Recently, there has been a significant amount of conversation around data privacy, and how it relates to data security and the needs, obligations, and capabilities of the enterprise to implement an effective data security model. In a sense, this issue is at the center of any security policy discussion: where is the balance point between convenience and necessity when it comes to security policy?
For many publicly traded organizations, their primary goal is either to:
(A) maximize shareholder value, or to
(B) foster an environment focused on “developing innovative products, delivering value for the customer, and motivating their employees to be more productive and successful,” depending upon their philosophical and organizational values.
Accordingly, they need to ensure that their trade secrets remain confidential, that their financial and personnel assets are kept private, and that they are meeting a variety of regulatory requirements. In order to do so, most organizations implement a range of systems and procedures that allow them to, when appropriate, monitor employee activity and traffic on corporate-owned systems, networks, and properties.
For government and educational organizations, the motivations may be different, but the resulting environment is similar. Typically, these institutions are holders of significant amounts of highly sensitive data, and have both legal and ethical obligations to keep it safe. As with private enterprises, they must take a number of steps in order to do so, and this includes forensic analysis and security-driven review of the data stored within their systems.
In terms of legalities, these response strategies require actions that typically fall under the doctrine of “reasonable expectation of privacy”. In separate rulings, the Eighth and Tenth Circuit courts in the United States have found that US-based employees have no expectation of privacy at work while connected to corporate network assets, based on the policies that were clearly outlined prior to their usage of those systems.
Likewise, in the European Union — which does hold privacy in higher regard, generally speaking — the “seven principles” metric is often applied to the question of whether or not an employer may monitor or review electronic information that relates to its business. The principles, which include “necessity” and “transparency”, are generally a guideline rather than a formal legal standard; they outline the reasons why an organization may view this type of data while remaining in compliance with the Data Protection Directive and its varying subsequent interpretations.
In effect, organizations in either legal environment can find and implement policies, solutions, and approaches that respect essential privacy considerations while meeting their regulatory and ethical obligations, including the protection of highly sensitive data stored within their systems. The most robust approach to doing so is to acquire solutions that are based on the idea that organizations can and should be able to identify and control insecure practices and data.
This is not a new concept: on-premises data loss prevention software has been a mainstay of good information security for at least twenty years. Reviewing data in situ, where it is stored rather than after copying it elsewhere, is a best practice, and it is a requirement for effective security analyst work.
Accordingly, CloudLock’s Collaboration Security product for Google Apps is designed to operate entirely within the Google ecosystem, and is the only product on the market capable of analyzing an organization’s data and exposures, scanning that information for inappropriately shared personally identifiable information, payment card information, and custom patterns of data, and providing real security and control, all without transferring any of that information out of the Google environment.