Almost all medium and large organizations depend on transactional systems for their day-to-day operations such as ERP, CRM, order management, invoicing, accounting, planning and control, transport and logistics, and so on. Some organizations consolidate their corporate data across multiple systems into data warehouses or reporting data stores, which may be used for analysis and reporting.
Data access within the transactional system will usually be controlled via access rights logic to ensure that users access only data they are authorized to access. Often, users are allowed to extract or download reports from the systems for analysis or offline reporting purposes. Such extracted data is no longer governed by the access rights logic. The data may have been downloaded by the authorized user, but may be shared with anybody without any limitations once it is outside the system. Every report or data extract that is outside the system is thus a source of corporate data leakage.
Access rights logic within the application may be sufficient to secure the data which resides within the boundaries of the application, but it cannot control the data outside the application.
Controlling data outside the system
An information rights management (IRM) solution can be integrated with the transaction system to protect the data download or data extract before it is made available to the authorized user. The protection policies would be applied automatically as part of the download or data extraction process.
These IRM policies can be managed centrally and changed at any time as required, using an IRM solution. The security policy for any such download or data extract will govern:
- Who has access — users or user groups?
- What access is given — can the user print or edit or copy the document.
- When the access expires — a specified timeframe, after which the data gets locked.
- Where the access is available — within the office network (LAN or WAN), and not from outside.
Data audits and usage reports
With IRM solutions, once the data is protected using the IRM policy, every access to the document is logged and tracked centrally. This helps maintain an audit trail of access outside the application boundary. This comprehensive audit log is made available to the document owner.
The logs are easily searchable, and provide insightful information on who has accessed the information, as well as the performed operations. The transactional system maintains the audit trail for data that resides within the system, and the IRM solution also maintains the audit trail for data that is outside the transactional system.
Sample case 1: Consider an insurance company that has a sales reporting process to provide weekly sales figures of each of its intermediaries to the executive sales team.
MIS users at the regional head offices are responsible for extracting this data from the transactional system for their regions and sending it to the head office. The MIS team is required to massage the data and aggregate it before sending it to the head office. This data is sensitive and should not fall into the wrong hands.
With an IRM solution integrated with the transactional system, access to this data can be limited to the MIS team and the executive sales team at the head office. Further, every access will be tracked and any misuse can be traced to the individual. The usage policies can be changed at any time, and these changes will be enforced immediately on the data files.
Sample case 2: A financial services organization wants to outsource its back office activities to a BPO firm. The organization is highly concerned about customer data being exposed to the BPO. All client data resides in a standard software application. After the transition, the same application will be used by the vendor from its office location.
Data that resides within the system is tightly controlled by the application’s access control logic. However, data needs to be downloaded (data extracts) for creating custom reports. This information security risk can be addressed by implementing IRM solutions. Once the data is extracted from the system, the IRM solution will ensure it is available only to the rightful users as decided by the data owner. Such tight control with IRM solutions ensures that outsourcing can be as secure, if not more secure, than the earlier in-house process.
About the author: Zubin Dalal heads business solutions at Seclore Technology.
This was first published in December 2011