allows them to download the information they seek, yet that role has no say over when or where they check it. The role primarily determines whether they have the right. Yet in this example, the wall – or information barrier – should determine whether they still have that right while outside their country's borders.
Perimeter-style information barriers cannot make that distinction unless there is significant juggling of policy and rules in the background, which creates a different problem.
"If your information barriers are too rigid, you are inviting employees to work around them," Mueffelmann explains. "What happens is that if you have this stark barrier where they can't communicate internally, they're going to go off into other methods that are non-corporate. They're going to create a shadow network, where maybe they install WhatsApp, and start chatting."
Roles alone should not define information access. Today's dynamic workplaces need dynamic information barriers if they want data and communications to flow freely and securely.
Secure and flexible access
If we cannot rely on roles to determine access under variable circumstances, we should move closer to the source: the data itself. Increasingly, companies are using attribute-based access control (ABAC) to complement their role and perimeter defences. In this approach, information barriers are created based on the type of data asset and weighed against various user and environmental characteristics, such as the device in use, the user's location and the time of access.
"This is the benefit of using attribute-based access control. You're really looking at two things. One, what is the information, and is that information sensitive from a regulatory, legal or even internal process perspective? And then look at that user: is that user accessing information on a correct device and in the correct scenario, such as a geographical area or appropriate time?"
Such an approach is also notably simpler and less expensive to implement and govern than policy-driven restrictions. The latter still matter; the point is that they cannot provide flexibility at the level of individual data assets, which is what modern workplace dynamics demand. Attribute-based security deploys quickly and can scan assets to determine their place in the company data value chain. It's a terrific addition to security, data management and collaboration.
Dynamic information barriers that are enforced using ABAC additionally deliver an advantage that many companies couldn't previously justify. The obvious use cases for such barriers appear in heavily regulated industries such as financial trading and the public sector. But since the advent of legislation such as POPIA and GDPR, they are an excellent means to control the exposure of regulated personal data.
Dynamic information barriers are also excellent across branch offices and competing projects. Mueffelmann cites a recruitment agency customer that handles the accounts for two major competing brands – dynamic barriers keep those accounts separated under the right circumstances without compromising the agency's esprit de corps.
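To make the ABAC approach described above concrete, here is an added, illustrative policy evaluator (constructed for this article, not archTIS code) that covers both the travelling public servant and the competing-brand information barrier. The sensitivity labels, the "AU" home jurisdiction, the business-hours window and the sample users, documents and locations are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Set, Tuple

# Constructed, illustrative ABAC evaluator (not archTIS code): decisions combine data
# attributes (sensitivity, client account) with user and environment attributes.

@dataclass
class Resource:
    name: str
    sensitivity: str               # "public", "internal" or "regulated"
    client: Optional[str] = None   # client account the document belongs to, if any

@dataclass
class Subject:
    user: str
    role: str                      # recorded, but never sufficient on its own
    clients: Set[str] = field(default_factory=set)  # accounts the user is assigned to

@dataclass
class Environment:
    country: str          # where the request originates
    managed_device: bool  # corporate-managed endpoint?
    local_time: time

HOME_COUNTRY = "AU"  # assumed jurisdiction for the regulated-data rule
def evaluate(subject: Subject, resource: Resource, env: Environment) -> Tuple[bool, str]:
    """Deny by default: every applicable rule must pass; the first failing rule gives the reason."""
    # Regulated data stays inside the home jurisdiction, whatever the user's role.
    if resource.sensitivity == "regulated" and env.country != HOME_COUNTRY:
        return False, "regulated data may not be accessed outside " + HOME_COUNTRY
    # Anything above public requires a managed device.
    if resource.sensitivity != "public" and not env.managed_device:
        return False, "non-public data requires a managed device"
    # Client-bound documents are walled off from staff not assigned to that client;
    # resources with no client (a social channel) stay open to both teams.
    if resource.client is not None and resource.client not in subject.clients:
        return False, "information barrier: not assigned to client " + resource.client
    # Regulated data only within business hours (07:00-19:00 local).
    if resource.sensitivity == "regulated" and not (time(7) <= env.local_time <= time(19)):
        return False, "regulated data is limited to business hours"
    return True, "permitted"

# Constructed scenarios: the same officer in Sydney and mid-flight, and two account
# managers on competing brands who still share a social channel.
OFFICER, CASE_FILE = Subject("officer", "public_servant"), Resource("case-file", "regulated")
SYDNEY, MID_PACIFIC = Environment("AU", True, time(9, 30)), Environment("US", True, time(9, 30))
ALICE, BOB = Subject("alice", "account_manager", {"brand-a"}), Subject("bob", "account_manager", {"brand-b"})
BRAND_A_PITCH, BRAAI_CHANNEL = Resource("brand-a-pitch", "internal", client="brand-a"), Resource("weekend-braai", "internal")
```

The same officer with the same role is permitted in Sydney and denied mid-flight, while Bob can join the braai channel but not open Brand A's pitch.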
"I think almost every sector in every business has the need for information barriers," he concludes. "It might be for legal reasons or to protect IP. Maybe you have an employee visiting a country with a high risk for hacking. You can control that with attribute-based security and dynamic information barriers. For example, I'm the COO and that once meant I could access just about anything in our business. But now that access depends not only on who I am, but where I am, what device I'm on and if that information has anything to do with me. One size really doesn't fit all. You need dynamic data access control if you want a dynamic and data-centric environment."